module
SystemTap MODPROBE_OPTIONS Privilege Escalation
| Disclosed | Created |
|---|---|
| Nov 17, 2010 | Apr 22, 2019 |
Disclosed
Nov 17, 2010
Created
Apr 22, 2019
Description
This module attempts to gain root privileges by exploiting a
vulnerability in the `staprun` executable included with SystemTap
version 1.3.
The `staprun` executable does not clear environment variables prior to
executing `modprobe`, allowing an arbitrary configuration file to be
specified in the `MODPROBE_OPTIONS` environment variable, resulting
in arbitrary command execution with root privileges.
This module has been tested successfully on:
systemtap 1.2-1.fc13-i686 on Fedora 13 (i686); and
systemtap 1.1-3.el5 on RHEL 5.5 (x64).
vulnerability in the `staprun` executable included with SystemTap
version 1.3.
The `staprun` executable does not clear environment variables prior to
executing `modprobe`, allowing an arbitrary configuration file to be
specified in the `MODPROBE_OPTIONS` environment variable, resulting
in arbitrary command execution with root privileges.
This module has been tested successfully on:
systemtap 1.2-1.fc13-i686 on Fedora 13 (i686); and
systemtap 1.1-3.el5 on RHEL 5.5 (x64).
Authors
Tavis Ormandy
bcoles bcoles@gmail.com
bcoles bcoles@gmail.com
Platform
Linux
Architectures
x86, x64, armle, aarch64, ppc, mipsle, mipsbe
References
Module Options
To display the available options, load the module within the Metasploit console and run the commands 'show options' or 'show advanced':
NEW
Explore Exposure Command
Confidently identify and prioritize exposures from endpoint to cloud with full attack surface visibility and threat-aware risk context.