CVE-2017-6554

Published: 14/04/2017 Updated: 03/10/2019
CVSS v2 Base Score: 9 | Impact Score: 10 | Exploitability Score: 8
CVSS v3 Base Score: 7.2 | Impact Score: 5.9 | Exploitability Score: 1.2
VMScore: 945
Vector: AV:N/AC:L/Au:S/C:C/I:C/A:C

Vulnerability Summary

pmmasterd in Quest Privilege Manager prior to 6.0.0.061, when configured as a policy server, allows remote malicious users to write to arbitrary files and consequently execute arbitrary code with root privileges via an ACT_NEWFILESENT action.

Vulnerable Products

quest privilege manager 6.0.0-27

quest privilege manager 6.0.0-50

Exploits

#!/usr/bin/env python2
"""
# Exploit Title: Quest Privilege Manager pmmasterd Arbitrary File Write
# Date: 10/Mar/2017
# Exploit Author: m0t
# Vendor Homepage: www.quest.com/products/privilege-manager-for-unix/
# Version: 6.0.0-27, 6.0.0-50
# Tested on: ubuntu 14.04 x86_64, ubuntu 16.04 x86, ubuntu 12.04 x86
# CVE : 2017-6554

REQUIREMENTS ...

Mailing Lists

This Metasploit module exploits a buffer overflow in the Quest Privilege Manager, a software used to integrate Active Directory with Linux and Unix systems. The vulnerability exists in the pmmasterd daemon, and can only be triggered when the host has been configured as a policy server (Privilege Manager for Unix or Quest Sudo Plugin). A buffer overf ...

Metasploit Modules

Quest Privilege Manager pmmasterd Buffer Overflow

This module exploits a buffer overflow in the Quest Privilege Manager, a software used to integrate Active Directory with Linux and Unix systems. The vulnerability exists in the pmmasterd daemon, and can only be triggered when the host has been configured as a policy server (Privilege Manager for Unix or Quest Sudo Plugin). A buffer overflow condition exists when handling requests of type ACT_ALERT_EVENT, where the size of a memcpy can be controlled by the attacker. This module only works against version < 6.0.0-27. Versions up to 6.0.0-50 are also vulnerable, but not supported by this module (a stack cookie bypass is required). NOTE: To use this module it is required to be able to bind a privileged port (<=1024), as the server refuses connections coming from unprivileged ports, which in most situations means that root privileges are required.

msf > use exploit/linux/misc/quest_pmmasterd_bof
msf exploit(quest_pmmasterd_bof) > show targets
    ...targets...
msf exploit(quest_pmmasterd_bof) > set TARGET <target-id>
msf exploit(quest_pmmasterd_bof) > show options
    ...show and set options...
msf exploit(quest_pmmasterd_bof) > exploit