Actively Exploited in the Wild
This vulnerability is being actively exploited in the wild.
Kloxo Local Privilege Escalation Vulnerability in Setuid Root Binaries
Vulnerability
A local privilege escalation vulnerability has been identified in Kloxo versions through 6.1.12. The issue arises from two setuid root binaries, lxsuexec and lxrestart, which allow users with Apache-level access (uid 48) to execute arbitrary commands as root. This vulnerability can be exploited without authentication, leveraging the lxsuexec binary to gain elevated privileges via the lxrestart binary.
Impact
Exploitation of this vulnerability allows for unauthorized local privilege escalation to the root user.
Reproduction
To reproduce this vulnerability, a user must have access to the Apache web server, typically running under uid 48. Once this condition is met, the lxsuexec binary can be used to execute commands as root. The lxrestart binary can be exploited by writing a payload to be executed with elevated privileges, taking advantage of the lack of input sanitization in the lxrestart command processing.
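A defender-side check for the condition the advisory describes, added here as an example and not part of the advisory or of Kloxo itself: it audits the given directories for setuid-root files named lxsuexec or lxrestart and reports the mode each would have with the setuid bit cleared. The search roots and the `root_uid` parameter are assumptions for illustration and testing; whether clearing the bit is the right hardening step for a given installation is not something the advisory states.

```python
import os
import stat
from pathlib import Path

# Basenames of the two setuid-root binaries named in the advisory.
SUSPECT_NAMES = frozenset({"lxsuexec", "lxrestart"})

# Assumed search roots; adjust to where the Kloxo install actually lives.
DEFAULT_SEARCH_DIRS = ("/usr", "/opt")


def is_setuid_root(path: Path, root_uid: int = 0) -> bool:
    """True if path is a regular file with the setuid bit set and owned by root_uid."""
    try:
        st = path.lstat()  # lstat: do not follow symlinks
    except (FileNotFoundError, PermissionError):
        return False
    if not stat.S_ISREG(st.st_mode):
        return False
    return bool(st.st_mode & stat.S_ISUID) and st.st_uid == root_uid


def find_setuid_root(search_dirs, names=SUSPECT_NAMES, root_uid: int = 0):
    """Walk search_dirs and return sorted paths of setuid-root files named in `names`."""
    hits = []
    for base in search_dirs:
        for dirpath, _dirnames, filenames in os.walk(base):
            for fn in filenames:
                if fn in names:
                    p = Path(dirpath) / fn
                    if is_setuid_root(p, root_uid):
                        hits.append(p)
    return sorted(hits)


def strip_setuid(path: Path, dry_run: bool = True) -> int:
    """Return the permission bits with setuid cleared; apply them unless dry_run."""
    mode = path.lstat().st_mode & 0o7777
    new_mode = mode & ~stat.S_ISUID
    if not dry_run:
        os.chmod(path, new_mode)
    return new_mode


if __name__ == "__main__":
    for hit in find_setuid_root(DEFAULT_SEARCH_DIRS):
        print(f"setuid root: {hit}  (would become mode {strip_setuid(hit):04o})")
```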
