MCSManager Privilege Escalation Vulnerability

A privilege escalation vulnerability exists in MCSManager version 10.5.3. The daemon process runs as the root user by default, and sensitive information, including tokens and terminal logs, is stored in a data directory that is accessible to all users. This allows other users on the system to read the daemon's key, log in, and gain elevated privileges.

Impact

Exploitation of this vulnerability allows for unauthorized access to the MCSManager daemon with elevated privileges, potentially leading to unauthorized actions or access within the application or system.

Reproduction

To reproduce this vulnerability, log into a user account on the system that is not root. Access the MCSManager daemon's data directory, which is located at /opt/mcsmanager/daemon/data/Config/global.json. The default directory permissions allow all users to read the files. The global.json file contains sensitive information, including a key that can be used to log into the MCSManager daemon. Once logged in, any privileges associated with the daemon can be accessed, including those of the root user if a bash instance is active with root privileges.

Remediation

Users can manually change the permissions of the /opt/mcsmanager directory to 700, restricting access to the directory owner. This can be done by executing the command 'chmod 700 /opt/mcsmanager' as the root user.