CVE-2008-5394

Debian GNU/Linux - Local Privilege Escalation

Title source: llm

Exploitation Summary

EIP tracks 1 public exploit for CVE-2008-5394. PoCs published by Paul Szabo.

AI-analyzed exploit summary This exploit leverages a race condition in the utmp handling mechanism to manipulate symbolic links, allowing an attacker to gain read access to sensitive files like /etc/shadow. It involves compiling and running two helper programs to fill the utmp database and jiggle symbolic links.

Description

/bin/login in shadow 4.0.18.1 in Debian GNU/Linux, and probably other Linux distributions, allows local users in the utmp group to overwrite arbitrary files via a symlink attack on a temporary file referenced in a line (aka ut_line) field in a utmp entry.

Exploits (1)

exploitdb WORKING POC VERIFIED

by Paul Szabo · bashlocallinux

https://www.exploit-db.com/exploits/7313

View Code ZIP pw:eip

This exploit leverages a race condition in the utmp handling mechanism to manipulate symbolic links, allowing an attacker to gain read access to sensitive files like /etc/shadow. It involves compiling and running two helper programs to fill the utmp database and jiggle symbolic links.

Classification

Working Poc 95%

Attack Type

Lpe

Complexity

Moderate

Reliability

Racy

Target: Linux systems with vulnerable utmp handling (specific version not specified)

No auth needed

Prerequisites: Access to a system with group utmp privileges to set the SUID bit on the compiled binary · Ability to execute the compiled binaries and run the telnet command

MITRE ATT&CK

T1068 - Exploitation for Privilege Escalation T1222 - File and Directory Permissions Modification

devstral-2 · analyzed Feb 16, 2026 Full analysis →