Solaris Update manager and Sun Patch Cluster - Symlink attack

2010-03-31 / 2010-04-01
Credit: DHS
Risk: Medium
Local: Yes
Remote: No
CWE: CWE-59


CVSS Base Score: 3.3/10
Impact Subscore: 4.9/10
Exploitability Subscore: 3.4/10
Exploit range: Local
Attack complexity: Medium
Authentication: Not required
Confidentiality impact: Partial
Integrity impact: Partial
Availability impact: None

Symlink attack with Solaris Update manager and Sun Patch Cluster
Larry W. Cashdollar, Vapid Labs, 1/24/2009

Many patches use insecure file creation in /tmp to store data during installation. The easiest one to exploit is /tmp/CLEANUP, which is used in a handful of package installation scripts. The script code is typically:

    CLEANUP_FILE=/tmp/CLEANUP
    echo "EXISTING_FILE_PRESERVED: ${dest} ${dest}.${TAG}" >> ${CLEANUP_FILE}

Similar code is found in:

./118833-36/SUNWcsr/install/i.renamenew
./118833-36/SUNWcsr/install/u.initd
./118833-36/SUNWcsr/install/i.initd
./118833-36/SUNWcsr/install/preinstall
./118833-36/SUNWintgige/install/i.renamenew
./118833-36/SUNWvolr/install/u.initd
./118833-36/SUNWvolr/install/i.initd
./118833-36/SUNWsndmu/install/postinstall
./118833-36/SUNWsacom/install/i.initd
./118833-36/SUNWsacom/install/u.initd
./118833-36/SUNWsndmr/install/postinstall
./118833-36/SUNWsndmr/install/i.renameold
./120272-26/SUNWsmmgr/install/u.initd
./120272-26/SUNWsmmgr/install/i.initd
./137093-01/SUNWcsr/install/i.renameold
./137137-09/SUNWnxge.u/install/i.renameold
./137137-09/SUNWcsr/install/i.renamenew
./137137-09/SUNWcsr/install/i.renameold
./137137-09/SUNWckr/install/i.renameold
./137137-09/SUNWnxge.v/install/i.renameold
./141444-09/SUNWixgbe/install/i.renamenew
./141444-09/SUNWnxge.u/install/i.renamenew
./141444-09/SUNWnxge.v/install/i.renamenew
./127127-11/SUNWtsg/install/preinstall
./127127-11/SUNWtsg/install/i.renamenew
./127127-11/SUNWtsu/install/i.renamenew
./127127-11/SUNWypr/install/i.renameold
./127127-11/SUNWcsr/install/i.group
./127127-11/SUNWcsr/install/i.pamconf
./127127-11/SUNWcsr/install/i.passwd
./127127-11/SUNWcsr/install/i.renamenew
./125555-06/SUNWcsu/reloc/usr/lib/patch/patch_override_dir/137137_SUNWnxge_i.renameold
./122660-10/SUNWcsr/install/preinstall
./119313-29/SUNWwbcor/install/i.initd
./119313-29/README.119313-29
./120011-14/SUNWckr/install/i.renameold
./120011-14/SUNWcsr/install/i.renamenew
./120011-14/SUNWcsr/install/i.renameold
./120011-14/SUNWcsr/install/preinstall
./120011-14/SUNWsndmu/install/postinstall
./120011-14/SUNWsndmr/install/i.renameold
./121453-02/undo_pkgs.pkg
./121453-02/payload.pkg
./121453-02/SUNWppror/install/i.initd
./122911-19/README.122911-19
./122911-19/SUNWapchr/install/i.initd
./122911-19/SUNWapchr/install/i.renamenew
./122911-19/SUNWapchr/install/u.initd
./122911-19/SUNWtcatr/install/i.renamenew
./139555-08/SUNWcsr/install/i.renamenew
./120543-15/SUNWapch2r/install/i.renamenew
./125215-03/SUNWwgetr/install/i.renamenew

If a user creates a symlink to a root-owned file, /etc/shadow for example, it will be clobbered by the patch installation process if that patch applies to the system.

    $ cd /tmp
    $ ln -s /etc/shadow CLEANUP

I was able to append the contents of CLEANUP to /etc/shadow.

With the GUI Sun Update Manager being used to install patches on a system, local users can easily run scripts and create symlinks in an attempt to clobber files and potentially escalate privileges, as this application is typically run in multi-user mode. There are other attackable files that are created as well. I have only investigated the easiest one, however.
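The following is an added example, not code from the advisory or from Sun's patch scripts: it places the vulnerable fixed-name append pattern next to a hardened replacement that keeps the cleanup log in a file created by mktemp(1) inside a freshly made private directory, so a symlink pre-planted at a predictable name is never followed. It assumes a POSIX sh with mktemp available and honours TMPDIR if set.

```shell
#!/bin/sh
# Added example (not from the advisory). Contrasts the CWE-59 pattern found in the
# patch scripts with a version that cannot be redirected by a pre-planted symlink.

# Vulnerable pattern, as in the patch scripts: a fixed, predictable name under /tmp
# that is appended to with >>. open(2) follows a symlink at that name, so whatever
# a local user pointed /tmp/CLEANUP at receives the appended line.
vulnerable_log() {
    CLEANUP_FILE="${TMPDIR:-/tmp}/CLEANUP"
    echo "EXISTING_FILE_PRESERVED: $1 $1.$2" >> "$CLEANUP_FILE"
}

# Hardened: create a private, unpredictably named work directory first and keep the
# log inside it. mktemp -d creates a new directory atomically with mode 0700 and fails
# rather than reusing an existing path, so nothing an attacker planted in advance is
# ever opened. Prints the path of the log file to use.
new_cleanup_file() {
    dir=$(mktemp -d "${TMPDIR:-/tmp}/patchwork.XXXXXX") || return 1
    chmod 700 "$dir"
    printf '%s/CLEANUP\n' "$dir"
}

# Append a preservation record, refusing symlinks and anything that is not a regular
# file. The private directory from new_cleanup_file is the real protection against a
# race; this check catches the helper being handed a shared or predictable path.
safe_log() {
    file=$1; dest=$2; tag=$3
    if [ -L "$file" ] || { [ -e "$file" ] && [ ! -f "$file" ]; }; then
        echo "refusing to write to $file: not a regular file" >&2
        return 1
    fi
    echo "EXISTING_FILE_PRESERVED: $dest $dest.$tag" >> "$file"
}
```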

References:

http://xforce.iss.net/xforce/xfdb/57149
http://www.securityfocus.com/bid/38928
http://www.securityfocus.com/archive/1/archive/1/510311/100/0/threaded
http://www.securityfocus.com/archive/1/archive/1/510305/100/0/threaded


Copyright 2019, cxsecurity.com