lists.openwall.net   lists  /  announce  owl-users  owl-dev  john-users  john-dev  passwdqc-users  yescrypt  popa3d-users  /  oss-security  kernel-hardening  musl  sabotage  tlsify  passwords  /  crypt-dev  xvendor  /  Bugtraq  Full-Disclosure  linux-kernel  linux-netdev  linux-ext4  linux-hardening  linux-cve-announce  PHC 
Open Source and information security mailing list archives
 
Hash Suite: Windows password security audit tool. GUI, reports in PDF.
[<prev] [next>] [day] [month] [year] [list] 
Date: Wed, 24 Mar 2010 13:26:48 -0400
From: bugs <bugs@....dhs.org>
To: <bugtraq@...urityfocus.com>
Subject: Symlink attack with Solaris Update manager and Sun Patch Cluster


Symlink attack with Solaris Update manager and Sun Patch Cluster

Larry W. Cashdollar

Vapid Labs http://vapid.dhs.org

1/24/2010

With the GUI Sun Update Manager being used to install patches on a system
local users can easily run scripts and create symlinks in an attempt to
clobber files and potentially escalate privileges as this application is
typically run in multi-user mode.
Many patches use insecure file creation in /tmp to store data during
installation. The easiest one to exploit is /tmp/CLEANUP which is used in a
handful of package installation scripts:

script code is typically:

CLEANUP_FILE=/tmp/CLEANUP
 echo "EXISTING_FILE_PRESERVED: ${dest} ${dest}.${TAG}" \
                        >> ${CLEANUP_FILE}
Similar code is found in:

./118833-36/SUNWcsr/install/i.renamenew
./118833-36/SUNWcsr/install/u.initd
./118833-36/SUNWcsr/install/i.initd
./118833-36/SUNWcsr/install/preinstall
./118833-36/SUNWintgige/install/i.renamenew
./118833-36/SUNWvolr/install/u.initd
./118833-36/SUNWvolr/install/i.initd
./118833-36/SUNWsndmu/install/postinstall
./118833-36/SUNWsacom/install/i.initd
./118833-36/SUNWsacom/install/u.initd
./118833-36/SUNWsndmr/install/postinstall
./118833-36/SUNWsndmr/install/i.renameold
./120272-26/SUNWsmmgr/install/u.initd
./120272-26/SUNWsmmgr/install/i.initd
./137093-01/SUNWcsr/install/i.renameold
./137137-09/SUNWnxge.u/install/i.renameold
./137137-09/SUNWcsr/install/i.renamenew
./137137-09/SUNWcsr/install/i.renameold
./137137-09/SUNWckr/install/i.renameold
./137137-09/SUNWnxge.v/install/i.renameold
./141444-09/SUNWixgbe/install/i.renamenew
./141444-09/SUNWnxge.u/install/i.renamenew
./141444-09/SUNWnxge.v/install/i.renamenew
./127127-11/SUNWtsg/install/preinstall
./127127-11/SUNWtsg/install/i.renamenew
./127127-11/SUNWtsu/install/i.renamenew
./127127-11/SUNWypr/install/i.renameold
./127127-11/SUNWcsr/install/i.group
./127127-11/SUNWcsr/install/i.pamconf
./127127-11/SUNWcsr/install/i.passwd
./127127-11/SUNWcsr/install/i.renamenew
./125555-06/SUNWcsu/reloc/usr/lib/patch/patch_override_dir/137137_SUNWnxge_i.renameold
./122660-10/SUNWcsr/install/preinstall
./119313-29/SUNWwbcor/install/i.initd
./119313-29/README.119313-29
./120011-14/SUNWckr/install/i.renameold
./120011-14/SUNWcsr/install/i.renamenew
./120011-14/SUNWcsr/install/i.renameold
./120011-14/SUNWcsr/install/preinstall
./120011-14/SUNWsndmu/install/postinstall
./120011-14/SUNWsndmr/install/i.renameold
./121453-02/undo_pkgs.pkg
./121453-02/payload.pkg
./121453-02/SUNWppror/install/i.initd
./122911-19/README.122911-19
./122911-19/SUNWapchr/install/i.initd
./122911-19/SUNWapchr/install/i.renamenew
./122911-19/SUNWapchr/install/u.initd
./122911-19/SUNWtcatr/install/i.renamenew
./139555-08/SUNWcsr/install/i.renamenew
./120543-15/SUNWapch2r/install/i.renamenew
./125215-03/SUNWwgetr/install/i.renamenew

If a user creates a symlink to a root owned file, /etc/shadow for example
it will be clobbered by the patch installation process if that patch
application applies to the system.

$ cd /tmp $ ln -s /etc/shadow CLEANUP

I was able to append the contents of CLEANUP to /etc/shadow.

There are other attackable files that are created as well. I have only
investigated the easiest one however.

Powered by blists - more mailing lists

Powered by Openwall GNU/*/Linux Powered by OpenVZ