srsexec in Sun Remote Services (SRS) Net Connect Software Proxy Core package in Sun Solaris 10 does not enforce file permissions when opening files, which allows local users to read the first line of arbitrary files via the -d and -v options.
Recent assessments:
h00die at March 25, 2020 12:46am UTC reported:
This is similar to CVE-2009-2936, but on a local binary instead of a network port. The binary, which is obscure and not easy to find, when given an arbitrary file as input with debug and verbose mode set, will attempt to load it. The arbitrary file will fail to load because it isnβt a correct file, and the first line will be echoed back to the screen, split at 20 characters in length. The binary also runs with the suid
bit set, so most likely youβll want /etc/shadow
to get rootβs hash.
Assessed Attacker Value: 4
Assessed Attacker Value: 4Assessed Attacker Value: 5
labs.idefense.com/intelligence/vulnerabilities/display.php?id=531
osvdb.org/35940
secunia.com/advisories/25194
sunsolve.sun.com/search/document.do?assetkey=1-26-102891-1
www.securityfocus.com/bid/23915
www.securitytracker.com/id?1018046
www.vupen.com/english/advisories/2007/1769
cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2007-2617
exchange.xforce.ibmcloud.com/vulnerabilities/34223
oval.cisecurity.org/repository/search/definition/oval%3Aorg.mitre.oval%3Adef%3A1920