Advisory #: 214
Title: Solaris 11 x86 nsdb-update-nci utility can reveal password in temporary file
Author: Larry W. Cashdollar
Date: 2020-10-20
CVE-ID:[CVE-2020-14758]
CWE:
Download Site: https://docs.oracle.com/cd/E36784_01/html/E36871/nsdb-update-nci-1m.html
Vendor: Oracle
Vendor Notified: 2020-02-25
Vendor Contact: securirty@oracle.com
Advisory:
Description: The nsdb-update-nci command marks a distinguished name on an LDAP server as a container for FedFS data by adding the fedfsNsdbContainerInfo object class to the root of the naming context and setting the fedfsNcePrefixR attribute to point to the relative DN from the root of the naming context.
Vulnerability:
The nsdb-update-nci utility uses /tmp in an insecure way, which can reveal the password through a temporary file in /tmp. The file names are predictable ($$ expands to the process ID of the shell running the script), and each file is created with separate rm, touch and chmod steps instead of being created atomically with restrictive permissions. The relevant lines of the script, with their line numbers:

41:rm -f /tmp/ldap_pw$$
42:touch /tmp/ldap_pw$$
43:chmod 600 /tmp/ldap_pw$$
44:echo $pw\\c >> /tmp/ldap_pw$$
48:rm -f /tmp/ldap_nce$$
49:touch /tmp/ldap_nce$$
50:echo "dn: $root" >> /tmp/ldap_nce$$
51:echo "changetype: add" >> /tmp/ldap_nce$$
52:echo "objectClass: top" >> /tmp/ldap_nce$$
53:echo "objectclass: organization" >> /tmp/ldap_nce$$
54:echo "objectclass: dcObject" >> /tmp/ldap_nce$$
55:echo "objectClass: fedfsNsdbContainerInfo" >> /tmp/ldap_nce$$
56:echo "o: $o" >> /tmp/ldap_nce$$
57:echo "dc: $o" >> /tmp/ldap_nce$$
59: echo "fedfsNceDN: $root" >> /tmp/ldap_nce$$
61: echo "fedfsNceDN: $nce,$root" >> /tmp/ldap_nce$$
63:$LDAPADD -h $nsdb -p $port -D "$admin,$root" -y /tmp/ldap_pw$$ < /tmp/ldap_nce$$
65: rm /tmp/ldap_nce$$
66: rm /tmp/ldap_pw$$
70:rm /tmp/ldap_nce$$
73: rm /tmp/ldap_pw$$
87:rm -f /tmp/ldap_dir$$
88:touch /tmp/ldap_dir$$
89:echo "dn: $nce,$root" >> /tmp/ldap_dir$$
90:echo "changetype: add" >> /tmp/ldap_dir$$
91:echo "objectclass: $longcomp" >> /tmp/ldap_dir$$
92:echo "$comp: $val" >> /tmp/ldap_dir$$
93:$LDAPADD -h $nsdb -p $port -D "$admin,$root" -y /tmp/ldap_pw$$ < /tmp/ldap_dir$$
95: rm /tmp/ldap_dir$$
96: rm /tmp/ldap_pw$$
99:rm /tmp/ldap_dir$$
100:rm /tmp/ldap_pw$$
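
A hardened form of the staging done in script lines 41-73, as an added example that is not Oracle's code and not part of the original advisory. The function name add_nce, its argument order and the empty-NCE branch test are assumptions; LDAPADD and the ldapadd flags are the ones shown in the excerpt.

```sh
#!/bin/sh
# Added example, not Oracle's code. add_nce and its argument order are
# hypothetical; LDAPADD and the ldapadd flags are those in the excerpt.

# add_nce NSDB PORT ADMIN ROOT O PASSWORD [NCE]
# The body is a subshell, so umask and traps do not leak to the caller.
add_nce() (
    nsdb=$1 port=$2 admin=$3 root=$4 o=$5 pw=$6 nce=${7:-}

    umask 077    # everything below is created owner-only from the start
    # mktemp -d chooses an unpredictable name and creates the directory
    # atomically with mode 0700; it fails rather than reuse an existing path.
    work=$(mktemp -d "${TMPDIR:-/tmp}/nsdb.XXXXXX") || exit 1
    trap 'rm -rf "$work"' EXIT       # cleanup on every exit path
    trap 'exit 1' HUP INT TERM       # signals also go through EXIT

    # printf '%s' writes the password verbatim with no trailing newline,
    # replacing the non-portable: echo $pw\\c
    printf '%s' "$pw" > "$work/ldap_pw" || exit 1

    {
        printf 'dn: %s\n' "$root"
        printf 'changetype: add\n'
        printf 'objectClass: top\n'
        printf 'objectclass: organization\n'
        printf 'objectclass: dcObject\n'
        printf 'objectClass: fedfsNsdbContainerInfo\n'
        printf 'o: %s\n' "$o"
        printf 'dc: %s\n' "$o"
        # Assumption: the excerpt omits the test that selects between
        # lines 59 and 61; an empty NCE is used here to pick the root form.
        if [ -z "$nce" ]; then
            printf 'fedfsNceDN: %s\n' "$root"
        else
            printf 'fedfsNceDN: %s,%s\n' "$nce" "$root"
        fi
    } > "$work/ldap_nce" || exit 1

    "$LDAPADD" -h "$nsdb" -p "$port" -D "$admin,$root" \
        -y "$work/ldap_pw" < "$work/ldap_nce"
    exit $?
)
```

The same directory can hold the ldap_dir LDIF from lines 87-100, so the password file is written once and removed once.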
Exploit Code:
Screen Shots:
Notes: