Title: Solaris 2.7/2.8 catman Temp File Vulnerability |
Author: Larry W. Cashdollar, @_larry0 |
Date: 2000-12-18 |
CVE-ID: CVE-2001-0095 |
CWE: |
Download Site: www.oracle.com |
Vendor: Oracle Systems |
Vendor Notified: 2000-11-23 |
Vendor Contact: |
Advisory: http://www.vapid.dhs.org/advisories/solaris_2.7_2.8_catman_race_condition_vulnerability.html |
Description: By symlinking the temporary files that /usr/bin/catman creates when it is run by root, a local user can clobber root-owned files. |
Vulnerability: The catman command creates preformatted versions of the online manual. It also creates the windex database for utilities like apropos and whatis. The problem is that catman creates a temporary file in /tmp with a name of the form /tmp/sman_pidofcatman. An attacker can monitor the process list for the execution of catman and create a symlink to a root-owned file. When it runs, catman will overwrite the contents of that file. This is a new bug for catman and is not addressed in the current patch cluster for Solaris 2.7 Sparc. |
Exploit Code: |
Screen Shots: |
Notes: 6024 |
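
The temporary-file handling described in the Vulnerability field, as an added C example that is not part of the original advisory and is not catman's source: it contrasts an open() that follows a pre-existing symlink with one that refuses it via O_EXCL and O_NOFOLLOW. The function names, the private mkdtemp() directory and the file contents are constructed for illustration.

```c
#ifndef _POSIX_C_SOURCE
#define _POSIX_C_SOURCE 200809L
#endif
#include <fcntl.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <unistd.h>

/* The pattern the advisory describes: a predictable name opened so that
 * an existing symlink is followed and its target truncated. */
static int open_unsafe(const char *p) {
    return open(p, O_WRONLY | O_CREAT | O_TRUNC, 0600);
}

/* Hardened: O_EXCL makes open() fail with EEXIST if anything, including a
 * symlink, already sits at the path; O_NOFOLLOW is defence in depth. */
static int open_safe(const char *p) {
    return open(p, O_WRONLY | O_CREAT | O_EXCL | O_NOFOLLOW, 0600);
}

/* Constructed scenario inside a private mkdtemp() directory: a symlink
 * named sman_<pid> already points at a stand-in protected file.
 * Returns 1 if that file was overwritten, 0 if intact, -1 on setup error. */
static int protected_file_clobbered(int (*opener)(const char *)) {
    char dir[] = "/tmp/catman_demo_XXXXXX";
    char target[128], tmp[128], buf[16] = {0};
    if (!mkdtemp(dir)) return -1;
    snprintf(target, sizeof target, "%s/protected", dir);
    snprintf(tmp, sizeof tmp, "%s/sman_%ld", dir, (long)getpid());
    int fd = open(target, O_WRONLY | O_CREAT | O_EXCL, 0600);
    if (fd < 0 || write(fd, "ORIGINAL", 8) != 8) return -1;
    close(fd);
    if (symlink(target, tmp) != 0) return -1;
    fd = opener(tmp);              /* the utility creating its temp file */
    if (fd >= 0) { if (write(fd, "manpage", 7) < 0) perror("write"); close(fd); }
    fd = open(target, O_RDONLY);
    ssize_t n = read(fd, buf, sizeof buf - 1);
    close(fd);
    unlink(tmp); unlink(target); rmdir(dir);
    return (n == 8 && memcmp(buf, "ORIGINAL", 8) == 0) ? 0 : 1;
}

int main(void) {
    printf("O_TRUNC open clobbers: %d\n", protected_file_clobbered(open_unsafe));
    printf("O_EXCL open clobbers:  %d\n", protected_file_clobbered(open_safe));
    return 0;
}
```

In real code, mkstemp() is the usual choice, since it combines an unpredictable name with exclusive creation.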