Title: Oracle Solaris Bind/Postinstall script for Bind package local root
Author: Larry W. Cashdollar, @_larry0
Date: 2013-01-14
CVE-ID: CVE-2013-0415
CWE:
Download Site: www.oracle.com
Vendor: Oracle Systems
Vendor Notified: 2013-01-15
Vendor Contact: security@oracle.com
Advisory: http://www.vapid.dhs.org/advisories/solaris_patch_cluster_race.html
Description: Solaris Sparc patch cluster January 2013.
Vulnerability: If the system administrator is updating the system using Update Manager or smpatch (multi-user mode), a race condition exists in the postinstall script for SUNWbindr that may lead to arbitrary code execution as root if the race is won.
Vulnerable code in:
./patches/119784-22/SUNWbindr/install/pkg_postinstall: UPGRADE=${TMP}/BIND_UPGRADE
./patches/119784-22/SUNWbindr/install/postinstall: UPGRADE=${TMP}/BIND_UPGRADE
vulnerable code:
UPGRADE=${TMP}/BIND_UPGRADE
rm -f $UPGRADE
(If I create the file first between these two steps, I should have ownership before it is overwritten and inject malicious code to get root.)
cat >> $UPGRADE <<-\UPDATESTART_METHOD
oset=$@ # Remember current options if any.
svc="svc:network/dns/server"
if [ -z "$TMP" ]; then
TMP="/tmp"
fi
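
A hardened way to create the helper file, shown as an added example that is not part of the original advisory or Oracle's script. The function names write_helper and create_exclusive, the bind_upgrade.XXXXXX template and the placeholder script body are assumptions made for illustration.

```shell
#!/bin/sh
# Added example (not Oracle's code): avoid the predictable-path race by
# never writing a root-run script to a fixed name in a shared directory.

# write_helper [BASE]: create a private directory under BASE (default /tmp),
# write a constructed placeholder script into it, and print its path.
write_helper() {
    base=${1:-/tmp}
    # mktemp -d makes a new mode-0700 directory with an unpredictable name
    # and fails instead of reusing an existing path.
    dir=$(mktemp -d "$base/bind_upgrade.XXXXXX") || return 1
    helper=$dir/BIND_UPGRADE
    (
        umask 077
        set -C   # noclobber: '>' refuses to open a file that already exists
        cat > "$helper" <<'EOF'
# constructed placeholder for the helper script body
svc="svc:network/dns/server"
EOF
    ) || { rm -rf "$dir"; return 1; }
    printf '%s\n' "$helper"
}

# create_exclusive PATH: minimal fix when the file name must stay fixed.
# Succeeds only if this call created PATH; a pre-existing file or symlink
# (including a dangling one) makes it fail without touching the target.
create_exclusive() {
    ( umask 077; set -C; : > "$1" ) 2>/dev/null
}
```

With either function the "rm -f" followed by "cat >>" sequence is replaced by a single create-or-fail step, so there is no window in which another user's file can be adopted.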
Notes: 89243