AOH :: HP Unsorted S :: BU-2094.HTM

Symlink attack with Solaris Update manager



Symlink attack with Solaris Update manager
Symlink attack with Solaris Update manager



Symlink attack with Solaris Update manager and Sun Patch Cluster
Larry W. Cashdollar
Vapid Labs
1/24/2009

Many patches use insecure file creation in /tmp to store data during installation.  The easiest one to exploit is /tmp/CLEANUP which is used in a handful of package installation scripts:

script code is typically:

CLEANUP_FILE=/tmp/CLEANUP
 echo "EXISTING_FILE_PRESERVED: ${dest} ${dest}.${TAG}" \
                        >> ${CLEANUP_FILE}
Similar code is found in:

./118833-36/SUNWcsr/install/i.renamenew
./118833-36/SUNWcsr/install/u.initd
./118833-36/SUNWcsr/install/i.initd
./118833-36/SUNWcsr/install/preinstall
./118833-36/SUNWintgige/install/i.renamenew
./118833-36/SUNWvolr/install/u.initd
./118833-36/SUNWvolr/install/i.initd
./118833-36/SUNWsndmu/install/postinstall
./118833-36/SUNWsacom/install/i.initd
./118833-36/SUNWsacom/install/u.initd
./118833-36/SUNWsndmr/install/postinstall
./118833-36/SUNWsndmr/install/i.renameold
./120272-26/SUNWsmmgr/install/u.initd
./120272-26/SUNWsmmgr/install/i.initd
./137093-01/SUNWcsr/install/i.renameold
./137137-09/SUNWnxge.u/install/i.renameold
./137137-09/SUNWcsr/install/i.renamenew
./137137-09/SUNWcsr/install/i.renameold
./137137-09/SUNWckr/install/i.renameold
./137137-09/SUNWnxge.v/install/i.renameold
./141444-09/SUNWixgbe/install/i.renamenew
./141444-09/SUNWnxge.u/install/i.renamenew
./141444-09/SUNWnxge.v/install/i.renamenew
./127127-11/SUNWtsg/install/preinstall
./127127-11/SUNWtsg/install/i.renamenew
./127127-11/SUNWtsu/install/i.renamenew
./127127-11/SUNWypr/install/i.renameold
./127127-11/SUNWcsr/install/i.group
./127127-11/SUNWcsr/install/i.pamconf
./127127-11/SUNWcsr/install/i.passwd
./127127-11/SUNWcsr/install/i.renamenew
./125555-06/SUNWcsu/reloc/usr/lib/patch/patch_override_dir/137137_SUNWnxge_i.renameold
./122660-10/SUNWcsr/install/preinstall
./119313-29/SUNWwbcor/install/i.initd
./119313-29/README.119313-29
./120011-14/SUNWckr/install/i.renameold
./120011-14/SUNWcsr/install/i.renamenew
./120011-14/SUNWcsr/install/i.renameold
./120011-14/SUNWcsr/install/preinstall
./120011-14/SUNWsndmu/install/postinstall
./120011-14/SUNWsndmr/install/i.renameold
./121453-02/undo_pkgs.pkg
./121453-02/payload.pkg
./121453-02/SUNWppror/install/i.initd
./122911-19/README.122911-19
./122911-19/SUNWapchr/install/i.initd
./122911-19/SUNWapchr/install/i.renamenew
./122911-19/SUNWapchr/install/u.initd
./122911-19/SUNWtcatr/install/i.renamenew
./139555-08/SUNWcsr/install/i.renamenew
./120543-15/SUNWapch2r/install/i.renamenew
./125215-03/SUNWwgetr/install/i.renamenew



If a user creates a symlink to a root owned file, /etc/shadow for example it will be clobbered by the patch installation process if that patch application applies to the system.

$ cd /tmp
$ ln -s /etc/shadow CLEANUP

I was able to append the contents of CLEANUP to /etc/shadow.

With the GUI Sun Update Manager being used to install patches on a system local users can easily run scripts and create symlinks in an attempt to clobber files and potentially escalate priviledges as this application is typically run in multi user mode.

There are other attackable files that are created as well. I have only investigated the easiest one however.

The entire AOH site is optimized to look best in Firefox® 3 on a widescreen monitor (1440x900 or better).
Site design & layout copyright © 1986-2014 AOH
We do not send spam. If you have received spam bearing an artofhacking.com email address, please forward it with full headers to abuse@artofhacking.com.