Lucene search
K
Database
Vendors
Products
Years
CVSS
Scanner
Agent Scanning
API Scanning
Manual Audit
Perimeter Scanner
Scanning
Projects
Email
Webhook
Plugins
Resources
Documents
Blog
Glossary
FAQ
Pricing
Contacts
About Us
Partners
Branding Guideline
securityvulnsSecurityvulnsSECURITYVULNS:DOC:14651
HistoryOct 12, 2006 - 12:00 a.m.

[Full-disclosure] iDefense Security Advisory 10.11.06: Sun Microsystems Solaris NSPR Library Arbitrary File Creation Vulnerability

2006-10-1200:00:00
vulners.com
15
JSON

Sun Microsystems Solaris NSPR Library Arbitrary File Creation Vulnerability

iDefense Security Advisory 10.11.06
http://www.idefense.com/intelligence/vulnerabilities/
Oct 11, 2006

I. BACKGROUND

The Netscape Portable Runtime (NSPR) API allows compliant applications
to use system facilities such as threads, thread synchronization, I/O,
interval timing, atomic operations and several other low-level services
in a platform-independent manner. More information can be found on
Mozilla's website at http://www.mozilla.org/projects/nspr/.

II. DESCRIPTION

Local exploitation of a design error vulnerability in version 4.6.1 of
NSPR, as included with Sun Microsystems Solaris 10, allows attackers to
create or overwrite arbitrary files on the system.

The problem exists because environment variables are used to create log
files. Even when the program is setuid, users can specify a log file
that will be created with elevated privileges.

III. ANALYSIS

Exploitation allows local attackers to elevate privileges to root.

IV. DETECTION

iDefense confirmed that Solaris 10 with NSPR version 4.6.1 is vulnerable
to privilege escalation. Additionally, iDefense has also confirmed via
the source code that version 4.6.2 does not address the vulnerability.

V. WORKAROUND

iDefense is currently unaware of any effective workaround for this
issue.

VI. VENDOR RESPONSE

Sun Microsystems has addressed this issue with Sun Security Alert 102658
which can be found at:
http://sunsolve.sun.com/search/document.do?assetkey=1-26-102658-1

VII. CVE INFORMATION

The Common Vulnerabilities and Exposures (CVE) project has assigned the
name CVE-2006-4842 to this issue. This is a candidate for inclusion in
the CVE list (http://cve.mitre.org), which standardizes names for
security problems.

VIII. DISCLOSURE TIMELINE

08/31/2006 Initial vendor notification
09/04/2006 Initial vendor response
10/11/2006 Coordinated public disclosure

IX. CREDIT

The discoverer of this vulnerability wishes to remain anonymous.

Get paid for vulnerability research
http://www.idefense.com/methodology/vulnerability/vcp.php

Free tools, research and upcoming events
http://labs.idefense.com/

X. LEGAL NOTICES

Copyright © 2006 iDefense, Inc.

Permission is granted for the redistribution of this alert
electronically. It may not be edited in any way without the express
written consent of iDefense. If you wish to reprint the whole or any
part of this alert in any other medium other than electronically, please
email [email protected] for permission.

Disclaimer: The information in the advisory is believed to be accurate
at the time of publishing based on currently available information. Use
of the information constitutes acceptance for use in an AS IS condition.
There are no warranties with regard to this information. Neither the
author nor the publisher accepts any liability for any direct, indirect,
or consequential loss or damage arising from use of, or reliance on,
this information.

Full-Disclosure - We believe in it.
Charter: http://lists.grok.org.uk/full-disclosure-charter.html
Hosted and sponsored by Secunia - http://secunia.com/

Related

seebug 9
canvas 1
packetstorm 1
zdt 1
exploitpack 5
cve 1
ubuntucve 1
exploitdb 5
nessus 18
seebug
seebug
Solaris 10 libnspr - constructor Local Root Exploit
2014-07-01 00:00:00
Sun Solaris Netscape Portable Runtime API 4.6.1 - Local Privilege Escalation Vulnerability (2)
2014-07-01 00:00:00
Solaris 10 libnspr LD_PRELOAD Arbitrary File Creation Local Root Exploit
2006-10-27 00:00:00
canvas
canvas
Immunity Canvas: CVE_2006_4842
2006-10-12 00:07:00
packetstorm
packetstorm
Solaris libnspr NSPR_LOG_FILE Privilege Escalation
2018-09-18 00:00:00
zdt
zdt
Solaris libnspr NSPR_LOG_FILE Privilege Escalation Exploit
2018-09-18 00:00:00
exploitpack
exploitpack
Solaris 10 libnspr - Constructor Arbitrary File Creation Privilege Escalation (3)
2006-10-24 00:00:00
Solaris 10 libnspr - LD_PRELOAD Arbitrary File Creation Privilege Escalation (2)
2006-10-16 00:00:00
Solaris 10 libnspr - LD_PRELOAD Arbitrary File Creation Privilege Escalation (1)
2006-10-13 00:00:00
cve
cve
CVE-2006-4842
2006-10-12 00:07:00
ubuntucve
ubuntucve
CVE-2006-4842
2006-10-12 00:00:00
exploitdb
exploitdb
Solaris 10 libnspr - 'LD_PRELOAD' Arbitrary File Creation Privilege Escalation (1)
2006-10-13 00:00:00
Sun Solaris Netscape Portable Runtime API 4.6.1 - Local Privilege Escalation (2)
2006-10-24 00:00:00
Solaris 10 libnspr - 'LD_PRELOAD' Arbitrary File Creation Privilege Escalation (2)
2006-10-16 00:00:00
nessus
nessus
Solaris 10 (x86) : 119214-33
2018-03-12 00:00:00
Solaris 10 (x86) : 119214-36 (deprecated)
2005-10-19 00:00:00
Solaris 10 (sparc) : 119213-36
2018-03-12 00:00:00
JSON
Related for SECURITYVULNS:DOC:14651
seebug9canvas1packetstorm1zdt1exploitpack5cve1ubuntucve1exploitdb5nessus18