Solaris patchadd Race Condition Vulnerability
BID:2127
Info
Solaris patchadd Race Condition Vulnerability
| Bugtraq ID: | 2127 |
| Class: | Race Condition Error |
| CVE: | |
| Remote: | No |
| Local: | Yes |
| Published: | Dec 18 2000 12:00AM |
| Updated: | Dec 18 2000 12:00AM |
| Credit: | This vulnerability was first announced by Jonathan Fortin <[email protected]> via Bugtraq on December 18, 2000. |
| Vulnerable: |
Sun Solaris 2.5.1 Sun Solaris 8_sparc Sun Solaris 7.0 Sun Solaris 2.6 |
| Not Vulnerable: | |
Discussion
Solaris patchadd Race Condition Vulnerability
patchadd is the patch management tool included with the Solaris Operating Environment, distributed by Sun Microsystems. A problem exists which could allow a user to corrupt or append system files.
The problem exists in the creation of /tmp files by patchadd. patchadd creates a variety of files in /tmp while installing the patches on the operating system. The files created in /tmp are mode 0666, and are created with the extension sh<pid of patchadd>.1, sh<pid of patchadd>.2, and so on. Running the program requires administrative access. It is possible to brute force guess the pid of patchadd, and create files in the /tmp directory that are symbolic links to sensitive system files.
It is therefore possible for a user with malicious intent to gain elevated privileges, corrupt system files, or execute arbitrary commands.
patchadd is the patch management tool included with the Solaris Operating Environment, distributed by Sun Microsystems. A problem exists which could allow a user to corrupt or append system files.
The problem exists in the creation of /tmp files by patchadd. patchadd creates a variety of files in /tmp while installing the patches on the operating system. The files created in /tmp are mode 0666, and are created with the extension sh<pid of patchadd>.1, sh<pid of patchadd>.2, and so on. Running the program requires administrative access. It is possible to brute force guess the pid of patchadd, and create files in the /tmp directory that are symbolic links to sensitive system files.
It is therefore possible for a user with malicious intent to gain elevated privileges, corrupt system files, or execute arbitrary commands.
Exploit / POC
Solution / Fix
Solaris patchadd Race Condition Vulnerability
Solution:
Currently the SecurityFocus staff are not aware of any vendor-supplied patches for this issue. If you feel we are in error or are aware of more recent information, please mail us at: [email protected] <mailto:[email protected]>.
Solution:
Currently the SecurityFocus staff are not aware of any vendor-supplied patches for this issue. If you feel we are in error or are aware of more recent information, please mail us at: [email protected] <mailto:[email protected]>.
References
Solaris patchadd Race Condition Vulnerability
References:
References: