Subject: Solaris patchadd(1) (3) symlink vulnerability
From: Jonathan Fortin (jfortinREVELEX.COM)
Date: Mon Dec 18 2000 - 05:02:58 CST


Greetings Bugtraq,

I was playing around with patchadd and the bug was found when I issued a
"truss -f -o patch.log patchadd patch" where patch was a tarball and then
patchadd emitted an error because of it being a tarball, so then when I went
through the debug output, I found out that there was a serious race
condition vulnerability.

   Line  Pid    exec call

   105: 12869: open64("/tmp/sh12869.1", O_RDWR|O_CREAT|O_TRUNC, 0666) = 3
   136: 12869: open64("/tmp/sh12869.2", O_RDWR|O_CREAT|O_TRUNC, 0666) = 3
   481: 12869: open64("/tmp/sh12869.3", O_RDWR|O_CREAT|O_TRUNC, 0666) = 3

   file "/tmp/sh12869.1":

   105: 12869: open64("/tmp/sh12869.1", O_RDWR|O_CREAT|O_TRUNC, 0666) = 3
   106: 12869: write(3, "\n U s a g e : p a t c".., 482) = 482
   107: 12869: close(3)

   file "/tmp/sh12869.2":

   136: 12869: open64("/tmp/sh12869.2", O_RDWR|O_CREAT|O_TRUNC, 0666) = 3
   137: 12869: write(3, " m a i l =\n i n s t a n".., 145) = 145
   138: 12869: close(3)

   file "/tmp/sh12869.3":

   481: 12869: open64("/tmp/sh12869.3", O_RDWR|O_CREAT|O_TRUNC, 0666) = 3
   482: 12869: close(61) Err#9 EBADF
   483: 12869: fcntl(3, F_DUPFD, 0x0000003D) = 61
   484: 12869: close(3)

Race Condition
Remote: NO
Local:  YES

Vulnerable: I only checked Solaris 2.7 sparc with latest install_cluster
installed.

Discussion:

When patchadd is executed, it creates temporary files called
"/tmp/sh<pidofpatchadd>.1", "/tmp/sh<pidofpatchadd>.2" and
"/tmp/sh<pidofpatchadd>.3", assigns them mode 666, and they get unlink'd upon
exit. A vulnerability exists in patchadd, a patch utility shipped with
Solaris, whereas if an attacker predicts the correct pid of the next
process before execution of patchadd by another user, or if he creates a few
hundred symlinks to brute force the pid before execution of patchadd, he can,
with a symbolic link pointing to a specific key system file, overwrite the
contents of the file. He can do up to 3 files simultaneously, and the user will
be able to make his own modifications to this file since this file would have
world-write permissions, resulting in an increase of privilege and host
compromise.
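The root cause visible in the truss output is the temp-file idiom itself: a predictable name under /tmp, opened with O_CREAT|O_TRUNC and mode 0666, which follows any symlink already sitting at that path. The following is an added secure-coding illustration, not code from the original post or from Sun's patchadd: it places the legacy open() next to two hardened variants (O_CREAT|O_EXCL|O_NOFOLLOW with mode 0600, and mkstemp) and exercises all three against a constructed victim file and a pre-planted symlink in a scratch directory created with mkdtemp. The file name sh12869.1 is taken from the truss log above; the scratch directory, victim file and its contents are constructed for the demo.

```c
#ifndef _GNU_SOURCE
#define _GNU_SOURCE
#endif
#include <errno.h>
#include <fcntl.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <sys/stat.h>
#include <unistd.h>

/* Legacy idiom matching the truss output: predictable name, O_TRUNC, mode 0666.
 * If a symlink already occupies the path, open() follows it and truncates the
 * link target instead of creating a private temp file. */
int open_tmp_predictable(const char *path)
{
    return open(path, O_RDWR | O_CREAT | O_TRUNC, 0666);
}

/* Hardened idiom: O_EXCL makes creation fail if anything (a symlink included)
 * already exists at the path; O_NOFOLLOW refuses symlinks outright; 0600 keeps
 * the file private to the invoking user. */
int open_tmp_exclusive(const char *path)
{
    return open(path, O_RDWR | O_CREAT | O_EXCL | O_NOFOLLOW, 0600);
}

/* Preferred idiom: mkstemp chooses an unpredictable name and opens it with
 * O_EXCL atomically. The template must end in "XXXXXX". */
int open_tmp_mkstemp(char *template_buf)
{
    return mkstemp(template_buf);
}

/* Demo harness (constructed): builds a scratch directory holding a victim
 * file plus a symlink at the predictable temp name, then runs each idiom.
 * Returns 1 when the legacy open truncated the victim, the exclusive open
 * refused the symlink, and mkstemp created a fresh file; 0 otherwise. */
int demo_symlink_race(void)
{
    char dir[] = "/tmp/symlinkdemoXXXXXX";      /* constructed scratch dir */
    if (mkdtemp(dir) == NULL)
        return 0;

    char victim[256], link[256], tmpl[256];
    snprintf(victim, sizeof victim, "%s/victim.txt", dir);
    snprintf(link, sizeof link, "%s/sh12869.1", dir); /* name from the truss log */
    snprintf(tmpl, sizeof tmpl, "%s/patchXXXXXX", dir);

    /* Victim file with known, non-empty content (constructed). */
    FILE *f = fopen(victim, "w");
    if (f == NULL)
        return 0;
    fputs("important system data\n", f);
    fclose(f);

    /* Symlink pre-planted at the predictable temp path. */
    if (symlink(victim, link) != 0)
        return 0;

    /* 1. Legacy open follows the link: the victim is truncated to 0 bytes. */
    int fd = open_tmp_predictable(link);
    if (fd >= 0)
        close(fd);
    struct stat st;
    int truncated = (stat(victim, &st) == 0 && st.st_size == 0);

    /* 2. Hardened open refuses: EEXIST (O_EXCL) or ELOOP (O_NOFOLLOW). */
    int fd2 = open_tmp_exclusive(link);
    int refused = (fd2 < 0 && (errno == EEXIST || errno == ELOOP));
    if (fd2 >= 0)
        close(fd2);

    /* 3. mkstemp creates an unpredictable, private file. */
    int fd3 = open_tmp_mkstemp(tmpl);
    int created = (fd3 >= 0);
    if (fd3 >= 0) {
        close(fd3);
        unlink(tmpl);
    }

    /* Remove the scratch files. */
    unlink(link);
    unlink(victim);
    rmdir(dir);

    return truncated && refused && created;
}

int main(void)
{
    printf("legacy open truncated victim, hardened opens refused/created: %s\n",
           demo_symlink_race() ? "yes" : "no");
    return 0;
}
```

The exclusive variant still uses a caller-chosen name, so a collision merely fails safely rather than being impossible; mkstemp removes the predictability as well, which is why it is the form to reach for in shell-wrapper style tools like the one traced above.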

Exploit:

1. Email admin telling him there's a new patch out there that needs to be
installed.
2. Create a perl/C script that will copy /etc/passwd and /etc/shadow to a
hidden file that you will want to be appended to /etc/shadow/passwd later
on, get the next current available process , create 2 symlinks and when the
current process id is taken, then stat for /etc/passwd and /etc/shadow to be
666, if not avail, do it again, when avail, append a user with id 0 no
password to those hidden files , then those files will truncate /etc/passwd
and /etc/shadow then will be appended to them and send ya an email to login
and take advantage!
3. su trojand_user
4. #

Solutions:

None that I can think of, setting $TMPDIR didn't work, chroot won't work
because you're applying patches to your current root unless you want to cp -rp
them to your real root after but that would be shitty.

hrm.. :<

Only solution is to rm -rf /tmp/* /tmp/.* , pull out twisted pair cables
from the box, then make sure no users are on, make sure there's no cron/at
job running by 3rd party user, and then invoke patchadd :) (I'm trying to be funny)

Thank you

Sincerely,

Jonathan Fortin

*************************************
* Jonathan Fortin, Unix Engineer *
* Company: Revelex Corporation *
* Email: jfortinrevelex.com *
* Mobile: 514-244-6208 *
* Tel: 514-938-8405 *
*************************************