{"id": "OSVDB:5899", "bulletinFamily": "software", "title": "SunOS loadmodule Double IFS Privilege Escalation", "description": "## Vulnerability Description\nSunOS contains a flaw in loadmodule that may allow a malicious local user to gain unauthorized root privileges. The issue is due to the way the loadmodule program fails to sanitize the path environment variable. Sun attempted to patch this by clearing the IFS variable but it can still be exploited by setting the IFS variable twice. This flaw may lead to a loss of Confidentiality and Integrity.\n## Solution Description\nCurrently, there are no known workarounds or upgrades to correct this issue. However, Sun Microsystems has released a patch to address this vulnerability.\n## Short Description\nSunOS contains a flaw in loadmodule that may allow a malicious local user to gain unauthorized root privileges. The issue is due to the way the loadmodule program fails to sanitize the path environment variable. Sun attempted to patch this by clearing the IFS variable but it can still be exploited by setting the IFS variable twice. This flaw may lead to a loss of Confidentiality and Integrity.\n## References:\nVendor Specific Solution URL: http://sunsolve.sun.com/pub-cgi/retrieve.pl?doc=fpatches%2F100448&zone_32=100448-03\n[Vendor Specific Advisory URL](http://sunsolve.sun.com/pub-cgi/retrieve.pl?doctype=coll&doc=secbull/114&type=0&nav=sec.sba)\n[Related OSVDB ID: 5861](https://vulners.com/osvdb/OSVDB:5861)\n[Related OSVDB ID: 5860](https://vulners.com/osvdb/OSVDB:5860)\nOther Advisory URL: http://www.attrition.org/security/advisory/8lgm/8lgm-23.txt\nMail List Post: http://archives.neohapsis.com/archives/bugtraq/1995_3/0256.html\nISS X-Force ID: 498\n[CVE-1999-0282](https://vulners.com/cve/CVE-1999-0282)\n[CVE-1999-1586](https://vulners.com/cve/CVE-1999-1586)\nCIAC Advisory: g-02\nCERT: CA-1995-12\nCERT: CA-1993-18\n", "published": "1995-01-02T00:00:00", "modified": "1995-01-02T00:00:00", "cvss": {"score": 7.2, "vector": "AV:LOCAL/AC:LOW/Au:NONE/C:COMPLETE/I:COMPLETE/A:COMPLETE/"}, "href": "https://vulners.com/osvdb/OSVDB:5899", "reporter": "OSVDB", "references": [], "cvelist": ["CVE-1999-1586", "CVE-1999-0282"], "type": "osvdb", "lastseen": "2017-04-28T13:20:00", "history": [], "edition": 1, "hashmap": [{"key": "affectedSoftware", "hash": "8a60935bf187cb5b406b94f28ede833a"}, {"key": "bulletinFamily", "hash": "f9fa10ba956cacf91d7878861139efb9"}, {"key": "cvelist", "hash": "aa7f8c1c95261aadd76af87dec0fa9fa"}, {"key": "cvss", "hash": "cfd16da9581e0c21db590e40dfd9e493"}, {"key": "description", "hash": "f33e42ddb425d1dda75a10801026e846"}, {"key": "href", "hash": "1fe57a5c47614bac8f4c260d3db346e3"}, {"key": "modified", "hash": "c895624c0a57026c7e105b7d38774bb1"}, {"key": "objectVersion", "hash": "56765472680401499c79732468ba4340"}, {"key": "published", "hash": "c895624c0a57026c7e105b7d38774bb1"}, {"key": "references", "hash": "d41d8cd98f00b204e9800998ecf8427e"}, {"key": "reporter", "hash": "955b328dc7cd615c13af5464c9183464"}, {"key": "title", "hash": "4694686cf0936684769a46db5200b9af"}, {"key": "type", "hash": "1327ac71f7914948578f08c54f772b10"}], "hash": "07df08dc1053ebb0a0dd0fdafd4ed295f8d6ec3f50d0c78ead603fb3735f4d67", "viewCount": 1, "objectVersion": "1.2", "affectedSoftware": [{"name": "SunOS", "operator": "eq", "version": "4.1.x"}], "enchantments": {"vulnersScore": 7.2}}

{"result": {"cve": [{"id": "CVE-1999-1586", "type": "cve", "title": "CVE-1999-1586", "description": "loadmodule in SunOS 4.1.x, as used by xnews, does not properly sanitize its environment, which allows local users to gain privileges, a different vulnerability than CVE-1999-1584.", "published": "1999-12-31T00:00:00", "cvss": {"score": 7.2, "vector": "AV:LOCAL/AC:LOW/Au:NONE/C:COMPLETE/I:COMPLETE/A:COMPLETE/"}, "href": "https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-1999-1586", "cvelist": ["CVE-1999-1586"], "lastseen": "2017-07-11T11:13:59"}, {"id": "CVE-1999-0282", "type": "cve", "title": "CVE-1999-0282", "description": "** REJECT ** DO NOT USE THIS CANDIDATE NUMBER. ConsultIDs: CVE-1999-1584, CVE-1999-1586. Reason: This candidate combined references from one issue with the description from another issue. Notes: Users should consult CVE-1999-1584 and CVE-1999-1586 to obtain the appropriate name. All references and descriptions in this candidate have been removed to prevent accidental usage.", "published": "1997-09-23T00:00:00", "cvss": {"score": 0.0, "vector": "NONE"}, "href": "https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-1999-0282", "cvelist": ["CVE-1999-0282"], "lastseen": "2016-09-03T02:11:36"}], "osvdb": [{"id": "OSVDB:5860", "type": "osvdb", "title": "SunOS loadmodule Path Environment Privilege Escalation", "description": "## Vulnerability Description\nSunOS version 4.1.x contains a flaw in loadmodule that may allow a malicious local user to gain unauthorized root privileges. The issue is due to the way the loadmodule program fails to sanitize the path environment variable. This flaw may lead to a loss of Confidentiality and Integrity.\n## Solution Description\nCurrently, there are no known workarounds or upgrades to correct this issue. However, Sun Microsystems has released a patch to address this vulnerability.\n## Short Description\nSunOS version 4.1.x contains a flaw in loadmodule that may allow a malicious local user to gain unauthorized root privileges. The issue is due to the way the loadmodule program fails to sanitize the path environment variable. This flaw may lead to a loss of Confidentiality and Integrity.\n## Manual Testing Notes\n$ set path=(. $path)\n$ echo \"/bin/sh\" > ld\n$ chmod 711 ld\n$ /usr/openwin/loadmodule sd.o evqload\n# whoami\n\n## References:\nVendor Specific Solution URL: http://sunsolve.sun.com/pub-cgi/retrieve.pl?doc=fpatches%2F100448&zone_32=100448-03\n[Vendor Specific Advisory URL](http://sunsolve.sun.com/pub-cgi/retrieve.pl?doctype=coll&doc=secbull/114&type=0&nav=sec.sba)\n[Related OSVDB ID: 5861](https://vulners.com/osvdb/OSVDB:5861)\n[Related OSVDB ID: 5899](https://vulners.com/osvdb/OSVDB:5899)\nISS X-Force ID: 498\n[CVE-1999-0282](https://vulners.com/cve/CVE-1999-0282)\n[CVE-1999-1586](https://vulners.com/cve/CVE-1999-1586)\nCIAC Advisory: g-02\nCERT: CA-1995-12\nCERT: CA-1993-18\n", "published": "1995-01-02T00:00:00", "cvss": {"score": 7.2, "vector": "AV:LOCAL/AC:LOW/Au:NONE/C:COMPLETE/I:COMPLETE/A:COMPLETE/"}, "href": "https://vulners.com/osvdb/OSVDB:5860", "cvelist": ["CVE-1999-1586", "CVE-1999-0282"], "lastseen": "2017-04-28T13:20:00"}, {"id": "OSVDB:5861", "type": "osvdb", "title": "SunOS modload Root Privilege Escalation", "description": "## Vulnerability Description\nSun Microsystems SunOS contains a flaw that may allow a malicious user to gain access to unauthorized privileges. The issue is triggered when an error in the modload program related to environment variables occurs. This flaw may lead to an escliation of user privledges.\n## Solution Description\nCurrently, there are no known workarounds or upgrades to correct this issue. However, Sun Microsystems has released a patch '101200-02' to address this vulnerability.\n## Short Description\nSun Microsystems SunOS contains a flaw that may allow a malicious user to gain access to unauthorized privileges. The issue is triggered when an error in the modload program related to environment variables occurs. This flaw may lead to an escliation of user privledges.\n## References:\nVendor Specific Solution URL: http://sunsolve.sun.com/pub-cgi/findPatch.pl?patchId=101200&rev=02\n[Vendor Specific Advisory URL](http://sunsolve.sun.com/pub-cgi/retrieve.pl?doctype=coll&doc=secbull/124&type=0&nav=sec.sba)\n[Related OSVDB ID: 5860](https://vulners.com/osvdb/OSVDB:5860)\nISS X-Force ID: 551\n[CVE-1999-0282](https://vulners.com/cve/CVE-1999-0282)\n[CVE-1999-1584](https://vulners.com/cve/CVE-1999-1584)\nCIAC Advisory: g-02\nCERT: CA-1993-18\n", "published": "1993-12-01T00:00:00", "cvss": {"score": 10.0, "vector": "AV:NETWORK/AC:LOW/Au:NONE/C:COMPLETE/I:COMPLETE/A:COMPLETE/"}, "href": "https://vulners.com/osvdb/OSVDB:5861", "cvelist": ["CVE-1999-0282", "CVE-1999-1584"], "lastseen": "2017-04-28T13:20:00"}]}}