Solaris Update Manager / Sun Patch Cluster Symlink Attack

Reported 25 Mar 2010 by Larry W. Cashdollar. Type: packetstorm. Source: packetstormsecurity.com

A symlink attack against Solaris Update Manager and Sun Patch Cluster can lead to privilege escalation: patch installation scripts use insecure file creation in /tmp, so a local user can manipulate what they write. The specific vulnerable file described here is /tmp/CLEANUP.

Code

Symlink attack with Solaris Update Manager and Sun Patch Cluster

Larry W. Cashdollar

Vapid Labs http://vapid.dhs.org

1/24/2010

With the GUI Sun Update Manager being used to install patches on a system,
local users can easily run scripts and create symlinks in an attempt to
clobber files and potentially escalate privileges, as this application is
typically run in multi-user mode.

Many patches use insecure file creation in /tmp to store data during
installation. The easiest one to exploit is /tmp/CLEANUP, which is used in a
handful of package installation scripts.

The script code is typically:

```sh
CLEANUP_FILE=/tmp/CLEANUP
echo "EXISTING_FILE_PRESERVED: ${dest} ${dest}.${TAG}" \
>> ${CLEANUP_FILE}
```
Similar code is found in:  
  
./118833-36/SUNWcsr/install/i.renamenew  
./118833-36/SUNWcsr/install/u.initd  
./118833-36/SUNWcsr/install/i.initd  
./118833-36/SUNWcsr/install/preinstall  
./118833-36/SUNWintgige/install/i.renamenew  
./118833-36/SUNWvolr/install/u.initd  
./118833-36/SUNWvolr/install/i.initd  
./118833-36/SUNWsndmu/install/postinstall  
./118833-36/SUNWsacom/install/i.initd  
./118833-36/SUNWsacom/install/u.initd  
./118833-36/SUNWsndmr/install/postinstall  
./118833-36/SUNWsndmr/install/i.renameold  
./120272-26/SUNWsmmgr/install/u.initd  
./120272-26/SUNWsmmgr/install/i.initd  
./137093-01/SUNWcsr/install/i.renameold  
./137137-09/SUNWnxge.u/install/i.renameold  
./137137-09/SUNWcsr/install/i.renamenew  
./137137-09/SUNWcsr/install/i.renameold  
./137137-09/SUNWckr/install/i.renameold  
./137137-09/SUNWnxge.v/install/i.renameold  
./141444-09/SUNWixgbe/install/i.renamenew  
./141444-09/SUNWnxge.u/install/i.renamenew  
./141444-09/SUNWnxge.v/install/i.renamenew  
./127127-11/SUNWtsg/install/preinstall  
./127127-11/SUNWtsg/install/i.renamenew  
./127127-11/SUNWtsu/install/i.renamenew  
./127127-11/SUNWypr/install/i.renameold  
./127127-11/SUNWcsr/install/i.group  
./127127-11/SUNWcsr/install/i.pamconf  
./127127-11/SUNWcsr/install/i.passwd  
./127127-11/SUNWcsr/install/i.renamenew  
./125555-06/SUNWcsu/reloc/usr/lib/patch/patch_override_dir/137137_SUNWnxge_i.renameold  
./122660-10/SUNWcsr/install/preinstall  
./119313-29/SUNWwbcor/install/i.initd  
./119313-29/README.119313-29  
./120011-14/SUNWckr/install/i.renameold  
./120011-14/SUNWcsr/install/i.renamenew  
./120011-14/SUNWcsr/install/i.renameold  
./120011-14/SUNWcsr/install/preinstall  
./120011-14/SUNWsndmu/install/postinstall  
./120011-14/SUNWsndmr/install/i.renameold  
./121453-02/undo_pkgs.pkg  
./121453-02/payload.pkg  
./121453-02/SUNWppror/install/i.initd  
./122911-19/README.122911-19  
./122911-19/SUNWapchr/install/i.initd  
./122911-19/SUNWapchr/install/i.renamenew  
./122911-19/SUNWapchr/install/u.initd  
./122911-19/SUNWtcatr/install/i.renamenew  
./139555-08/SUNWcsr/install/i.renamenew  
./120543-15/SUNWapch2r/install/i.renamenew  
./125215-03/SUNWwgetr/install/i.renamenew  
  
If a user creates a symlink to a root-owned file, /etc/shadow for example,
it will be clobbered by the patch installation process if that patch
is applied to the system.

```sh
$ cd /tmp
$ ln -s /etc/shadow CLEANUP
```

I was able to append the contents of CLEANUP to /etc/shadow.

There are other attackable files that are created as well. I have only
investigated the easiest one, however.
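As an added defender's example (not part of Cashdollar's advisory and not Sun's patch script code), the following POSIX shell shows the insecure `/tmp/CLEANUP` pattern quoted above beside a hardened equivalent, plus an audit helper that lists install scripts under an unpacked patch tree which hard-code a fixed `/tmp/NAME` path. The function names, the `patchcleanup.XXXXXX` template and the sample patch tree in the usage are assumptions; the script also assumes `mktemp(1)` and a `test(1)` that supports `-L` are available.

```sh
#!/bin/sh
# Added example, not from the original advisory or the Sun patch scripts.
# Assumes mktemp(1) and test -L are available (hypothetical helper names).

# --- Insecure pattern, as quoted in the advisory (for comparison only) ---
#   CLEANUP_FILE=/tmp/CLEANUP
#   echo "EXISTING_FILE_PRESERVED: ${dest} ${dest}.${TAG}" >> ${CLEANUP_FILE}
# A fixed, predictable name in a world-writable directory lets any local user
# pre-create it, or a symlink, before root runs the script.

# Hardened: create a private, unpredictable temp directory (mode 0700) and a
# 0600 file inside it, so no other user can place a symlink in the path.
make_cleanup_file() {
    cleanup_dir=$(mktemp -d "${TMPDIR:-/tmp}/patchcleanup.XXXXXX") || return 1
    CLEANUP_FILE="$cleanup_dir/CLEANUP"
    # umask 077 -> file is created 0600; set -C (noclobber) makes the
    # redirection fail instead of writing through a pre-existing file.
    ( umask 077; set -C; : > "$CLEANUP_FILE" ) || return 1
    printf '%s\n' "$CLEANUP_FILE"
}

# Defense in depth: append a record only if the target is a regular file
# and not a symlink. On its own this check is racy; the private directory
# above is what actually closes the hole.
safe_append() {
    target=$1; shift
    if [ -L "$target" ] || [ ! -f "$target" ]; then
        echo "refusing to write: $target is a symlink or not a regular file" >&2
        return 1
    fi
    printf '%s\n' "$*" >> "$target"
}

# Audit helper: list scripts under a patch tree that assign a fixed /tmp path
# (the pattern the advisory's file list was built from).
find_fixed_tmp_paths() {
    dir=$1
    find "$dir" -type f -exec grep -l '=/tmp/[A-Za-z0-9_.]*[[:space:]]*$' {} + 2>/dev/null
}

# Usage on a constructed sample tree (not a real patch cluster):
#   make_cleanup_file            -> prints e.g. /tmp/patchcleanup.AbC123/CLEANUP
#   safe_append "$f" "EXISTING_FILE_PRESERVED: /etc/foo /etc/foo.tag"
#   find_fixed_tmp_paths ./137137-09   -> lists scripts hard-coding /tmp/NAME
```

Running `find_fixed_tmp_paths` over an unpacked patch cluster reproduces the kind of candidate list given in the advisory and is a quick way to triage which install scripts still need the private-directory fix.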
