Solaris at Utility Lets Local Users Gain Root Access
SecurityTracker Alert ID: 1001732
SecurityTracker URL: http://securitytracker.com/id/1001732
Date: Jun 12 2001
Impact: Execution of arbitrary code via local system, Root access via local system
Version(s): Solaris 7 and 8
A vulnerability has been reported in the Sun Solaris at(1) batch-job utility that allows local users to gain root-level privileges on the host.
A local user can reportedly build a custom message catalog (message database) containing an arbitrary format string and set the NLSPATH environment variable so that the locale subsystem's gettext() function, used for internationalization, fetches messages from that catalog. When the user then runs the "at" command [possibly with specific command line arguments], gettext() follows NLSPATH, finds the user-supplied string in place of the expected translated message, and at passes that string to a printf(3)-family function as its format. Because at runs with root privileges, the attacker-controlled format string is interpreted with root-level privileges.
A local user can cause arbitrary shell commands to be executed on the host with root-level privileges.
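The mechanism above is the general message-catalog format-string pattern: the program's own message is the lookup key, and the text gettext() returns is used verbatim as the printf(3) format. The following C program is an added example written for this page, not code from Sun or from the advisory. It stands in for the NLSPATH catalog with an in-memory table (constructed data), shows the vulnerable call shape beside a hardened one, and implements the check a careful caller can apply: accept a translation only if its argument-consuming directives match the original's one for one, refusing %n and positional %N$ outright. The names checked_gettext, format_matches and demo_report are hypothetical; this is not Sun's fix, and real gettext() reads catalog files rather than a table.

```c
#include <stdio.h>
#include <string.h>
#include <stdbool.h>

#define MAX_SPECS 32

/* Record the argument-consuming directives of a printf-style format, in order:
 * each conversion character ('s', 'x', ...) and each '*' width/precision.
 * Returns the count, or -1 if the format is truncated, uses %n (a write to
 * memory) or a positional %N$ (lets a catalog swap argument types).
 * "%%" is skipped because it consumes no argument. */
static int extract_specs(const char *fmt, char out[MAX_SPECS]) {
    int n = 0;
    for (const char *p = fmt; *p; p++) {
        if (*p != '%') continue;
        p++;
        if (*p == '%') continue;
        while (*p && strchr("0123456789-+ #'.*", *p)) {   /* flags, width, precision */
            if (*p == '*') {
                if (n >= MAX_SPECS) return -1;
                out[n++] = '*';
            }
            p++;
        }
        while (*p && strchr("hlLqjzt", *p)) p++;          /* length modifiers */
        if (*p == '\0' || *p == 'n' || *p == '$' || n >= MAX_SPECS) return -1;
        out[n++] = *p;
    }
    return n;
}

/* True only if the translation's directives match the original's one for one. */
bool format_matches(const char *orig, const char *xlat) {
    char a[MAX_SPECS], b[MAX_SPECS];
    int na = extract_specs(orig, a);
    int nb = extract_specs(xlat, b);
    if (na < 0 || nb < 0 || na != nb) return false;
    return memcmp(a, b, (size_t)na) == 0;
}

/* Hypothetical wrapper: use the catalog text only when it is format-safe,
 * otherwise fall back to the program's own (trusted) message. */
const char *checked_gettext(const char *orig, const char *xlat) {
    return format_matches(orig, xlat) ? xlat : orig;
}

/* Constructed stand-in for a user-supplied catalog reached through NLSPATH.
 * The "translation" of at's success message is a classic format-string
 * payload: %x to walk the stack, %n to write to memory. */
struct msg { const char *id; const char *str; };
static const struct msg evil_catalog[] = {
    { "commands will be executed using: %s\n", "%x %x %x %x %n\n" },
};

static const char *catalog_lookup(const struct msg *cat, size_t count, const char *id) {
    for (size_t i = 0; i < count; i++)
        if (strcmp(cat[i].id, id) == 0) return cat[i].str;
    return id;   /* no translation: gettext() hands back the original */
}

static const char *const AT_MSG = "commands will be executed using: %s\n";

/* Vulnerable pattern from the advisory: whatever the catalog returns becomes
 * the format. Deliberately not called below; with evil_catalog it would
 * write to memory through %n. */
void report_shell_vulnerable(const char *xlat, const char *shell) {
    printf(xlat, shell);
}

/* Hardened pattern: the translation is vetted before it reaches snprintf. */
const char *demo_report(const char *xlat, const char *shell) {
    static char buf[128];
    snprintf(buf, sizeof buf, checked_gettext(AT_MSG, xlat), shell);
    return buf;
}

int main(void) {
    const char *xlat = catalog_lookup(evil_catalog, 1, AT_MSG);
    printf("catalog returned: %s", xlat);
    fputs(demo_report(xlat, "/bin/sh"), stdout);   /* falls back to the English text */
    return 0;
}
```

The check compares directive sequences, not whole strings, so a legitimate translation that reorders words or changes width and precision still passes, while a catalog entry that adds, drops or retypes a conversion is rejected. It is a caller-side mitigation only: the root cause remains a setuid program trusting an environment-selected catalog, and a setuid binary that ignores NLSPATH (or uses only system catalog directories) removes the attack surface regardless of how the format is later used.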
No solution was available at the time of this entry.
Vendor URL: www.sun.com/
Cause: Access control error, Input validation error
Underlying OS: UNIX (Solaris - SunOS)
Source Message Contents
Date: Tue, 12 Jun 2001 10:20:23 +0800
Subject: "at" is vulnerable on Solaris 7 and 8
We found that "at" in Solaris is vulnerable on Solaris 7 and 8.
This kind of bug is discussed in Bugtraq ID 1634.
Generally a program that needs to display a message to the user will obtain the proper language-specific string from the database using the original message as the search key and print the results using the printf(3) family of functions. By building and installing a custom messages database an attacker can control the output of the message retrieval functions that get fed to the

Bad coding practices and the ability to feed format strings to the latter functions make it possible for an attacker to execute arbitrary code as a privileged user (root) using almost any SUID program on the vulnerable systems.
When the "at" command succeeds, it returns the message:
"commands will be executed using: <shell>\n"
The user can create a specific format string for this message for gettext(),
and set the NLSPATH environment variable.
That way, the user may get root privilege.
The exploit will be released later.
R&D Team, ISS-TW