Keep Track of the Latest Vulnerabilities
with SecurityTracker!
    Home    |    View Topics    |    Search    |    Contact Us    |   


Sign Up
Sign Up for Your FREE Weekly SecurityTracker E-mail Alert Summary
Instant Alerts
Buy our Premium Vulnerability Notification Service to receive customized, instant alerts
Put SecurityTracker Vulnerability Alerts on Your Web Site -- It's Free!
Become a Partner and License Our Database or Notification Service
Report a Bug
Report a vulnerability that you have found to SecurityTracker

Category:   Application (Generic)  >   At Vendors:   Sun
Solaris at Utility Lets Local Users Gain Root Access
SecurityTracker Alert ID:  1001732
SecurityTracker URL:
CVE Reference:   GENERIC-MAP-NOMATCH   (Links to External Site)
Date:  Jun 12 2001
Impact:   Execution of arbitrary code via local system, Root access via local system

Version(s): Solaris 7 and 8
Description:   A vulnerability has been reported in the Sun Solaris at command-batch utility that allows local users to gain root-level privileges on the host.

A local user can reportedly create an arbitrary format string in a custom message database that will be fetched by the gettext() function as part of the locale subsystem's internationalization capabilities. The local user can set the NLSPATH environment variable to point to the user-created message database. By using the "at" command [possibly with specific command line arguments], the local user can cause the the format string to be executed with root level privileges. This will happen because gettext() will look for the appropriate translated message to display by following the NLSPATH environment variable, finding the user-created format string in the user-created custom message database.

Impact:   A local user can cause arbitrary shell commands to be executed on the host with root-level privileges.
Solution:   No solution was available at the time of this entry.
Vendor URL: (Links to External Site)
Cause:   Access control error, Input validation error
Underlying OS:  UNIX (Solaris - SunOS)

Message History:   This archive entry has one or more follow-up message(s) listed below.
(Exploit Code is Provided) Re: Solaris at Utility Lets Local Users Gain Root Access
Exploit code is provided.

 Source Message Contents

Subject:  "at" is vulnerable on Solaris 7 and 8

We found that "at" in Solaris is vulnerable on Solaris 7 and 8
The kind of bug is discussed on Bugtraqid:1634

Generally a program that needs to display a message to the user will obtain
the proper language
specific string from the database using the original message as the search
key and printing the
results using the printf(3) family of functions. By building and installing
a custom messages
database an attacker can control the output of the message retrieval
functions that get feed to the
printf(3) functions.

Bad coding practices and the ability to feed format strings to the later
functions makes it
possible for an attacker to execute arbitrary code as a privileged user
(root) using almost any
SUID program on the vulnerable systems.

When succeeding "at" command, it will return a message:
"commands will be executed using: <shell>\n"
User can create a specified format string to the message for gettext(),
and set the NLSPATH environment variable..

That, user may get the root privilege..
The exploit will release later...

Huang-Yu Wang
R&D Team, ISS-TW


Go to the Top of This SecurityTracker Archive Page

Home   |    View Topics   |    Search   |    Contact Us

Copyright 2017, LLC