Bugtraq mailing list archives

Solaris patchadd(1) (3) symlink vulnerability


From: Jonathan Fortin <jfortin () REVELEX COM>
Date: Mon, 18 Dec 2000 06:02:58 -0500

Greetings Bugtraq,


I was playing around with patchadd and found the bug when I issued
"truss -f -o patch.log patchadd patch", where patch was a tarball; patchadd
emitted an error because it was a tarball, so when I went through the debug
output I found that there was a serious race condition vulnerability.

  Line    Pid     system call

   105:  12869:  open64("/tmp/sh12869.1", O_RDWR|O_CREAT|O_TRUNC, 0666) = 3
   136:  12869:  open64("/tmp/sh12869.2", O_RDWR|O_CREAT|O_TRUNC, 0666) = 3
   481:  12869:  open64("/tmp/sh12869.3", O_RDWR|O_CREAT|O_TRUNC, 0666) = 3

   file "/tmp/sh12869.1":

   105:  12869:  open64("/tmp/sh12869.1", O_RDWR|O_CREAT|O_TRUNC, 0666) = 3
   106:  12869:  write(3, "\n U s a g e :   p a t c".., 482)     = 482
   107:  12869:  close(3)

   file "/tmp/sh12869.2":

   136:  12869:  open64("/tmp/sh12869.2", O_RDWR|O_CREAT|O_TRUNC, 0666) = 3
   137:  12869:  write(3, " m a i l =\n i n s t a n".., 145)     = 145
   138:  12869:  close(3)

   file "/tmp/sh12869.3":

   481:  12869:  open64("/tmp/sh12869.3", O_RDWR|O_CREAT|O_TRUNC, 0666) = 3
   482:  12869:  close(61)                                       Err#9 EBADF
   483:  12869:  fcntl(3, F_DUPFD, 0x0000003D)                   = 61
   484:  12869:  close(3)


Race Condition
remote NO
local YES

Vulnerable: I only checked Solaris 2.7 SPARC with the latest install_cluster
installed.

Discussion:

When patchadd is executed, three temporary files are created,
"/tmp/sh<pid>.1", "/tmp/sh<pid>.2" and "/tmp/sh<pid>.3", where <pid> is the
process id of the running patchadd. As the trace shows, they are opened with
O_RDWR|O_CREAT|O_TRUNC and mode 0666, without O_EXCL, and they are unlinked on
exit. The names and the write/close/dup pattern match the temporaries the
Bourne shell creates for here-documents (the first one holds patchadd's usage
text), so the files come from /bin/sh interpreting the patchadd script rather
than from anything patchadd asks for explicitly, which is also why an
environment variable such as TMPDIR has no effect on them.

Because that open follows symbolic links and does not refuse a name that
already exists, a local attacker who predicts the pid the next patchadd will
get (Solaris assigns pids sequentially), or who pre-creates a few hundred
symlinks covering the range of upcoming pids, can point /tmp/sh<pid>.N at a
key system file and have root truncate and overwrite it with the shell's
here-document contents; up to three files can be hit per run. One caveat:
the mode argument to open(2) is applied only when the file is actually
created, so an existing target such as /etc/passwd is truncated but keeps its
permission bits, while a target that does not yet exist is created
world-writable (subject to root's umask) and can then be edited by the
attacker directly. Either way the outcome is a local privilege escalation and
host compromise.
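
The mechanics of the open shown in the truss output, as an added example in C
that is not part of the original post: a constructed victim file stands in for
the system file, a symlink is planted under the predicted temporary name, the
same O_RDWR|O_CREAT|O_TRUNC open is issued against it, and then an
O_EXCL|O_NOFOLLOW variant is tried on the same planted name. The scratch
directory, the victim's contents and the name sh12869.1 are made up for the
demonstration.

```c
#define _XOPEN_SOURCE 700
#include <errno.h>
#include <fcntl.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <sys/stat.h>
#include <unistd.h>

/* The open the truss trace shows for /tmp/sh<pid>.N: O_CREAT without O_EXCL
 * follows a symlink planted at that name, and O_TRUNC empties its target. */
static int open_tmp_unsafe(const char *path)
{
    return open(path, O_RDWR | O_CREAT | O_TRUNC, 0666);
}

/* Hardened form: O_EXCL makes open fail with EEXIST if anything, including a
 * dangling symlink, already occupies the name; O_NOFOLLOW additionally refuses
 * to traverse a symlink in the final component. Private mode, no 0666. */
static int open_tmp_safe(const char *path)
{
    return open(path, O_RDWR | O_CREAT | O_EXCL | O_NOFOLLOW, 0600);
}

struct race_result {
    off_t  victim_size_after;  /* bytes left in the target after the unsafe open */
    mode_t victim_mode_after;  /* permission bits of the target afterwards */
    int    safe_open_errno;    /* errno from the hardened open, 0 if it succeeded */
};

/* Stages the race in a private scratch directory (constructed data: a fake
 * passwd line as the victim, sh12869.1 as the predicted temp name).
 * Returns 0 on success, -1 if setup failed. */
int run_symlink_race_demo(struct race_result *r)
{
    char dir[] = "/tmp/racedemoXXXXXX";
    char victim[256], planted[256];
    const char *content = "root:x:0:0:Super-User:/:/sbin/sh\n";
    struct stat st;
    int fd;

    if (mkdtemp(dir) == NULL)
        return -1;
    snprintf(victim, sizeof victim, "%s/victim", dir);
    snprintf(planted, sizeof planted, "%s/sh12869.1", dir);

    /* the "system file": private mode, non-empty */
    fd = open(victim, O_WRONLY | O_CREAT | O_EXCL, 0600);
    if (fd < 0)
        return -1;
    if (write(fd, content, strlen(content)) != (ssize_t)strlen(content)) {
        close(fd);
        return -1;
    }
    close(fd);

    /* attacker: plant the symlink before the privileged process runs */
    if (symlink(victim, planted) != 0)
        return -1;

    /* privileged process (root in the real case): the vulnerable open */
    fd = open_tmp_unsafe(planted);
    if (fd < 0)
        return -1;
    close(fd);

    if (stat(victim, &st) != 0)
        return -1;
    r->victim_size_after = st.st_size;          /* 0: truncated through the link */
    r->victim_mode_after = st.st_mode & 0777;   /* still 0600: mode only applies on create */

    /* same planted name, hardened open: must refuse */
    fd = open_tmp_safe(planted);
    r->safe_open_errno = (fd < 0) ? errno : 0;
    if (fd >= 0)
        close(fd);

    unlink(planted);
    unlink(victim);
    rmdir(dir);
    return 0;
}

int main(void)
{
    struct race_result r;
    if (run_symlink_race_demo(&r) != 0) {
        perror("setup");
        return 1;
    }
    printf("victim size after unsafe open: %lld\n", (long long)r.victim_size_after);
    printf("victim mode after unsafe open: %04o\n", (unsigned)r.victim_mode_after);
    printf("hardened open on planted name: %s\n",
           r.safe_open_errno ? strerror(r.safe_open_errno) : "succeeded (bad)");
    return 0;
}
```

The victim ends up empty while its 0600 mode is untouched, which is the
point about open(2)'s mode argument: it only applies to a file the call
creates. Current Linux kernels have fs.protected_symlinks, which refuses to
follow a symlink in a sticky world-writable directory such as /tmp when the
link's owner is neither the caller nor the directory owner, so the real
cross-user race in /tmp is blocked there; the demo uses a private directory
and a single uid, so that protection does not come into play. The shell's
here-document temporaries cannot be given O_EXCL by the script that uses them,
which is why the fix has to come from the shell or the OS rather than from
patchadd.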

Exploit:

1. Email the admin telling him there is a new patch out that needs to be
   installed.
2. Create a Perl/C script that copies /etc/passwd and /etc/shadow to hidden
   files which will later be appended to /etc/passwd and /etc/shadow, works
   out the next available process id, creates the two symlinks for it, and
   once that pid is taken stats /etc/passwd and /etc/shadow waiting for them
   to become mode 666 (which only happens if the open created the target; an
   existing file is truncated but keeps its mode). If they are not, it tries
   again with the next pid. When they are, it appends a uid 0 user with no
   password to the hidden copies, lets the truncated /etc/passwd and
   /etc/shadow be refilled from them, and sends you an email to log in and
   take advantage.
3. su trojaned_user
4. #

Solutions:

None that I can think of. Setting $TMPDIR didn't work, and chroot won't work
because you're applying patches to your current root, unless you want to cp -rp
them to your real root afterwards, but that would be shitty.

hrm.. :<

The only solution is to rm -rf /tmp/* /tmp/.*, pull the twisted pair cables
out of the box, make sure no users are on, make sure there are no cron/at jobs
running as a third-party user, and then invoke patchadd :) (I'm trying to be
funny)
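
A pre-flight check along the lines of the "clear /tmp first" advice above, as
an added example that is not part of the original post: it reports anything
already sitting at a name of the form sh<pid>.<n> in the temp directory,
symlink or not, and returns non-zero so a wrapper can refuse to start
patchadd. The function name and the choice to scan with a glob are the
example's own. Note that the check is itself racy: it only catches links
planted before it runs, and an attacker can still plant one between the check
and the moment patchadd's shell opens its temporaries, which is exactly the
limitation described above.

```sh
#!/bin/sh
# check_tmp_planted [dir]
# Refuse (return 1) if any name matching the Bourne shell's here-document
# temporary pattern sh<pid>.<n> already exists in dir (default /tmp), since a
# pre-planted symlink there is what lets root's open64(O_CREAT|O_TRUNC) be
# redirected onto another file. Returns 0 if the directory is clean.
check_tmp_planted() {
    dir=${1:-/tmp}
    found=0
    for f in "$dir"/sh[0-9]*.[0-9]*; do
        # an unmatched glob leaves the literal pattern behind; skip it
        [ -e "$f" ] || [ -L "$f" ] || continue
        if [ -L "$f" ]; then
            printf 'planted symlink: ' >&2
            ls -ld "$f" >&2          # shows owner and where the link points
        else
            printf 'pre-existing temp name: %s\n' "$f" >&2
        fi
        found=1
    done
    return $found
}

# Stand-alone use: check the current temp directory before running patchadd.
check_tmp_planted "${TMPDIR:-/tmp}" && echo "no planted sh<pid>.N names in ${TMPDIR:-/tmp}"
```

A wrapper would run `check_tmp_planted /tmp || exit 1` immediately before
`patchadd`, ideally with the box already off the network and no other users
logged in, as suggested above; the check narrows the window, it does not
close it.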


Thank you

Sincerely,


Jonathan Fortin

*************************************
* Jonathan Fortin, Unix Engineer    *
* Company: Revelex Corporation      *
* Email: jfortin () revelex com        *
* Mobile: 514-244-6208              *
* Tel:    514-938-8405              *
*************************************

