[ SOURCE: http://www.secureroot.com/security/advisories/9772055682.html ]

I was playing around with patchadd, and the bug was found when I issued "truss -f -o patch.log patchadd patch", where patch was a tarball. patchadd then emitted an error because it was a tarball, and when I went through the debug output I found a serious race condition vulnerability.

Line  Pid    exec call
105:  12869: open64("/tmp/sh12869.1", O_RDWR|O_CREAT|O_TRUNC, 0666) = 3
136:  12869: open64("/tmp/sh12869.2", O_RDWR|O_CREAT|O_TRUNC, 0666) = 3
481:  12869: open64("/tmp/sh12869.3", O_RDWR|O_CREAT|O_TRUNC, 0666) = 3

file "/tmp/sh12869.1":
105:  12869: open64("/tmp/sh12869.1", O_RDWR|O_CREAT|O_TRUNC, 0666) = 3
106:  12869: write(3, "\n U s a g e : p a t c".., 482) = 482
107:  12869: close(3)

file "/tmp/sh12869.2":
136:  12869: open64("/tmp/sh12869.2", O_RDWR|O_CREAT|O_TRUNC, 0666) = 3
137:  12869: write(3, " m a i l =\n i n s t a n".., 145) = 145
138:  12869: close(3)

file "/tmp/sh12869.3":
481:  12869: open64("/tmp/sh12869.3", O_RDWR|O_CREAT|O_TRUNC, 0666) = 3
482:  12869: close(61) Err#9 EBADF
483:  12869: fcntl(3, F_DUPFD, 0x0000003D) = 61
484:  12869: close(3)

Class:      Race Condition
Remote:     NO
Local:      YES
Vulnerable: I only checked Solaris 2.7 sparc with the latest install_cluster installed.
Discussion:

When patchadd is executed, the shell script behind it creates three temporary files, /tmp/sh<pid>.1, /tmp/sh<pid>.2 and /tmp/sh<pid>.3 (where <pid> is the process id of that shell, 12869 in the trace above), opens each with O_RDWR|O_CREAT|O_TRUNC and mode 0666, and unlinks them on exit. The first two are written and closed immediately; the third is dup'd to descriptor 61 and kept open for the rest of the run. The names contain nothing but the pid, so they are predictable.

A vulnerability exists in patchadd, the patch utility shipped with Solaris: if an attacker predicts the pid of the next patchadd process before another user executes it, or creates a few hundred symlinks to brute-force the pid ahead of time, a symbolic link at the predicted name pointing at a key system file causes that file's contents to be overwritten when root runs patchadd. Up to three files can be targeted in one run. The advisory's position is that, because the file is created with world-write permissions, the user can then make his own modifications to it, resulting in privilege escalation and host compromise.

Caveat on the mode: the 0666 passed to open64() only takes effect when the open actually creates the file, and is then masked by the caller's umask. When the symlink points at an existing file such as /etc/passwd, O_TRUNC truncates that file and patchadd's own output (the usage text, the mail= settings) is written to it with root's privileges, but the open64() calls shown in the trace do not change the target's owner or mode. What the trace itself guarantees is therefore truncation and overwrite of arbitrary root-owned files at the attacker's choice of path; the target becoming world-writable depends on patchadd doing something beyond the calls shown here.

Exploit:

1. E-mail the admin telling him there is a new patch out that needs to be installed.
2. Write a perl/C script that copies /etc/passwd and /etc/shadow to hidden files (to be written back over /etc/passwd and /etc/shadow later), works out the next available process id, and creates two symlinks, /tmp/sh<pid>.1 -> /etc/passwd and /tmp/sh<pid>.2 -> /etc/shadow. Once that pid is taken, stat /etc/passwd and /etc/shadow to see whether they are now mode 666; if not, try again with the next pid. When they are, append a user with uid 0 and no password to the hidden copies, write the copies back over the truncated /etc/passwd and /etc/shadow, and send yourself an e-mail to log in and take advantage.
3. su trojaned_user
4. #

Solutions:

None that I can think of. Setting $TMPDIR didn't work, and chroot won't work because you are applying patches to your current root, unless you want to cp -rp them to your real root afterwards, but that would be shitty. Hrm..
:< The only solution is to rm -rf /tmp/* /tmp/.*, pull the twisted-pair cables out of the box, make sure no users are on, make sure there is no cron/at job running as a third-party user, and then invoke patchadd :) (I'm trying to be funny)

Thank you,

Sincerely,
Jonathan Fortin

*************************************
* Jonathan Fortin, Unix Engineer    *
* Company: Revelex Corporation      *
* Email: jfortin@revelex.com        *
* Mobile: 514-244-6208              *
* Tel: 514-938-8405                 *
*************************************
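The race described in the Discussion and Exploit sections above, as an added example that is not part of the advisory and not the author's exploit script. The C program below stages the attack against a stand-in victim file inside a scratch directory (never /etc/passwd), opens the predictable name exactly the way the truss trace shows patchadd's shell doing it (O_RDWR|O_CREAT|O_TRUNC, mode 0666, no O_EXCL), measures what happened to the victim, and then tries the same planted symlink against a hardened open and against mkstemp(). The names race_result, run_race_demo, vulnerable_open and hardened_open, the scratch directory, and both file contents are constructed for this example. It is written for Linux/glibc; the open() flag semantics it relies on are POSIX and apply to Solaris open64() as well.

```c
#ifndef _GNU_SOURCE
#define _GNU_SOURCE   /* mkdtemp, mkstemp, symlink, O_NOFOLLOW on glibc */
#endif
#include <errno.h>
#include <fcntl.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <sys/stat.h>
#include <unistd.h>

/* Everything the demo measures, so a caller can check it. */
struct race_result {
    off_t  size_before;  /* victim size before the attack */
    off_t  size_after;   /* victim size after the vulnerable open + write */
    mode_t mode_after;   /* victim permission bits afterwards */
    int    safe_fd;      /* return value of the hardened open (-1 expected) */
    int    safe_errno;   /* errno left by the hardened open */
    int    mkstemp_ok;   /* 1 if mkstemp() handed out a private temp file */
};

/* The call pattern from the truss output: predictable name, O_CREAT|O_TRUNC,
 * no O_EXCL, so a symlink already sitting at that name is silently followed. */
static int vulnerable_open(const char *path)
{
    return open(path, O_RDWR | O_CREAT | O_TRUNC, 0666);
}

/* Hardened: O_EXCL fails if anything (a symlink included, wherever it points)
 * already exists at the path; O_NOFOLLOW refuses to traverse a symlink at all. */
static int hardened_open(const char *path)
{
    return open(path, O_RDWR | O_CREAT | O_EXCL | O_NOFOLLOW, 0600);
}

static int write_all(int fd, const char *buf, size_t len)
{
    return write(fd, buf, len) == (ssize_t)len ? 0 : -1;
}

/* Stage the race in a private, non-sticky scratch directory (so Linux's
 * fs.protected_symlinks does not interfere). Returns 0 on success, -1 on setup error. */
int run_race_demo(struct race_result *r)
{
    char tmpdir[] = "/tmp/racedemoXXXXXX", cwddir[] = "./racedemoXXXXXX";
    char victim[256], tmpname[256], tmpl[256];
    struct stat st;
    /* Constructed stand-ins: the "system file" content and what the script writes. */
    const char seed[] = "root:x:0:0:root:/:/bin/sh\n";
    const char junk[] = "\nUsage: patchadd ...\n";
    char *dir;
    int fd;

    memset(r, 0, sizeof *r);
    dir = mkdtemp(tmpdir);
    if (dir == NULL) dir = mkdtemp(cwddir);
    if (dir == NULL) return -1;
    snprintf(victim, sizeof victim, "%s/victim", dir);
    /* Same shape as /tmp/sh<pid>.N in the trace: trivially predictable. */
    snprintf(tmpname, sizeof tmpname, "%s/sh%d.1", dir, (int)getpid());

    /* Stand-in for a root-owned 0644 system file. */
    fd = open(victim, O_WRONLY | O_CREAT | O_EXCL, 0644);
    if (fd < 0 || write_all(fd, seed, sizeof seed - 1) != 0) return -1;
    close(fd);
    if (chmod(victim, 0644) != 0 || stat(victim, &st) != 0) return -1;
    r->size_before = st.st_size;

    /* Attacker step: plant the symlink at the predicted name before the victim runs. */
    if (symlink(victim, tmpname) != 0) return -1;

    /* Victim step: open "its" temp file and write to it, as the trace shows. */
    fd = vulnerable_open(tmpname);
    if (fd < 0 || write_all(fd, junk, sizeof junk - 1) != 0) return -1;
    close(fd);
    if (stat(victim, &st) != 0) return -1;
    r->size_after = st.st_size;          /* truncated and overwritten */
    r->mode_after = st.st_mode & 0777;   /* unchanged: 0666 only applies to new files */

    /* Same planted symlink against the hardened open: must fail, nothing touched. */
    errno = 0;
    r->safe_fd = hardened_open(tmpname);
    r->safe_errno = errno;
    if (r->safe_fd >= 0) close(r->safe_fd);

    /* The real fix for a shell-script temp file: unpredictable name, O_EXCL, 0600. */
    snprintf(tmpl, sizeof tmpl, "%s/shXXXXXX", dir);
    fd = mkstemp(tmpl);
    if (fd >= 0) { r->mkstemp_ok = 1; close(fd); unlink(tmpl); }

    unlink(tmpname); unlink(victim); rmdir(dir);
    return 0;
}

int main(void)
{
    struct race_result r;
    if (run_race_demo(&r) != 0) { perror("run_race_demo"); return 1; }
    printf("victim: %ld bytes -> %ld bytes, mode still %04o\n",
           (long)r.size_before, (long)r.size_after, (unsigned)r.mode_after);
    printf("hardened open on planted symlink: fd=%d errno=%d (%s)\n",
           r.safe_fd, r.safe_errno, strerror(r.safe_errno));
    printf("mkstemp: %s\n", r.mkstemp_ok ? "ok" : "failed");
    return 0;
}
```

The measured result is the caveat from the Discussion in concrete form: the victim is truncated and overwritten through the symlink, but its mode stays 0644, because the 0666 argument is only consulted when open() creates a file. The hardened open fails on the planted link without touching the target, and mkstemp() is what a shell script should use in place of a hand-built /tmp/sh$$.N name (a sticky /tmp with fs.protected_symlinks on modern Linux would also stop this particular link from being followed, but that is a mitigation, not a fix).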