[ advisories | exploits | discussions | news | conventions | security tools | texts & papers ]
 main menu
- feedback
- advertising
- privacy
- FightAIDS
- newsletter
- news
- read forum
- new topic
- search

- meetings list
- recent additions
- add your info
 top 100 sites
- visit top sites
- sign up now
- members

- add your url
- add domain
- search box
- link to us

- our projects
- free email
 m4d network
- security software
- secureroot
- m4d.com
Home : Advisories : Solaris patchadd symlink vulnerability

Title: Solaris patchadd symlink vulnerability
Released by: Jonathan Fortin
Date: 19th December 2000
Printable version: Click here
I was playing around with patchadd and the bug was found when I issued a

"truss -f -o patch.log patchadd patch" where patch was a tarball and then

patchadd omitted an error because of it being a tarball, so then when I went

through the debug output, i found out that there was a serious race

condition vulnerability.

  Line    Pid exec call

   105:   12869:  open64("/tmp/sh12869.1", O_RDWR|O_CREAT|O_TRUNC, 0666) = 3

   136:  12869:  open64("/tmp/sh12869.2", O_RDWR|O_CREAT|O_TRUNC, 0666) = 3

   481:  12869:  open64("/tmp/sh12869.3", O_RDWR|O_CREAT|O_TRUNC, 0666) = 3

   file "/tmp/sh12869.1":

   105: 12869:  open64("/tmp/sh12869.1", O_RDWR|O_CREAT|O_TRUNC, 0666) = 3

   106: 12869:  write(3, "\n U s a g e :   p a t c".., 482)     = 482

   107: 12869:  close(3)

   file "/tmp/sh12869.2":

   136: 12869:  open64("/tmp/sh12869.2", O_RDWR|O_CREAT|O_TRUNC, 0666) = 3

   137: 12869:  write(3, " m a i l =\n i n s t a n".., 145)     = 145

   138: 12869:  close(3)

   file "/tmp/sh12869.3:

  481: 12869:  open64("/tmp/sh12869.3", O_RDWR|O_CREAT|O_TRUNC, 0666) = 3

  482: 12869:  close(61)                                       Err#9 EBADF

  483: 12869:  fcntl(3, F_DUPFD, 0x0000003D)                   = 61

  484: 12869:  close(3)

Race Condition

remote NO

local YES

Vulnerable: I only checked Solaris 2.7 sparc with latest install_cluster



When patchadd is executed, It creates a temporary file called

"/tmp/sh.1" , "/tmp/sh.2 ,

"/tmp/sh.3  and assigns them mode 666 then gets unlink'd upon

exit.A vulnerability exist in patchadd, a patch utility shipped with

Solaris, where as if an attacker predicts the correct pid of the next

process before execution of patchadd by another user or If he creates a fiew

hundred symlinks to brute force the pid before execution of patchadd, he can

with a symbolic link pointing to a specific key system file, overwrite

contents of the file , he can do up to 3 file simultaneously, and user will

be able to do his own modifications to this file since this file would have

world-write permissions resulting in a increase of privilege and host



1. Email admin telling him theirs a new patch out there that needs to be


2. Create a perl/C script that will copy /etc/passwd and /etc/shadow to a

hidden file that you will want to be appended to /etc/shadow/passwd later

on, get the next current available process , create 2 symlinks and when the

current process id is taken, then stat for /etc/passwd and /etc/shadow to be

666, if not avail, do it again, when avail, append a user with id 0 no

password to those hidden files , then those files will truncate /etc/passwd

and /etc/shadow then will be appended to them and send ya an email to login

and take advantage!

3. su trojand_user

4. #


None that I can think of, setting $TMPDIR didn't work, chroot won't work

because your applying patches to your current root unless you want to cp -rp

them to you real root after but that would be shitty.

hrm.. :<

Only solution is to rm -rf /tmp/* /tmp/.* , pull out twisted pair cables

from the box, then make sure no users are on, make sure theirs no cron/at

job runing

by 3rd party user, and then invoke patchadd :) (im trying to be funny)

Thank you


Jonathan Fortin


* Jonathan Fortin, Unix Engineer    *

* Company: Revelex Corporation      *

* Email: jfortin@revelex.com        *

* Mobile: 514-244-6208              *

* Tel:    514-938-8405              *


(C) 1999-2000 All rights reserved.