[ advisories | exploits | discussions | news | conventions | security tools | texts & papers ]
 main menu
- feedback
- advertising
- privacy
- FightAIDS
- newsletter
- news
- read forum
- new topic
- search

- meetings list
- recent additions
- add your info
 top 100 sites
- visit top sites
- sign up now
- members

- add your url
- add domain
- search box
- link to us

- our projects
- free email
 m4d network
- security software
- secureroot
- m4d.com
Home : Advisories : Solaris 2.7/2.8 catman temp file vulnerability

Title: Solaris 2.7/2.8 catman temp file vulnerability
Released by: Larry W. Cashdollar
Date: 19th December 2000
Printable version: Click here
    Solaris 2.7/2.8 catman temp file vulnerability.

         Larry W. Cashdollar

                     Vapid Labs

Date Published: 12/18/2000

Advisory ID: 11242000-02

Risk: Low

Title: catman temp file vulnerability.

Class:  insecure temp file handling.

Remotely Exploitable:  no

Locally Exploitable:  Yes

Vulnerability Description:

  Through the use of symlinking temporary files created by /usr/bin/catman

upon execution by root a local user can clobber root owned files.

Vulnerable Packages/Systems: Solaris 2.x Sparc/x86

Solution/Vendor Information/Workaround:

  The vendor is currently working on releasing a patch.  See references

section for Vendor contact information.

Sun BugID: 4392144

Vendor notified on: 11/23/2000


  I alerted sun to this issue 11/23/2000 they responded 11/24/2000.  Kudos

to the Sun Engineering group.  This response time should be a model to

other vendors.

Technical Description:

  The catman command creates preformatted versions of the online

manual.  It also creates the windex database for utilities like apropos

and whatis.  The problem lies with catman creating a temporary file in

/tmp, the file has the form of /tmp/sman_pidofcatman.  An attacker can

monitor the process list for the execution of catman and create a symlink

to a root owned file.   catman will upon execution overwrite the contents

of that file.  This is a new bug for catman and is not addressed in the

current patch cluster for Solaris 2.7 Sparc.

Exploit/Concept Code: see attachments.


        Sun Microsystems.


        Vapid Labs.


Email: Larry W. Cashdollar 


The contents of this advisory are copyright (c) 2000 Larry W. Cashdollar and

may be distributed freely provided that no fee is charged for this

distribution and proper credit is given.

Ver 2.4 11/29/2000

(C) 1999-2000 All rights reserved.