Severity: 1/4

Consequences: privileged access/rights

Provenance: user shell

Means of attack: 1 attack

Ability of attacker: technician (2/4)

Confidence: confirmed by the editor (5/5)

Diffusion of the vulnerable configuration: medium (2/3)

Creation date: 26/06/2009

IMPACTED PRODUCTS

 OpenSolaris
 Sun Solaris
 Sun Trusted Solaris

DESCRIPTION OF THE VULNERABILITY

A user with the "Audit Control" RBAC profile is allowed to run the /usr/sbin/auditconfig command. This command is used to read and set audit parameters of the kernel.

The "-setasid", "-setaudit" and "-setauid" arguments of auditconfig execute commands with an indicated session-ID, term-ID or audit-ID.

However, the execit() function of the usr/src/cmd/auditconfig/auditconfig.c file uses the SHELL environment variable to launch the command. A local attacker can therefore change this environment variable to force auditconfig to execute his wanted command.

A local attacker with a RBAC execution profile can thus use auditconfig to elevate his privileges.

CHARACTERISTICS

Identifiers: 262088, 6414737, VIGILANCE-VUL-8826

http://vigilance.fr/vulnerability/Solaris-privilege-elevation-via-auditconfig-8826