Vigil@nce: Solaris, privilege elevation via auditconfig
June 2009 by Vigil@nce
A local attacker with an RBAC execution profile can use auditconfig to elevate his privileges.
Severity: 1/4
Consequences: privileged access/rights
Provenance: user shell
Means of attack: 1 attack
Ability of attacker: technician (2/4)
Confidence: confirmed by the editor (5/5)
Diffusion of the vulnerable configuration: medium (2/3)
Creation date: 26/06/2009
IMPACTED PRODUCTS
OpenSolaris
Sun Solaris
Sun Trusted Solaris
DESCRIPTION OF THE VULNERABILITY
A user with the "Audit Control" RBAC profile is allowed to run the /usr/sbin/auditconfig command. This command is used to read and set audit parameters of the kernel.
The "-setasid", "-setaudit" and "-setauid" arguments of auditconfig execute commands with an indicated session-ID, term-ID or audit-ID.
However, the execit() function of the usr/src/cmd/auditconfig/auditconfig.c file uses the SHELL environment variable to launch the command. A local attacker can therefore change this environment variable to force auditconfig to execute a command of his choosing.
A local attacker with an RBAC execution profile can thus use auditconfig to elevate his privileges.
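The pattern described above, next to a hardened form, as an added example that is not the Solaris source and not the vendor's fix. The function names `shell_from_env`, `shell_fixed` and `run_with_shell` are hypothetical, and treating `/bin/sh` as the trusted interpreter is an assumption.

```c
#define _POSIX_C_SOURCE 200809L
#include <stdlib.h>
#include <string.h>
#include <sys/wait.h>
#include <unistd.h>

#define FIXED_SHELL "/bin/sh"   /* assumption: trusted, root-owned interpreter */

/* Pattern the advisory describes: the interpreter path comes from the
 * caller's environment, so the caller decides what the helper executes. */
const char *shell_from_env(void)
{
    const char *s = getenv("SHELL");
    return (s != NULL && *s != '\0') ? s : FIXED_SHELL;
}

/* Hardened choice: the environment is never consulted. */
const char *shell_fixed(void)
{
    return FIXED_SHELL;
}

/* Run `cmd` through `shell` with a minimal, constructed environment.
 * Returns the child's exit status, 127 if the exec failed, -1 on error. */
int run_with_shell(const char *shell, const char *cmd)
{
    char *const argv[] = { "sh", "-c", (char *)cmd, NULL };
    char *const envp[] = { "PATH=/usr/bin:/bin", NULL };
    int status;
    pid_t pid = fork();
    if (pid < 0)
        return -1;
    if (pid == 0) {
        execve(shell, argv, envp);
        _exit(127);             /* exec failed: no fallback to another shell */
    }
    if (waitpid(pid, &status, 0) < 0)
        return -1;
    return WIFEXITED(status) ? WEXITSTATUS(status) : -1;
}

int main(void)
{
    /* Constructed input: a caller-controlled SHELL value. */
    setenv("SHELL", "/nonexistent/constructed-shell", 1);
    int weak = run_with_shell(shell_from_env(), "exit 7"); /* follows SHELL */
    int safe = run_with_shell(shell_fixed(), "exit 7");    /* ignores SHELL */
    return (weak == 127 && safe == 7) ? 0 : 1;
}
```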
CHARACTERISTICS
Identifiers: 262088, 6414737, VIGILANCE-VUL-8826
http://vigilance.fr/vulnerability/Solaris-privilege-elevation-via-auditconfig-8826




