Severity: 1/4
Consequences: privileged access/rights
Provenance: user shell
Means of attack: 1 attack
Ability of attacker: technician (2/4)
Confidence: confirmed by the editor (5/5)
Diffusion of the vulnerable configuration: medium (2/3)
Creation date: 26/06/2009
IMPACTED PRODUCTS
OpenSolaris
Sun Solaris
Sun Trusted Solaris
DESCRIPTION OF THE VULNERABILITY
A user with the "Audit Control" RBAC profile is allowed to run the
/usr/sbin/auditconfig command. This command is used to read and
set audit parameters of the kernel.
The "-setasid", "-setaudit" and "-setauid" arguments of
auditconfig execute commands with a specified session-ID, term-ID
or audit-ID.
However, the execit() function of the usr/src/cmd/auditconfig/auditconfig.c
file uses the SHELL environment variable to launch the command. A
local attacker can therefore change this environment variable to
force auditconfig to execute a command of the attacker's choosing.
A local attacker with an RBAC execution profile can thus use
auditconfig to elevate privileges.
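
The pattern described above, next to a hardened form, as an added example that is not taken from the Solaris source or from the vendor's fix. The function names, the /bin/sh path and the PATH value are assumptions made for illustration.

```c
#include <errno.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <sys/types.h>
#include <sys/wait.h>
#include <unistd.h>

#define TRUSTED_SHELL "/bin/sh" /* assumption: fixed, root-owned interpreter */

/* Pattern the advisory describes: interpreter taken from the caller's SHELL. */
const char *shell_from_env(void) {
    const char *sh = getenv("SHELL");
    return (sh != NULL && *sh != '\0') ? sh : TRUSTED_SHELL;
}

/* Hardened choice: the environment is never consulted. */
const char *shell_fixed(void) { return TRUSTED_SHELL; }

/* 1 when the caller's environment would change which program gets executed. */
int env_can_redirect(void) {
    return strcmp(shell_from_env(), shell_fixed()) != 0;
}

/* Run cmd via the fixed shell with a minimal constructed environment.
 * Returns the child's exit status, or -1 on failure. */
int run_with_fixed_shell(const char *cmd) {
    char *const argv[] = { "sh", "-c", (char *)cmd, NULL };
    char *const envp[] = { "PATH=/usr/bin:/bin", NULL };
    int status;
    pid_t pid = fork();

    if (pid < 0)
        return -1;
    if (pid == 0) {
        execve(shell_fixed(), argv, envp);
        _exit(127); /* exec failed */
    }
    while (waitpid(pid, &status, 0) < 0)
        if (errno != EINTR)
            return -1;
    return WIFEXITED(status) ? WEXITSTATUS(status) : -1;
}

int main(void) {
    printf("SHELL would redirect execution: %d\n", env_can_redirect());
    printf("fixed-shell exit status: %d\n", run_with_fixed_shell("exit 7"));
    return 0;
}
```

A privileged helper that selects its interpreter the way shell_fixed() does, and passes a constructed environment to execve(), runs the same program whatever the invoking user has exported.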
CHARACTERISTICS
Identifiers: 262088, 6414737, VIGILANCE-VUL-8826
http://vigilance.fr/vulnerability/Solaris-privilege-elevation-via-auditconfig-8826