Vigil@nce: Solaris, file corruption via dircmp
April 2009 by Vigil@nce
A local attacker can alter a file with the privileges of the user running dircmp.
– Severity: 1/4
– Consequences: data creation/modification
– Provenance: user shell
– Means of attack: 1 attack
– Ability of attacker: technician (2/4)
– Confidence: confirmed by the editor (5/5)
– Diffusion of the vulnerable configuration: high (3/3)
– Creation date: 01/04/2009
IMPACTED PRODUCTS
– OpenSolaris
– Sun Solaris
– Sun Trusted Solaris
DESCRIPTION OF THE VULNERABILITY
The /usr/bin/dircmp script compares two directories.
This script stores the differences in temporary files whose names
start with "/usr/tmp/dc$$". However, these filenames are predictable
($$ expands to the process ID of the shell running the script), the
files are stored in a public directory, and the script does not check
whether a symbolic link is already present.
A local attacker can therefore create a symbolic link in order to
alter a file with the privileges of the user running dircmp.
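The temporary-file pattern described above, next to a hardened form, as an added example (not the Solaris dircmp source and not part of the advisory). The function names weak_write, safe_write and demo, the sandbox layout and the id 4242 standing in for $$ are hypothetical and constructed; it assumes a mktemp that supports -d.

```shell
#!/bin/sh
# Added example: runs only inside a throwaway sandbox directory.

# Weak pattern from the advisory: predictable name in a shared directory.
# $1 = shared dir, $2 = id standing in for $$, $3 = data
weak_write() {
    printf '%s\n' "$3" > "$1/dc$2"   # follows any symlink already at that path
}

# Hardened pattern: private, unpredictable directory (mode 0700) from
# mktemp -d, plus noclobber so an existing path is never truncated.
# $1 = base dir, $2 = data; prints the path that was written.
safe_write() (
    umask 077
    work=$(mktemp -d "$1/dc.XXXXXX") || exit 1
    set -C
    printf '%s\n' "$2" > "$work/out" || exit 1
    printf '%s\n' "$work/out"
)

# Regression check: returns 0 if the weak pattern altered the linked file
# and the hardened pattern left it untouched.
demo() {
    sandbox=$(mktemp -d) || return 1
    printf 'original\n' > "$sandbox/victim"
    ln -s "$sandbox/victim" "$sandbox/dc4242"   # link already present (constructed)
    weak_write "$sandbox" 4242 "diff output"
    weak_result=$(cat "$sandbox/victim")
    printf 'original\n' > "$sandbox/victim"     # reset before the hardened run
    out=$(safe_write "$sandbox" "diff output") || { rm -rf "$sandbox"; return 1; }
    safe_result=$(cat "$sandbox/victim")
    written=$(cat "$out")
    rm -rf "$sandbox"
    [ "$weak_result" = "diff output" ] && [ "$safe_result" = "original" ] \
        && [ "$written" = "diff output" ]
}
```
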
CHARACTERISTICS
– Identifiers: 253468, 6633566, BID-34316, VIGILANCE-VUL-8583
– URL: http://vigilance.fr/vulnerability/Solaris-file-corruption-via-dircmp-8583