Vigil@nce - Solaris: privilege escalation via Sun Update Manager
December 2013 by Vigil@nce
This bulletin was written by Vigil@nce : http://vigilance.fr/offer
SYNTHESIS OF THE VULNERABILITY
When the administrator uses the Sun Update Manager, a local
attacker can create a malicious rcs9.sh script, in order to
escalate his privileges.
Impacted products: Solaris
Severity: 2/4
Creation date: 16/12/2013
DESCRIPTION OF THE VULNERABILITY
The Sun Update Manager is used by the administrator to update the
system.
During its usage, the postinstall script included in patches is
called. However, the postinstall script of 144501-19, 141445-09,
142059-01, 147148-26, 127128-11, 148889-03, 142910-17 and
144751-01 calls the script /tmp/disketterc.d/rcs9.sh.
When the administrator uses the Sun Update Manager, a local
attacker can therefore create a malicious rcs9.sh script, in order
to escalate his privileges.
ACCESS TO THE COMPLETE VIGIL@NCE BULLETIN
http://vigilance.fr/vulnerability/Solaris-privilege-escalation-via-Sun-Update-Manager-13948