SecurityTracker.com
Category:   OS (UNIX)  >   At Vendors:   Sun
(Sun Issues Fix) Re: Sun Solaris 'at' Command Race Condition Enables Local Users to Delete Arbitrary Files
SecurityTracker Alert ID:  1006028
SecurityTracker URL:  http://securitytracker.com/id/1006028
CVE Reference:   GENERIC-MAP-NOMATCH
Date:  Jan 31 2003
Impact:   Denial of service via local system, Modification of system information, Modification of user information
Fix Available:  Yes  Vendor Confirmed:  Yes  
Version(s): Solaris 2.6, 7, 8, and 9
Description:   A vulnerability was reported in the Sun Solaris at command. A local user can delete arbitrary files on the system.

iSEC Security Research reported that there is a flaw in the /usr/bin/at binary. The binary is configured with set user id (setuid) root privileges and allows at-jobs to be removed using the '-r' command line switch. The code that removes at-jobs from the at spool directory can reportedly be made to remove jobs located outside of the spool directory if the local user supplies a relative path name instead of an absolute path name.

The command attempts to verify the ownership of the target file. However, a local user can modify the filesystem between the time that 'at' performs a stat() call on the target file and the time that 'at' removes (unlinks) the target file, a time-of-check to time-of-use (TOCTOU) race. A local user can create a symbolic link from an at-job file name to a target file on the system after the stat() call and before the unlink() call. The 'at' binary may then remove the symlinked target file.

A demonstration exploit is provided in the Source Message.
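
The two causes described above (a relative path name accepted as a job name, and a check by path followed by an unlink by path) map onto what a corrected removal routine has to do. The following C function is an added example, not Sun's code or the contents of the patches; `remove_job`, its parameters and the assumption that the spool directory is writable only by root are hypothetical.

```c
#ifndef _POSIX_C_SOURCE
#define _POSIX_C_SOURCE 200809L
#endif
#include <errno.h>
#include <fcntl.h>
#include <string.h>
#include <sys/stat.h>
#include <sys/types.h>
#include <unistd.h>

/* Hypothetical helper, not Solaris source: remove job `name` from directory
 * `spool` on behalf of `uid`. Returns 0, or -1 with errno set on refusal. */
int remove_job(const char *spool, const char *name, uid_t uid)
{
    struct stat st;
    int dfd, rc = -1, saved;

    /* 1. Input validation: a job id is a single path component, so any '/'
     *    or dot name is refused and the request cannot leave the spool. */
    if (name[0] == '\0' || strchr(name, '/') != NULL ||
        strcmp(name, ".") == 0 || strcmp(name, "..") == 0) {
        errno = EINVAL;
        return -1;
    }

    /* 2. Pin the spool directory with a descriptor so the check and the
     *    unlink both resolve against the same directory object. */
    dfd = open(spool, O_RDONLY | O_DIRECTORY | O_NOFOLLOW);
    if (dfd < 0)
        return -1;

    /* 3. Examine the entry itself; a symlink is never followed. */
    if (fstatat(dfd, name, &st, AT_SYMLINK_NOFOLLOW) != 0)
        goto out;
    if (!S_ISREG(st.st_mode) || st.st_uid != uid) {
        errno = EPERM;
        goto out;
    }

    /* 4. Unlink relative to the pinned descriptor. The remaining check/use
     *    window is closed only if unprivileged users cannot write to spool. */
    rc = unlinkat(dfd, name, 0);
out:
    saved = errno;
    close(dfd);
    errno = saved;
    return rc;
}
```

Step 1 addresses the input validation error and steps 2 to 4 address the state error; neither alone is sufficient.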

Impact:   A local user can remove arbitrary files on the system.
Solution:   Sun has released the following fixes:

SPARC

Solaris 7: patch 108319-03 or later
Solaris 8: patch 109007-09 and 108875-13 or later
Solaris 9: patch 114135-01 or later

Intel

Solaris 7: patch 108320-03 or later
Solaris 8: patch 109008-09 and 108876-13 or later
Solaris 9: patch 114136-01 or later

Sun is working on a patch for Solaris 2.6.

Sun notes that some of the patches may require other patches:

"The Solaris 8 cron/at patches 109007-09 and 109008-09 require the libbsm/c2audit patches 108875-13 and 108876-13 respectively for the correct functioning of the crontab(1) command. Future revisions of the Solaris 8 cron/at patches will contain the libbsm/c2audit binaries and will not require the installation of the libbsm/c2audit patches."

Vendor URL:  sunsolve.sun.com/pub-cgi/retrieve.pl?doc=fsalert%2F50161
Cause:   Input validation error, State error
Underlying OS:   UNIX (Solaris - SunOS)

Message History:   This archive entry is a follow-up to the message listed below.
Jan 27 2003 Sun Solaris 'at' Command Race Condition Enables Local Users to Delete Arbitrary Files



 Source Message Contents

Date:  Fri, 31 Jan 2003 10:42:51 -0500
Subject:  Security Vulnerability with the at(1) Command on Solaris


Sun released a security alert regarding a vulnerability with the at(1) command on the Sun Solaris
operating system.

A local unprivileged user may be able to delete any file on the system.

Sun credits Wojciech Purczynski of iSEC Security Research for reporting this flaw. 

Solaris 2.6, 7, 8, and 9 are affected.

Sun notes that Solaris 2.5.1 will not be evaluated to determine if it is vulnerable or not.

Sun reports that, as a workaround, you can remove the set user id (setuid) bit from the at(1)
command by executing the following command with root privileges:

# chmod u-s /usr/bin/at

However, this will disable the "at" command. As root do the following: 

Sun has released the following fixes: 

SPARC 

Solaris 7: patch 108319-03 or later 
Solaris 8: patch 109007-09 and 108875-13 or later 
Solaris 9: patch 114135-01 or later 

Intel 

Solaris 7: patch 108320-03 or later 
Solaris 8: patch 109008-09 and 108876-13 or later 
Solaris 9: patch 114136-01 or later

Sun is working on a patch for Solaris 2.6. 

Sun notes that some of the patches may require other patches:

"The Solaris 8 cron/at patches 109007-09 and 109008-09 require the libbsm/c2audit patches 108875-13
and 108876-13 respectively for the correct functioning of the crontab(1) command. Future revisions
of the Solaris 8 cron/at patches will contain the libbsm/c2audit binaries and will not require the
installation of the libbsm/c2audit patches."

-----

Sun Alert ID: 50161 
Synopsis: Security Vulnerability with the at(1) Command on Solaris 
Category: Security 
Product: Solaris 
BugIDs: 4776480 
Avoidance: Patch 
State: Engineering Complete 
Date Released: 30-Jan-2003 
Date Closed: 
Date Modified:


 
 



Copyright 2013, SecurityGlobal.net LLC