CVE-2001-0095
published 2001-02-12CVE-2001-0095: catman in Solaris 2.7 and 2.8 allows local users to overwrite arbitrary files via a symlink attack on the sman_PID temporary file.
PriorityP411low1.2CVSS 2.0
AVLACHAuNCNIPAN
EXPLOIT
EPSS
0.57%
42.9th percentile
catman in Solaris 2.7 and 2.8 allows local users to overwrite arbitrary files via a symlink attack on the sman_PID temporary file.
Affected
2 ranges
| Vendor | Product | Version range | Fixed in |
|---|---|---|---|
| sun | sunos | — | — |
| sun | sunos | — | — |
CVEs like this are exactly what “Exploited This Week” covers.
Every Monday: what got weaponized or added to CISA KEV in the last seven days — each CVE cross-linked to its PoC, Nuclei template, and detection rule. Free, one email a week, unsubscribe in one click.
No detection rules found.
Exploit-DB
SunOS 5.7 Catman - Local Insecure tmp Symlink Clobber
exploitdb·2000-12-20
CVE-2001-0095 SunOS 5.7 Catman - Local Insecure tmp Symlink Clobber
SunOS 5.7 Catman - Local Insecure tmp Symlink Clobber
---
#!/usr/local/bin/perl -w
#
# The problem is catman creates files in /tmp
# insecurly. They are based on the PID of the
# catman process, catman will happily clobber
# any files that are symlinked to that file.
# The idea of this script is to watch the
# process list for the catman process, get
# the pid and Create a symlink in /tmp to our
# file to be clobbered. This exploit depends
# on system speed and process load. This
# worked on a patched Solaris 2.7 box (August
# 2000 patch cluster)
# SunOS rootabega 5.7 Generic_106541-12 sun4u
# sparc SUNW,Ultra-1 [email protected]
# 11/21/2000 Vapid Labs.
# http://vapid.betteros.org
$clobber = "/etc/passwd";
while(1) {
open ps,"ps -ef | grep -v grep |grep -v PID |";
while() {
@args
Exploit-DB
Solaris 2.7/2.8 Catman - Local Insecure tmp Symlink
exploitdb·2000-12-19
CVE-2001-0095 Solaris 2.7/2.8 Catman - Local Insecure tmp Symlink
Solaris 2.7/2.8 Catman - Local Insecure tmp Symlink
---
#!/usr/local/bin/perl -w
#
# The problem is catman creates files in /tmp insecurly.
# They are based on the PID of the catman process,
# catman will happily clobber any files that are
# symlinked to that file. The idea of this script is to
# create a block of symlinks to the target file with
# the current PID as a starting point. Depending on
# what load your system has this creates 1000 files in
# /tmp as sman_$currentpid + 1000.
#
# The drawback is you would have to know around when root
# would be executing catman. A better solution would be
# to monitor for the catman process and create the link
# before catman creates the file. I think this is a
# really small window however. This worked on a patched
# Solaris 2.7 box (August 2
Exploit-DB
Solaris 2.x/7.0/8 - 'Catman' Race Condition (2)
exploitdb·2000-11-21
CVE-2001-0095 Solaris 2.x/7.0/8 - 'Catman' Race Condition (2)
Solaris 2.x/7.0/8 - 'Catman' Race Condition (2)
---
source: https://www.securityfocus.com/bid/2149/info
catman is a utility for creating preformatted man pages, distributed as part of the Solaris Operating Environment. A problem exists which could allow local users to overwrite or corrupt files owned by other users.
The problem occurs in the creation of temporary files by the catman program. Upon execution, catman creates files in the /tmp directory using the file name sman_, where pid is the Process ID of the running catman process. The creation of a symbolic link from /tmp/sman_ to a file owned and writable by the user executing catman will result in the file being overwritten, or in the case of a system file, corrupted. This makes it possible for a user with malicious intent to over
Exploit-DB
Solaris 2.x/7.0/8 - 'Catman' Race Condition (1)
exploitdb·2000-11-21
CVE-2001-0095 Solaris 2.x/7.0/8 - 'Catman' Race Condition (1)
Solaris 2.x/7.0/8 - 'Catman' Race Condition (1)
---
source: https://www.securityfocus.com/bid/2149/info
catman is a utility for creating preformatted man pages, distributed as part of the Solaris Operating Environment. A problem exists which could allow local users to overwrite or corrupt files owned by other users.
The problem occurs in the creation of temporary files by the catman program. Upon execution, catman creates files in the /tmp directory using the file name sman_, where pid is the Process ID of the running catman process. The creation of a symbolic link from /tmp/sman_ to a file owned and writable by the user executing catman will result in the file being overwritten, or in the case of a system file, corrupted. This makes it possible for a user with malicious intent to over
No writeups or analysis indexed.
2001-02-12
Published