CVE-2006-4842
Published 2006-10-12
Priority: P4 | 23 | low | CVSS 2.0 base score 3.6
Vector: AV:L / AC:L / Au:N / C:N / I:P / A:P
EXPLOIT
EPSS: 7.68% (93.8th percentile)
The Netscape Portable Runtime (NSPR) API 4.6.1 and 4.6.2, as used in Sun Solaris 10, trusts user-specified environment variables for specifying log files even when running from setuid programs, which allows local users to create or overwrite arbitrary files.
Affected
3 ranges
| Vendor | Product | Version range | Fixed in |
|---|---|---|---|
| netscape | portable_runtime_api | — | — |
| netscape | portable_runtime_api | — | — |
| sun | solaris | — | — |
CVSS provenance
| Source | CVSS version | Score | Severity | Vector |
|---|---|---|---|---|
| nvd | v2.0 | 3.6 | LOW | AV:L/AC:L/Au:N/C:N/I:P/A:P |
| vendor_redhat | | 3.6 | LOW | |
GHSA
GHSA-c7x4-3f9v-h9qf: The Netscape Portable Runtime (NSPR) API 4
ghsa_unreviewed·2022-05-01
CVE-2006-4842 [LOW] CWE-20 GHSA-c7x4-3f9v-h9qf: The Netscape Portable Runtime (NSPR) API 4
The Netscape Portable Runtime (NSPR) API 4.6.1 and 4.6.2, as used in Sun Solaris 10, trusts user-specified environment variables for specifying log files even when running from setuid programs, which allows local users to create or overwrite arbitrary files.
Red Hat
nspr: setuid root programs linked with NSPR allow elevation of privilege
vendor_redhat·2006-09-05·CVSS 3.6
CVE-2006-4842 [LOW] CWE-270 nspr: setuid root programs linked with NSPR allow elevation of privilege
The Netscape Portable Runtime (NSPR) API 4.6.1 and 4.6.2, as used in Sun Solaris 10, trusts user-specified environment variables for specifying log files even when running from setuid programs, which allows local users to create or overwrite arbitrary files.
Statement: This issue also affects other OS that use NSPR. However, Red Hat does not ship any application linked setuid or setgid against NSPR and therefore is not vulnerable to this issue.
Package: nspr (Red Hat Enterprise Linux 4) - Not affected
Package: nspr (Red Hat Enterprise Linux 5) - Not affected
Package: nspr (Red Hat Enterprise Linux 6) - Not affected
Package: nspr (Red Hat Enterprise Linux 7) - Not affected
No detection rules found.
Exploit-DB
Solaris - libnspr NSPR_LOG_FILE Privilege Escalation (Metasploit)
exploitdb·2018-09-18
CVE-2006-4842 Solaris - libnspr NSPR_LOG_FILE Privilege Escalation (Metasploit)
---
##
# This module requires Metasploit: https://metasploit.com/download
# Current source: https://github.com/rapid7/metasploit-framework
##
class MetasploitModule 'Solaris libnspr NSPR_LOG_FILE Privilege Escalation',
'Description' => %q{
This module exploits an arbitrary file write vulnerability in the
Netscape Portable Runtime library (libnspr) on unpatched Solaris systems
prior to Solaris 10u3 which allows users to gain root privileges.
libnspr versions prior to 4.6.3 allow users to specify a log file with
the `NSPR_LOG_FILE` environment variable. The log file is created with
the privileges of the running process, resulting in privilege escalation
when used in combination with a SUID executable.
This module writes a
Exploit-DB
Sun Solaris Netscape Portable Runtime API 4.6.1 - Local Privilege Escalation (2)
exploitdb·2006-10-24·CVSS 3.6
CVE-2006-4842 [LOW] Sun Solaris Netscape Portable Runtime API 4.6.1 - Local Privilege Escalation (2)
---
source: https://www.securityfocus.com/bid/20471/info
The Netscape Portable Runtime API running on Sun Solaris 10 operating system is prone to a local privilege-escalation vulnerability.
A successful exploit of this issue allows an attacker to gain superuser privileges, completely compromising the affected computer.
Version 4.6.1 running on Sun Solaris 10 is vulnerable to this issue.
#!/bin/sh
#
# $Id: raptor_libnspr3,v 1.1 2006/10/24 15:54:57 raptor Exp $
#
# raptor_libnspr3 - Solaris 10 libnspr constructor exploit
# Copyright (c) 2006 Marco Ivaldi
#
# Local exploitation of a design error vulnerability in version 4.6.1 of
# NSPR, as included with Sun Microsystems Solaris 10, allows attackers to
# cr
Exploit-DB
Solaris 10 libnspr - 'Constructor' Arbitrary File Creation Privilege Escalation (3)
exploitdb·2006-10-24·CVSS 3.6
CVE-2006-4842 [LOW] Solaris 10 libnspr - 'Constructor' Arbitrary File Creation Privilege Escalation (3)
---
#!/bin/sh
#
# $Id: raptor_libnspr3,v 1.1 2006/10/24 15:54:57 raptor Exp $
#
# raptor_libnspr3 - Solaris 10 libnspr constructor exploit
# Copyright (c) 2006 Marco Ivaldi
#
# Local exploitation of a design error vulnerability in version 4.6.1 of
# NSPR, as included with Sun Microsystems Solaris 10, allows attackers to
# create or overwrite arbitrary files on the system. The problem exists
# because environment variables are used to create log files. Even when the
# program is setuid, users can specify a log file that will be created with
# elevated privileges (CVE-2006-4842).
#
# Yet another newschool version of the local root exploit: this time we place
# our code in the global constructor (ctors) for
Exploit-DB
Solaris 10 libnspr - 'LD_PRELOAD' Arbitrary File Creation Privilege Escalation (2)
exploitdb·2006-10-16·CVSS 3.6
CVE-2006-4842 [LOW] Solaris 10 libnspr - 'LD_PRELOAD' Arbitrary File Creation Privilege Escalation (2)
---
#!/bin/sh
#
# $Id: raptor_libnspr2,v 1.4 2006/10/16 11:50:48 raptor Exp $
#
# raptor_libnspr2 - Solaris 10 libnspr LD_PRELOAD exploit
# Copyright (c) 2006 Marco Ivaldi
#
# Local exploitation of a design error vulnerability in version 4.6.1 of
# NSPR, as included with Sun Microsystems Solaris 10, allows attackers to
# create or overwrite arbitrary files on the system. The problem exists
# because environment variables are used to create log files. Even when the
# program is setuid, users can specify a log file that will be created with
# elevated privileges (CVE-2006-4842).
#
# Newschool version of local root exploit via LD_PRELOAD (hi KF!). Another
# possible (but less l33t;) attack vector is /var/spo
Exploit-DB
Sun Solaris Netscape Portable Runtime API 4.6.1 - Local Privilege Escalation (1)
exploitdb·2006-10-13·CVSS 3.6
CVE-2006-4842 [LOW] Sun Solaris Netscape Portable Runtime API 4.6.1 - Local Privilege Escalation (1)
---
source: https://www.securityfocus.com/bid/20471/info
The Netscape Portable Runtime API running on Sun Solaris 10 operating system is prone to a local privilege-escalation vulnerability.
A successful exploit of this issue allows an attacker to gain superuser privileges, completely compromising the affected computer.
Version 4.6.1 running on Sun Solaris 10 is vulnerable to this issue.
#!/bin/sh
#
# $Id: raptor_libnspr,v 1.1 2006/10/13 19:12:12 raptor Exp $
#
# raptor_libnspr - Solaris 10 libnspr oldschool local root
# Copyright (c) 2006 Marco Ivaldi
#
# Local exploitation of a design error vulnerability in version 4.6.1 of
# NSPR, as included with Sun Microsystems Solaris 10, allows attackers to
# cre
Exploit-DB
Solaris 10 libnspr - 'LD_PRELOAD' Arbitrary File Creation Privilege Escalation (1)
exploitdb·2006-10-13·CVSS 3.6
CVE-2006-4842 [LOW] Solaris 10 libnspr - 'LD_PRELOAD' Arbitrary File Creation Privilege Escalation (1)
---
#!/bin/sh
#
# $Id: raptor_libnspr,v 1.1 2006/10/13 19:12:12 raptor Exp $
#
# raptor_libnspr - Solaris 10 libnspr oldschool local root
# Copyright (c) 2006 Marco Ivaldi
#
# Local exploitation of a design error vulnerability in version 4.6.1 of
# NSPR, as included with Sun Microsystems Solaris 10, allows attackers to
# create or overwrite arbitrary files on the system. The problem exists
# because environment variables are used to create log files. Even when the
# program is setuid, users can specify a log file that will be created with
# elevated privileges (CVE-2006-4842).
#
# Usage:
# $ chmod +x raptor_libnspr
# $ ./raptor_libnspr
# [...]
# # id
# uid=0(root) gid=0(root)
# #
#
# Vulnerable platforms
Metasploit
Solaris libnspr NSPR_LOG_FILE Privilege Escalation
metasploit
This module exploits an arbitrary file write vulnerability in the Netscape Portable Runtime library (libnspr) on unpatched Solaris systems prior to Solaris 10u3 which allows users to gain root privileges. libnspr versions prior to 4.6.3 allow users to specify a log file with the `NSPR_LOG_FILE` environment variable. The log file is created with the privileges of the running process, resulting in privilege escalation when used in combination with a SUID executable. This module writes a shared object to the trusted library directory `/usr/lib/secure` and runs the specified SUID binary with the shared object loaded using the `LD_LIBRARY_PATH` environment variable. This module has been tested successfully with libnspr version 4.5.1 on Solaris
Bugzilla
CVE-2006-4842 nspr: setuid root programs linked with NSPR allow elevation of privilege
bugzilla·2015-08-14·CVSS 3.6
CVE-2006-4842 [LOW] CVE-2006-4842 nspr: setuid root programs linked with NSPR allow elevation of privilege
NSPR logging is controlled with a couple of environment variables,
one to enable it, and a second to control the name of the log file.
This appears to all work in "optimized" (non-debug) builds.
So, if any setuid root program is linked with NSPR, any user can clobber
any file on the system (any root writable file) by setting NSPR's
environment variables to log to that file, and then running a setuid root
program linked with NSPR.
External reference:
https://bugzilla.mozilla.org/show_bug.cgi?id=351470
Bugzilla
Incorrect check for SUID/SGID/fscaps programs
bugzilla·2015-08-14·CVSS 3.6
CVE-2006-4842 [LOW] Incorrect check for SUID/SGID/fscaps programs
User Agent: Mozilla/5.0 (X11; Fedora; Linux x86_64; rv:39.0) Gecko/20100101 Firefox/39.0
Build ID: 20150806132111
Steps to reproduce:
Bug 365703 and bug 351470 (CVE-2006-4842) are still only fixed partially. fscaps are not considered on GNU/Linux, and a check like getuid() == geteuid() misses cases where the program has switched UIDs completely.
Please use secure_getenv on GNU/Linux to read all environment variables, as explained here: https://sourceware.org/glibc/wiki/Tips_and_Tricks/secure_getenv
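The two Bugzilla entries above describe the defect from the defender's side: a library linked into a setuid root program honoured a log-file path taken from the environment (NSPR_LOG_FILE), and the later report notes that a bare getuid() == geteuid() check is not a sufficient fix because it misses file capabilities and programs that have switched UIDs. The following C program is an added example, not NSPR's, Mozilla's or Red Hat's code, showing the pattern the report asks for: read environment-controlled paths through glibc's secure_getenv, back it with an explicit privilege check that also consults AT_SECURE on Linux, and open the resulting file without following symlinks. The function names (running_privileged, trusted_getenv, resolve_log_path, open_log_file) and the sample path are this example's own assumptions.

```c
/* Added example (not NSPR's or any vendor's code): how a library linked into
 * a setuid program should treat an environment-controlled log-file path.
 * Function names and the sample path below are this example's own choices. */
#define _GNU_SOURCE
#include <errno.h>
#include <fcntl.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <sys/stat.h>
#include <sys/types.h>
#include <unistd.h>
#ifdef __linux__
#include <sys/auxv.h>
#endif

#if defined(__GLIBC__)
/* glibc >= 2.17 provides secure_getenv; declared here so the example still
 * compiles if the feature macro was not seen before the system headers. */
extern char *secure_getenv(const char *name);
#endif

/* True when the process holds privilege its invoker does not have. Besides
 * the classic setuid/setgid transition this checks AT_SECURE on Linux, which
 * the kernel sets for setuid *and* file-capability binaries; the bug report
 * above points out that getuid() == geteuid() alone misses those cases. */
int running_privileged(void)
{
#ifdef __linux__
    if (getauxval(AT_SECURE) != 0)
        return 1;
#endif
    if (getuid() != geteuid() || getgid() != getegid())
        return 1;
    return 0;
}

/* Environment lookup that yields NULL in a privileged process. The flag is
 * passed in explicitly so the policy can be exercised without actually being
 * setuid; real callers pass running_privileged(). */
const char *trusted_getenv(const char *name, int privileged)
{
    if (privileged)
        return NULL;
#if defined(__GLIBC__)
    /* secure_getenv itself returns NULL under AT_SECURE, so this is belt and
     * braces: the explicit flag covers platforms without secure_getenv. */
    return secure_getenv(name);
#else
    return getenv(name);
#endif
}

/* Choose the log path: the environment is consulted only when unprivileged,
 * otherwise a compiled-in default the invoker cannot influence is used. */
const char *resolve_log_path(int privileged, const char *fallback)
{
    const char *p = trusted_getenv("NSPR_LOG_FILE", privileged);
    return (p != NULL && p[0] != '\0') ? p : fallback;
}

/* Even a legitimately chosen path is opened without following a final
 * symlink and with a private mode, so the file cannot be redirected by a
 * link planted at that path. Returns the descriptor or -1 (errno set). */
int open_log_file(const char *path)
{
    return open(path, O_WRONLY | O_CREAT | O_APPEND | O_NOFOLLOW | O_CLOEXEC, 0600);
}

int main(void)
{
    /* Constructed sample value; in the vulnerable case this path would have
     * been created with the setuid program's privileges. */
    setenv("NSPR_LOG_FILE", "/tmp/nspr-example.log", 1);
    printf("unprivileged caller -> %s\n", resolve_log_path(0, "/dev/null"));
    printf("privileged caller   -> %s\n", resolve_log_path(1, "/dev/null"));
    int fd = open_log_file(resolve_log_path(running_privileged(), "/dev/null"));
    if (fd >= 0)
        close(fd);
    else
        fprintf(stderr, "open failed: %s\n", strerror(errno));
    return 0;
}
```

Run as an ordinary user the first line prints the environment path and the second the fallback; the same binary installed setuid (or with file capabilities, on Linux) would take the fallback branch via running_privileged() regardless of what the invoker placed in the environment, which is the property the original NSPR builds lacked.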
Discussion:
Tim, is this within your purview now?
---
Think I'm not the best person to do this. David, any thoughts on who can help here?
---
It is best to find someone familiar with operating system security, such as
a developer working on
References
http://labs.idefense.com/intelligence/vulnerabilities/display.php?id=418
http://secunia.com/advisories/22348
http://securitytracker.com/id?1017050
http://sunsolve.sun.com/search/document.do?assetkey=1-26-102658-1
http://www.securityfocus.com/archive/1/448691/100/0/threaded
http://www.securityfocus.com/bid/20471
http://www.vupen.com/english/advisories/2006/4016
https://exchange.xforce.ibmcloud.com/vulnerabilities/29489
https://oval.cisecurity.org/repository/search/definition/oval%3Aorg.mitre.oval%3Adef%3A1819
https://www.exploit-db.com/exploits/45433/