CVE-2017-3622
Published: 2017-04-24
Priority: P274, high; CVSS 3.0 base score: 7.8
CVSS vector: AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
In the wild: exploited (VulnCheck KEV)
EPSS: 5.34% (91.6th percentile)
Vulnerability in the Solaris component of Oracle Sun Systems Products Suite (subcomponent: Common Desktop Environment (CDE)). The supported version that is affected is 10. Easily "exploitable" vulnerability allows low privileged attacker with logon to the infrastructure where Solaris executes to compromise Solaris. Successful attacks of this vulnerability can result in takeover of Solaris. Note: CVE-2017-3622 is assigned for the "Extremeparr". CVSS 3.0 Base Score 7.8 (Confidentiality, Integrity and Availability impacts). CVSS Vector: (CVSS:3.0/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H).
Affected
2 ranges
| Vendor | Product | Version range | Fixed in |
|---|---|---|---|
| oracle | solaris | — | — |
| oracle_corporation | solaris_operating_system | — | — |
Detection & IOCs (extracted from sources)
- Monitor for the DTUSERSESSION environment variable being set to path traversal sequences (e.g., '..') when executing dtappgather, which is the core exploitation mechanism.
- Alert on unexpected directory creation under /usr/lib/locale by non-root users, especially followed by placement of .so.2 or .so.3 shared object files, which indicates the privilege escalation payload staging.
- Detect symlink creation pointing /var/dt/appconfig/appmanager to /usr/lib/locale, which is used to redirect dtappgather's directory creation into the locale path.
- Monitor for SUID binaries (e.g., /usr/bin/at, /usr/bin/cancel, /usr/bin/chkey, /usr/bin/lp, /usr/lib/lp/bin/netpr) being executed with the LC_TIME environment variable set to a non-standard locale name, indicating shared object hijacking.
- Detect use of gcc to compile a shared object in a writable temp directory (e.g., /tmp) with -fPIC -shared flags by a low-privileged user, which is the exploit's payload compilation step.
- Look for the shared object constructor pattern calling setuid(0)/setgid(0) followed by execle, which is the privilege escalation payload template used by the exploit.
- The exploit only affects Solaris versions 5.7 through 5.10 (Solaris 7 through 10). Solaris 10u11 and later are patched. Oracle Patch 25878798 addresses this CVE for Solaris 10 and 11.3.
- The exploit requires gcc to be installed on the target system; without it the module returns CheckCode::Safe and will not proceed.
- The exploit requires dtappgather and the chosen SUID binary to both be setuid; if either is not setuid the module aborts.
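The following is an added detection example, not code from any of the sources on this page: it runs the first four indicators above over constructed process-audit records in a simplified `key=value` format (the format, the sample lines, and the locale allowlist are assumptions for the example, not a real Solaris audit format).

```python
"""Detection logic for the EXTREMEPARR indicators: traversal in DTUSERSESSION
passed to dtappgather, SUID binaries run with an unusual LC_TIME, non-root
mkdir under /usr/lib/locale, and the appmanager -> /usr/lib/locale symlink."""
import re
import shlex

# SUID binaries named in the detection notes (LC_TIME hijacking targets).
SUID_TARGETS = {"/usr/bin/at", "/usr/bin/cancel", "/usr/bin/chkey",
                "/usr/bin/lp", "/usr/lib/lp/bin/netpr"}
# Locale names treated as normal; an assumed allowlist, tune per environment.
KNOWN_LOCALES = {"C", "POSIX", "en_US", "en_US.UTF-8", "en_US.ISO8859-1"}
TRAVERSAL = re.compile(r"(^|/)\.\.(/|$)")

# Constructed sample records (key=value, shell-style quoting), not real logs.
SAMPLE_LOG = [
    'op=exec uid=100 exe=/usr/dt/bin/dtappgather DTUSERSESSION="../../../usr/lib/locale/payload"',
    'op=exec uid=100 exe=/usr/dt/bin/dtappgather DTUSERSESSION=12345',
    'op=symlink uid=100 path=/var/dt/appconfig/appmanager target=/usr/lib/locale',
    'op=mkdir uid=100 path=/usr/lib/locale/payload',
    'op=exec uid=100 exe=/usr/bin/at LC_TIME=payload',
    'op=exec uid=100 exe=/usr/bin/at LC_TIME=en_US.UTF-8',
]

def parse_record(line):
    """Parse one 'key=value key=value' record into a dict (quotes stripped)."""
    rec = {}
    for tok in shlex.split(line):
        key, _, value = tok.partition("=")
        rec[key] = value
    return rec

def evaluate(rec):
    """Return the names of the indicators triggered by a single record."""
    alerts = []
    exe, uid = rec.get("exe", ""), rec.get("uid", "0")
    dtus = rec.get("DTUSERSESSION", "")
    if exe.endswith("/dtappgather") and (TRAVERSAL.search(dtus) or dtus.startswith("/")):
        alerts.append("dtappgather_traversal")
    lc_time = rec.get("LC_TIME")
    if exe in SUID_TARGETS and lc_time and lc_time not in KNOWN_LOCALES:
        alerts.append("suid_lc_time_hijack")
    if rec.get("op") == "mkdir" and rec.get("path", "").startswith("/usr/lib/locale/") and uid != "0":
        alerts.append("locale_dir_by_nonroot")
    if rec.get("op") == "symlink" and rec.get("path") == "/var/dt/appconfig/appmanager" \
            and rec.get("target") == "/usr/lib/locale":
        alerts.append("appmanager_symlink")
    return alerts

def scan(lines):
    """Return (record index, alert name) pairs for every triggered indicator."""
    return [(i, a) for i, line in enumerate(lines) for a in evaluate(parse_record(line))]

if __name__ == "__main__":
    for idx, alert in scan(SAMPLE_LOG):
        print(f"record {idx}: {alert}")
```

Correlating several of these alerts from the same uid within a short window (traversal, then mkdir, then a SUID exec with LC_TIME) gives a much stronger signal than any one of them alone, since a stray LC_TIME value by itself is common on misconfigured hosts.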
CVSS provenance
| Source | CVSS version | Score | Severity | Vector |
|---|---|---|---|---|
| nvd | 3.0 | 7.8 | HIGH | CVSS:3.0/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H |
| nvd | 2.0 | 7.2 | HIGH | AV:L/AC:L/Au:N/C:C/I:C/A:C |
| vulncheck | — | 7.8 | HIGH | — |
GHSA
GHSA-j6c4-cg47-wc3x: Vulnerability in the Solaris component of Oracle Sun Systems Products Suite (subcomponent: Common Desktop Environment (CDE))
ghsa_unreviewed · 2022-05-13 · CVSS 7.8 [HIGH]
Description: identical to the CVE description above.
VulnCheck
Oracle Sun Systems Products Suite Solaris Common Desktop Environment (CDE) Vulnerability
vulncheck · 2017 · CVSS 7.8 [HIGH]
Description: identical to the CVE description above.
Affected: Oracle Solaris
Required Action: Apply remediations or mitigations per vendor instructions or discontinue use o
No detection rules found.
Exploit-DB
Solaris - 'EXTREMEPARR' dtappgather Privilege Escalation (Metasploit)
exploitdb · 2018-09-25
Module header as excerpted by the source (truncated there; the full description appears in the Metasploit entry below):

```ruby
##
# This module requires Metasploit: https://metasploit.com/download
# Current source: https://github.com/rapid7/metasploit-framework
##
class MetasploitModule "Solaris 'EXTREMEPARR' dtappgather Privilege Escalation",
  'Description' => %q{
    This module exploits a directory traversal vulnerability in the
    `dtappgather` executable included with Common Desktop Environment (CDE)
    on unpatched Solaris systems prior to Solaris 10u11 which allows users
    to gain root privileges.
    dtappgather allows users to create a user-owned directory at any
    location on the filesystem using the `DTUSERSESSION` environment
    variable.
    This module creates a directory in `/usr/lib/locale`, writes a shared
    object to the directory, and runs the s
```
Metasploit
Solaris 'EXTREMEPARR' dtappgather Privilege Escalation
metasploit
This module exploits a directory traversal vulnerability in the `dtappgather` executable included with Common Desktop Environment (CDE) on unpatched Solaris systems prior to Solaris 10u11 which allows users to gain root privileges. dtappgather allows users to create a user-owned directory at any location on the filesystem using the `DTUSERSESSION` environment variable. This module creates a directory in `/usr/lib/locale`, writes a shared object to the directory, and runs the specified SUID binary with the shared object loaded using the `LC_TIME` environment variable. This module has been tested successfully on: Solaris 9u7 (09/04) (x86); Solaris 10u1 (01/06) (x86); Solaris 10u2 (06/06) (x86); Solaris 10u4 (08/07) (x86); Solaris 10u8 (
Qualys
Oracle Plugs Struts and Shadow Brokers hole along with 299 Total Vulnerabilities
blogs_qualys · 2017-04-18 · CVSS 7.8 [HIGH]
Today Oracle released a total of 299 new security fixes across all product families. It is important to note that it fixed 25 instances of the infamous Apache Struts vulnerability which could allow a remote attacker to take complete control of the server running Struts. The Struts fix was applied to 19 instances of Oracle Financial Services Applications along with WebCenter, WebLogic, Siebel, Oracle Communications, MySQL and Oracle Retail.
Oracle also released Patch 25878798 for Solaris 10 and 11.3 which fixed the second Shadow Brokers EXTREMEPARR vulnerability CVE-2017-3622. EXTREMEPARR has a CVSS Base Score of 7.8, and if successfully exploited allows a local privilege escalation in the ‘dtappgather’ component. The other Shadow Brokers vulnerability CVE-2017-3623 (a.k.a. “Ebbisland” or
References
- http://www.oracle.com/technetwork/security-advisory/cpuapr2017-3236618.html
- http://www.securityfocus.com/bid/97774
- http://www.securitytracker.com/id/1038292
- https://www.exploit-db.com/exploits/45479/