CVE-2017-3622
published 2017-04-24


Priority: P2 74 high
CVSS 3.0: 7.8 (AV:L AC:L PR:L UI:N S:U C:H I:H A:H)
Exploit status: ITW exploit, VulnCheck KEV, exploited in the wild
EPSS: 5.34% (91.6th percentile)
Vulnerability in the Solaris component of Oracle Sun Systems Products Suite (subcomponent: Common Desktop Environment (CDE)). The supported version that is affected is 10. Easily "exploitable" vulnerability allows low privileged attacker with logon to the infrastructure where Solaris executes to compromise Solaris. Successful attacks of this vulnerability can result in takeover of Solaris. Note: CVE-2017-3622 is assigned for the "Extremeparr". CVSS 3.0 Base Score 7.8 (Confidentiality, Integrity and Availability impacts). CVSS Vector: (CVSS:3.0/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H).

Affected (2 ranges)

Vendor               Product                     Version range   Fixed in
oracle               solaris
oracle_corporation   solaris_operating_system

Detection & IOCs (extracted from sources)

path: /usr/dt/bin/dtappgather
path: /usr/lib/locale
path: /var/dt/appconfig/appmanager
command: DTUSERSESSION=.. /usr/dt/bin/dtappgather
command: LC_TIME=<locale_name> <suid_bin> & echo
process: dtappgather
  • Monitor for the DTUSERSESSION environment variable being set to path traversal sequences (e.g., '..') when executing dtappgather, which is the core exploitation mechanism.
  • Alert on unexpected directory creation under /usr/lib/locale by non-root users, especially followed by placement of .so.2 or .so.3 shared object files, which indicates the privilege escalation payload staging.
  • Detect symlink creation pointing /var/dt/appconfig/appmanager to /usr/lib/locale, which is used to redirect dtappgather's directory creation into the locale path.
  • Monitor for SUID binaries (e.g., /usr/bin/at, /usr/bin/cancel, /usr/bin/chkey, /usr/bin/lp, /usr/lib/lp/bin/netpr) being executed with the LC_TIME environment variable set to a non-standard locale name, indicating shared object hijacking.
  • Detect use of gcc to compile a shared object in a writable temp directory (e.g., /tmp) with -fPIC -shared flags by a low-privileged user, which is the exploit's payload compilation step.
  • Look for the shared object constructor pattern calling setuid(0)/setgid(0) followed by execle, which is the privilege escalation payload template used by the exploit.
  • The exploit only affects Solaris versions 5.7 through 5.10 (Solaris 7 through 10). Solaris 10u11 and later are patched. Oracle Patch 25878798 addresses this CVE for Solaris 10 and 11.3.
  • The exploit requires gcc to be installed on the target system; without it the module returns CheckCode::Safe and will not proceed.
  • The exploit requires dtappgather and the chosen SUID binary to both be setuid; if either is not setuid the module aborts.

CVSS provenance

Source      Version   Score   Severity   Vector
nvd         v3.0      7.8     HIGH       CVSS:3.0/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
nvd         v2.0      7.2     HIGH       AV:L/AC:L/Au:N/C:C/I:C/A:C
vulncheck             7.8     HIGH