CVE-2019-3010
published 2019-10-16


Priority: P182 high · CVSS 3.1: 8.8
AV:L / AC:L / PR:L / UI:N / S:C / C:H / I:H / A:H
KEV · ITW · EXPLOIT
CISA Known Exploited Vulnerability, due 2022-06-15
Exploited in the wild
EPSS: 13.51% (96.0th percentile)
Vulnerability in the Oracle Solaris product of Oracle Systems (component: XScreenSaver). The supported version that is affected is 11. Easily exploitable vulnerability allows low privileged attacker with logon to the infrastructure where Oracle Solaris executes to compromise Oracle Solaris. While the vulnerability is in Oracle Solaris, attacks may significantly impact additional products. Successful attacks of this vulnerability can result in takeover of Oracle Solaris. CVSS 3.0 Base Score 8.8 (Confidentiality, Integrity and Availability impacts). CVSS Vector: (CVSS:3.0/AV:L/AC:L/PR:L/UI:N/S:C/C:H/I:H/A:H).

Affected

2 ranges
Vendor              Product                    Version range   Fixed in
oracle              solaris
oracle_corporation  solaris_operating_system

Detection & IOCs (extracted from sources)

path: /tmp/getuid.so
path: /usr/lib/secure/getuid.so
path: /usr/lib/secure/64/getuid.so
path: /tmp/getuid.c
filename: getuid.so
command: /usr/bin/xscreensaver -display :1 -log $LOG
command: LD_PRELOAD=$LOG su -
  • Monitor for creation of files named getuid.so in /tmp/ or /usr/lib/secure/ (including /usr/lib/secure/64/) on Solaris 11 systems — these are the exploit payload drop locations for CVE-2019-3010.
  • Detect xscreensaver invoked with the -log argument pointing to /usr/lib/secure/ paths, which is the trigger mechanism for the privilege escalation exploit.
  • Alert on LD_PRELOAD being set to a path under /usr/lib/secure/ combined with execution of su, as this is the final privilege escalation step of the exploit.
  • Detect compilation of a shared library in /tmp/ (e.g., gcc producing /tmp/getuid.so) followed by a copy to /usr/lib/secure/, which indicates exploit staging activity.
  • Monitor for xscreensaver processes spawning Xorg on display :1 by a non-root user, which is used to trigger the -log file write primitive in the exploit.
  • The exploit module uses xscreensaver to create a log file in /usr/lib/secure/, overwrites the log file with a shared object, and executes the shared object using the LD_PRELOAD environment variable; hunt for this file-write-then-LD_PRELOAD pattern on Solaris.
  • The CVE-2019-3010 exploitation files (/tmp/getuid.so and /usr/lib/secure/getuid.so) are not unique to the DecisiveArchitect threat actor and may appear in other attack contexts.
  • As a temporary workaround, removing the setuid bit from xscreensaver may prevent exploitation but could also prevent the screensaver from functioning properly.
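
The file-write-then-LD_PRELOAD pattern in the notes above can be written as a small correlation rule over process and file events. This is an added example, not code from this page or its sources; the event schema (`ts`, `uid`, `type`, `argv`, `env`, `path`) and the function names are assumptions, and the sample events are constructed.

```python
import os

SECURE_DIR = "/usr/lib/secure/"  # directory named in the detection notes

def under_secure(path):
    """True if path lexically normalises to something below /usr/lib/secure/."""
    return bool(path) and os.path.normpath(path).startswith(SECURE_DIR)

def classify(ev):
    """Return the exploit stage an event matches, or None."""
    if ev["type"] == "file_create":
        path = ev["path"]
        staged = path.startswith("/tmp/") or under_secure(path)
        return "payload_file" if staged and os.path.basename(path) == "getuid.so" else None
    argv, env = ev.get("argv", []), ev.get("env", {})
    prog = os.path.basename(argv[0]) if argv else ""
    # xscreensaver run by a non-root user with -log pointing into the trusted directory
    if prog == "xscreensaver" and ev["uid"] != 0 and "-log" in argv[:-1]:
        if under_secure(argv[argv.index("-log") + 1]):
            return "log_write"
    # su started with LD_PRELOAD pointing into the trusted directory
    if prog == "su" and under_secure(env.get("LD_PRELOAD")):
        return "preload_su"
    return None

def detect(events):
    """Return (alerts, chains): every stage hit, plus uids that did log_write then preload_su."""
    alerts, seen, chains = [], {}, []
    for ev in sorted(events, key=lambda e: e["ts"]):
        stage = classify(ev)
        if stage:
            alerts.append((ev["ts"], ev["uid"], stage))
            stages = seen.setdefault(ev["uid"], set())
            if stage == "preload_su" and "log_write" in stages and ev["uid"] not in chains:
                chains.append(ev["uid"])
            stages.add(stage)
    return alerts, chains

# Constructed sample events in a hypothetical schema (not a real Solaris audit format).
SAMPLE = [
    {"ts": 1, "uid": 100, "type": "file_create", "path": "/tmp/getuid.so"},
    {"ts": 2, "uid": 100, "type": "exec",
     "argv": ["/usr/bin/xscreensaver", "-display", ":1", "-log", "/usr/lib/secure/getuid.so"]},
    {"ts": 3, "uid": 100, "type": "file_create", "path": "/usr/lib/secure/getuid.so"},
    {"ts": 4, "uid": 100, "type": "exec", "argv": ["su", "-"],
     "env": {"LD_PRELOAD": "/usr/lib/secure/getuid.so"}},
    {"ts": 5, "uid": 101, "type": "exec", "argv": ["xscreensaver", "-log", "/var/tmp/xs.log"]},
]

if __name__ == "__main__":
    print(detect(SAMPLE))
```

Single-stage hits are worth an alert on their own; the `chains` list is the higher-confidence signal because it requires the log write and the preloaded `su` from the same user in order.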

CVSS provenance

Source     Version  Score  Severity  Vector
nvd        v3.1     8.8    HIGH      CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:C/C:H/I:H/A:H
nvd        v2.0     4.6    MEDIUM    AV:L/AC:L/Au:N/C:P/I:P/A:P
vulncheck           8.8    HIGH
cisa                8.8    HIGH