CVE-1999-0786
Description
Solaris dynamic linker allows local users to create arbitrary files via LD_PROFILE and symlink attacks.
AI Insight
LLM-synthesized narrative grounded in this CVE's description and references.
Vulnerability
The dynamic linker in Solaris versions 2.6 and 2.5.1 is vulnerable to arbitrary file creation when a setuid application is profiled. If the LD_PROFILE environment variable is set, the linker creates a profiling buffer file, typically in /var/tmp. The vulnerability arises because the linker follows symbolic links when creating this buffer file, allowing an attacker to control its location and name [1]. This issue is related to Sun BugIDs 4150646 and 1241843.
Exploitation
A local user can exploit this vulnerability by creating a symbolic link in /var/tmp that points to a file they wish to create, such as /.rhosts. They then set the LD_PROFILE environment variable to a shared object name (e.g., /usr/bin/ps) and execute a setuid program that uses the dynamic linker. When the linker creates its .profile buffer file, it follows the symbolic link, so the file is created at the symlink's target location [1]. The provided exploit script demonstrates creating /.rhosts and then attempting to gain root access via rsh.
Impact
Successful exploitation allows a local user to create arbitrary files on the system. While the vulnerability cannot be used to overwrite existing files, the ability to create files like /.rhosts can lead to privilege escalation, potentially granting the attacker root access to the system [1].
Mitigation
This vulnerability was fixed in Solaris 2.5.1 and 2.6. The specific fixed versions and release dates are not detailed in the available references. Users should ensure they are running patched versions of Solaris. No workarounds are mentioned in the available references.
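The file-creation flaw described above, shown next to a hardened form, as an added example that is not Sun's fix and not code from the cited reference. The function names, the `ps.profile` file name and the private temporary directory are constructed for illustration, and a POSIX system that supports `O_NOFOLLOW` is assumed.

```c
#ifndef _XOPEN_SOURCE
#define _XOPEN_SOURCE 700          /* mkdtemp, symlink, O_NOFOLLOW */
#endif
#include <fcntl.h>
#include <stdio.h>
#include <stdlib.h>
#include <sys/stat.h>
#include <unistd.h>

/* Pattern the description implies: O_CREAT alone follows a symlink at path. */
static int create_buffer_unsafe(const char *path) {
    return open(path, O_RDWR | O_CREAT, 0600);
}

/* Hardened: O_EXCL refuses any existing name (a dangling symlink included),
 * O_NOFOLLOW refuses a symlink outright, fstat checks what was opened. */
static int create_buffer_safe(const char *path) {
    struct stat st;
    int fd = open(path, O_RDWR | O_CREAT | O_EXCL | O_NOFOLLOW, 0600);
    if (fd < 0) return -1;
    if (fstat(fd, &st) != 0 || !S_ISREG(st.st_mode) ||
        st.st_nlink != 1 || st.st_uid != geteuid()) {
        close(fd);
        return -1;
    }
    return fd;
}

/* Constructed scenario in a private temp dir: "ps.profile" is a symlink to a
 * not-yet-existing "target". Returns 1 if target got created, 0 if not. */
static int target_created_by(int (*creator)(const char *)) {
    char dir[] = "/tmp/ldprof-demo-XXXXXX", link_path[64], target[64];
    struct stat st;
    if (mkdtemp(dir) == NULL) return -1;
    snprintf(link_path, sizeof link_path, "%s/ps.profile", dir);
    snprintf(target, sizeof target, "%s/target", dir);
    if (symlink(target, link_path) != 0) { rmdir(dir); return -1; }
    int fd = creator(link_path);
    if (fd >= 0) close(fd);
    int created = (stat(target, &st) == 0);
    unlink(target); unlink(link_path); rmdir(dir);
    return created;
}

int main(void) {
    printf("unsafe: target created = %d\n", target_created_by(create_buffer_unsafe));
    printf("safe:   target created = %d\n", target_created_by(create_buffer_safe));
    return 0;
}
```

A privileged process that must write into a shared directory such as /var/tmp should also consider dropping to the real user's credentials before the open, so that the kernel's own permission checks apply to the path.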
AI Insight generated on Jun 4, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.
Affected products
- cpe:2.3:o:sun:solaris:2.4:*:x86:*:*:*:*:*
- cpe:2.3:o:sun:solaris:2.5.1:*:x86:*:*:*:*:*
- cpe:2.3:o:sun:solaris:2.5:*:x86:*:*:*:*:*
- cpe:2.3:o:sun:solaris:2.6:*:*:*:*:*:*:*
- (no CPE)
- cpe:2.3:o:sun:sunos:-:*:*:*:*:*:*:*
- cpe:2.3:o:sun:sunos:5.4:*:*:*:*:*:*:*
- cpe:2.3:o:sun:sunos:5.5:*:*:*:*:*:*:*
- cpe:2.3:o:sun:sunos:5.5.1:*:*:*:*:*:*:*
Patches
No patches discovered yet.
Vulnerability mechanics
No source-code context for this CVE — mechanics is only generated when we can read the actual fix diff. Without that, the four sections (root cause, attack vector, affected code, fix) would be speculation rather than analysis.
References