CVE-2010-1183
Oracle Solaris - Arbitrary File Write via Symlink Attack on /tmp/CLEANUP
Exploitation Summary
EIP tracks 3 public exploits for CVE-2010-1183. PoCs published by Larry W. Cashdollar, Larry Cashdollar.
Description
Certain patch-installation scripts in Oracle Solaris allow local users to append data to arbitrary files via a symlink attack on the /tmp/CLEANUP temporary file, related to use of Update Manager.
Exploits (3)
This exploit leverages a symbolic-link attack in Sun Connection Update Manager for Solaris to overwrite arbitrary files, leading to privilege escalation. It compiles a setuid root shell and waits for the vulnerable process to execute it during patching.
This exploit leverages a local privilege escalation vulnerability in Solaris Recommended Patch Cluster 6/19 on x86 systems. It abuses a script execution flaw in the patch installation process to execute arbitrary commands as root by writing to /tmp/diskette_rc.d/rcs9.sh.
This exploit targets a race condition in Solaris 10 Patch 137097-01 by symlinking a predictable file path to /etc/passwd, allowing local privilege escalation. The script monitors for the 'inetd-upgrade' process and creates a symlink to overwrite the passwd file.