Vigil@nce: Solaris, privileges elevation via crontab
June 2008 by Vigil@nce
A local attacker can inject commands in the cron of other users.
– Gravity: 2/4
– Consequences: administrator access/rights, privileged
– access/rights, user access/rights
– Provenance: user shell
– Means of attack: no proof of concept, no attack
– Ability of attacker: expert (4/4)
– Confidence: confirmed by the editor (5/5)
– Diffusion of the vulnerable configuration: high (3/3)
– Creation date: 02/06/2008
– Identifier: VIGILANCE-VUL-7866
IMPACTED PRODUCTS
– OpenSolaris [confidential versions]
– Sun Solaris [confidential versions]
– Sun Trusted Solaris [confidential versions]
DESCRIPTION
The crontab utility is used by each user to alter the content of
his planned tasks.
However, during the usage of crontab, an attacker can use a race
to inject commands in user’s cron.
A local attacker can thus execute code with rights of crontab
users.
CHARACTERISTICS
– Identifiers: 237864, 6620661, VIGILANCE-VUL-7866
– Url: https://vigilance.aql.fr/tree/1/7866