Vigil@nce: Solaris, privilege elevation via nscd
December 2008 by Vigil@nce
SYNTHESIS
A local attacker can obtain information on passwords or elevate
his privileges via nscd.
Gravity: 2/4
Consequences: administrator access/rights, data reading
Provenance: user shell
Means of attack: no proof of concept, no attack
Ability of attacker: expert (4/4)
Confidence: confirmed by the editor (5/5)
Diffusion of the vulnerable configuration: high (3/3)
Creation date: 19/12/2008
IMPACTED PRODUCTS
– OpenSolaris
– Sun Solaris
DESCRIPTION
The nscd daemon (Name Service Cache Daemon) caches entries from the
passwd, group, hosts and other name service databases.
The /etc/nsswitch.conf file indicates the source to use for each
database:
– files: local files
– nis/nisplus: NIS
– compat (for passwd/group): local files, but if an entry contains
+/- the lookup uses NIS or LDAP (the choice depends on
passwd/group_compat)
– etc.
However, if the /etc/nsswitch.conf file contains "compat" for the
"passwd" database, the try_local2() function of
usr/src/cmd/nscd/nscd_switch.c returns true. The "shadow" database
is then associated with the wrong source.
A local attacker can therefore read information stored in another
database via getspname(), or authenticate if he knows the
password.
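As an added, defender-side example (not part of the bulletin), a POSIX sh check that parses an nsswitch.conf and reports whether the passwd database is routed through "compat", the precondition described above; the two sample configurations are constructed for the demonstration.

```shell
#!/bin/sh
# Added example: audit an nsswitch.conf for the "passwd: compat" setting
# that this bulletin describes as the trigger for the nscd shadow-source bug.

# Print the source list configured for database $1 in nsswitch.conf $2,
# with comments stripped and whitespace normalised. Prints nothing when
# the database is not configured in that file.
nsswitch_sources() {
    awk -v db="$1" '
        { sub(/#.*/, "") }                       # drop trailing comments
        $0 ~ "^[ \t]*" db "[ \t]*:" {
            sub("^[ \t]*" db "[ \t]*:[ \t]*", "")  # keep only the sources
            gsub(/[ \t]+/, " "); sub(/ $/, "")
            print; exit
        }
    ' "$2"
}

# Return 0 when "compat" is one of the passwd sources (the configuration
# the bulletin warns about), 1 otherwise. Tokens such as [NOTFOUND=return]
# are compared whole, so only an exact "compat" source matches.
passwd_uses_compat() {
    for src in $(nsswitch_sources passwd "$1"); do
        [ "$src" = "compat" ] && return 0
    done
    return 1
}

# Constructed sample configurations (not taken from any real host).
VULN_CONF="${TMPDIR:-/tmp}/nsswitch_compat.$$"
SAFE_CONF="${TMPDIR:-/tmp}/nsswitch_files.$$"
trap 'rm -f "$VULN_CONF" "$SAFE_CONF"' EXIT
cat > "$VULN_CONF" <<'EOF'
# compat: local files, +/- entries resolved through NIS or LDAP
passwd:     compat      # matches the bulletin's precondition
group:      compat
shadow:     files
hosts:      files dns
EOF
cat > "$SAFE_CONF" <<'EOF'
passwd:     files nis
group:      files nis
hosts:      files dns
EOF

check_conf() {
    if passwd_uses_compat "$1"; then
        echo "$1: passwd uses compat -> review nscd patch level"
    else
        echo "$1: passwd sources '$(nsswitch_sources passwd "$1")' -> not in the affected configuration"
    fi
}
check_conf "$VULN_CONF"
check_conf "$SAFE_CONF"
```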
CHARACTERISTICS
Identifiers: 242006, 6740382, BID-32921, CVE-2008-5699,
VIGILANCE-VUL-8347