Title: Sun SMCBoot Insecure Temporary File Creation Directory Destruction Vulnerability
Severity: MODERATE
Description:
The Sun Management Center (SMC) is an integrated system management software package distributed by Sun. It is packaged with recent releases of the Solaris 8 operating system.
A problem in SMC makes it possible for a user with access to the local system to destroy system files. The problem is in the insecure creation of temporary files.
The smcboot program is started during the init level 2 phase of system boot. In a default installation, it is started after the inet services: the inet services are started by the S72inetsvc file in the /etc/rc2.d directory, and smcboot is started by the S90WBEM file in /etc/rc2.d.
The script that starts smcboot does not perform adequate checks before attempting to create a directory in /tmp. The directory stores information for SMC and is named smc$PORT, where PORT is the TCP port the server listens on (898 in a default installation). The script does not check whether an smc$PORT entry already exists. It is possible to create a symbolic link named smc$PORT that points to an arbitrary directory. Because the smcboot program runs as root, this could result in the overwriting or destruction of files at the target of the symbolic link.
This problem makes it possible for a remote user to destroy root-owned files, and could lead to a denial of service.
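The missing existence check can be shown in a few lines of shell. This is an added example, not Sun's S90WBEM script or code from the advisory; the function names, the boot.lock file name and the base-directory argument are assumptions made for illustration.

```shell
#!/bin/sh
# Added illustration of the pattern described above. Not Sun's script:
# function names and the boot.lock file are hypothetical.

# Unsafe pattern: "-d" follows symbolic links, so an existing link named
# smc$PORT that points at a directory passes the test, and every later
# write lands in the link's target.
unsafe_state_dir() {
    dir="$1/smc$2"
    [ -d "$dir" ] || mkdir "$dir" || return 1
    : > "$dir/boot.lock"          # written through the link if $dir is one
    printf '%s\n' "$dir"
}

# Hardened pattern: mkdir without -p is atomic and fails on any existing
# name, including a symbolic link (dangling or not). Any pre-existing
# entry is treated as untrusted and the function fails closed.
safe_state_dir() {
    dir="$1/smc$2"
    # Diagnostic only; the mkdir below is the actual guard.
    if [ -L "$dir" ]; then
        echo "refusing: $dir is a symbolic link" >&2
        return 2
    fi
    # umask 077 in a subshell: the directory is created root-only (0700).
    if ! (umask 077 && mkdir "$dir") 2>/dev/null; then
        echo "refusing: $dir already exists or cannot be created" >&2
        return 3
    fi
    : > "$dir/boot.lock"
    printf '%s\n' "$dir"
}
```

A boot script that runs as root is better served by a state directory that unprivileged users cannot write to; where /tmp is unavoidable, failing closed on any pre-existing name is the safe behaviour.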
Affected Products:
- Sun SMC 2.0.0
- Sun Solaris 8
- Sun Solaris 8_x86
References:
- SecuriTeam: Local DoS in Solaris 8 (smcboot)
- Sun Microsystems: Security Patch Downloads