CVE-2017-3622 - Unspecified vulnerability in Oracle Solaris 10
Summary
Vulnerability in the Solaris component of Oracle Sun Systems Products Suite (subcomponent: Common Desktop Environment (CDE)). The supported version that is affected is 10. This easily exploitable vulnerability allows a low-privileged attacker with logon to the infrastructure where Solaris executes to compromise Solaris. Successful attacks of this vulnerability can result in takeover of Solaris. Note: CVE-2017-3622 is assigned for "Extremeparr". CVSS 3.0 Base Score 7.8 (Confidentiality, Integrity and Availability impacts). CVSS Vector: (CVSS:3.0/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H).
Vulnerable Configurations
Part | Description | Count |
---|---|---|
OS | 1 |
Exploit-Db
description | Solaris - 'EXTREMEPARR' dtappgather Privilege Escalation (Metasploit). CVE-2017-3622. Local exploit for Solaris platform. Tags: Local |
file | exploits/solaris/local/45479.rb |
id | EDB-ID:45479 |
last seen | 2018-10-07 |
modified | 2018-09-25 |
platform | solaris |
port | |
published | 2018-09-25 |
reporter | Exploit-DB |
source | https://www.exploit-db.com/download/45479/ |
title | Solaris - 'EXTREMEPARR' dtappgather Privilege Escalation (Metasploit) |
type | local |
Metasploit
description | This module exploits a directory traversal vulnerability in the `dtappgather` executable included with Common Desktop Environment (CDE) on unpatched Solaris systems prior to Solaris 10u11 which allows users to gain root privileges. dtappgather allows users to create a user-owned directory at any location on the filesystem using the `DTUSERSESSION` environment variable. This module creates a directory in `/usr/lib/locale`, writes a shared object to the directory, and runs the specified SUID binary with the shared object loaded using the `LC_TIME` environment variable. This module has been tested successfully on: Solaris 9u7 (09/04) (x86); Solaris 10u1 (01/06) (x86); Solaris 10u2 (06/06) (x86); Solaris 10u4 (08/07) (x86); Solaris 10u8 (10/09) (x86); Solaris 10u9 (09/10) (x86). |
id | MSF:EXPLOIT/SOLARIS/LOCAL/EXTREMEPARR_DTAPPGATHER_PRIV_ESC |
last seen | 2020-05-28 |
modified | 2019-01-10 |
published | 2018-09-18 |
references | |
reporter | Rapid7 |
source | https://github.com/rapid7/metasploit-framework/blob/master//modules/exploits/solaris/local/extremeparr_dtappgather_priv_esc.rb |
title | Solaris 'EXTREMEPARR' dtappgather Privilege Escalation |
Nessus
NASL family | Solaris Local Security Checks |
NASL id | SOLARIS10_152649.NASL |
description | The remote Solaris host is missing patch number 152649-02. It is, therefore, affected by a local privilege escalation vulnerability in the dtappgather binary due to improper handling of user-supplied arguments. A local attacker can exploit this, via a specially crafted command, to manipulate file permissions and create a user-owned directory anywhere on the system with root privileges. The attacker can then add shared objects to the folder and run setuid binaries with a library file, resulting in root privileges. EXTREMEPARR is one of multiple Equation Group vulnerabilities and exploits disclosed on 2017/04/08 by a group known as the Shadow Brokers. |
last seen | 2020-06-01 |
modified | 2020-06-02 |
plugin id | 99756 |
published | 2017-05-01 |
reporter | This script is Copyright (C) 2017-2019 and is owned by Tenable, Inc. or an Affiliate thereof. |
source | https://www.tenable.com/plugins/nessus/99756 |
title | Solaris 10 (sparc) : 152649-02 : dtappgather Arbitrary Directory Creation Local Privilege Escalation (EXTREMEPARR) |
code |

```
#
# (C) Tenable Network Security, Inc.
#

include("compat.inc");

if (description)
{
  script_id(99756);
  script_version("3.6");
  script_cvs_date("Date: 2019/04/10 16:10:18");

  script_cve_id("CVE-2017-3622");
  script_bugtraq_id(97774);
  script_xref(name:"EDB-ID", value:"41871");

  script_name(english:"Solaris 10 (sparc) : 152649-02 : dtappgather Arbitrary Directory Creation Local Privilege Escalation (EXTREMEPARR)");
  script_summary(english:"Check for patch 152649-02.");

  script_set_attribute(attribute:"synopsis", value:
"The remote host is missing Sun Security Patch number 152649-02.");
  script_set_attribute(attribute:"description", value:
"The remote Solaris host is missing patch number 152649-02. It is, therefore, affected by a local privilege escalation vulnerability in the dtappgather binary due to improper handling of user-supplied arguments.
A local attacker can exploit this, via a specially crafted command, to manipulate file permissions and create a user-owned directory anywhere on the system with root privileges. The attacker can then add shared objects to the folder and run setuid binaries with a library file, resulting in root privileges. EXTREMEPARR is one of multiple Equation Group vulnerabilities and exploits disclosed on 2017/04/08 by a group known as the Shadow Brokers.");
  script_set_attribute(attribute:"see_also", value:"https://getupdates.oracle.com/readme/152649-02");
  # https://threatpost.com/record-oracle-patch-update-addresses-shadowbrokers-struts-2-vulnerabilities/125046/
  script_set_attribute(attribute:"see_also", value:"http://www.nessus.org/u?1b55ae27");
  # https://packetstormsecurity.com/files/142120/Solaris-x86-SPARC-EXTREMEPARR-dtappgather-Privilege-Escalation.html
  script_set_attribute(attribute:"see_also", value:"http://www.nessus.org/u?32212782");
  script_set_attribute(attribute:"solution", value:
"You should install patch 152649-02 for your system to be up-to-date.");
  script_set_cvss_base_vector("CVSS2#AV:L/AC:L/Au:N/C:C/I:C/A:C");
  script_set_cvss_temporal_vector("CVSS2#E:F/RL:OF/RC:C");
  script_set_cvss3_base_vector("CVSS:3.0/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H");
  script_set_cvss3_temporal_vector("CVSS:3.0/E:F/RL:O/RC:C");
  script_set_attribute(attribute:"exploitability_ease", value:"Exploits are available");
  script_set_attribute(attribute:"exploit_available", value:"true");
  script_set_attribute(attribute:"metasploit_name", value:'Solaris "EXTREMEPARR" dtappgather Privilege Escalation');
  script_set_attribute(attribute:"exploit_framework_metasploit", value:"true");

  script_set_attribute(attribute:"plugin_type", value:"local");
  script_set_attribute(attribute:"cpe", value:"cpe:/o:sun:solaris");

  script_set_attribute(attribute:"vuln_publication_date", value:"2017/04/08");
  script_set_attribute(attribute:"patch_publication_date", value:"2017/04/29");
  script_set_attribute(attribute:"plugin_publication_date", value:"2017/05/01");
  script_set_attribute(attribute:"in_the_news", value:"true");

  script_end_attributes();

  script_category(ACT_GATHER_INFO);
  script_copyright(english:"This script is Copyright (C) 2017-2019 and is owned by Tenable, Inc. or an Affiliate thereof.");
  script_family(english:"Solaris Local Security Checks");

  script_dependencies("ssh_get_info.nasl");
  script_require_keys("Host/local_checks_enabled", "Host/Solaris/showrev");

  exit(0);
}

include("audit.inc");
include("global_settings.inc");
include("solaris.inc");

if (!get_kb_item("Host/local_checks_enabled")) audit(AUDIT_LOCAL_CHECKS_NOT_ENABLED);

if (solaris_check_patch(release:"5.10", arch:"sparc", patch:"152649-02", obsoleted_by:"", package:"SUNWdtdte", version:"1.6,REV=10.2004.12.17") < 0) flag++;

if (flag)
{
  if (report_verbosity > 0)
    security_hole(port:0, extra:solaris_get_report());
  else
    security_hole(0);
  exit(0);
}
audit(AUDIT_HOST_NOT, "affected");
```

NASL family | Solaris Local Security Checks |
NASL id | SOLARIS10_X86_152650.NASL |
description | The remote Solaris host is missing patch number 152650-02. It is, therefore, affected by a local privilege escalation vulnerability in the dtappgather binary due to improper handling of user-supplied arguments. A local attacker can exploit this, via a specially crafted command, to manipulate file permissions and create a user-owned directory anywhere on the system with root privileges. The attacker can then add shared objects to the folder and run setuid binaries with a library file, resulting in root privileges. EXTREMEPARR is one of multiple Equation Group vulnerabilities and exploits disclosed on 2017/04/08 by a group known as the Shadow Brokers. |
last seen | 2020-06-01 |
modified | 2020-06-02 |
plugin id | 99757 |
published | 2017-05-01 |
reporter | This script is Copyright (C) 2017-2019 and is owned by Tenable, Inc. or an Affiliate thereof. |
source | https://www.tenable.com/plugins/nessus/99757 |
title | Solaris 10 (x86) : 152650-02 : dtappgather Arbitrary Directory Creation Local Privilege Escalation (EXTREMEPARR) |
Packetstorm
data source | https://packetstormsecurity.com/files/download/149509/extremeparr_dtappgather_priv_esc.rb.txt |
id | PACKETSTORM:149509 |
last seen | 2018-09-25 |
published | 2018-09-25 |
reporter | Brendan Coles |
source | https://packetstormsecurity.com/files/149509/Solaris-EXTREMEPARR-dtappgather-Privilege-Escalation.html |
title | Solaris EXTREMEPARR dtappgather Privilege Escalation |
References
- http://www.oracle.com/technetwork/security-advisory/cpuapr2017-3236618.html
- http://www.securityfocus.com/bid/97774
- http://www.securitytracker.com/id/1038292
- https://www.exploit-db.com/exploits/45479/