CVE-2017-3622 - Local Privilege Escalation vulnerability in Oracle Solaris 10

CVSS 7.2 - HIGH
Attack vector: LOCAL
Attack complexity: LOW
Privileges required: NONE
Confidentiality impact: COMPLETE
Integrity impact: COMPLETE
Availability impact: COMPLETE
Tags: local, low complexity, oracle, nessus, exploit available, metasploit

Summary

Vulnerability in the Solaris component of Oracle Sun Systems Products Suite (subcomponent: Common Desktop Environment (CDE)). The supported version that is affected is 10. Easily "exploitable" vulnerability allows low privileged attacker with logon to the infrastructure where Solaris executes to compromise Solaris. Successful attacks of this vulnerability can result in takeover of Solaris. Note: CVE-2017-3622 is assigned for the "Extremeparr". CVSS 3.0 Base Score 7.8 (Confidentiality, Integrity and Availability impacts). CVSS Vector: (CVSS:3.0/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H).

Vulnerable Configurations

Part  Description  Count
OS    Oracle       1

Exploit-Db

description: Solaris - 'EXTREMEPARR' dtappgather Privilege Escalation (Metasploit). CVE-2017-3622. Local exploit for Solaris platform. Tags: Local
file: exploits/solaris/local/45479.rb
id: EDB-ID:45479
last seen: 2018-10-07
modified: 2018-09-25
platform: solaris
port:
published: 2018-09-25
reporter: Exploit-DB
source: https://www.exploit-db.com/download/45479/
title: Solaris - 'EXTREMEPARR' dtappgather Privilege Escalation (Metasploit)
type: local

Metasploit

description: This module exploits a directory traversal vulnerability in the `dtappgather` executable included with Common Desktop Environment (CDE) on unpatched Solaris systems prior to Solaris 10u11 which allows users to gain root privileges. dtappgather allows users to create a user-owned directory at any location on the filesystem using the `DTUSERSESSION` environment variable. This module creates a directory in `/usr/lib/locale`, writes a shared object to the directory, and runs the specified SUID binary with the shared object loaded using the `LC_TIME` environment variable. This module has been tested successfully on: Solaris 9u7 (09/04) (x86); Solaris 10u1 (01/06) (x86); Solaris 10u2 (06/06) (x86); Solaris 10u4 (08/07) (x86); Solaris 10u8 (10/09) (x86); Solaris 10u9 (09/10) (x86).
id: MSF:EXPLOIT/SOLARIS/LOCAL/EXTREMEPARR_DTAPPGATHER_PRIV_ESC
last seen: 2020-05-28
modified: 2019-01-10
published: 2018-09-18
references:
reporter: Rapid7
source: https://github.com/rapid7/metasploit-framework/blob/master//modules/exploits/solaris/local/extremeparr_dtappgather_priv_esc.rb
title: Solaris 'EXTREMEPARR' dtappgather Privilege Escalation

Nessus

  • NASL family: Solaris Local Security Checks
    NASL id: SOLARIS10_152649.NASL
    description: The remote Solaris host is missing patch number 152649-02. It is, therefore, affected by a local privilege escalation vulnerability in the dtappgather binary due to improper handling of user-supplied arguments. A local attacker can exploit this, via a specially crafted command, to manipulate file permissions and create a user-owned directory anywhere on the system with root privileges. The attacker can then add shared objects to the folder and run setuid binaries with a library file, resulting in root privileges. EXTREMEPARR is one of multiple Equation Group vulnerabilities and exploits disclosed on 2017/04/08 by a group known as the Shadow Brokers.
    last seen: 2020-06-01
    modified: 2020-06-02
    plugin id: 99756
    published: 2017-05-01
    reporter: This script is Copyright (C) 2017-2019 and is owned by Tenable, Inc. or an Affiliate thereof.
    source: https://www.tenable.com/plugins/nessus/99756
    title: Solaris 10 (sparc) : 152649-02 : dtappgather Arbitrary Directory Creation Local Privilege Escalation (EXTREMEPARR)
    code:
    #
    # (C) Tenable Network Security, Inc.
    #
    
    include("compat.inc");
    
    if (description)
    {
      script_id(99756);
      script_version("3.6");
      script_cvs_date("Date: 2019/04/10 16:10:18");
    
      script_cve_id("CVE-2017-3622");
      script_bugtraq_id(97774);
      script_xref(name:"EDB-ID", value:"41871");
    
      script_name(english:"Solaris 10 (sparc) : 152649-02 : dtappgather Arbitrary Directory Creation Local Privilege Escalation (EXTREMEPARR)");
      script_summary(english:"Check for patch 152649-02.");
    
      script_set_attribute(attribute:"synopsis", value:
    "The remote host is missing Sun Security Patch number 152649-02.");
      script_set_attribute(attribute:"description", value:
    "The remote Solaris host is missing patch number 152649-02. It is,
    therefore, affected by a local privilege escalation vulnerability in
    the dtappgather binary due to improper handling of user-supplied
    arguments. A local attacker can exploit this, via a specially crafted
    command, to manipulate file permissions and create a user-owned
    directory anywhere on the system with root privileges. The attacker
    can then add shared objects to the folder and run setuid binaries with
    a library file, resulting in root privileges.
    
    EXTREMEPARR is one of multiple Equation Group vulnerabilities and
    exploits disclosed on 2017/04/08 by a group known as the Shadow
    Brokers.");
      script_set_attribute(attribute:"see_also", value:"https://getupdates.oracle.com/readme/152649-02");
      # https://threatpost.com/record-oracle-patch-update-addresses-shadowbrokers-struts-2-vulnerabilities/125046/
      script_set_attribute(attribute:"see_also", value:"http://www.nessus.org/u?1b55ae27");
      # https://packetstormsecurity.com/files/142120/Solaris-x86-SPARC-EXTREMEPARR-dtappgather-Privilege-Escalation.html
      script_set_attribute(attribute:"see_also", value:"http://www.nessus.org/u?32212782");
      script_set_attribute(attribute:"solution", value:
    "You should install patch 152649-02 for your system to be up-to-date.");
      script_set_cvss_base_vector("CVSS2#AV:L/AC:L/Au:N/C:C/I:C/A:C");
      script_set_cvss_temporal_vector("CVSS2#E:F/RL:OF/RC:C");
      script_set_cvss3_base_vector("CVSS:3.0/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H");
      script_set_cvss3_temporal_vector("CVSS:3.0/E:F/RL:O/RC:C");
      script_set_attribute(attribute:"exploitability_ease", value:"Exploits are available");
      script_set_attribute(attribute:"exploit_available", value:"true");
      script_set_attribute(attribute:"metasploit_name", value:'Solaris "EXTREMEPARR" dtappgather Privilege Escalation');
      script_set_attribute(attribute:"exploit_framework_metasploit", value:"true");
    
      script_set_attribute(attribute:"plugin_type", value:"local");
      script_set_attribute(attribute:"cpe", value:"cpe:/o:sun:solaris");
    
      script_set_attribute(attribute:"vuln_publication_date", value:"2017/04/08");
      script_set_attribute(attribute:"patch_publication_date", value:"2017/04/29");
      script_set_attribute(attribute:"plugin_publication_date", value:"2017/05/01");
      script_set_attribute(attribute:"in_the_news", value:"true");
      script_end_attributes();
    
      script_category(ACT_GATHER_INFO);
      script_copyright(english:"This script is Copyright (C) 2017-2019 and is owned by Tenable, Inc. or an Affiliate thereof.");
      script_family(english:"Solaris Local Security Checks");
    
      script_dependencies("ssh_get_info.nasl");
      script_require_keys("Host/local_checks_enabled", "Host/Solaris/showrev");
    
      exit(0);
    }
    
    
    include("audit.inc");
    include("global_settings.inc");
    include("solaris.inc");
    
    if (!get_kb_item("Host/local_checks_enabled")) audit(AUDIT_LOCAL_CHECKS_NOT_ENABLED);
    
    if (solaris_check_patch(release:"5.10", arch:"sparc", patch:"152649-02", obsoleted_by:"", package:"SUNWdtdte", version:"1.6,REV=10.2004.12.17") < 0) flag++;
    
    if (flag)
    {
      if (report_verbosity > 0) security_hole(port:0, extra:solaris_get_report());
      else security_hole(0);
      exit(0);
    }
    audit(AUDIT_HOST_NOT, "affected");
    
  • NASL family: Solaris Local Security Checks
    NASL id: SOLARIS10_X86_152650.NASL
    description: The remote Solaris host is missing patch number 152650-02. It is, therefore, affected by a local privilege escalation vulnerability in the dtappgather binary due to improper handling of user-supplied arguments. A local attacker can exploit this, via a specially crafted command, to manipulate file permissions and create a user-owned directory anywhere on the system with root privileges. The attacker can then add shared objects to the folder and run setuid binaries with a library file, resulting in root privileges. EXTREMEPARR is one of multiple Equation Group vulnerabilities and exploits disclosed on 2017/04/08 by a group known as the Shadow Brokers.
    last seen: 2020-06-01
    modified: 2020-06-02
    plugin id: 99757
    published: 2017-05-01
    reporter: This script is Copyright (C) 2017-2019 and is owned by Tenable, Inc. or an Affiliate thereof.
    source: https://www.tenable.com/plugins/nessus/99757
    title: Solaris 10 (x86) : 152650-02 : dtappgather Arbitrary Directory Creation Local Privilege Escalation (EXTREMEPARR)

Packetstorm

data source: https://packetstormsecurity.com/files/download/149509/extremeparr_dtappgather_priv_esc.rb.txt
id: PACKETSTORM:149509
last seen: 2018-09-25
published: 2018-09-25
reporter: Brendan Coles
source: https://packetstormsecurity.com/files/149509/Solaris-EXTREMEPARR-dtappgather-Privilege-Escalation.html
title: Solaris EXTREMEPARR dtappgather Privilege Escalation