vulnerability alert CVE-2009-2430

Solaris: privilege elevation via auditconfig

Synthesis of the vulnerability

A local attacker with an RBAC execution profile can use auditconfig to elevate his privileges.
Severity: 1/4.
Creation date: 26/06/2009.

Description of the vulnerability

A user with the "Audit Control" RBAC profile is allowed to run the /usr/sbin/auditconfig command. This command is used to read and set audit parameters of the kernel.

The "-setasid", "-setaudit" and "-setauid" arguments of auditconfig execute commands with an indicated session-ID, term-ID or audit-ID.

However, the execit() function of the usr/src/cmd/auditconfig/auditconfig.c file uses the SHELL environment variable to launch the command. A local attacker can therefore change this environment variable to force auditconfig to execute a command of his choosing.

A local attacker with an RBAC execution profile can thus use auditconfig to elevate his privileges.

Characteristics

Title: Solaris: privilege elevation via auditconfig.
Keywords: Audit Control RBAC SHELL Solaris audit-ID auditconfig elevation privilege session-ID term-ID.
Identifiers: 262088, 6414737, BID-35501, CVE-2009-2430, VIGILANCE-VUL-8826.

Information sources

Publications and announcements
Source example: Security Vulnerability in the Solaris auditconfig(3M) Command May Allow Users With an Associated RBAC Profile to Gain Elevated Privileges

This bulletin is published by the Vigil@nce team, which tracks computer vulnerabilities impacting systems and applications.
France Télécom Copyright 1999-2010 Vigil@nce. Vigil@nce is a service from Orange Business Services.