{"vuid":"VU#464817","idnumber":"464817","name":"Sun Solaris aspppls(1M) vulnerable to arbitrary file overwriting via symlink redirection of temporary file","keywords":["Sun","Solaris","aspppls(1M)","/tmp","tmp","temporary file","symlink","symbolic link"],"overview":"Sun Solaris aspppls(1M) creates temporary files insecurely, leading to possible local root compromise.","clean_desc":"Sun Microsystems describes the function of aspppls(1M) as follows: aspppd is the link manager for the asynchronous data link protocol specified in RFC1331, The Point-to-Point Protocol (PPP) for the Transmission of Multi-protocol Datagrams over Point-to-Point Links. It is a user level daemon that works in concert with the IP-Dialup driver (ipdcm) and PPP streams module (ppp(7M)) to provide IP network services over an analog modem using dialed voice grade telephone lines. The link manager automates the process of connecting to a peer (remote) host when PPP service with that host is required. The connection process can be initiated either by sending an IP datagram to a (disconnected) peer host or by receiving a notification that a peer host desires to establish a connection. aspppls is the login service that connects the peer host machine to aspppd. aspppls is invoked by the serial port monitor when a peer machine logs into a PPP-enabled account. Its purpose is to cause the link manager to accept the incoming call. 
A flaw in aspppls(1M) allows a local attacker to overwrite or create any file on a Solaris 8 host.","impact":"A local attacker may be able to elevate his or her privileges.","resolution":"Apply a patch.","workarounds":"The following workaround is taken from Sun Alert ID: 46903. If asynchronous PPP is not being used at the customer site, the setuid permissions on the aspppls(1M) binary could be removed via the following command run as root: # chmod u-s /usr/sbin/aspppls The asynchronous PPP packages could also be removed if asynchronous PPP is not being used via the following command run as root: # pkgrm SUNWapppr SUNWpppdu","sysaffected":"","thanks":"Thanks to Sun Microsystems for creating the security bulletin upon which this document is based. Kevin Kotas of eSecurityOnline is credited with discovering this vulnerability.","author":"This document was written by Ian A Finlay.","public":["http://sunsolve.Sun.COM/pub-cgi/retrieve.pl?doc=fsalert%2F46903"],"cveids":[""],"certadvisory":"","uscerttechnicalalert":null,"datecreated":"2002-09-20T14:27:17Z","publicdate":"2002-09-09T00:00:00Z","datefirstpublished":"2002-09-27T15:45:00Z","dateupdated":"2003-04-15T13:59:32Z","revision":11,"vrda_d1_directreport":"","vrda_d1_population":"","vrda_d1_impact":"","cam_widelyknown":"15","cam_exploitation":"0","cam_internetinfrastructure":"5","cam_population":"5","cam_impact":"19","cam_easeofexploitation":"6","cam_attackeraccessrequired":"10","cam_scorecurrent":"2.1375","cam_scorecurrentwidelyknown":"2.671875","cam_scorecurrentwidelyknownexploited":"4.809375","ipprotocol":"","cvss_accessvector":"","cvss_accesscomplexity":"","cvss_authentication":null,"cvss_confidentialityimpact":"","cvss_integrityimpact":"","cvss_availabilityimpact":"","cvss_exploitablity":null,"cvss_remediationlevel":"","cvss_reportconfidence":"","cvss_collateraldamagepotential":"","cvss_targetdistribution":"","cvss_securityrequirementscr":"","cvss_securityrequirementsir":"","cvss_securityrequirementsar":"","cvss_basescore":"","cvss_basevector":"","cvss_temporalscore":"","cvss_environmentalscore":"","cvss_environmentalvector":"","metric":2.1375,"vulnote":null}