CVE-1999-1122

MEDIUM 4.6 / 10.0
Published: July 26, 1989 at 04:00 AM
Modified: April 3, 2025 at 01:03 AM
Source: cve@mitre.org

Vulnerability Description

Vulnerability in restore in SunOS 4.0.3 and earlier allows local users to gain privileges.

CVSS Metrics

Base Score: 4.6
Severity: MEDIUM
Vector String: AV:L/AC:L/Au:N/C:P/I:P/A:P

Weaknesses (CWE)

NVD-CWE-Other
Source: nvd@nist.gov

AI Security Analysis

01 // Technical Summary

SunOS 4.0.3 and earlier systems are vulnerable to a local privilege escalation via a flaw in the restore utility. This vulnerability allows attackers to gain root access by exploiting improper handling of file permissions during the restore process, potentially leading to complete system compromise and data exfiltration.

02 // Vulnerability Mechanism

Step 1: Malicious Backup Creation: The attacker crafts a malicious backup archive. This archive contains files with elevated permissions, such as a modified system binary (e.g., /bin/su) with the setuid bit set to root, or a new file with root ownership and permissions.

Step 2: Backup Upload/Access: The attacker places the malicious backup archive on the target system, or ensures it is accessible to the target system (e.g., via network share).

Step 3: Restore Execution: The attacker, with local access and potentially limited privileges, executes the restore command, specifying the malicious backup archive as the source. This typically requires the attacker to have some level of access to the system, or to trick an administrator into running the command.

Step 4: Permission Overwrite: The restore utility, due to the vulnerability, restores the files from the malicious backup, including the modified system binary or newly created files, with the attacker-specified permissions and ownership (root).

Step 5: Privilege Escalation: The attacker executes the modified system binary (e.g., /bin/su), which now has the setuid bit set, or interacts with the newly created files, gaining root privileges.

03 // Deep Technical Analysis

The vulnerability stems from a privilege escalation flaw within the restore utility in SunOS 4.0.3 and earlier. The restore utility, when invoked by a user with sufficient privileges, fails to properly sanitize or validate file permissions during the restoration of files from a backup. This allows a local user to craft a malicious backup archive containing files with elevated permissions (e.g., setuid root) and then use restore to overwrite existing system files. The root cause is a lack of input validation and improper handling of file ownership and permissions during the restore operation. The utility trusts the metadata within the backup archive without verifying its integrity, leading to the potential for arbitrary file creation and modification with elevated privileges.
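A defensive check for the metadata-trust problem described above, as an added example that is not part of the original page or of any SunOS tooling: it audits an archive's ownership and mode metadata before a restore and shows how a restoring process can drop setuid/setgid bits and archive-supplied ownership. It uses tar through Python's `tarfile` as a stand-in for the dump format (an assumption); the function names are hypothetical and the sample archive is constructed in memory.

```python
import copy
import io
import stat
import tarfile

def audit_member(member):
    """Return the reasons this member's archive metadata should not be trusted as-is."""
    reasons = []
    if member.mode & stat.S_ISUID:
        reasons.append(f"setuid, owner uid {member.uid}")
    if member.mode & stat.S_ISGID:
        reasons.append(f"setgid, group gid {member.gid}")
    if member.name.startswith("/") or ".." in member.name.split("/"):
        reasons.append("path escapes the restore directory")
    if member.isdev():
        reasons.append("device node")
    return reasons

def neutralise(member, uid, gid):
    """Copy of the member with special bits cleared and ownership set to the restoring user."""
    safe = copy.copy(member)
    safe.mode = member.mode & 0o777      # drops setuid, setgid and sticky bits
    safe.uid, safe.gid = uid, gid        # ignore ownership claimed by the archive
    safe.uname = safe.gname = ""         # extraction would otherwise prefer these names
    return safe

def audit_archive(data):
    """Map member name -> reasons for every suspicious member in a tar byte string."""
    with tarfile.open(fileobj=io.BytesIO(data)) as tar:
        return {m.name: r for m in tar.getmembers() if (r := audit_member(m))}

def build_sample():
    """Constructed sample: one ordinary file and one setuid-root entry, in memory only."""
    buf = io.BytesIO()
    with tarfile.open(fileobj=buf, mode="w") as tar:
        for name, mode, uid in (("home/user/notes.txt", 0o644, 1000),
                                ("bin/su", 0o4755, 0)):
            info = tarfile.TarInfo(name)
            info.mode, info.uid, info.gid, info.size = mode, uid, uid, 4
            tar.addfile(info, io.BytesIO(b"demo"))
    return buf.getvalue()

if __name__ == "__main__":
    for name, reasons in audit_archive(build_sample()).items():
        print(name, "->", "; ".join(reasons))
```
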
