CVE-1999-1318

Source: cve@mitre.org

HIGH
7.2
Published: September 17, 1993 at 04:00 AM
Modified: April 3, 2025 at 01:03 AM

Vulnerability Description

/usr/5bin/su in SunOS 4.1.3 and earlier uses a search path that includes the current working directory (.), which allows local users to gain privileges via Trojan horse programs.

CVSS Metrics

Base Score
7.2
Severity
HIGH
Vector String
AV:L/AC:L/Au:N/C:C/I:C/A:C

Weaknesses (CWE)

NVD-CWE-Other
Source: nvd@nist.gov

AI Security Analysis

01 // Technical Summary

Local privilege escalation is possible on vulnerable SunOS systems due to a flaw in the su command's search path. By placing a malicious executable in the current working directory, an attacker can execute code with elevated privileges, potentially leading to system compromise.

02 // Vulnerability Mechanism

Step 1: Preparation: The attacker identifies a user account with write access to a directory where the target user will execute su from. This could be a shared directory or the user's home directory if the attacker has gained initial access.

Step 2: Payload Creation: The attacker crafts a malicious executable (e.g., a shell script or compiled binary) designed to gain root privileges. This could involve setting the setuid bit, modifying system files, or creating a backdoor.

Step 3: Payload Placement: The attacker places the malicious executable in the directory identified in Step 1. The executable's name is chosen to match a command that su might execute (e.g., sh, bash, or a utility the target user might invoke).

Step 4: Triggering the Vulnerability: The target user executes the su command, attempting to switch to another user (e.g., root). The su command searches the current working directory for the specified command.

Step 5: Code Execution: Because the current working directory is in the search path, the malicious executable is found and executed with the privileges of the target user (e.g., root). This allows the attacker to gain control of the system.

03 // Deep Technical Analysis

The vulnerability stems from the su command's insecure search path. Specifically, it includes the current working directory ('.') when searching for the executable to run after the user authenticates. This allows an attacker to place a malicious program, named the same as a program su might execute (e.g., sh, bash), in a directory the target user has write access to. When the target user then uses su to switch to another user, the malicious program is executed instead of the legitimate one, granting the attacker elevated privileges. The root cause is insecure search-path handling (an untrusted directory is consulted when resolving the command to run), which leads to arbitrary code execution.

04 // Exploitation Status

A **public PoC** exists for this vulnerability, and it is likely **actively exploited** on legacy systems. Exploits are readily available.

05 // Threat Intelligence

While no specific APTs are directly linked to this CVE, it's a classic vulnerability that could be used by any attacker. It's a low-hanging fruit for initial access or privilege escalation. This vulnerability is not listed in CISA KEV as it is considered a legacy vulnerability.

06 // Detection & Hunting

  • Monitor system logs for unusual activity related to the su command, especially from unexpected locations.

  • Analyze process execution logs for suspicious processes spawned by su.

  • Check file system integrity for unexpected modifications to system binaries or user home directories.

  • Use file integrity monitoring (FIM) tools to detect changes to critical system files.

  • Network traffic analysis may reveal connections initiated by compromised processes.

07 // Remediation & Hardening

  • Upgrade to a patched version of SunOS or a more modern operating system.

  • Remove the current working directory ('.') from the PATH environment variable for all users, especially the root user.

  • Implement a secure su alternative that does not include the current directory in the search path.

  • Regularly audit user accounts and permissions to identify and mitigate potential attack vectors.

  • Implement a least privilege model, restricting user access to only the resources they need.

  • Use file system permissions to restrict write access to critical system directories.

  • Implement a robust intrusion detection system (IDS) to monitor for suspicious activity.
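The second hardening item above (removing '.' from PATH) is easy to get wrong, because the Bourne shell also treats an empty PATH element (a leading, trailing or doubled colon) as the current directory, and a world-writable directory in PATH is just as exploitable as '.'. The following audit function is an added example written for this page, not code from the CVE record or from Sun; it assumes only POSIX sh and POSIX find, and the PATH strings in the usage comment are constructed inputs.

```shell
#!/bin/sh
# audit_path: flag PATH entries that let a file planted in the current
# directory, or in a directory anyone can write to, be run in place of a
# system command. Prints one line per finding on stdout and returns the
# number of findings as its exit status (0 means the PATH is clean).
# Assumes only POSIX sh and POSIX find (no GNU extensions).
audit_path() {
  path_value="${1:-$PATH}"   # audit the given string, or this shell's PATH
  findings=0

  # An empty element (leading, trailing or doubled colon) is searched as
  # the current directory by the Bourne shell, exactly like a literal '.'.
  case "$path_value" in
    :*|*:|*::*)
      echo "empty element (searched as current directory): '$path_value'"
      findings=$((findings + 1)) ;;
  esac

  old_ifs="$IFS"
  IFS=:
  for entry in $path_value; do
    case "$entry" in
      "")  continue ;;                      # already reported above
      /*)  ;;                               # absolute: check permissions below
      *)   echo "relative entry: '$entry'"  # '.', '..', 'bin', './x' ...
           findings=$((findings + 1))
           continue ;;
    esac
    [ -d "$entry" ] || continue             # missing directory: nothing to check here
    # World-writable directory: any local user can drop an executable named
    # like a command that is resolved later in the search order. -H resolves
    # a symlinked starting point so the directory's own mode is examined.
    if [ -n "$(find -H "$entry" -prune -type d -perm -002 -print 2>/dev/null)" ]; then
      echo "world-writable directory: $entry"
      findings=$((findings + 1))
    fi
  done
  IFS="$old_ifs"
  return "$findings"
}

# Usage: audit_path [PATH-like string]; with no argument it audits $PATH.
# Constructed example: audit_path "/usr/bin:.:/usr/ucb"  -> reports '.' and exits 1
```

Run it from each user's login shell (and from root's) rather than once from an administrator's shell, since PATH is per-user; a non-zero exit status makes it usable as a check in a login script or a periodic audit job.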

08 // Affected Products

SunOS 4.1.3 and earlier

09 // Discovered Proof of Concept Links
