Solaris Solstice AdminSuite (AdminSuite) 2.1 uses unsafe permissions when adding new users to the NIS+ password table, which allows local users to gain root access by modifying their password table entries.
Solaris Solstice AdminSuite 2.1 contains a critical local privilege escalation vulnerability. The unsafe permissions it applies when adding users to the NIS+ password table let a local attacker gain root access and compromise the entire system. This vulnerability poses a significant risk to systems running the affected software.
Step 1: User Account Creation. A local user account is created on the vulnerable Solaris system. This can be a legitimate user account or a compromised one.
Step 2: NIS+ Password Table Access. The attacker leverages AdminSuite's unsafe permissions to access the NIS+ password table. This is likely done through a local command or script that interacts with AdminSuite.
Step 3: Password Entry Modification. The attacker modifies their own entry in the NIS+ password table. This could involve changing the UID (user ID) to 0, effectively granting root privileges, or altering other critical attributes such as the home directory or login shell.
Step 4: Privilege Escalation. The attacker attempts to log in or execute commands that require root privileges. Because their entry in the NIS+ password table now reflects root access, these actions succeed, granting the attacker full control over the system.
The vulnerability stems from AdminSuite's improper handling of permissions when updating the NIS+ password table. Specifically, the software fails to adequately restrict access to the password table entries it creates during user creation, so a local user can manipulate their own entry. The root cause is likely a flaw in the AdminSuite code that sets the access rights on the new user's password entry, granting excessive privileges: either a default configuration that allows modification by non-root users, or a failure to properly sanitize user-supplied data before updating the NIS+ table. Either way, the missing access control lets a malicious user rewrite their own password entry, potentially setting their UID to 0 (root) or altering other critical attributes.
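One way an administrator can check for the condition described above is to audit the entry-level access rights on password-table entries. The following Python script is an added example, not part of this advisory or of Sun's AdminSuite. It assumes only the documented NIS+ rights notation (16 characters, four groups of r/m/c/d for nobody, owner, group and world); the flagging rule (any principal with entry-level modify or destroy is suspicious, because password self-service should need only column-level modify on the passwd column) is a heuristic assumption, and the entries it scans are constructed sample data rather than output captured from a real NIS+ domain.

```python
# Added audit helper (not part of the original advisory): parses NIS+
# access-rights strings and flags password-table entries whose
# entry-level rights let a principal modify or destroy the whole record.
from typing import Dict, List, Tuple

# NIS+ prints access rights as 16 characters: four groups of four for
# nobody, owner, group, world; each group is r/m/c/d (read, modify,
# create, destroy) or '-' when the right is not granted.
PRINCIPALS: Tuple[str, ...] = ("nobody", "owner", "group", "world")
FLAGS = "rmcd"


def parse_rights(rights: str) -> Dict[str, Dict[str, bool]]:
    """Parse a 16-character NIS+ rights string into per-principal flags."""
    if len(rights) != 16:
        raise ValueError(f"expected 16-character rights string, got {rights!r}")
    parsed: Dict[str, Dict[str, bool]] = {}
    for i, principal in enumerate(PRINCIPALS):
        chunk = rights[4 * i:4 * i + 4]
        for pos, flag in enumerate(FLAGS):
            if chunk[pos] not in (flag, "-"):
                raise ValueError(
                    f"bad character {chunk[pos]!r} at offset {4 * i + pos} in {rights!r}"
                )
        parsed[principal] = {flag: chunk[pos] == flag for pos, flag in enumerate(FLAGS)}
    return parsed


def excessive_principals(rights: str) -> List[str]:
    """Principals holding modify or destroy on the whole entry.

    Heuristic (assumption): entry-level modify/destroy lets the holder
    rewrite every column of the record, uid included. Changing one's own
    password needs only column-level modify on the passwd column, so any
    principal with entry-level m or d is reported.
    """
    parsed = parse_rights(rights)
    return [p for p in PRINCIPALS if parsed[p]["m"] or parsed[p]["d"]]


def audit_entries(entries) -> Dict[str, List[str]]:
    """Map each flagged login to the principals with excessive entry rights."""
    findings: Dict[str, List[str]] = {}
    for user, rights in entries:
        bad = excessive_principals(rights)
        if bad:
            findings[user] = bad
    return findings


# Constructed sample: (login, entry-level access rights). Not real data.
SAMPLE_ENTRIES = [
    ("alice", "----r---r---r---"),  # read-only entry: nothing flagged
    ("bob",   "----rmcdr---r---"),  # owner may modify/destroy the whole entry
    ("carol", "----r---rm--r---"),  # group may modify the entry
    ("dave",  "----r---r---rm--"),  # world may modify the entry
]

if __name__ == "__main__":
    for user, principals in audit_entries(SAMPLE_ENTRIES).items():
        print(f"{user}: entry modifiable by {', '.join(principals)}")
```

In practice the (login, rights) pairs would be collected from the NIS+ password table's object listing and fed to audit_entries; any login reported here is one whose whole record, not just the password column, can be rewritten by the listed principal, which is precisely the condition that turns a password change into a UID change.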