CVE-2001-1479

LOW 2.1 / 10.0
Published: December 31, 2001 at 05:00 AM
Modified: April 3, 2025 at 01:03 AM
Source: cve@mitre.org

Vulnerability Description

smcboot in Sun SMC (Sun Management Center) 2.0 in Solaris 8 allows local users to delete arbitrary files via a symlink attack on /tmp/smc$SMC_PORT.

CVSS Metrics

Base Score: 2.1
Severity: LOW
Vector String: AV:L/AC:L/Au:N/C:N/I:P/A:N

Weaknesses (CWE)

NVD-CWE-Other
Source: nvd@nist.gov

AI Security Analysis

01 // Technical Summary

Local privilege escalation is possible in Sun Management Center (SMC) 2.0 on Solaris 8 due to a symlink vulnerability, allowing attackers to delete arbitrary files. This could lead to system instability, denial of service, or further compromise of the affected system.

02 // Vulnerability Mechanism

Step 1: Target Selection: Identify a target file for deletion. This could be a sensitive system file like /etc/shadow, /etc/passwd, or a critical configuration file.

Step 2: Symlink Creation: Create a symbolic link named /tmp/smc$SMC_PORT (where $SMC_PORT is the port used by SMC, likely 161 or 1610) that points to the target file.

Step 3: Triggering smcboot: Trigger the smcboot process. This might involve interacting with the SMC service or restarting the SMC agent.

Step 4: Race Condition Exploitation: The smcboot process attempts to create a temporary file at /tmp/smc$SMC_PORT. Due to the race condition, it first attempts to delete the existing file at that location, which is now the symlink. This results in the deletion of the target file instead.

Step 5: Impact: The target file is deleted, potentially leading to system compromise or denial of service.

03 // Deep Technical Analysis

The vulnerability stems from a race condition within the smcboot process. This process, running with elevated privileges, creates a temporary file (/tmp/smc$SMC_PORT) and is susceptible to a symlink attack. An attacker can create a symbolic link pointing to a critical system file (e.g., /etc/shadow) before smcboot creates its temporary file. When smcboot attempts to create its temporary file, it inadvertently deletes the file pointed to by the symlink, leading to arbitrary file deletion. The flaw lies in the lack of proper input validation and secure file handling practices, specifically the failure to check the target of the symlink before deleting the file.
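The file-handling failure described above, seen from the fix side: an added example (not Sun's code and not taken from this page) of how a privileged program can create a file at a fixed /tmp path without acting on a planted symlink. The helper name `open_state_file`, the demo function and its fixture paths are hypothetical.

```c
#define _XOPEN_SOURCE 700
#include <errno.h>
#include <fcntl.h>
#include <stdio.h>
#include <stdlib.h>
#include <sys/stat.h>
#include <unistd.h>

/* Hypothetical helper: create a fresh state file at a fixed path without ever
 * acting on a symlink's target. Returns an fd, or -1 if the path is refused. */
int open_state_file(const char *path)
{
    for (int attempt = 0; attempt < 2; attempt++) {
        /* O_EXCL makes open() fail with EEXIST if anything, including a
         * symlink (even a dangling one), already occupies the name. */
        int fd = open(path, O_WRONLY | O_CREAT | O_EXCL, 0600);
        if (fd >= 0 || errno != EEXIST)
            return fd;

        struct stat st;
        if (lstat(path, &st) != 0)       /* lstat inspects the link itself */
            return -1;
        /* Only clear a stale regular file that we own; refuse links,
         * hard-linked files and anything planted by another user. */
        if (!S_ISREG(st.st_mode) || st.st_uid != geteuid() || st.st_nlink != 1)
            return -1;
        if (unlink(path) != 0)           /* unlink never follows symlinks */
            return -1;
    }
    return -1;
}

/* Constructed fixture: a "victim" file and a symlink standing in for
 * /tmp/smc$SMC_PORT. Returns 1 if the link is refused and the victim survives. */
int demo_symlink_refused(void)
{
    char dir[] = "/tmp/smcdemoXXXXXX", victim[64], state[64];
    struct stat st;
    if (!mkdtemp(dir)) return -1;
    snprintf(victim, sizeof victim, "%s/victim", dir);
    snprintf(state, sizeof state, "%s/smc12345", dir);
    close(open(victim, O_WRONLY | O_CREAT, 0600));
    if (symlink(victim, state) != 0) return -1;
    int fd = open_state_file(state);
    int ok = (fd == -1) && (stat(victim, &st) == 0);
    if (fd >= 0) close(fd);
    unlink(state); unlink(victim); rmdir(dir);
    return ok;
}
```

Keeping such files in a root-owned directory that other users cannot write to, rather than in /tmp, removes the precondition entirely.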
