module
Solaris libnspr NSPR_LOG_FILE Privilege Escalation
| Disclosed |
|---|
| Oct 11, 2006 |
Disclosed
Oct 11, 2006
Description
This module exploits an arbitrary file write vulnerability in the
Netscape Portable Runtime library (libnspr) on unpatched Solaris systems
prior to Solaris 10u3 which allows users to gain root privileges.
libnspr versions prior to 4.6.3 allow users to specify a log file with
the `NSPR_LOG_FILE` environment variable. The log file is created with
the privileges of the running process, resulting in privilege escalation
when used in combination with a SUID executable.
This module writes a shared object to the trusted library directory
`/usr/lib/secure` and runs the specified SUID binary with the shared
object loaded using the `LD_LIBRARY_PATH` environment variable.
This module has been tested successfully with libnspr version 4.5.1
on Solaris 10u1 (01/06) (x86) and Solaris 10u2 (06/06) (x86).
Netscape Portable Runtime library (libnspr) on unpatched Solaris systems
prior to Solaris 10u3 which allows users to gain root privileges.
libnspr versions prior to 4.6.3 allow users to specify a log file with
the `NSPR_LOG_FILE` environment variable. The log file is created with
the privileges of the running process, resulting in privilege escalation
when used in combination with a SUID executable.
This module writes a shared object to the trusted library directory
`/usr/lib/secure` and runs the specified SUID binary with the shared
object loaded using the `LD_LIBRARY_PATH` environment variable.
This module has been tested successfully with libnspr version 4.5.1
on Solaris 10u1 (01/06) (x86) and Solaris 10u2 (06/06) (x86).
Rapid7 Labs
2026 Global Threat Landscape Report
The predictive window has collapsed. Exploitation follows disclosure in days. See how attackers are accelerating and how to stay ahead.