Vulnerability Name:

CVE-2009-3706 (CCN-53786)

Assigned:2009-10-15
Published:2009-10-15
Updated:2009-10-16
Summary:Unspecified vulnerability in the ZFS filesystem in Sun Solaris 10, and OpenSolaris snv_100 through snv_117, allows local users to bypass intended limitations of the file_chown_self privilege via certain uses of the chown system call.
Per: http://sunsolve.sun.com/search/document.do?assetkey=1-66-265908-1

1. Impact

A security vulnerability in the ZFS file system in OpenSolaris and Solaris 10 systems with patches 137137-09 (SPARC) or 137138-09 (x86) installed may allow a local unprivileged user with the 'file_chown_self' privilege to take ownership of files belonging to another user.
Per: http://sunsolve.sun.com/search/document.do?assetkey=1-66-265908-1

"
Notes:

1. Solaris 8 and 9 are not impacted by this issue.

2. OpenSolaris distributions may include additional bug fixes above and beyond the build from which it was derived. The base build can be derived as follows:

$ uname -v
snv_86

3. This issue only affects systems with ZFS file systems where local users have been granted the {PRIV_FILE_CHOWN_SELF} (see chown(2)) privilege which allows them to modify ownership of files where the ownership matches the user's current effective user ID. If the default operating system configuration option '{_POSIX_CHOWN_RESTRICTED}' has been disabled then the 'file_chown_self' privilege is asserted in the inheritable set of all processes unless overridden by policy.conf(4) or user_attr(4)."
CVSS v3 Severity:2.8 Low (CCN CVSS v3.1 Vector: CVSS:3.1/AV:L/AC:L/PR:L/UI:R/S:U/C:N/I:L/A:N)
Exploitability Metrics:Attack Vector (AV): Local
Attack Complexity (AC): Low
Privileges Required (PR): Low
User Interaction (UI): Required
Scope:Scope (S): Unchanged
Impact Metrics:Confidentiality (C): None
Integrity (I): Low
Availibility (A): None
CVSS v2 Severity:4.4 Medium (CVSS v2 Vector: AV:L/AC:M/Au:N/C:P/I:P/A:P)
3.2 Low (Temporal CVSS v2 Vector: AV:L/AC:M/Au:N/C:P/I:P/A:P/E:U/RL:OF/RC:C)
Exploitability Metrics:Access Vector (AV): Local
Access Complexity (AC): Medium
Authentication (Au): None
Impact Metrics:Confidentiality (C): Partial
Integrity (I): Partial
Availibility (A): Partial
1.7 Low (CCN CVSS v2 Vector: AV:L/AC:L/Au:S/C:N/I:P/A:N)
1.3 Low (CCN Temporal CVSS v2 Vector: AV:L/AC:L/Au:S/C:N/I:P/A:N/E:U/RL:OF/RC:C)
Exploitability Metrics:Access Vector (AV): Local
Access Complexity (AC): Low
Athentication (Au): Single_Instance
Impact Metrics:Confidentiality (C): None
Integrity (I): Partial
Availibility (A): None
Vulnerability Type:CWE-noinfo
Vulnerability Consequences:Bypass Security
References:Source: MITRE
Type: CNA
CVE-2009-3706

Source: CCN
Type: SA37010
Sun Solaris ZFS File Ownership Modification Security Issue

Source: SECUNIA
Type: Vendor Advisory
37010

Source: CONFIRM
Type: Patch
http://sunsolve.sun.com/search/document.do?assetkey=1-21-141444-09-1

Source: CCN
Type: Sun Alert ID: 265908
A Security Vulnerability in the ZFS Filesystem May Allow An Unprivileged User to Take Ownership of Files Belonging to Another User

Source: SUNALERT
Type: Patch, Vendor Advisory
265908

Source: CCN
Type: OSVDB ID: 59049
ZFS Filesystem on Solaris file_chown_self Privilege Local Restriction Bypass

Source: BID
Type: UNKNOWN
36702

Source: CCN
Type: BID-36702
Sun Solaris ZFS Filesystem Security Bypass Vulnerability

Source: VUPEN
Type: Vendor Advisory
ADV-2009-2917

Source: XF
Type: UNKNOWN
solaris-zfs-security-bypass(53786)

Vulnerable Configuration:Configuration 1:
  • cpe:/o:sun:opensolaris:snv_100:*:sparc:*:*:*:*:*
  • OR cpe:/o:sun:opensolaris:snv_101:*:sparc:*:*:*:*:*
  • OR cpe:/o:sun:opensolaris:snv_102:*:sparc:*:*:*:*:*
  • OR cpe:/o:sun:opensolaris:snv_103:*:sparc:*:*:*:*:*
  • OR cpe:/o:sun:opensolaris:snv_104:*:sparc:*:*:*:*:*
  • OR cpe:/o:sun:opensolaris:snv_105:*:sparc:*:*:*:*:*
  • OR cpe:/o:sun:opensolaris:snv_106:*:sparc:*:*:*:*:*
  • OR cpe:/o:sun:opensolaris:snv_107:*:sparc:*:*:*:*:*
  • OR cpe:/o:sun:opensolaris:snv_108:*:sparc:*:*:*:*:*
  • OR cpe:/o:sun:opensolaris:snv_109:*:sparc:*:*:*:*:*
  • OR cpe:/o:sun:opensolaris:snv_110:*:sparc:*:*:*:*:*
  • OR cpe:/o:sun:opensolaris:snv_111:*:sparc:*:*:*:*:*
  • OR cpe:/o:sun:opensolaris:snv_112:*:sparc:*:*:*:*:*
  • OR cpe:/o:sun:opensolaris:snv_113:*:sparc:*:*:*:*:*
  • OR cpe:/o:sun:opensolaris:snv_114:*:sparc:*:*:*:*:*
  • OR cpe:/o:sun:opensolaris:snv_115:*:sparc:*:*:*:*:*
  • OR cpe:/o:sun:opensolaris:snv_116:*:sparc:*:*:*:*:*
  • OR cpe:/o:sun:opensolaris:snv_117:*:sparc:*:*:*:*:*
  • OR cpe:/o:sun:solaris:10:*:sparc:*:*:*:*:*
  • OR cpe:/o:sun:solaris:10.0:*:sparc:*:*:*:*:*

    • Configuration 2:
  • cpe:/o:sun:opensolaris:snv_100:*:x86:*:*:*:*:*
  • OR cpe:/o:sun:opensolaris:snv_101:*:x86:*:*:*:*:*
  • OR cpe:/o:sun:opensolaris:snv_102:*:x86:*:*:*:*:*
  • OR cpe:/o:sun:opensolaris:snv_103:*:x86:*:*:*:*:*
  • OR cpe:/o:sun:opensolaris:snv_104:*:x86:*:*:*:*:*
  • OR cpe:/o:sun:opensolaris:snv_105:*:x86:*:*:*:*:*
  • OR cpe:/o:sun:opensolaris:snv_106:*:x86:*:*:*:*:*
  • OR cpe:/o:sun:opensolaris:snv_107:*:x86:*:*:*:*:*
  • OR cpe:/o:sun:opensolaris:snv_108:*:x86:*:*:*:*:*
  • OR cpe:/o:sun:opensolaris:snv_109:*:x86:*:*:*:*:*
  • OR cpe:/o:sun:opensolaris:snv_110:*:x86:*:*:*:*:*
  • OR cpe:/o:sun:opensolaris:snv_111:*:x86:*:*:*:*:*
  • OR cpe:/o:sun:opensolaris:snv_112:*:x86:*:*:*:*:*
  • OR cpe:/o:sun:opensolaris:snv_113:*:x86:*:*:*:*:*
  • OR cpe:/o:sun:opensolaris:snv_114:*:x86:*:*:*:*:*
  • OR cpe:/o:sun:opensolaris:snv_115:*:x86:*:*:*:*:*
  • OR cpe:/o:sun:opensolaris:snv_116:*:x86:*:*:*:*:*
  • OR cpe:/o:sun:opensolaris:snv_117:*:x86:*:*:*:*:*
  • OR cpe:/o:sun:solaris:10:*:x86:*:*:*:*:*

    • Configuration CCN 1:
  • cpe:/o:sun:solaris:10::sparc:*:*:*:*:*
  • OR cpe:/o:sun:solaris:10::x86:*:*:*:*:*
  • OR cpe:/o:sun:opensolaris:build_snv_100::x86:*:*:*:*:*
  • OR cpe:/o:sun:opensolaris:build_snv_100::sparc:*:*:*:*:*
  • OR cpe:/o:sun:opensolaris:build_snv_102::sparc:*:*:*:*:*
  • OR cpe:/o:sun:opensolaris:build_snv_102::x86:*:*:*:*:*
  • OR cpe:/o:sun:opensolaris:build_snv_104::sparc:*:*:*:*:*
  • OR cpe:/o:sun:opensolaris:build_snv_104::x86:*:*:*:*:*
  • OR cpe:/o:sun:opensolaris:build_snv_101::x86:*:*:*:*:*
  • OR cpe:/o:sun:opensolaris:build_snv_101::sparc:*:*:*:*:*
  • OR cpe:/o:sun:opensolaris:build_snv_105::sparc:*:*:*:*:*
  • OR cpe:/o:sun:opensolaris:build_snv_105::x86:*:*:*:*:*
  • OR cpe:/o:sun:opensolaris:build_snv_103::sparc:*:*:*:*:*
  • OR cpe:/o:sun:opensolaris:build_snv_103::x86:*:*:*:*:*
  • OR cpe:/o:sun:opensolaris:build_snv_106::sparc:*:*:*:*:*
  • OR cpe:/o:sun:opensolaris:build_snv_106::x86:*:*:*:*:*
  • OR cpe:/o:sun:opensolaris:build_snv_107::sparc:*:*:*:*:*
  • OR cpe:/o:sun:opensolaris:build_snv_107::x86:*:*:*:*:*
  • OR cpe:/o:sun:opensolaris:build_snv_108::sparc:*:*:*:*:*
  • OR cpe:/o:sun:opensolaris:build_snv_109::sparc:*:*:*:*:*
  • OR cpe:/o:sun:opensolaris:build_snv_110::sparc:*:*:*:*:*
  • OR cpe:/o:sun:opensolaris:build_snv_108::x86:*:*:*:*:*
  • OR cpe:/o:sun:opensolaris:build_snv_109::x86:*:*:*:*:*
  • OR cpe:/o:sun:opensolaris:build_snv_110::x86:*:*:*:*:*
  • OR cpe:/o:sun:opensolaris:build_snv_111::sparc:*:*:*:*:*
  • OR cpe:/o:sun:opensolaris:build_snv_111::x86:*:*:*:*:*

    • * Denotes that component is vulnerable
    BACK
    sun opensolaris snv_100
    sun opensolaris snv_101
    sun opensolaris snv_102
    sun opensolaris snv_103
    sun opensolaris snv_104
    sun opensolaris snv_105
    sun opensolaris snv_106
    sun opensolaris snv_107
    sun opensolaris snv_108
    sun opensolaris snv_109
    sun opensolaris snv_110
    sun opensolaris snv_111
    sun opensolaris snv_112
    sun opensolaris snv_113
    sun opensolaris snv_114
    sun opensolaris snv_115
    sun opensolaris snv_116
    sun opensolaris snv_117
    sun solaris 10
    sun solaris 10.0
    sun opensolaris snv_100
    sun opensolaris snv_101
    sun opensolaris snv_102
    sun opensolaris snv_103
    sun opensolaris snv_104
    sun opensolaris snv_105
    sun opensolaris snv_106
    sun opensolaris snv_107
    sun opensolaris snv_108
    sun opensolaris snv_109
    sun opensolaris snv_110
    sun opensolaris snv_111
    sun opensolaris snv_112
    sun opensolaris snv_113
    sun opensolaris snv_114
    sun opensolaris snv_115
    sun opensolaris snv_116
    sun opensolaris snv_117
    sun solaris 10
    sun solaris 10
    sun solaris 10
    sun opensolaris build_snv_100
    sun opensolaris build_snv_100
    sun opensolaris build_snv_102
    sun opensolaris build_snv_102
    sun opensolaris build_snv_104
    sun opensolaris build_snv_104
    sun opensolaris build_snv_101
    sun opensolaris build_snv_101
    sun opensolaris build_snv_105
    sun opensolaris build_snv_105
    sun opensolaris build_snv_103
    sun opensolaris build_snv_103
    sun opensolaris build_snv_106
    sun opensolaris build_snv_106
    sun opensolaris build_snv_107
    sun opensolaris build_snv_107
    sun opensolaris build_snv_108
    sun opensolaris build_snv_109
    sun opensolaris build_snv_110
    sun opensolaris build_snv_108
    sun opensolaris build_snv_109
    sun opensolaris build_snv_110
    sun opensolaris build_snv_111
    sun opensolaris build_snv_111