77 lines
3.3 KiB
Plaintext
77 lines
3.3 KiB
Plaintext
ZDDDDDDDDDDDDDDDDDD? IMMMMMMMMMMMMMMMMMMMMMMMMMMMMMMM; ZDDDDDDDDDDDDDDDDDD?
|
|
3 Founded By: 3 : Network Information Access : 3 Mother Earth BBS 3
|
|
3 Guardian Of Time 3D: 15AUG90 :D3 <DOWN> 3
|
|
3 Judge Dredd 3 : Judge Dredd : 3 UNAVAILIBLE 3
|
|
@DDDDDDDDDBDDDDDDDDY : File 45 : @DDDDDDDDDBDDDDDDDDY
|
|
3 HMMMMMMMMMMMMMMMMMMMMMMMMMMMMMMM< 3
|
|
3IMMMMMMMMMMMMMMMMMMMMMMMMMMMMMMMMMMMMMMMMMMMMMMMMMMMM;3
|
|
@6 CERT Advisory: SunView selection_svc Vulnerability GY
|
|
HMMMMMMMMMMMMMMMMMMMMMMMMMMMMMMMMMMMMMMMMMMMMMMMMMMMM<
|
|
|
|
CA-90:05 CERT Advisory
|
|
August 14, 1990
|
|
SunView selection_svc vulnerability
|
|
-----------------------------------------------------------------------------
|
|
|
|
Sun has recently released a patch for a security hole in SunView.
|
|
This problem affects SunView running on all versions of SunOS (3.5 and
|
|
before, 4.0, 4.0.1, 4.0.3, and 4.1) and all platforms (Sun3, Sun4,
|
|
386i). This vulnerability allows any remote system to read selected
|
|
files from the workstation running SunView. As noted below in the
|
|
IMPACT section, the files that can be read are limited.
|
|
|
|
This vulnerability is in the SunView (aka SunTools) selection_svc
|
|
facility and can be exploited while SunView is in use; however, as
|
|
noted below in the IMPACT section, this bug may be exploitable after
|
|
the user quits using Sunview. This problem cannot be exploited while
|
|
X11 is in use (unless the user runs X11 after running Sunview; see the
|
|
IMPACT section). This problem is specific to Sun's SunView software;
|
|
to our knowledge, this problem does NOT affect other vendor platforms
|
|
or software.
|
|
|
|
OBTAINING THE PATCH
|
|
|
|
To obtain the patch, please call your local Sun Answer Center
|
|
(in the USA, it's 1-800-USA-4SUN), and ask for patch number 100085-01.
|
|
You can also reference Sun Bug ID 1039576.
|
|
|
|
The patch is available for SunOS 4.0.1, 4.0.3 and SunOS 4.1, on Sun3,
|
|
Sun4, and 386i architectures. Contact Sun for further details.
|
|
|
|
|
|
IMPACT
|
|
|
|
On Sun3 and Sun4 systems, a remote system can read any file that is
|
|
readable to the user running SunView. On the 386i, a remote system
|
|
can read any file on the workstation running SunView regardless of
|
|
protections. Note that if root runs Sunview, all files are
|
|
potentially accessible by a remote system.
|
|
|
|
If the password file with the encrypted passwords is world readable,
|
|
an intruder can take the password file and attempt to guess passwords.
|
|
In the CERT/CC's experience, most systems have at least one password
|
|
that can be guessed.
|
|
|
|
Sunview does not kill the selection_svc process when the user quits
|
|
from Sunview. Thus, unless the process is killed, remote systems can
|
|
still read files that were readable to the last user that ran Sunview.
|
|
Under these circumstances, once a user has run Sunview, start using
|
|
another window system (such as X11), or even logoff, but still have
|
|
files accessible to remote systems. However, even though
|
|
selection_svc is not killed when Sunview exits, the patch still solves
|
|
the security problem and prevents remote access.
|
|
|
|
|
|
CONTACT INFORMATION
|
|
|
|
For further questions, please contact your Sun answer center or send
|
|
mail to security-features@sun.com.
|
|
|
|
Thanks to Peter Shipley for discovering, documenting, and helping
|
|
resolve this problem.
|
|
|
|
[OTHER WORLD BBS]
|
|
|
|
|
|
|