92 lines
3.6 KiB
Plaintext
92 lines
3.6 KiB
Plaintext
|
|
-----BEGIN PGP SIGNED MESSAGE-----
|
|
|
|
|
|
|
|
CA-90:05 CERT Advisory
|
|
August 14, 1990
|
|
SunView selection_svc vulnerability
|
|
- -----------------------------------------------------------------------------
|
|
|
|
Sun has recently released a patch for a security hole in SunView.
|
|
This problem affects SunView running on all versions of SunOS (3.5 and
|
|
before, 4.0, 4.0.1, 4.0.3, and 4.1) and all platforms (Sun3, Sun4,
|
|
386i). This vulnerability allows any remote system to read selected
|
|
files from the workstation running SunView. As noted below in the
|
|
IMPACT section, the files that can be read are limited.
|
|
|
|
This vulnerability is in the SunView (aka SunTools) selection_svc
|
|
facility and can be exploited while SunView is in use; however, as
|
|
noted below in the IMPACT section, this bug may be exploitable after
|
|
the user quits using Sunview. This problem cannot be exploited while
|
|
X11 is in use (unless the user runs X11 after running Sunview; see the
|
|
IMPACT section). This problem is specific to Sun's SunView software;
|
|
to our knowledge, this problem does NOT affect other vendor platforms
|
|
or software.
|
|
|
|
OBTAINING THE PATCH
|
|
|
|
To obtain the patch, please call your local Sun Answer Center
|
|
(in the USA, it's 1-800-USA-4SUN), and ask for patch number 100085-01.
|
|
You can also reference Sun Bug ID 1039576.
|
|
|
|
The patch is available for SunOS 4.0.1, 4.0.3 and SunOS 4.1, on Sun3,
|
|
Sun4, and 386i architectures. Contact Sun for further details.
|
|
|
|
|
|
IMPACT
|
|
|
|
On Sun3 and Sun4 systems, a remote system can read any file that is
|
|
readable to the user running SunView. On the 386i, a remote system
|
|
can read any file on the workstation running SunView regardless of
|
|
protections. Note that if root runs Sunview, all files are
|
|
potentially accessible by a remote system.
|
|
|
|
If the password file with the encrypted passwords is world readable,
|
|
an intruder can take the password file and attempt to guess passwords.
|
|
In the CERT/CC's experience, most systems have at least one password
|
|
that can be guessed.
|
|
|
|
Sunview does not kill the selection_svc process when the user quits
|
|
from Sunview. Thus, unless the process is killed, remote systems can
|
|
still read files that were readable to the last user that ran Sunview.
|
|
Under these circumstances, once a user has run Sunview, start using
|
|
another window system (such as X11), or even logoff, but still have
|
|
files accessible to remote systems. However, even though
|
|
selection_svc is not killed when Sunview exits, the patch still solves
|
|
the security problem and prevents remote access.
|
|
|
|
|
|
CONTACT INFORMATION
|
|
|
|
For further questions, please contact your Sun answer center or send
|
|
mail to security-features@sun.com.
|
|
|
|
Thanks to Peter Shipley for discovering, documenting, and helping
|
|
resolve this problem.
|
|
- -----------------------------------------------------------------------------
|
|
|
|
Computer Emergency Response Team/Coordination Center (CERT/CC)
|
|
Software Engineering Institute
|
|
Carnegie Mellon University
|
|
Pittsburgh, PA 15213-3890
|
|
|
|
Internet: cert@cert.org
|
|
Telephone: 412-268-7090 24-hour hotline: CERT personnel answer
|
|
7:30a.m.-6:00p.m. EST, on call for
|
|
emergencies other hours.
|
|
|
|
Past advisories and other information are available for anonymous ftp
|
|
from cert.org (192.88.209.5).
|
|
|
|
-----BEGIN PGP SIGNATURE-----
|
|
Version: 2.6.2
|
|
|
|
iQCVAwUBMaMwgnVP+x0t4w7BAQGvegP/dQJU1tDlKDs4qqZjvglPAQQyzghECLdg
|
|
3mrBt11VkyT+1mQwvwTDYq1Vm0UD517kTnp5lAt0aIwSYni9vJ5s16fu5qyHuCzg
|
|
DnT9o3xcJZsATaGhUvVmZ80lqpEc1+7uno7+n6Tv3f+ENMdAqC0zC+Tn2RRcKGP6
|
|
4fNbvV3ORC0=
|
|
=+ie9
|
|
-----END PGP SIGNATURE-----
|
|
|