222 lines
7.4 KiB
Plaintext
222 lines
7.4 KiB
Plaintext
|
|
-----BEGIN PGP SIGNED MESSAGE-----
|
|
|
|
CA-90:12 CERT Advisory
|
|
December 20, 1990
|
|
SunOS TIOCCONS Vulnerability
|
|
|
|
- -------------------------------------------------------------------------
|
|
|
|
The following information was sent to us from Sun Microsystems. It
|
|
contains availability information regarding a fix for a vulnerability
|
|
in SunOS 4.1 and SunOS 4.1.1. (A version for SunOS 4.0.3 is currently
|
|
in testing and should be available shortly.) For more information,
|
|
please contact Sun Microsystems at 1-800-USA-4SUN.
|
|
|
|
- -------------------------------------------------------------------------
|
|
|
|
SUN MICROSYSTEMS SECURITY BULLETIN:
|
|
|
|
This information is only to be used for the purpose of alerting
|
|
customers to problems. Any other use or re-broadcast of this
|
|
information without the express written consent of Sun Microsystems
|
|
shall be prohibited.
|
|
|
|
Sun expressly disclaims all liability for any misuse of this information
|
|
by any third party.
|
|
- -------------------------------------------------------------------------
|
|
|
|
These patches are available through your local Sun answer centers
|
|
worldwide. As well as through anonymous ftp to ftp.uu.net in the
|
|
~ftp/sun-dist directory.
|
|
|
|
Please refer to the BugID and PatchID when requesting patches from Sun
|
|
answer centers.
|
|
|
|
NO README information will be posted in the patch on UUNET. Please refer
|
|
the the information below for patch installation instructions.
|
|
|
|
- -------------------------------------------------------------------------
|
|
|
|
Sun Bug ID : 1008324
|
|
Synopsis : TIOCCONS redirection of console input/output is a security
|
|
violation.
|
|
Sun Patch ID : for SunOS 4.1, SunOS 4.1_PSR_A 100187-01
|
|
Sun Patch ID : for SunOS 4.1.1 100188-01
|
|
Available for: Sun3, Sun3x, Sun4 Sun4c
|
|
SunOS 4.1, SunOS 4.1_PSR_A, SunOS 4.1.1
|
|
Checksum of compressed tarfile on ftp.uu.net:~ftp/sun-dist
|
|
|
|
sum of SunOS 4.1 tarfile 100187-01.tar.Z : 14138 142
|
|
sum of SunOS 4.1.1 tarfile 100188-01.tar.Z: 24122 111
|
|
|
|
- --------------------------------------------------------------------------
|
|
|
|
README information follows:
|
|
|
|
Patch-ID# 100188-01
|
|
Keywords: TIOCCONS
|
|
Synopsis: SunOS 4.1.1: TIOCCONS redirection of console is a security violation.
|
|
Date: 17/Dec/90
|
|
|
|
SunOS release: 4.1.1
|
|
|
|
Unbundled Product:
|
|
|
|
Unbundled Release:
|
|
|
|
Topic:
|
|
|
|
BugId's fixed with this patch: 1008324
|
|
|
|
Architectures for which this patch is available: sun3 sun3x sun4 sun4c
|
|
|
|
Patches which may conflict with this patch:
|
|
|
|
Obsoleted by: Next major release of SunOS
|
|
|
|
Problem Description: TIOCCONS can be used to re-direct console output/input
|
|
away from "console"
|
|
|
|
|
|
Patch contains kernel object modules for:
|
|
|
|
/sys/sun?/OBJ/cons.o
|
|
/sys/sun?/OBJ/zs_async.o
|
|
/sys/sun?/OBJ/mcp_async.o
|
|
/sys/sun?/OBJ/mti.o
|
|
|
|
Where sun? is one of sun4, sun4c, sun3, sun3x, sun4/490-4.1_PSR_A
|
|
|
|
NOTE: The sun4c does not use mti.o nor mcp_async.o since this architecture
|
|
does not have VME slots and therefore cannot use the ALM-2 Asynchronous Line
|
|
Multiplexor or Systech MTI-800/1600. So those modules are not needed.
|
|
|
|
The fix consists of adding permission checking to setcons, the routine
|
|
that does the work of console redirection, and changing its callers to
|
|
supply additional information required for the check and to see whether
|
|
or not the check succeeded. Setcons now uses uid and gid information
|
|
supplied to it as new arguments to perform a VOP_ACCESS call for VREAD
|
|
permission on the console. If the caller doesn't have permission to
|
|
read from the console, setcons rejects the redirection attempt.
|
|
|
|
|
|
INSTALL:
|
|
|
|
AS ROOT:
|
|
save aside the object modules from the FCS tapes as a precaution:
|
|
|
|
# mv /sys/sun?/OBJ/cons.o /sys/sun?/OBJ/cons.o.orig
|
|
# mv /sys/sun?/OBJ/tty_pty.o /sys/sun?/OBJ/tty_pty.o.orig
|
|
# mv /sys/sun?/OBJ/zs_async.o /sys/sun?/OBJ/zs_async.o.orig
|
|
# mv /sys/sun?/OBJ/mcp_async.o /sys/sun?/OBJ/mcp_async.o.orig
|
|
# mv /sys/sun?/OBJ/mti.o /sys/sun?/OBJ/mti.o.orig
|
|
|
|
copy the new ".o" files to the OBJ directory:
|
|
|
|
# cp sun?/*.o /sys/sun?/OBJ/
|
|
|
|
build and install a new kernel:
|
|
rerun /etc/config <kernel-name> and do a "make" for the new kernel
|
|
Please refer to the System and Network Administration Manual for details
|
|
on how to configure and install a custom kernel.
|
|
|
|
|
|
|
|
- -------------------------------------------------------------------------
|
|
Patch-ID# 100187-01
|
|
Keywords: TIOCCONS
|
|
Synopsis: SunOS 4.1 4.1_PSR_A: TIOCCONS redirection of console is a security
|
|
violation.
|
|
Date: 17/Dec/90
|
|
|
|
SunOS release: 4.1 4.1_PSR_A
|
|
|
|
Unbundled Product:
|
|
|
|
Unbundled Release:
|
|
|
|
Topic:
|
|
|
|
BugId's fixed with this patch: 1008324
|
|
|
|
Architectures for which this patch is available: sun3 sun3x sun4 sun4c
|
|
sun4-490_4.1_PSR_A
|
|
|
|
Patches which may conflict with this patch:
|
|
|
|
Obsoleted by: Next major release of SunOS
|
|
|
|
Problem Description: TIOCCONS can be used to re-direct console output/input
|
|
away from "console"
|
|
|
|
|
|
Patch contains kernel object modules for:
|
|
|
|
/sys/sun?/OBJ/cons.o
|
|
/sys/sun?/OBJ/zs_async.o
|
|
/sys/sun?/OBJ/mcp_async.o
|
|
/sys/sun?/OBJ/mti.o
|
|
|
|
Where sun? is one of sun4, sun4c, sun3, sun3x, sun4/490-4.1_PSR_A
|
|
|
|
NOTE: The sun4c does not use mti.o nor mcp_async.o since this architecture
|
|
does not have VME slots and therefore cannot use the ALM-2 Asynchronous Line
|
|
Multiplexed or Systech MTI-800/1600. So those modules are not needed.
|
|
|
|
|
|
The fix consists of adding permission checking to setcons, the routine
|
|
that does the work of console redirection, and changing its callers to
|
|
supply additional information required for the check and to see whether
|
|
or not the check succeeded. Setcons now uses uid and gid information
|
|
supplied to it as new arguments to perform a VOP_ACCESS call for VREAD
|
|
permission on the console. If the caller doesn't have permission to
|
|
read from the console, setcons rejects the redirection attempt.
|
|
|
|
|
|
INSTALL:
|
|
|
|
AS ROOT:
|
|
save aside the object modules from the FCS tapes as a precaution:
|
|
|
|
# mv /sys/sun?/OBJ/cons.o /sys/sun?/OBJ/cons.o.orig
|
|
# mv /sys/sun?/OBJ/tty_pty.o /sys/sun?/OBJ/tty_pty.o.orig
|
|
# mv /sys/sun?/OBJ/zs_async.o /sys/sun?/OBJ/zs_async.o.orig
|
|
# mv /sys/sun?/OBJ/mcp_async.o /sys/sun?/OBJ/mcp_async.o.orig
|
|
# mv /sys/sun?/OBJ/mti.o /sys/sun?/OBJ/mti.o.orig
|
|
|
|
copy the new ".o" files to the OBJ directory:
|
|
|
|
# cp sun?/*.o /sys/sun?/OBJ/
|
|
|
|
build and install a new kernel:
|
|
rerun /etc/config <kernel-name> and do a "make" for the new kernel
|
|
Please refer to the System and Network Administration Manual for details
|
|
on how to configure and install a custom kernel.
|
|
|
|
- -------------------------------------------------------------------------
|
|
Computer Emergency Response Team/Coordination Center (CERT/CC)
|
|
Software Engineering Institute
|
|
Carnegie Mellon University
|
|
Pittsburgh, PA 15213-3890
|
|
|
|
Internet E-mail: cert@cert.org
|
|
Telephone: 412-268-7090 24-hour hotline:
|
|
CERT personnel answer 7:30a.m.-6:00p.m. EST, on call for
|
|
emergencies during other hours.
|
|
|
|
Past advisories and other information are available for anonymous ftp
|
|
from cert.org (192.88.209.5).
|
|
|
|
|
|
-----BEGIN PGP SIGNATURE-----
|
|
Version: 2.6.2
|
|
|
|
iQCVAwUBMaMwlnVP+x0t4w7BAQGHJAP/YwH65RfH9xpTMUFuozVZAaaaHRdZH12Q
|
|
kTNtwhoGvTmi0u7iR8Z2BYv1+JBNCCQZEwDAxtJRwhk/3guSa0RdF2T4QDznOInC
|
|
+A1jiPMLY25PAcE/FV1euVLRrGwjEGmPWa7ODpgZoqBGzlVNpAuqZAtOKrBOdHS3
|
|
Efm0EF9qsEg=
|
|
=DUGa
|
|
-----END PGP SIGNATURE-----
|
|
|