100 lines
3.6 KiB
Plaintext
100 lines
3.6 KiB
Plaintext
|
|
-----BEGIN PGP SIGNED MESSAGE-----
|
|
|
|
=============================================================================
|
|
CA-93:18 CERT Advisory
|
|
December 15, 1993
|
|
SunOS/Solbourne loadmodule and modload Vulnerability
|
|
- -----------------------------------------------------------------------------
|
|
*** This advisory supersedes CA-91.22. ***
|
|
|
|
The CERT Coordination Center has received information concerning a
|
|
vulnerability in /usr/etc/modload and $OPENWINHOME/bin/loadmodule in Sun
|
|
Microsystems, Inc. SunOS 4.1.1, 4.1.2, 4.1.3, and 4.1.3c and OpenWindows 3.0
|
|
on all sun4 and Solbourne Computer, Inc. architectures. The problem does not
|
|
exist in Solaris 2.x, Solaris x86, and sun3 architectures (OpenWindows 3.0
|
|
was not released for the sun3 architecture).
|
|
|
|
Sun has produced a patch for these vulnerabilities for sun4 architectures.
|
|
It is available through your local Sun Answer Center as well as through
|
|
anonymous FTP from the ftp.uu.net system in the /systems/sun/sun-dist
|
|
directory or from the ftp.eu.net system in the /sun/fixes directory.
|
|
|
|
Solbourne has announced a workaround that is included below.
|
|
|
|
- -----------------------------------------------------------------------------
|
|
|
|
I. Description
|
|
|
|
loadmodule(8) and modload(8) can be exploited to execute a user's
|
|
program using the effective UID of root.
|
|
|
|
II. Impact
|
|
|
|
This vulnerability allows a local user to gain root access.
|
|
|
|
III. Solution
|
|
|
|
A. SunOS Solution
|
|
|
|
Obtain and install the appropriate patches according to the
|
|
instructions included with the patches.
|
|
|
|
Module Patch ID Filename
|
|
---------- --------- ---------------
|
|
loadmodule 100448-02 100448-02.tar.Z
|
|
|
|
BSD Checksum = 19410 5
|
|
MD5 Checksum = 0215910cf65e055ed3042070bd961a22
|
|
|
|
modload 101200-02 101200-02.tar.Z
|
|
|
|
BSD Checksum = 41677 28
|
|
MD5 Checksum = 626ab2917204eb6e6eb5f165cca3e908
|
|
|
|
|
|
B. Solbourne Solution
|
|
|
|
Solbourne systems do not support the "loadmodule" functionality.
|
|
This vulnerability can be fixed on Solbourne systems by removing
|
|
the setuid bit:
|
|
|
|
chmod 0755 /usr/openwin/bin/loadmodule
|
|
|
|
The modload program does not need to replaced or changed.
|
|
|
|
- ---------------------------------------------------------------------------
|
|
The CERT Coordination Center wishes to thank Sun Microsystems, Inc.
|
|
and Solbourne Computers, Inc. for their support in responding to this
|
|
problem.
|
|
- ---------------------------------------------------------------------------
|
|
|
|
If you believe that your system has been compromised, contact the CERT
|
|
Coordination Center or your representative in Forum of Incident
|
|
Response and Security Teams (FIRST).
|
|
|
|
Internet E-mail: cert@cert.org
|
|
Telephone: 412-268-7090 (24-hour hotline)
|
|
CERT personnel answer 8:30 a.m.-5:00 p.m. EST(GMT-5)/EDT(GMT-4),
|
|
and are on call for emergencies during other hours.
|
|
|
|
CERT Coordination Center
|
|
Software Engineering Institute
|
|
Carnegie Mellon University
|
|
Pittsburgh, PA 15213-3890
|
|
|
|
Past advisories, information about FIRST representatives, and other
|
|
information related to computer security are available for anonymous
|
|
FTP from info.cert.org.
|
|
|
|
-----BEGIN PGP SIGNATURE-----
|
|
Version: 2.6.2
|
|
|
|
iQCVAwUBMiX62XVP+x0t4w7BAQEtrwQAw+hwpUyR+nszCt7MRo6gX9Yjd+eHRjBx
|
|
4HNf23p0q5fB0zdZnQTPFaMf225rwFZUE6U1bhr50UtY6ZEq+eYK/VaVFjxSqiSp
|
|
toCzuue01L227M5TN1uBeOhqWm9QOMEhRG0QFnvRBeOgJlFlbBxlV86HQfYEJ3cV
|
|
hpdTW7ZngUs=
|
|
=0z80
|
|
-----END PGP SIGNATURE-----
|
|
|