NASIRC BULLETIN #93-09 December 14, 1993
SunOS Security vulnerability in /usr/etc/modload and
$OPENWINHOME/bin/loadmodule
===========================================================================
NASA Automated Systems Incident Response Capability
===========================================================================
NASIRC has learned of security vulnerabilities that exist within SunOS
pertaining to /usr/etc/modload and $OPENWINHOME/bin/loadmodule. In order to
prevent a system from being vulnerable to compromise, it is important that
SunOS sites install both patches described below, since patching only
loadmodule will not close the system security vulnerability.
These security vulnerabilities do not exist in Solaris 2.x or in Sun 3
architecture or any other versions of Open Windows.
Patch information on /usr/openwin/bin/loadmodule:
------------------------------------------------
A vulnerability exists in /usr/openwin/bin/loadmodule which could
allow root access via the manipulation of environment variables.
The program is a suid root program that calls /usr/etc/modload as
part of its operation. An individual must be able to execute a shell
script on the system to exploit this vulnerability. The recently
discussed Sendmail vulnerability (refer to NASIRC Bulletin #93-06)
could allow an attacker to execute such a script without having to
physically log in to your system. The individual only needs to know
basic UNIX commands to exploit this particular vulnerability.
Patch ID: 100448-02 (SunOS 4.1.x, Open Windows version 3.0 only)
Checksum: 19410 5 100448-02.tar.Z
*NOTE*: The modload patch, described below, must also be installed to
close these security vulnerabilities.
Patch information from Sun on /usr/etc/modload:
----------------------------------------------
A vulnerability exists within /usr/etc/modload that allows root access
via the manipulation of environment variables. This process is
called via /usr/openwin/bin/loadmodule during normal operation.
Since /usr/openwin/bin/loadmodule is a suid root process, this called
process /usr/etc/modload must also be patched to secure all known
bugs.
Patch ID: 101200-01 (SunOS 4.1.1, 4.1.2, 4.1.3 and 4.1.3C)
Checksum: 47050 29 101200-02.tar.Z
*NOTE*: The loadmodule patch described above must also be installed to
close this security vulnerability.
ADDITIONAL INFORMATION:
----------------------
One indicator that shows that the hole might have been exploited is to
check the system for /var/tmp/modload.out.
You might also want to run COPS or similar system-integrity checking
software after applying the patches to make sure no unauthorized
setuid scripts were created.
All SunOS security patches are available to customers who do not have
a support contract, via anonymous ftp:
- In the US, from /systems/sun/sun-dist on ftp.uu.net
- In Europe, from ~ftp/sun/fixes on ftp.eu.net
Patches announced by Sun are uploaded to these two sites just before
the release of a bulletin and are seldom updated. In contrast, the
"supported" patch databases are refreshed nightly and will often
contain newer versions of a patch incorporating changes which are not
security-related.
If you require assistance obtaining or installing these patches, contact
the NASIRC helpdesk.
Security checklists, toolkits and guidance are available from the NASIRC
online archives which are available to the NASA community via anonymous FTP
from NASIRC.NASA.GOV. You will be required to enter your valid e-mail
address. Contact the NASIRC Helpdesk for more information and assistance
with toolkits or security measures.
NASIRC ACKNOWLEDGES: Jim Simmons of the University of Arizona for
bringing this vulnerability to our attention. We would like to formally
thank Mark Graff of SUN Microsystems for his assistance with coordinating
this alert and providing patch and security information about these
vulnerabilities. A special thank you to Rob Jensen, Goddard Space Flight
Center, for providing technical assistance.
==================================================================
For further assistance, please contact the NASIRC Helpdesk:
Phone: 1-800-7-NASIRC Fax: 1-301-441-1853
Internet Email: nasirc@nasa.gov
24 Hour/Emergency Pager: 1-800-759-7243/Pin:5460866
==================================================================
This bulletin may be forwarded without restrictions to sites and
system administrators within the NASA community.
-----------------
PLEASE NOTE: Users outside of the NASA community may receive NASIRC
bulletins. If you are not part of the NASA community, please contact
your agency's response team to report incidents. Your agency's team
will coordinate with NASIRC, who will ensure the proper internal
NASA team(s) are notified. NASIRC is a member of the Forum of Incident
Response and Security Teams (FIRST), a world-wide organization which
provides for coordination between incident response teams in handling
computer-security-related issues.
A list of FIRST member organizations and their constituencies can be
obtained by sending email to docserver@first.org with an empty subject
line and a message body containing the line: send first-contacts.
===========================================================================
HOW TO INSTALL THE PATCHES TO
/usr/etc/modload and /usr/openwin/bin/loadmodule

INSTALL /usr/etc/modload patch:
------------------------------
As root:

Make a backup copy of the files to be installed:

    mv /usr/kvm/etc/modload /usr/kvm/modload.orig

Now install the patched files:

    cp sun4/modload /usr/kvm/modload
    chmod 755 /usr/kvm/modload

NOTE: You need to make sure that you set the file protection
correctly on /usr/kvm/modload.orig by doing the following:

    chmod 400 /usr/kvm/modload.orig

INSTALL /usr/bin/loadmodule:
---------------------------
As root, make a backup copy of loadmodule and then copy over the
patched version:

    mv $OPENWINHOME/bin/loadmodule $OPENWINHOME/bin/loadmodule.orig
    chmod 400 $OPENWINHOME/bin/loadmodule.orig
    cp sun4/loadmodule $OPENWINHOME/bin/loadmodule
    chown root $OPENWINHOME/bin/loadmodule
    chmod 4755 $OPENWINHOME/bin/loadmodule
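
The checks under ADDITIONAL INFORMATION and the file modes set by the
install steps above can be scripted. The following is an added example,
not part of the original bulletin; ROOT (the first argument), SUID_OWNER
and the function names are assumptions, while the file paths are the ones
used in the bulletin's own commands.

```sh
#!/bin/sh
# Added example, not part of the NASIRC bulletin. ROOT (first argument)
# and SUID_OWNER are hypothetical parameters so the checks can be run
# against a mounted image or a test tree instead of the live system.

# Indicator named in the bulletin: /var/tmp/modload.out exists.
ioc_present() {
    [ -e "${1%/}/var/tmp/modload.out" ]
}

# Print setuid regular files whose first two bytes are "#!", i.e. the
# setuid scripts the bulletin suggests hunting for with COPS.
setuid_scripts() {
    find "${1:-/}" -type f -perm -4000 -exec sh -c '
        for f in "$@"; do
            [ "$(dd if="$f" bs=2 count=1 2>/dev/null)" = "#!" ] &&
                printf "%s\n" "$f"
        done
        exit 0' sh {} +
}

# True only if FILE has exactly octal MODE (and, if given, owner USER).
# An exact match on 400 also proves a backup lost its setuid bit.
has_mode() {
    [ -n "$(find "$1" -prune -perm "$2" ${3:+-user "$3"} -print 2>/dev/null)" ]
}

# Check the modes the install steps set; prints each mismatch and
# returns non-zero if any file is missing or has a different mode.
verify_install() {
    root=${1%/}; ow=${OPENWINHOME:-/usr/openwin}; rc=0
    expect() {
        has_mode "$root$1" "$2" "$3" ||
            { echo "MISMATCH: $1 (want mode $2${3:+, owner $3})"; rc=1; }
    }
    expect /usr/kvm/modload 755
    expect /usr/kvm/modload.orig 400
    expect "$ow/bin/loadmodule" 4755 "${SUID_OWNER:-root}"
    expect "$ow/bin/loadmodule.orig" 400
    return $rc
}
```

Source the file as root and call `ioc_present /`, `setuid_scripts /` and
`verify_install /` after patching. A MISMATCH on loadmodule.orig means the
unpatched suid root binary is still executable under its backup name.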