- =============================================================================
- CERT(sm) Advisory CA-96.16
- Original issue date: August 5, 1996
- Last revised: August 30, 1996
- Removed references to the advisory README file.
-
- A complete revision history is at the end of this file.
-
- Topic: Vulnerability in Solaris admintool
- - -----------------------------------------------------------------------------
-
- The text of this advisory was originally released on July 30, 1996, as
- AUSCERT Advisory AL-96.03, developed by the Australian Computer Emergency
- Response Team. Because of the seriousness of the problem, we are reprinting
- the AUSCERT advisory here with their permission. Only the contact
- information at the end has changed: AUSCERT contact information has been
- replaced with CERT/CC contact information.
-
- We will update this advisory as we receive additional information.
- Please check advisory files regularly for updates that relate to your site.
-
- =============================================================================
-
- AUSCERT has received a report of a vulnerability in the Sun Microsystems
- Solaris 2.x distribution involving the program admintool. This program is
- used to provide a graphical user interface to numerous system administration
- tasks.
-
- This vulnerability may allow a local user to gain root privileges.
-
- Exploit details involving this vulnerability have been made publicly
- available.
-
- At this stage, AUSCERT is not aware of any official patches. AUSCERT
- recommends that sites take the actions suggested in Section 3 until official
- patches are available.
-
- - -----------------------------------------------------------------------------
-
- 1. Description
-
- admintool is a graphical user interface that enables an administrator to
- perform several system administration tasks on a system. These tasks
- include the ability to manage users, groups, hosts and other services.
-
- To help prevent different users updating system files simultaneously,
- admintool uses temporary files as a locking mechanism. The handling of
- these temporary files is not performed in a secure manner, and hence it
- may be possible to manipulate admintool into creating or writing to
- arbitrary files on the system. These files are accessed with the
- effective uid of the process executing admintool.
-
- In Solaris 2.5, admintool is set-user-id root by default. That is, all
- file accesses are performed with the effective uid of root. An effect
- of this is that the vulnerability will allow access to any file on the
- system. If the vulnerability is exploited to try to create a file that
- already exists, the contents of that file will be deleted. If the file
- does not exist, it will be created with root ownership and be world
- writable.
-
- In earlier versions of Solaris 2.x, admintool is not set-user-id root
- by default. In this case, admintool runs only with the privileges of
- the user executing it. However, local users may wait for a specific user
- to execute admintool, exploiting the vulnerability to create or write
- files with that specific user's privileges. Again, files created in this
- manner will be world writable.
-
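The weakness class described above, as an added C example that is not admintool's code and not part of the advisory: a lock-file routine that follows symlinks, truncates an existing target and creates a missing one world-writable, beside one that uses O_EXCL and mode 0600. The function names, the scratch directory under /tmp and the file contents are assumptions constructed for the demonstration.

```c
#define _POSIX_C_SOURCE 200809L
#include <fcntl.h>
#include <stdio.h>
#include <stdlib.h>
#include <sys/stat.h>
#include <unistd.h>

/* Weak pattern (assumed; it reproduces the symptoms the advisory lists):
 * follows a symlink at `path`, truncates an existing target, and creates
 * a missing one world-writable. */
int lock_weak(const char *path) {
    mode_t old = umask(0);
    int fd = open(path, O_WRONLY | O_CREAT | O_TRUNC, 0666);
    umask(old);
    return fd;
}

/* Hardened: O_EXCL makes open() fail with EEXIST if anything, including
 * a symlink, already sits at `path`; a new file is created owner-only. */
int lock_safe(const char *path) {
    return open(path, O_WRONLY | O_CREAT | O_EXCL | O_NOFOLLOW, 0600);
}

/* Constructed scenario in a private scratch directory: `lock` is a
 * pre-existing symlink to `target`, which holds 4 bytes. Returns the size
 * of `target` after the chosen routine runs, or -1 on setup failure. */
long target_size_after(int use_safe) {
    char dir[] = "/tmp/lockdemoXXXXXX", target[64], lock[64];
    struct stat st;
    if (!mkdtemp(dir)) return -1;
    snprintf(target, sizeof target, "%s/target", dir);
    snprintf(lock, sizeof lock, "%s/lock", dir);
    FILE *f = fopen(target, "w");
    if (!f) return -1;
    fputs("data", f);
    fclose(f);
    if (symlink(target, lock) != 0) return -1;
    int fd = use_safe ? lock_safe(lock) : lock_weak(lock);
    if (fd >= 0) close(fd);
    long size = stat(target, &st) == 0 ? (long)st.st_size : -1;
    unlink(lock); unlink(target); rmdir(dir);
    return size;
}

int main(void) {
    printf("weak: target size %ld\n", target_size_after(0));
    printf("safe: target size %ld\n", target_size_after(1));
    return 0;
}
```
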
- 2. Impact
-
- A local user may be able to create or write to arbitrary files on the
- system. This can be leveraged to gain root privileges.
-
- 3. Workarounds/Solution
-
- Currently, AUSCERT is not aware of any official patches which address
- this vulnerability. When official patches are made available, AUSCERT
- suggests that they be installed.
-
- Until official patches are available, sites are encouraged to
- completely prevent execution of admintool by any user (including root).
-
- # chmod 400 /usr/bin/admintool
- # ls -l /usr/bin/admintool
- -r-------- 1 root sys 303516 Oct 27 1995 /usr/bin/admintool
-
- Note that if only the setuid permissions are removed, it is still possible
- for users to gain privileges when admintool is executed as root.
-
- AUSCERT recommends that, where possible, admintool should not be used at
- all until official patches are available. In the interim, system
- administrators should perform administration tasks by using the command
- line equivalents. More details on performing these tasks may be found
- in the Sun documentation set.
-
- - -----------------------------------------------------------------------------
- AUSCERT wishes to thank Brian Meilak (QUT), Marek Krawus (UQ), Leif
- Hedstrom, Kim Holburn and Michael James for their assistance in this matter.
- - -----------------------------------------------------------------------------
-
- If you believe that your system has been compromised, contact the CERT
- Coordination Center or your representative in the Forum of Incident
- Response and Security Teams (FIRST).
-
- We strongly urge you to encrypt any sensitive information you send by email.
- The CERT Coordination Center can support a shared DES key and PGP. Contact
- the CERT staff for more information.
-
- Location of CERT PGP key
- ftp://info.cert.org/pub/CERT_PGP.key
-
- CERT Contact Information
- - ------------------------
- Email cert@cert.org
-
- Phone +1 412-268-7090 (24-hour hotline)
- CERT personnel answer 8:30-5:00 p.m. EST
- (GMT-5)/EDT(GMT-4), and are on call for
- emergencies during other hours.
-
- Fax +1 412-268-6989
-
- Postal address
- CERT Coordination Center
- Software Engineering Institute
- Carnegie Mellon University
- Pittsburgh PA 15213-3890
- USA
-
- CERT publications, information about FIRST representatives, and other
- security-related information are available for anonymous FTP from
- http://www.cert.org/
- ftp://info.cert.org/pub/
-
- CERT advisories and bulletins are also posted on the USENET newsgroup
- comp.security.announce
-
- To be added to our mailing list for CERT advisories and bulletins, send your
- email address to
- cert-advisory-request@cert.org
-
-
-
- CERT is a service mark of Carnegie Mellon University.
-
- This file:
- ftp://info.cert.org/pub/cert_advisories/CA-96.16.Solaris_admintool_vul
- http://www.cert.org
- click on "CERT Advisories"
-
-
- ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
- Revision history
-
- Aug. 30, 1996 Removed references to CA-96.16.README.
- Beginning of the advisory - removed AUSCERT advisory header
- to avoid confusion.
-