Date: 04 June 1997
Click here for printable version
Click here for PGP verifiable version
-----BEGIN PGP SIGNED MESSAGE-----
===========================================================================
AA-97.06 AUSCERT Advisory
Solaris ffbconfig Buffer Overrun Vulnerability
13 February 1997
Last Revised: 04 June 1997
Added SUN Security bulletin in Appendix A
- ---------------------------------------------------------------------------
AUSCERT has received information that a vulnerability exists in
ffbconfig(1m), distributed under Solaris 2.5 and 2.5.1.
This vulnerability may allow local users to gain root privileges.
Exploit information involving this vulnerability has been made publicly
available.
Vendor patches have been released addressing this vulnerability.
AUSCERT recommends that sites take the steps outlined in section 3 as soon
as possible.
This advisory will be updated as more information becomes available.
- ---------------------------------------------------------------------------
1. Description
ffbconfig is a program used to configure the Fast Frame Buffer (FFB)
Graphics Accelerator, and is part of the FFB Configuration Software
package, SUNWffbcf. This software is only of use if the FFB Graphics
accelerator card is installed. If the device /dev/fbs/ffb0 exists,
it may indicate that the card is installed.
Due to insufficient bounds checking on arguments which are supplied
by users, it is possible to overwrite the internal stack space of the
ffbconfig program while it is executing. By supplying a carefully
designed argument to the ffbconfig program, intruders may be able to
force ffbconfig to execute arbitrary commands. As ffbconfig is setuid
root, this may allow intruders to run arbitrary commands with root
privileges.
ffbconfig was first released under Solaris 2.5 and 2.5.1, and this
vulnerability is known to affect both these releases.
Sites can determine if this package is installed by checking for the
SUNWffbcf package:
% /usr/bin/pkginfo -l SUNWffbcf
ffbconfig is installed by default in /usr/sbin. Sites are encouraged
to check for the presence of this program regardless of the version
of Solaris installed.
Exploit information involving this vulnerability has been made publicly
available.
2. Impact
Local users may gain root privileges.
3. Workarounds/Solution
Official vendor patches have been released by Sun Microsystems which
address this vulnerability (Section 3.3).
If the patches recommended by Sun Microsystems cannot be applied,
AUSCERT recommends that sites prevent the exploitation of this
vulnerability in ffbconfig by immediately applying the workaround
given in Section 3.1. If the SUNWffbcf package is not required, it is
recommended that sites remove it from their systems (Section 3.2).
3.1 Remove setuid and non-root execute permissions
To prevent the exploitation of the vulnerability described in this
advisory, AUSCERT recommends that the setuid permissions be removed
from the ffbconfig program immediately. As ffbconfig will no longer
work for non-root users, it is recommended that the execute permissions
also be removed.
# ls -l /usr/sbin/ffbconfig
-r-sr-xr-x 1 root bin 31436 Oct 14 1995 /usr/sbin/ffbconfig
# chmod 500 /usr/sbin/ffbconfig
# ls -l /usr/sbin/ffbconfig
-r-x------ 1 root bin 31436 Oct 14 1995 /usr/sbin/ffbconfig
3.2 Remove the SUNWffbcf package
If the FFB graphics accelerator card is not installed, the SUNWffbcf
package will not be required and sites are encouraged to remove it
completely from their systems. This can be done by running, as root,
the command:
# /usr/sbin/pkgrm SUNWffbcf
There are also a number of other packages which are also associated
with the FFB Graphics Accelerator:
SUNWffb FFB System Software (Device Driver)
SUNWffbmn On-Line FFB Manual Pages
SUNWffbw FFB Window System Support
SUNWffbxg FFB XGL support
Although there is nothing to suggest that these packages contain
vulnerabilities, if you do not require their functionality, you may
also wish to remove them with the /usr/sbin/pkgrm command.
3.3 Install vendor patches
Sun Microsystems has released patches which address the vulnerability
described in this advisory. AUSCERT recommends that sites apply theses
patches as soon as possible.
Operating System Patch MD5 Checksum
~~~~~~~~~~~~~~~~ ~~~~~ ~~~~~~~~~~~~
Solaris 2.5 103076-09.tar.Z 0a8aa3c106c4f09448220c1b0b714cd1
Solaris 2.5.1 103796-09.tar.Z 4994176b4c03215bd2707b87921c5096
These patches can be retrieved from:
ftp://sunsolve1.sun.com.au/pub/patches/
ftp://ftp.auscert.org.au/pub/mirrors/sunsolve1.sun.com/
Sun Microsystems has also released a security bulletin containing
information on the above patches. The original release of this bulletin
has been appended in Appendix A.
4. Additional measures
Most Unix systems ship with numerous programs which have setuid or
setgid privileges. Often the functionality supplied by these
privileged programs is not required by many sites. The large number
of privileged programs that are shipped by default are to cater for
all possible uses of the system.
AUSCERT encourages sites to examine all the setuid/setgid programs
and determine the necessity of each program. If a program does not
absolutely require the setuid/setgid privileges to operate (for
example, it is only run by the root user), the setuid/setgid
privileges should be removed. Furthermore, if a program is not
required at your site, then all execute permissions should be removed.
A sample command to find all setuid/setgid programs is (run as root):
# find / ( -perm -4000 -o -perm -2000 ) -type f -exec ls -l {} ;
It is AUSCERT's experience that many vulnerability are being discovered
in setuid/setgid programs which are not necessary for the correct
operation of most systems. Sites can increase their security by
removing unnecessary setuid/setgid programs.
For example, the functionality provided by the ffbconfig program is
not needed by many sites. If sites had previously disabled this
program, they would not have been susceptible to this latest
vulnerability.
.........................................................................
Appendix A
- ---------------------- BEGIN SUN SECURITY BULLETIN ----------------------
______________________________________________________________________________
Sun Microsystems, Inc. Security Bulletin
Bulletin Number: #00140
Date: 14 May 1997
Cross-Ref: AUSCERT AA-97.06
Title: Vulnerability in ffbconfig
______________________________________________________________________________
Permission is granted for the redistribution of this Bulletin, so long as
the Bulletin is not edited and is attributed to Sun Microsystems. Portions
may also be excerpted for re-use in other security advisories so long as
proper attribution is included.
Any other use of this information without the express written consent of
Sun Microsystems is prohibited. Sun Microsystems expressly disclaims all
liability for any misuse of this information by any third party.
______________________________________________________________________________
1. Bulletins Topics
Sun announces the release of patches for Solaris 2.5.1 (SunOS 5.5.1) and
Solaris 2.5 (SunOS 5.5) that relate to vulnerabilities in the ffbconfig
program, which can result in root access if exploited.
Sun strongly recommends that you install these patches immediately on
every affected system. Exploitation information for ffbconfig is publicly
available.
2. Who is Affected
Vulnerable: SunOS versions 5.5.1 and 5.5 SPARC running the Creator
FFB Graphics Accelerator.
See section 4. Understanding the Vulnerability, for a way
to test if a system is affected.
Not vulnerable: All other supported versions of SunOS
This vulnerability does not exist in the upcoming release of Solaris 2.6.
3. What to Do
Install the patches listed in 5.
4. Understanding the Vulnerability
The ffbconfig program configures the Creator Fast Frame Buffer (FFB)
Graphics Accelerator, which is part of the FFB Configuration Software
Package, SUNWffbcf. This software is used when the FFB Graphics accelerator
card is installed. Due to insufficient bounds checking on arguments, it is
possible to overwrite the internal stack space of the ffbconfig program.
If exploited, this vulnerability can be used to gain root access on
attacked systems.
To test if a system is vulnerable, run the following command to check for
the presence of SUNWffbcf package which is installed when the FFB Graphics
accelerator card is present:
/usr/bin/pkginfo -l SUNWffbcf
If it is not present, you will get an error message stating that SUNWffbcf
was not found. If it is present, ffbconfig is installed in /usr/sbin.
5. List of Patches
The vulnerability relating to ffbconfig is fixed by the following patches:
OS version Patch ID
---------- --------
SunOS 5.5.1 103796-09
SunOS 5.5 103076-09
The above-mentioned patches are listed in the Graphics section under
Unbundled Products at
ftp://sunsolve1.sun.com/pub/patches/patches.html.
6. Checksum Table
The checksum table below shows the BSD checksums (SunOS 5.x: /usr/ucb/sum),
SVR4 checksums (SunOS 5.x: /usr/bin/sum), and the MD5 digital signatures
for the above-mentioned patches that are available from:
ftp://sunsolve1.sun.com/pub/patches/patches.html
These checksums may not apply if you obtain patches from your answer
centers.
File Name BSD SVR4 MD5
- --------------- --------- --------- --------------------------------
103796-09.tar.Z 37854 2479 55959 4957 4994176B4C03215BD2707B87921C5096
103076-09.tar.Z 33438 2435 42064 4869 0A8AA3C106C4F09448220C1B0B714CD1
______________________________________________________________________________
Sun acknowledges with thanks CERT/CC and AUSCERT for their assistance in the
preparation of this bulletin.
Sun, CERT/CC, and AUSCERT are members of FIRST, the Forum of Incident Response
and Security Teams. For more information about FIRST, visit the FIRST web site
at "http://www.first.org/".
______________________________________________________________________________
APPENDICES
A. Patches listed in this security bulletin are available to all Sun customers
via World Wide Web at:
ftp://sunsolve1.sun.com/pub/patches/patches.html
Customers with Sun support contracts can also obtain patches from local
Sun answer centers and SunSITEs worldwide.
B. To report or inquire about a security problem with Sun software, contact
one or more of the following:
- Your local Sun answer centers
- Your representative computer security response team, such as CERT
- Sun Security Coordination Team. Send email to:
security-alert@sun.com
C. To receive information or subscribe to our CWS (Customer Warning System)
mailing list, send email to:
security-alert@sun.com
with a subject line (not body) containing one of the following commands:
Command Information Returned/Action Taken
------- ---------------------------------
HELP An explanation of how to get information
LIST A list of current security topics
QUERY [topic] The mail containing the question is relayed to
the Security Coordination Team for response.
REPORT [topic] The mail containing the text is treated as a
security report and forwarded to the Security
Coordination Team. We do not recommend that detailed
problem descriptions be sent in plain text.
SEND topic A short status summary or bulletin. For example, to
retrieve a Security Bulletin #00138, supply the
following in the subject line (not body):
SEND #138
SUBSCRIBE Sender is added to our mailing list. To subscribe,
supply the following in the subject line (not body):
SUBSCRIBE cws your-email-address
Note that your-email-address should be substituted
by your email address.
UNSUBSCRIBE Sender is removed from our mailing list.
______________________________________________________________________________
- ---------------------- END SUN SECURITY BULLETIN --------------------------
...........................................................................
- ---------------------------------------------------------------------------
AUSCERT thanks Brian Meilak (Queensland University of Technology), Sun
Microsystems and DFN-CERT for their assistance in this matter.
- ---------------------------------------------------------------------------
The AUSCERT team have made every effort to ensure that the information
contained in this document is accurate. However, the decision to use the
information described is the responsibility of each user or organisation.
The appropriateness of this document for an organisation or individual
system should be considered before application in conjunction with local
policies and procedures. AUSCERT takes no responsibility for the
consequences of applying the contents of this document.
If you believe that your system has been compromised, contact AUSCERT or
your representative in FIRST (Forum of Incident Response and Security
Teams).
AUSCERT is located at The University of Queensland within the Prentice
Centre. AUSCERT is a full member of the Forum of Incident Response and
Security Teams (FIRST).
AUSCERT maintains an anonymous FTP service which is found on:
ftp://ftp.auscert.org.au/pub/. This archive contains past SERT and AUSCERT
Advisories, and other computer security information.
AUSCERT also maintains a World Wide Web service which is found on:
http://www.auscert.org.au/.
Internet Email: auscert@auscert.org.au
Facsimile: (07) 3365 4477
Telephone: (07) 3365 4417 (International: +61 7 3365 4417)
AUSCERT personnel answer during Queensland business hours
which are GMT+10:00 (AEST).
On call after hours for emergencies.
Postal:
Australian Computer Emergency Response Team
Prentice Centre
Brisbane
Qld. 4072.
AUSTRALIA
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
Revision History
04 Jun, 1997 Sun Microsystems has released a security bulletin
addressing the vulnerability described in this advisory.
This has been appended in Appendix A. Section 3 has been
modified to include this information.
12 May, 1997 Changed Section 3 to include vendor patch information.
13 Feb, 1997 Updated acknowledgment section
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
-----BEGIN PGP SIGNATURE-----
Version: 2.6.3i
Charset: noconv
Comment: ftp://ftp.auscert.org.au/pub/auscert/AUSCERT_PGP.key
iQCVAwUBM5VbICh9+71yA2DNAQH+EQQAlIyV80UAsLb7p75gp58mZvP8252oNKly
tPN9Gz0Py5BdrbQYuUC9bZXkeWt2a0q8Ux59dq8Vwc47UyBckD2SjurSB+YpI2ZG
LP7vm3wY2amgqFPcWsJfemiAUw55qw0Zxy0aw32pmREGfUZR/RgIBvnq3i6v9IM5
qKFVH10k4ks=
=aC1V
-----END PGP SIGNATURE-----
|