Date: 14 May 1997
Click here for printable version
Click here for PGP verifiable version
-----BEGIN PGP SIGNED MESSAGE-----
===========================================================================
AA-97.10 AUSCERT Advisory
Solaris 2.x eject Buffer Overrun Vulnerability
14 March 1997
Last Revised: 14 May 1997
Updated information on obtaining pre-compiled versions of
the wrapper.
Updated information on obtaining overflow_wrapper.c.
A complete revision history is at the end of this file.
- -----------------------------------------------------------------------------
AUSCERT has received information that a vulnerability exists in eject(1),
distributed under Solaris 2.4, 2.5 and 2.5.1. Earlier versions may be
vulnerable.
This vulnerability may allow local users to gain root privileges.
Exploit information involving this vulnerability has been made publicly
available.
Vendor patches have been released by Sun Microsystems addressing this
vulnerability.
AUSCERT recommends that sites take the steps outlined in section 3 as soon
as possible.
This advisory will be updated as more information becomes available.
- -----------------------------------------------------------------------------
1. Description
eject(1) is a program used for those removable media devices that do
not have a manual eject button, or for those that do, but are managed
by Volume Management.
Due to insufficient bounds checking on arguments which are supplied
by users, it is possible to overwrite the internal stack space of the
eject program while it is executing. By supplying a carefully designed
argument to the eject program, intruders may be able to force eject
to execute arbitrary commands. As eject is setuid root, this may
allow intruders to run arbitrary commands with root privileges.
Sites can determine if this program is installed by using:
% ls -l /usr/bin/eject
eject is installed by default in /usr/bin. Sites are encouraged to
check for the presence of this program regardless of the version of
Solaris installed.
Exploit information involving this vulnerability has been made publicly
available.
2. Impact
Local users may gain root privileges.
3. Workarounds/Solution
Official vendor patches have been released by Sun Microsystems which
address this vulnerability (Section 3.1).
If the patches recommended by Sun Microsystems cannot be applied,
AUSCERT recommends that sites prevent the exploitation of this
vulnerability in eject by immediately applying the workaround given
in Section 3.2 on machines that normally run the Volume Management
daemon, vold(1). This will maintain the default eject functionality.
To maintain the default functionality of eject on sites that are not
running vold AUSCERT recommends applying the workaround given in
Section 3.3.
3.1 Install vendor patches
Sun Microsystems has released a security bulletin, containing patch
information, addressing the vulnerability described in this advisory.
The original release of this bulletin has been appended in Appendix A.
AUSCERT recommends that sites apply the patches given in this bulletin
immediately.
3.2 Remove setuid permission
To prevent the exploitation of the vulnerability described in this
advisory, AUSCERT recommends that the setuid permissions be removed
from the eject program immediately. Sites running vold will maintain
the default functionality of eject when run by non-root users.
# ls -l /usr/bin/eject
-r-sr-xr-x 1 root other 5804 Mar 14 09:47 /usr/bin/eject
# chmod 555 /usr/bin/eject
# ls -l /usr/bin/eject
-r-xr-xr-x 1 root other 5804 Mar 14 09:47 /usr/bin/eject
3.3 Install eject wrapper
AUSCERT has developed a wrapper to help prevent programs from being
exploited using the vulnerability described in this advisory. Sites
which have a C compiler can obtain the source, compile and install
this wrapper. Please contact AUSCERT directly if pre-compiled binaries
of the wrapper are required.
AUSCERT recommends the installation of eject wrapper only on sites
that are not running vold and where the security patches released by
Sun Microsystems are unable to be installed.
The source for the wrapper, including installation instructions, can
be found at:
ftp://ftp.auscert.org.au/pub/auscert/tools/overflow_wrapper/
overflow_wrapper.c
This wrapper replaces the eject program and checks the length of the
command line arguments which are passed to it. If an argument exceeds
a certain predefined value (MAXARGLEN), the wrapper exits without
executing the eject command. The wrapper program can also be
configured to syslog any failed attempts to execute eject with
arguments exceeding MAXARGLEN. For further instructions on using this
wrapper, please read the comments at the top of overflow_wrapper.c.
When compiling overflow_wrapper.c for use with eject, AUSCERT
recommends defining MAXARGLEN to be 32.
The MD5 checksum for the current version of overflow_wrapper.c can
be retrieved from:
ftp://ftp.auscert.org.au/pub/auscert/tools/overflow_wrapper/CHECKSUM
4. Additional measures
Most Unix systems ship with numerous programs which have setuid or
setgid privileges. Often the functionality supplied by these
privileged programs is not required by many sites. The large number
of privileged programs that are shipped by default are to cater for
all possible uses of the system.
AUSCERT encourages sites to examine all the setuid/setgid programs
and determine the necessity of each program. If a program does not
absolutely require the setuid/setgid privileges to operate (for
example, it is only run by the root user), the setuid/setgid
privileges should be removed. Furthermore, if a program is not
required at your site, then all execute permissions should be removed.
A sample command to find all setuid/setgid programs is (run as root):
# find / ( -perm -4000 -o -perm -2000 ) -type f -exec ls -l {} ;
It is AUSCERT's experience that many vulnerability are being discovered
in setuid/setgid programs which are not necessary for the correct
operation of most systems. Sites can increase their security by
removing unnecessary setuid/setgid programs.
For example, the functionality provided by the eject program is not
needed by many sites. If sites had previously disabled this program,
they would not have been susceptible to this latest vulnerability.
..............................................................................
Appendix A
- ----------------------BEGIN SUN SECURITY BULLETIN ----------------------------
=============================================================================
SUN MICROSYSTEMS SECURITY BULLETIN: #00138, 17 APRIL 1997
=============================================================================
BULLETIN TOPICS
In this bulletin Sun announces the release of security-related patches
for Solaris 2.5 (SunOS 5.5) and Solaris 2.5.1 (SunOS 5.5.1). These patches
relate to vulnerabilities in the volume management library, libvolmgt.so.1,
which can result in root access if exploited. The programs eject and fdformat
dynamically link the libvolmgt.so.1 library.
Sun estimates that patches for Solaris 2.3 (SunOS 5.3) and Solaris 2.4
(SunOS 5.4) for the same vulnerabilities will be available within 1 week of
the date of this bulletin.
Sun strongly recommends that you install these patches immediately on
every affected system. Exploitation scripts for eject and fdformat were made
public last month.
I. Who is Affected, and What to Do
II. Understanding the Vulnerabilities
III. List of Patches
IV. Checksum Table
APPENDICES
A. How to obtain Sun security patches
B. How to report or inquire about Sun security problems
C. How to obtain Sun security bulletins or short status updates
Sun acknowledges with thanks the CERT Coordination Center (Carnegie
Mellon University) and AUSCERT for their assistance in the preparation of
this bulletin.
Sun, CERT/CC, and AUSCERT are members of FIRST, the Forum of Incident
Response and Security Teams. For more information about FIRST, visit
the FIRST web site at "http://www.first.org/".
Keywords: eject, fdformat, volume management
Patchlist: 104776-01, 104777-01
103024-02, 103044-02
101907-14, 101908-14, 101331-07
Cross-Ref:
-----------
Permission is granted for the redistribution of this Bulletin, so long
as the Bulletin is not edited and is attributed to Sun Microsystems.
Portions may also be excerpted for re-use in other security advisories
so long as proper attribution is included.
Any other use of this information without the express written consent
of Sun Microsystems is prohibited. Sun Microsystems expressly disclaims
all liability for any misuse of this information by any third party.
=============================================================================
SUN MICROSYSTEMS SECURITY BULLETIN: #00138, 17 APRIL 1997
=============================================================================
I. Who is Affected, and What to Do
SunOS versions 5.3, 5.4, 5.5, 5.5_x86, 5.5.1, and 5.5.1_x86 are vulnerable.
SunOS versions 4.1.3_U1 and 4.1.4 are not vulnerable.
Install the patches listed in III. for SunOS versions 5.5, 5.5_x86, 5.5.1,
and 5.5.1_x86.
Sun estimates that patches for SunOS 5.4, SunOS 5.4_x86, and 5.3 will be
released within 1 week from the date of this bulletin. In the meantime,
Sun recommends, as a workaround, that setuid permission be removed from
the eject and fdformat programs by using commands such as the following:
chmod 555 /usr/bin/eject
chmod 555 /usr/bin/fdformat
The same vulnerabilities have been fixed in the upcoming release of
Solaris 2.6.
II. Understanding the Vulnerabilities
A. eject Buffer Overflow Vulnerability
Removable media devices that do not have an eject button or removable media
devices that are managed by Volume Management use the eject program. Due to
insufficient bounds checking on arguments in the volume management library,
libvolmgt.so.1, it is possible to overwrite the internal stack space of the
eject program. If exploited, this vulnerability can be used to gain root
access on attacked systems.
B. fdformat Buffer Overflow Vulnerability
The fdformat program formats diskettes and PCMCIA memory cards. The program
also uses the same volume management library, libvolmgt.so.1, and is exposed
to the same vulnerability as the eject program.
III. List of Patches
The vulnerabilities relating to eject and fdformat in the volume management
library are fixed by the following patches:
OS version Patch ID
---------- --------
SunOS 5.5.1 104776-01
SunOS 5.5.1_x86 104777-01
SunOS 5.5 103024-02
SunOS 5.5_x86 103044-02
SunOS 5.4 101907-14 (to be released in 1 week)
SunOS 5.4_x86 101908-14 (to be released in 1 week)
SunOS 5.3 101331-07 (to be released in 1 week)
IV. Checksum Table
In the checksum table we show the BSD and SVR4 checksums and MD5 digital
signatures for the compressed tar archives.
File BSD SVR4 MD5
Name Checksum Checksum Digital Signature
- --------------- --------- --------- --------------------------------
104776-01.tar.Z 01572 121 22359 241 21E84190D22646A7A7C330D2C88AF1A9
104777-01.tar.Z 16759 122 5357 243 7D1E7640C98E308CB829B3C0754291CC
103024-02.tar.Z 04867 121 18968 241 F9451B9BE28389EC4A5B7B79E8B04B44
103044-02.tar.Z 26729 121 63537 241 D3FB1C1AD4CF72422F6002E56D357988
The checksums shown above are from the BSD-based checksum (on 4.1.x,
/bin/sum; on SunOS 5.x, /usr/ucb/sum) and from the SVR4 version on
on SunOS 5.x (/usr/bin/sum).
APPENDICES
A. How to obtain Sun security patches
1. If you have a support contract
Customers with Sun support contracts can obtain any patches listed
in this bulletin (and any other patches--and a list of patches) from:
- SunSolve Online
- Local Sun answer centers, worldwide
- SunSITEs worldwide
The patches are available via World Wide Web at http://sunsolve.sun.com.
You should also contact your answer center if you have a support
contract and:
- You need assistance in installing a patch
- You need additional patches
- You want an existing patch ported to another platform
- You believe you have encountered a bug in a Sun patch
- You want to know if a patch exists, or when one will be ready
2. If you do not have a support contract
Customers without support contracts may now obtain security patches,
"recommended" patches, and patch lists via SunSolve Online.
Sun does not furnish patches to any external distribution sites
other than the ones mentioned here. The ftp.uu.net and ftp.eu.net
sites are no longer supported.
3. About the checksums
So that you can quickly verify the integrity of the patch files
themselves, we supply in each bulletin checksums for the tar archives.
Occasionally, you may find that the listed checksums do not match
the patches on the SunSolve or SunSite database. This does not
necessarily mean that the patch has been tampered with. More likely,
a non-substantive change (such as a revision to the README file)
has altered the checksum of the tar file. The SunSolve patch database
is refreshed nightly, and will sometimes contain versions of a patch
newer than the one on which the checksums were based.
In the future we may provide checksum information for the
individual components of a patch as well as the compressed archive
file. This would allow customers to determine, if need be, which
file(s) have been changed since we issued the bulletin containing
the checksums.
In the meantime, if you would like assistance in verifying the
integrity of a patch file please contact this office or your local
answer center.
B. How to report or inquire about Sun security problems
If you discover a security problem with Sun software or wish to
inquire about a possible problem, contact one or more of the
following:
- Your local Sun answer centers
- Your representative computer security response team, such as CERT
- This office. Address postal mail to:
Sun Security Coordinator
MS MPK17-103
2550 Garcia Avenue
Mountain View, CA 94043-1100
Email: security-alert@sun.com
We strongly recommend that you report problems to your local Answer
Center. In some cases they will accept a report of a security bug
even if you do not have a support contract. An additional notification
to the security-alert alias is suggested but should not be used as your
primary vehicle for reporting a bug.
C. How to obtain Sun security bulletins or short status updates
1. Subscription information
Sun Security Bulletins are available free of charge as part of
our Customer Warning System. It is not necessary to have a Sun
support contract in order to receive them.
To receive information or to subscribe or unsubscribe from our
mailing list, send mail to security-alert@sun.com with a subject
line containing one of the following commands.
Subject Information Returned/Action Taken
------- ---------------------------------
HELP An explanation of how to get information
LIST A list of current security topics
QUERY [topic] The mail containing the question is relayed to
a Security Coordinator for a response.
REPORT [topic] The mail containing the text is treated as a
security bug report and forwarded to a Security
Coordinator for handling. Please note that this
channel of communications does not supersede
the use of Sun Solution Centers for this
purpose. Note also that we do not recommend
that detailed problem descriptions be sent in
plain text.
SEND topic Summary of the status of selected topic. (To
retrieve a Sun Security Bulletin, supply the
number of the bulletin, as in "SEND #103".)
SUBSCRIBE Sender is added to the CWS (Customer
Warning System) list. The subscribe feature
requires that the sender include on the subject
line the word "cws" and the reply email
address. So the subject line might look like
the following:
SUBSCRIBE cws your-email-address
UNSUBSCRIBE Sender is removed from the CWS list.
Should your email not fit into one of the above subjects, a help
message will be returned to you.
Due to the volume of subscription requests we receive, we cannot
guarantee to acknowledge requests. Please contact this office if
you wish to verify that your subscription request was received, or
if you would like your bulletin delivered via postal mail or fax.
2. Obtaining old bulletins
Sun Security Bulletins are available via the security-alert alias
and on SunSolve. Please try these sources first before contacting
this office for old bulletins.
----------
- -----------------------END SUN SECURITY BULLETIN ----------------------------
.............................................................................
- -----------------------------------------------------------------------------
AUSCERT thanks Brian Meilak (Queensland University of Technology) and Sun
Microsystems for their assistance in this matter.
- -----------------------------------------------------------------------------
The AUSCERT team have made every effort to ensure that the information
contained in this document is accurate. However, the decision to use the
information described is the responsibility of each user or organisation.
The appropriateness of this document for an organisation or individual
system should be considered before application in conjunction with local
policies and procedures. AUSCERT takes no responsibility for the
consequences of applying the contents of this document.
If you believe that your system has been compromised, contact AUSCERT or
your representative in FIRST (Forum of Incident Response and Security
Teams).
AUSCERT is located at The University of Queensland within the Prentice
Centre. AUSCERT is a full member of the Forum of Incident Response and
Security Teams (FIRST).
AUSCERT maintains an anonymous FTP service which is found on:
ftp://ftp.auscert.org.au/pub/. This archive contains past SERT and AUSCERT
Advisories, and other computer security information.
AUSCERT also maintains a World Wide Web service which is found on:
http://www.auscert.org.au/.
Internet Email: auscert@auscert.org.au
Facsimile: (07) 3365 4477
Telephone: (07) 3365 4417 (International: +61 7 3365 4417)
AUSCERT personnel answer during Queensland business hours
which are GMT+10:00 (AEST).
On call after hours for emergencies.
Postal:
Australian Computer Emergency Response Team
Prentice Centre
Brisbane
Qld. 4072.
AUSTRALIA
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
Revision History
14 May 1997 Pre-compiled binaries of the overflow_wrapper program
were only made available as an interim measure. As
patches have been released, these binaries are no longer
available and the advisory was updated to reflect this.
The location of overflow_wrapper.c has changed. Section
3 was updated to show this.
21 Apr 1997 Sun Microsystems has released a security bulletin addressing
this vulnerability in the eject program. This was appended
in Appendix A. Section 3 was modified to include this
information.
16 Apr 1997 Updated Section 3 to include information on Volume
management daemon.
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
-----BEGIN PGP SIGNATURE-----
Version: 2.6.3i
Charset: noconv
Comment: ftp://ftp.auscert.org.au/pub/auscert/AUSCERT_PGP.key
iQCVAwUBM3mgPyh9+71yA2DNAQEOOwP/Qu1RW26q+65NQ29RMMap0gQIS9HPMUOu
67Hauijgr9c4AxgdFoO+STE2jp+NSt7u5sNGhX6NMjYAolfIcHVHO2XmzaXFti5K
pQGyb1hTCzLJtocwftNr/cwHViBfgWikEApcR5LlPe9WIVKHUitmLt414gDR2x6G
7xqsusr9Ae4=
=dWv9
-----END PGP SIGNATURE-----
|