Date: 21 May 1997
Click here for printable version
Click here for PGP verifiable version
-----BEGIN PGP SIGNED MESSAGE-----
===========================================================================
AUSCERT External Security Bulletin Redistribution
ESB-97.066 -- Sun Security Bulletin #00140
Vulnerability in ffbconfig
21 May 1997
===========================================================================
Sun Microsystems has released the following security bulletin providing
patch information for a vulnerabiltiy in the ffbconfig program under
Solaris 2.5/2.5.1. This vulnerability may allow local users to gain root
access.
This bulletin addresses the problems previously described in AUSCERT
Advisory AA-97.06 -- Solaris ffbconfig Buffer Overrun Vulnerability.
AUSCERT advises that all sites apply the appropriate patches described in
this bulletin as soon as possible.
The following security bulletin is provided as a service to AUSCERT's
members. As AUSCERT did not write this document, AUSCERT has had no
control over its content. As such, the decision to use any or all of this
information is the responsibility of each user or organisation, and should
be done so in accordance with site policies and procedures.
Contact information for Sun Microsystems is included in the Security
Bulletin below. If you have any questions or need further information,
please contact them directly.
Previous advisories and external security bulletins can be retrieved from:
http://www.auscert.org.au/information/advisories.html
If you believe that your system has been compromised, contact AUSCERT or your
representative in FIRST (Forum of Incident Response and Security Teams).
Internet Email: auscert@auscert.org.au
Facsimile: (07) 3365 4477
Telephone: (07) 3365 4417 (International: +61 7 3365 4417)
AUSCERT personnel answer during Queensland business hours
which are GMT+10:00 (AEST).
On call after hours for emergencies.
- --------------------------BEGIN INCLUDED TEXT--------------------
______________________________________________________________________________
Sun Microsystems, Inc. Security Bulletin
Bulletin Number: #00140
Date: 14 May 1997
Cross-Ref: AUSCERT AA-97.06
Title: Vulnerability in ffbconfig
______________________________________________________________________________
Permission is granted for the redistribution of this Bulletin, so long as
the Bulletin is not edited and is attributed to Sun Microsystems. Portions
may also be excerpted for re-use in other security advisories so long as
proper attribution is included.
Any other use of this information without the express written consent of
Sun Microsystems is prohibited. Sun Microsystems expressly disclaims all
liability for any misuse of this information by any third party.
______________________________________________________________________________
1. Bulletins Topics
Sun announces the release of patches for Solaris 2.5.1 (SunOS 5.5.1) and
Solaris 2.5 (SunOS 5.5) that relate to vulnerabilities in the ffbconfig
program, which can result in root access if exploited.
Sun strongly recommends that you install these patches immediately on
every affected system. Exploitation information for ffbconfig is publicly
available.
2. Who is Affected
Vulnerable: SunOS versions 5.5.1 and 5.5 SPARC running the Creator
FFB Graphics Accelerator.
See section 4. Understanding the Vulnerability, for a way
to test if a system is affected.
Not vulnerable: All other supported versions of SunOS
This vulnerability does not exist in the upcoming release of Solaris 2.6.
3. What to Do
Install the patches listed in 5.
4. Understanding the Vulnerability
The ffbconfig program configures the Creator Fast Frame Buffer (FFB)
Graphics Accelerator, which is part of the FFB Configuration Software
Package, SUNWffbcf. This software is used when the FFB Graphics accelerator
card is installed. Due to insufficient bounds checking on arguments, it is
possible to overwrite the internal stack space of the ffbconfig program.
If exploited, this vulnerability can be used to gain root access on
attacked systems.
To test if a system is vulnerable, run the following command to check for
the presence of SUNWffbcf package which is installed when the FFB Graphics
accelerator card is present:
/usr/bin/pkginfo -l SUNWffbcf
If it is not present, you will get an error message stating that SUNWffbcf
was not found. If it is present, ffbconfig is installed in /usr/sbin.
5. List of Patches
The vulnerability relating to ffbconfig is fixed by the following patches:
OS version Patch ID
---------- --------
SunOS 5.5.1 103796-09
SunOS 5.5 103076-09
The above-mentioned patches are listed in the Graphics section under
Unbundled Products at
ftp://sunsolve1.sun.com/pub/patches/patches.html.
6. Checksum Table
The checksum table below shows the BSD checksums (SunOS 5.x: /usr/ucb/sum),
SVR4 checksums (SunOS 5.x: /usr/bin/sum), and the MD5 digital signatures
for the above-mentioned patches that are available from:
ftp://sunsolve1.sun.com/pub/patches/patches.html
These checksums may not apply if you obtain patches from your answer
centers.
File Name BSD SVR4 MD5
- --------------- --------- --------- --------------------------------
103796-09.tar.Z 37854 2479 55959 4957 4994176B4C03215BD2707B87921C5096
103076-09.tar.Z 33438 2435 42064 4869 0A8AA3C106C4F09448220C1B0B714CD1
______________________________________________________________________________
Sun acknowledges with thanks CERT/CC and AUSCERT for their assistance in the
preparation of this bulletin.
Sun, CERT/CC, and AUSCERT are members of FIRST, the Forum of Incident Response
and Security Teams. For more information about FIRST, visit the FIRST web site
at "http://www.first.org/".
______________________________________________________________________________
APPENDICES
A. Patches listed in this security bulletin are available to all Sun customers
via World Wide Web at:
ftp://sunsolve1.sun.com/pub/patches/patches.html
Customers with Sun support contracts can also obtain patches from local
Sun answer centers and SunSITEs worldwide.
B. To report or inquire about a security problem with Sun software, contact
one or more of the following:
- Your local Sun answer centers
- Your representative computer security response team, such as CERT
- Sun Security Coordination Team. Send email to:
security-alert@sun.com
C. To receive information or subscribe to our CWS (Customer Warning System)
mailing list, send email to:
security-alert@sun.com
with a subject line (not body) containing one of the following commands:
Command Information Returned/Action Taken
------- ---------------------------------
HELP An explanation of how to get information
LIST A list of current security topics
QUERY [topic] The mail containing the question is relayed to
the Security Coordination Team for response.
REPORT [topic] The mail containing the text is treated as a
security report and forwarded to the Security
Coordination Team. We do not recommend that detailed
problem descriptions be sent in plain text.
SEND topic A short status summary or bulletin. For example, to
retrieve a Security Bulletin #00138, supply the
following in the subject line (not body):
SEND #138
SUBSCRIBE Sender is added to our mailing list. To subscribe,
supply the following in the subject line (not body):
SUBSCRIBE cws your-email-address
Note that your-email-address should be substituted
by your email address.
UNSUBSCRIBE Sender is removed from our mailing list.
______________________________________________________________________________
- --------------------------END INCLUDED TEXT--------------------
-----BEGIN PGP SIGNATURE-----
Version: 2.6.3i
Charset: noconv
Comment: ftp://ftp.auscert.org.au/pub/auscert/AUSCERT_PGP.key
iQCVAwUBM4q44Sh9+71yA2DNAQEUZgP+MAmypoUSkH9YnRn/0DciwLeIyEzkZtQU
pPSq1t8ecWCakugEcHMai/HC7uBh6E8cCoiuE2CN8y0oIqEQs69zEo8Un+OrvHKA
N3DlPTRWTiHrKfEvSkC0CqanzJxRlm4ILez46dDqGf8k5sKT/R+PRnSceDKJv7Ql
pe3geVvZ7Ik=
=QkjQ
-----END PGP SIGNATURE-----
|