Date: 24 September 1996
Click here for printable version
Click here for PGP verifiable version
-----BEGIN PGP SIGNED MESSAGE-----
=============================================================================
AL-96.03 AUSCERT Alert
Vulnerability in Solaris 2.x admintool
30 July 1996
Last Revised: 24 September 1996
Added Sun patch information
- -----------------------------------------------------------------------------
AUSCERT has received a report of a vulnerability in the Sun Microsystems
Solaris 2.x distribution involving the program admintool. This program is
used to provide a graphical user interface to numerous system administration
tasks.
This vulnerability may allow a local user to gain root privileges.
Exploit details involving this vulnerability have been made publicly
available.
AUSCERT recommends that sites apply the vendor patch as recommended in
Section 3.2. Until the patch can be applied, sites should take the
necessary actions as stated in Section 3.1.
- -----------------------------------------------------------------------------
1. Description
admintool is a graphical user interface that enables an administrator to
perform several system administration tasks on a system. These tasks
include the ability to manage users, groups, hosts and other services.
To help prevent different users updating system files simultaneously,
admintool uses temporary files as a locking mechanism. The handling of
these temporary files is not performed in a secure manner, and hence it
may be possible to manipulate admintool into creating or writing to
arbitrary files on the system. These files are accessed with the
effective uid of the process executing admintool.
In Solaris 2.5, admintool is set-user-id root by default. That is, all
file accesses are performed with the effective uid of root. An effect
of this is that the vulnerability will allow access to any file on the
system. If the vulnerability is exploited to try and create a file that
already exists, the contents of that file will be deleted. If the file
does not exist, it will be created with root ownership and be world
writable.
In earlier versions of Solaris 2.x, admintool is not set-user-id root
by default. In this case, admintool runs only with the privileges of
the user executing it. However, local users may wait for a specific user
to execute admintool, exploiting the vulnerability to create or write
files with that specific users' privileges. Again, files created in this
manner will be world writable.
2. Impact
A local user may be able to create or write to arbitrary files on the
system. This can be leveraged to gain root privileges.
3. Workarounds/Solution
Sun Microsystems have released a patch for this vulnerability. Sites
are advised to apply this patch (see Section 3.2) as soon as possible.
Until vendor patches are applied, sites are advised to take the
necessary steps outlined in Section 3.1.
3.1 Remove executable permissions on admintool
Until vendor patches are applied sites are encouraged to completely
prevent execution of admintool by any user (including root).
# chmod 400 /usr/bin/admintool
# ls -l /usr/bin/admintool
-r-------- 1 root sys 303516 Oct 27 1995 /usr/bin/admintool
Note that if only the setuid permissions are removed, it is still possible
for users to gain privileges when admintool is executed as root.
AUSCERT recommends that, where possible, admintool should not be used
at all until vendor patches are applied. In the interim, system
administrators should perform administration tasks by using the command
line equivalents. More details on performing these tasks may be found
in the Sun documentation set.
3.2
Sun Microsystems have released patches which address the
vulnerability described in this advisory. AUSCERT recommends that
sites apply these patches as soon as possible.
Patches have been released for:
Solaris 2.5 sparc: 103247-06
Solaris 2.5 x86: 103245-06
Solaris 2.5.1 sparc: 103558-02
Solaris 2.5.1 x86: 103559-02
Solaris 2.5.1 ppc: 103560-02
These patches can be retrieved from:
ftp://sunsolve1.sun.com.au/pub/patches/
ftp://ftp.auscert.org.au/pub/mirrors/sunsolve1.sun.com/
- -----------------------------------------------------------------------------
AUSCERT wishes to thank Brian Meilak (QUT), Marek Krawus (UQ), Leif
Hedstrom, Kim Holburn and Michael James for their assistance in this matter.
- -----------------------------------------------------------------------------
The AUSCERT team have made every effort to ensure that the information
contained in this document is accurate. However, the decision to use the
information described is the responsibility of each user or organisation.
The appropriateness of this document for an organisation or individual system
should be considered before application in conjunction with local policies
and procedures. AUSCERT takes no responsibility for the consequences of
applying the contents of this document.
If you believe that your system has been compromised, contact AUSCERT or your
representative in FIRST (Forum of Incident Response and Security Teams).
AUSCERT is located at The University of Queensland within the Prentice Centre.
AUSCERT is a full member of the Forum of Incident Response and Security Teams
(FIRST).
AUSCERT maintains an anonymous FTP service which is found on:
ftp://ftp.auscert.org.au/pub/. This archive contains past SERT and AUSCERT
Advisories, and other computer security information.
AUSCERT also maintains a World Wide Web service which is found on:
http://www.auscert.org.au/.
Internet Email: auscert@auscert.org.au
Facsimile: (07) 3365 4477
Telephone: (07) 3365 4417 (International: +61 7 3365 4417)
AUSCERT personnel answer during Queensland business hours
which are GMT+10:00 (AEST).
On call after hours for emergencies.
Postal:
Australian Computer Emergency Response Team
c/- Prentice Centre
The University of Queensland
Brisbane
Qld. 4072.
AUSTRALIA
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
Revision History
September 24, 1996 Added Sun patch information
Removed references saying no patches were currently
available.
-----BEGIN PGP SIGNATURE-----
Version: 2.6.3i
Charset: noconv
Comment: ftp://ftp.auscert.org.au/pub/auscert/AUSCERT_PGP.key
iQCVAwUBMkv3WCh9+71yA2DNAQH8mwQAm9X05KF4Nhj0H1Vp1bHgj/G1buVrvIkL
pOE8+8vSA1vYoR1JrnPnV+xuQmhDx7n6iJIjiQ+jZGJz9ONNsJTlQNIx5UMUXzLw
lURkeTQu4N1WCpl/CNh6imCjCUiWCFVy/7O6HpeIaRgwOsC8dnqbM2SOp86Gvqha
XNUZHYrm/e8=
=VD5Z
-----END PGP SIGNATURE-----
|