Date: 07 January 2000
Click here for printable version
Click here for PGP verifiable version
-----BEGIN PGP SIGNED MESSAGE-----
===========================================================================
A U S C E R T A L E R T
AL-2000.01 -- AUSCERT ALERT
Solaris chkperm buffer overrun vulnerability
07 January 2000
===========================================================================
PROBLEM:
A buffer overrun exists in the 'chkperm' program, as included in
the Solaris operating system by Sun Microsystems.
While AusCERT has not yet been able to verify that this buffer
overrun is exploitable, it is our experience that buffer overruns
in general are likely to be successfully exploited.
If this buffer overrun is exploitable then by supplying a
maliciously crafted buffer of executable code to the 'chkperm'
executable, arbitrary commands may be executed as a privileged
user.
PLATFORM:
Sun Solaris 2.3-2.6 and 7.0 on all architectures.
IMPACT:
A local user may execute arbitrary code with the privileges of
the user and group 'bin' on vulnerable systems. This may be
exploited by local users to gain root privileges on vulnerable
systems.
Knowledge of this vulnerability has been made public.
SOLUTION:
To remove the vulnerability, chkperm should have the setuid
and setgid bit removed.
This can done by executing the following command as root.
Remove setuid/setgid permissions of chkperm (as root):
# chmod 0500 /usr/vmsys/bin/chkperm
It is not expected that the change of file permissions should
affect the day-to-day operation of the system.
AusCERT and Sun Microsystems are currently monitoring the problem.
If and when a patch becomes available AusCERT or Sun Microsystems
will issue a bulletin. Neither AusCERT nor Sun Microsystems offer
any warranty that a bulletin will be issued at any time in the
future.
- ---------------------------------------------------------------------------
For more information contact Sun Microsystems. AusCERT acknowledges Yong
jun Kim of the Buqtraq mailing list and Security Focus for information
contained in this alert.
- ---------------------------------------------------------------------------
[AusCERT issues an alert when the risk posed by a vulnerability that may
not have been thoroughly investigated and for which a work-around or fix
may not yet have been developed requires notification.]
The AusCERT team has made every effort to ensure that the information
contained in this document is accurate at the time of publication. However,
the decision to use the information described is the responsibility of
each user or organisation. The appropriateness of this document for an
organisation or individual system should be considered before application
in conjunction with local policies and procedures. AusCERT takes no
responsibility for the consequences of applying the contents of this
document.
If you believe that your system has been compromised, contact AusCERT or
your representative in FIRST (Forum of Incident Response and Security
Teams).
AusCERT maintains an anonymous FTP service which is found on:
ftp://ftp.auscert.org.au/pub/. This archive contains past SERT
and AusCERT Advisories, and other computer security information.
AusCERT maintains a World Wide Web service which is found on:
http://www.auscert.org.au/.
Internet Email: auscert@auscert.org.au
Facsimile: (07) 3365 7031
Telephone: (07) 3365 4417 (International: +61 7 3365 4417)
AusCERT personnel answer during Queensland business
hours which are GMT+10:00 (AEST). On call
after hours for emergencies.
Postal:
Australian Computer Emergency Response Team
The University of Queensland
Brisbane
Qld 4072
AUSTRALIA
===========================================================================
-----BEGIN PGP SIGNATURE-----
Version: 2.6.3i
Charset: noconv
Comment: ftp://ftp.auscert.org.au/pub/auscert/AUSCERT_PGP.key
iQCVAwUBOJ/aVSh9+71yA2DNAQFFiQP7Bk0Uvrf4KfJtdUUvAtGF7LUeywUo/sbo
NvGJdhkJPDbzSwCrW25ZnvhhAWiviwgmSWKVmDM35/TlWa86OnUALyNbP9joZgKM
KGYpPky3YdHYha0qf661HNTo3nYKRjITMe4jQFtfaLAG3rKbHWuxWIu0wOhNCCpd
jDv8vY0dQ18=
=QMDL
-----END PGP SIGNATURE-----
|