[ advisories | exploits | discussions | news | conventions | security tools | texts & papers ]
 main menu
- feedback
- advertising
- privacy
- FightAIDS
- newsletter
- news
 
 discussions
- read forum
- new topic
- search
 

 meetings
- meetings list
- recent additions
- add your info
 
 top 100 sites
- visit top sites
- sign up now
- members
 
 webmasters

- add your url
- add domain
- search box
- link to us

 
 projects
- our projects
- free email
 
 m4d network
- security software
- secureroot
- m4d.com
Home : Advisories : SunView selection_svc vulnerability

Title: SunView selection_svc vulnerability
Released by: CERT
Date: 14th August 1990
Printable version: Click here 
-----BEGIN PGP SIGNED MESSAGE-----

Hash: SHA1







CA-90:05

Last Revised: September 17,1997

                Attached copyright statement



                              CERT Advisory

                              August 14, 1990

                    SunView selection_svc vulnerability 

- -----------------------------------------------------------------------------



Sun has recently released a patch for a security hole in SunView.

This problem affects SunView running on all versions of SunOS (3.5 and

before, 4.0, 4.0.1, 4.0.3, and 4.1) and all platforms (Sun3, Sun4,

386i).  This vulnerability allows any remote system to read selected

files from the workstation running SunView.  As noted below in the

IMPACT section, the files that can be read are limited.



This vulnerability is in the SunView (aka SunTools) selection_svc

facility and can be exploited while SunView is in use; however, as

noted below in the IMPACT section, this bug may be exploitable after

the user quits using Sunview.  This problem cannot be exploited while

X11 is in use (unless the user runs X11 after running Sunview; see the

IMPACT section).  This problem is specific to Sun's SunView software;

to our knowledge, this problem does NOT affect other vendor platforms

or software.



OBTAINING THE PATCH



To obtain the patch, please call your local Sun Answer Center

(in the USA, it's 1-800-USA-4SUN), and ask for patch number 100085-01.

You can also reference Sun Bug ID 1039576.



The patch is available for SunOS 4.0.1, 4.0.3 and SunOS 4.1, on Sun3,

Sun4, and 386i architectures.  Contact Sun for further details.





IMPACT



On Sun3 and Sun4 systems, a remote system can read any file that is

readable to the user running SunView.  On the 386i, a remote system

can read any file on the workstation running SunView regardless of

protections.  Note that if root runs Sunview, all files are

potentially accessible by a remote system.



If the password file with the encrypted passwords is world readable,

an intruder can take the password file and attempt to guess passwords.

In the CERT/CC's experience, most systems have at least one password

that can be guessed.



Sunview does not kill the selection_svc process when the user quits

from Sunview.  Thus, unless the process is killed, remote systems can

still read files that were readable to the last user that ran Sunview.

Under these circumstances, once a user has run Sunview, start using

another window system (such as X11), or even logoff, but still have

files accessible to remote systems.  However, even though

selection_svc is not killed when Sunview exits, the patch still solves

the security problem and prevents remote access.





CONTACT INFORMATION



For further questions, please contact your Sun answer center or send

mail to security-features@sun.com.



Thanks to Peter Shipley for discovering, documenting, and helping

resolve this problem.

- -----------------------------------------------------------------------------



Computer Emergency Response Team/Coordination Center (CERT/CC)

Software Engineering Institute

Carnegie Mellon University

Pittsburgh, PA 15213-3890



Internet: cert@cert.org

Telephone: 412-268-7090 24-hour hotline: CERT personnel answer

           7:30a.m.-6:00p.m. EST, on call for

           emergencies other hours.



Past advisories and other information are available for anonymous ftp

from cert.org (192.88.209.5).



- ---------------------------------------------------------------------------





Copyright 1990 Carnegie Mellon University. Conditions for use, disclaimers,

and sponsorship information can be found in

http://www.cert.org/legal_stuff.html and http://ftp.cert.org/pub/legal_stuff .

If you do not have FTP or web access, send mail to cert@cert.org with

"copyright" in the subject line.



CERT is registered in the U.S. Patent and Trademark Office.



~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~



Revision History



September 17,1997  Attached copyright statement



-----BEGIN PGP SIGNATURE-----

Version: PGP for Personal Privacy 5.0

Charset: noconv



iQA/AwUBOBS8cVr9kb5qlZHQEQIe0wCfexfhLAnm4zQU3hSOBNsGHSy3yhQAnjnc

yhbeu4R+msnFIZc6YRh87f5T

=VRsl

-----END PGP SIGNATURE-----






(C) 1999-2000 All rights reserved.