[ advisories | exploits | discussions | news | conventions | security tools | texts & papers ]
 main menu
- feedback
- advertising
- privacy
- FightAIDS
- newsletter
- news
 
 discussions
- read forum
- new topic
- search
 

 meetings
- meetings list
- recent additions
- add your info
 
 top 100 sites
- visit top sites
- sign up now
- members
 
 webmasters

- add your url
- add domain
- search box
- link to us

 
 projects
- our projects
- free email
 
 m4d network
- security software
- secureroot
- m4d.com
Home : Advisories : SunOS TIOCCONS Vulnerability

Title: SunOS TIOCCONS Vulnerability
Released by: CERT
Date: 20th December 1990
Printable version: Click here
-----BEGIN PGP SIGNED MESSAGE-----

Hash: SHA1



CA-90:12  

Last Revised: September 17,1997

                Attached copyright statement





                             CERT Advisory

                              December 20, 1990

                        SunOS TIOCCONS Vulnerability



- -------------------------------------------------------------------------



The following information was sent to us from Sun Microsystems.  It

contains availability information regarding a fix for a vulnerability

in SunOS 4.1 and SunOS 4.1.1.  (A version for SunOS 4.0.3 is currently

in testing and should be available shortly.)  For more information,

please contact Sun Microsystems at 1-800-USA-4SUN.



- -------------------------------------------------------------------------



SUN MICROSYSTEMS SECURITY BULLETIN:



 This information is only to be used for the purpose of alerting

customers to problems. Any other use or re-broadcast of this

information without the express written consent of Sun Microsystems

shall be prohibited.



Sun expressly disclaims all liability for any misuse of this information

by any third party.

- -------------------------------------------------------------------------



These patches are available through your local Sun answer centers

worldwide. As well as through anonymous ftp to ftp.uu.net in the

~ftp/sun-dist directory.



Please refer to the BugID and PatchID when requesting patches from Sun

answer centers.



NO README information will be posted in the patch on UUNET. Please refer

the the information below for patch installation instructions.



- -------------------------------------------------------------------------



Sun Bug ID   : 1008324

Synopsis     : TIOCCONS redirection of console input/output is a security 

               violation.

Sun Patch ID : for SunOS 4.1, SunOS 4.1_PSR_A 100187-01

Sun Patch ID : for SunOS 4.1.1 100188-01

Available for: Sun3, Sun3x, Sun4 Sun4c

               SunOS 4.1, SunOS 4.1_PSR_A, SunOS 4.1.1

Checksum of compressed tarfile on ftp.uu.net:~ftp/sun-dist



sum of SunOS 4.1 tarfile 100187-01.tar.Z  : 14138   142

sum of SunOS 4.1.1 tarfile 100188-01.tar.Z: 24122   111



- --------------------------------------------------------------------------



README information follows:



Patch-ID# 100188-01

Keywords: TIOCCONS

Synopsis: SunOS 4.1.1: TIOCCONS redirection of console is a security violation.

Date: 17/Dec/90

 

SunOS release: 4.1.1

 

Unbundled Product:

 

Unbundled Release:

 

Topic: 

 

BugId's fixed with this patch: 1008324



Architectures for which this patch is available: sun3 sun3x sun4 sun4c



Patches which may conflict with this patch:



Obsoleted by: Next major release of SunOS



Problem Description: TIOCCONS can be used to re-direct console output/input

                     away from "console"





Patch contains kernel object modules for:



/sys/sun?/OBJ/cons.o

/sys/sun?/OBJ/zs_async.o

/sys/sun?/OBJ/mcp_async.o

/sys/sun?/OBJ/mti.o



Where sun? is one of sun4, sun4c, sun3, sun3x, sun4/490-4.1_PSR_A



NOTE: The sun4c does not use mti.o nor mcp_async.o since this architecture

does not have VME slots and therefore cannot use the ALM-2 Asynchronous Line

Multiplexor or Systech MTI-800/1600. So those modules are not needed.

      

The fix consists of adding permission checking to setcons, the routine

that does the work of console redirection, and changing its callers to

supply additional information required for the check and to see whether

or not the check succeeded.  Setcons now uses uid and gid information

supplied to it as new arguments to perform a VOP_ACCESS call for VREAD

permission on the console.  If the caller doesn't have permission to

read from the console, setcons rejects the redirection attempt.





INSTALL:



AS ROOT:

save aside the object modules from the FCS tapes as a precaution:



# mv /sys/sun?/OBJ/cons.o /sys/sun?/OBJ/cons.o.orig

# mv /sys/sun?/OBJ/tty_pty.o /sys/sun?/OBJ/tty_pty.o.orig

# mv /sys/sun?/OBJ/zs_async.o /sys/sun?/OBJ/zs_async.o.orig

# mv /sys/sun?/OBJ/mcp_async.o /sys/sun?/OBJ/mcp_async.o.orig

# mv /sys/sun?/OBJ/mti.o /sys/sun?/OBJ/mti.o.orig



copy the new ".o" files to the OBJ directory:



# cp sun?/*.o /sys/sun?/OBJ/



build and install a new kernel:

rerun /etc/config  and do a "make" for the new kernel

Please refer to the System and Network Administration Manual for details

on how to configure and install a custom kernel.

 





- -------------------------------------------------------------------------

Patch-ID#  100187-01

Keywords: TIOCCONS

Synopsis: SunOS 4.1 4.1_PSR_A: TIOCCONS redirection of console is a security

          violation.

Date: 17/Dec/90

 

SunOS release: 4.1 4.1_PSR_A

 

Unbundled Product:

 

Unbundled Release:

 

Topic: 

 

BugId's fixed with this patch: 1008324



Architectures for which this patch is available: sun3 sun3x sun4 sun4c

                                                 sun4-490_4.1_PSR_A 



Patches which may conflict with this patch:



Obsoleted by: Next major release of SunOS



Problem Description: TIOCCONS can be used to re-direct console output/input

                     away from "console"





Patch contains kernel object modules for:



/sys/sun?/OBJ/cons.o

/sys/sun?/OBJ/zs_async.o

/sys/sun?/OBJ/mcp_async.o

/sys/sun?/OBJ/mti.o



Where sun? is one of sun4, sun4c, sun3, sun3x, sun4/490-4.1_PSR_A



NOTE: The sun4c does not use mti.o nor mcp_async.o since this architecture

does not have VME slots and therefore cannot use the ALM-2 Asynchronous Line

Multiplexed or Systech MTI-800/1600. So those modules are not needed.



      

The fix consists of adding permission checking to setcons, the routine

that does the work of console redirection, and changing its callers to

supply additional information required for the check and to see whether

or not the check succeeded.  Setcons now uses uid and gid information

supplied to it as new arguments to perform a VOP_ACCESS call for VREAD

permission on the console.  If the caller doesn't have permission to

read from the console, setcons rejects the redirection attempt.





INSTALL:



AS ROOT:

save aside the object modules from the FCS tapes as a precaution:



# mv /sys/sun?/OBJ/cons.o /sys/sun?/OBJ/cons.o.orig

# mv /sys/sun?/OBJ/tty_pty.o /sys/sun?/OBJ/tty_pty.o.orig

# mv /sys/sun?/OBJ/zs_async.o /sys/sun?/OBJ/zs_async.o.orig

# mv /sys/sun?/OBJ/mcp_async.o /sys/sun?/OBJ/mcp_async.o.orig

# mv /sys/sun?/OBJ/mti.o /sys/sun?/OBJ/mti.o.orig



copy the new ".o" files to the OBJ directory:



# cp sun?/*.o /sys/sun?/OBJ/



build and install a new kernel:

rerun /etc/config  and do a "make" for the new kernel

Please refer to the System and Network Administration Manual for details

on how to configure and install a custom kernel.



- -------------------------------------------------------------------------

Computer Emergency Response Team/Coordination Center (CERT/CC)

Software Engineering Institute

Carnegie Mellon University

Pittsburgh, PA 15213-3890



Internet E-mail: cert@cert.org

Telephone: 412-268-7090 24-hour hotline:

           CERT personnel answer 7:30a.m.-6:00p.m. EST, on call for

           emergencies during other hours.



Past advisories and other information are available for anonymous ftp

from cert.org (192.88.209.5).



- -------------------------------------------------------------------------





Copyright 1990 Carnegie Mellon University. Conditions for use, disclaimers,

and sponsorship information can be found in

http://www.cert.org/legal_stuff.html and http://ftp.cert.org/pub/legal_stuff .

If you do not have FTP or web access, send mail to cert@cert.org with

"copyright" in the subject line.



CERT is registered in the U.S. Patent and Trademark Office.



~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~



Revision History



September 17, 1997  Attached Copyright Statement





-----BEGIN PGP SIGNATURE-----

Version: PGP for Personal Privacy 5.0

Charset: noconv



iQA/AwUBOBS82lr9kb5qlZHQEQI1MgCg6NCeDgA4RVT2o2RHxvcZNQq3Hp4AoJmL

rgc+M3AD5WJhPEONSASNbJ5P

=FPD8

-----END PGP SIGNATURE-----








(C) 1999-2000 All rights reserved.