Title: Vulnerability in Solaris admintool
Released by: CERT
Date: 5th August 1996
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

=============================================================================
CERT(*) Advisory CA-96.16
Original issue date: August 5, 1996
Last Revised: October 20, 1997
              Vendor information for Sun has been added to the UPDATES
              section.

              A complete revision history is at the end of this file.

Topic: Vulnerability in Solaris admintool
- -----------------------------------------------------------------------------

   The text of this advisory was originally released on July 30, 1996, as
   AUSCERT Advisory AL-96.03, developed by the Australian Computer Emergency
   Response Team. Because of the seriousness of the problem, we are reprinting
   the AUSCERT advisory here with their permission. Only the contact
   information at the end has changed: AUSCERT contact information has been
   replaced with CERT/CC contact information.

   We will update this advisory as we receive additional information.
   Please check advisory files regularly for updates that relate to your site.

=============================================================================



AUSCERT has received a report of a vulnerability in the Sun Microsystems
Solaris 2.x distribution involving the program admintool.  This program is
used to provide a graphical user interface to numerous system administration
tasks.

This vulnerability may allow a local user to gain root privileges.

Exploit details involving this vulnerability have been made publicly
available.

At this stage, AUSCERT is not aware of any official patches.  AUSCERT
recommends that sites take the actions suggested in Section 3 until official
patches are available.

- -----------------------------------------------------------------------------



1.  Description

    admintool is a graphical user interface that enables an administrator to
    perform several system administration tasks on a system.  These tasks
    include the ability to manage users, groups, hosts and other services.

    To help prevent different users updating system files simultaneously,
    admintool uses temporary files as a locking mechanism.  The handling of
    these temporary files is not performed in a secure manner, and hence it
    may be possible to manipulate admintool into creating or writing to
    arbitrary files on the system.  These files are accessed with the
    effective uid of the process executing admintool.

    In Solaris 2.5, admintool is set-user-id root by default.  That is, all
    file accesses are performed with the effective uid of root.  An effect
    of this is that the vulnerability will allow access to any file on the
    system.  If the vulnerability is exploited to try to create a file that
    already exists, the contents of that file will be deleted.  If the file
    does not exist, it will be created with root ownership and be world
    writable.

    In earlier versions of Solaris 2.x, admintool is not set-user-id root
    by default.  In this case, admintool runs only with the privileges of
    the user executing it.  However, local users may wait for a specific user
    to execute admintool, exploiting the vulnerability to create or write
    files with that specific user's privileges.  Again, files created in this
    manner will be world writable.
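
The two effects described above (an existing file is emptied, a new file is created world writable) are what a truncating, permissive open() produces when it is used to create a lock file. The following C code is an added example, not admintool source and not part of the original advisory; lock_unsafe, lock_safe and the two helper functions are hypothetical names, and umask(0) is an assumption used to model the permissive case.

```c
/* Added example, not admintool source; all function names are hypothetical. */
#define _POSIX_C_SOURCE 200809L
#include <fcntl.h>
#include <stdio.h>
#include <sys/stat.h>
#include <unistd.h>

/* Unsafe: truncates whatever already exists at path and creates new files
 * 0666. umask(0) is an assumption that models a permissive privileged process. */
int lock_unsafe(const char *path) {
    mode_t old = umask(0);
    int fd = open(path, O_WRONLY | O_CREAT | O_TRUNC, 0666);
    umask(old);
    return fd;
}

/* Hardened: O_EXCL refuses any name that already exists (a symbolic link
 * included), and fchmod pins the mode to 0600 whatever the umask is. */
int lock_safe(const char *path) {
    struct stat st;
    int fd = open(path, O_WRONLY | O_CREAT | O_EXCL, 0600);
    if (fd < 0) return -1;                  /* existing file left untouched */
    if (fstat(fd, &st) != 0 || !S_ISREG(st.st_mode) || st.st_nlink != 1 ||
        fchmod(fd, 0600) != 0) {
        close(fd);
        return -1;
    }
    return fd;
}

/* Size of a pre-existing 10-byte file after `lock` runs on it (0 = wiped). */
long size_after(int (*lock)(const char *), const char *path) {
    struct stat st;
    FILE *f = fopen(path, "w");
    if (!f || fputs("0123456789", f) < 0 || fclose(f) != 0) return -1;
    int fd = lock(path);
    if (fd >= 0) close(fd);
    return stat(path, &st) == 0 ? (long)st.st_size : -1;
}

/* Permission bits of a lock file freshly created by `lock`, or -1 on failure. */
int mode_after(int (*lock)(const char *), const char *path) {
    struct stat st;
    unlink(path);
    int fd = lock(path);
    if (fd < 0) return -1;
    close(fd);
    return stat(path, &st) == 0 ? (int)(st.st_mode & 0777) : -1;
}
```

Run against a scratch path, size_after() and mode_after() show the unsafe opener emptying the existing file and creating a 0666 file, while the hardened opener leaves the existing file intact and creates the lock with mode 0600.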



2.  Impact

    A local user may be able to create or write to arbitrary files on the
    system.  This can be leveraged to gain root privileges.



3.  Workarounds/Solution

    Currently, AUSCERT is not aware of any official patches which address
    this vulnerability.  When official patches are made available, AUSCERT
    suggests that they be installed.

    Until official patches are available, sites are encouraged to
    completely prevent execution of admintool by any user (including root).

        # chmod 400 /usr/bin/admintool
        # ls -l /usr/bin/admintool
        -r--------   1 root  sys  303516 Oct 27  1995 /usr/bin/admintool

    Note that if only the setuid permissions are removed, it is still possible
    for users to gain privileges when admintool is executed as root.

    AUSCERT recommends that, where possible, admintool should not be used at
    all until official patches are available.  In the interim, system
    administrators should perform administration tasks by using the command
    line equivalents.  More details on performing these tasks may be found
    in the Sun documentation set.



- -----------------------------------------------------------------------------
AUSCERT wishes to thank Brian Meilak (QUT), Marek Krawus (UQ), Leif
Hedstrom, Kim Holburn and Michael James for their assistance in this matter.
- -----------------------------------------------------------------------------

If you believe that your system has been compromised, contact the CERT
Coordination Center or your representative in the Forum of Incident
Response and Security Teams (FIRST).



We strongly urge you to encrypt any sensitive information you send by email.
The CERT Coordination Center can support a shared DES key and PGP. Contact
the CERT staff for more information.

Location of CERT PGP key
         http://info.cert.org/pub/CERT_PGP.key

CERT Contact Information
- ------------------------
Email    cert@cert.org

Phone    +1 412-268-7090 (24-hour hotline)
                CERT personnel answer 8:30-5:00 p.m. EST
                (GMT-5)/EDT(GMT-4), and are on call for
                emergencies during other hours.

Fax      +1 412-268-6989

Postal address
        CERT Coordination Center
        Software Engineering Institute
        Carnegie Mellon University
        Pittsburgh PA 15213-3890
        USA

CERT publications, information about FIRST representatives, and other
security-related information are available for anonymous FTP from
        http://www.cert.org/
        http://info.cert.org/pub/

CERT advisories and bulletins are also posted on the USENET newsgroup
        comp.security.announce

To be added to our mailing list for CERT advisories and bulletins, send your
email address to
        cert-advisory-request@cert.org







- ------------------------------------------------------------------------------

Copyright 1996 Carnegie Mellon University. Conditions for use, disclaimers,
and sponsorship information can be found in
http://www.cert.org/legal_stuff.html and http://ftp.cert.org/pub/legal_stuff .
If you do not have FTP or web access, send mail to cert@cert.org with
"copyright" in the subject line.

CERT is registered in the U.S. Patent and Trademark Office.

This file:
        http://info.cert.org/pub/cert_advisories/CA-96.16.Solaris_admintool_vul
        http://www.cert.org
               click on "CERT Advisories"

 

===========================================================================
UPDATES

Vendor Information

Below is information we have received from vendors. If you do not see your
vendor's name below, contact the vendor directly for information.

Sun Microsystems, Inc.
- ----------------------

Sun Microsystems has provided the following list of patches in response
to this advisory:

        103558-10 5.5.1
        103559-07 5.5.1_x86
        103247-07 5.5
        103245-08 5.5_x86





~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
Revision history

Oct. 20, 1997  Vendor information for Sun has been added to the UPDATES
                 section.
Sep. 24, 1997  Updated copyright statement
Aug. 30, 1996  Removed references to CA-96.16.README.
               Beginning of the advisory - removed AUSCERT advisory header
                 to avoid confusion.









-----BEGIN PGP SIGNATURE-----

Version: PGP for Personal Privacy 5.0

Charset: noconv



iQA/AwUBOBTBflr9kb5qlZHQEQLqIwCfU/Mt54ccrk7qpJnDWx+UwSs0xyoAoPqQ

fyCec842ckiWCT4aAVU99KhT

=SPHU

-----END PGP SIGNATURE-----







