Title: Vulnerability in Solaris vold
Released by: CERT
Date: 6th August 1996
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1


=============================================================================
CERT(*) Advisory CA-96.17
Original issue date: August 6, 1996
Last Revised: October 20, 1997
              Vendor information for Sun has been added to the UPDATES
              section.

              A complete revision history is at the end of this file.


Topic: Vulnerability in Solaris vold
- -----------------------------------------------------------------------------

   The text of this advisory was originally released on August 2, 1996, as
   AUSCERT Advisory AL-96.04, developed by the Australian Computer Emergency
   Response Team. We are reprinting the AUSCERT advisory here with their
   permission. Only the contact information at the end has changed: AUSCERT
   contact information has been replaced with CERT/CC contact information.

   We will update this advisory as we receive additional information.
   Please check advisory files regularly for updates that relate to your site.

=============================================================================

AUSCERT has received a report of a vulnerability in the Sun Microsystems
Solaris 2.x distribution involving the Volume Management daemon, vold(1M).
This program is used to help manage CDROM and floppy devices.

This vulnerability may allow a local user to gain root privileges.

Exploit details involving this vulnerability have been made publicly
available.

At this stage, AUSCERT is not aware of any official patches.  AUSCERT
recommends that sites take the actions suggested in Section 3 until official
patches are available.

- -----------------------------------------------------------------------------

1.  Description

    The Volume Management daemon, vold(1M), manages the CDROM and floppy
    devices.  For example, it provides the ability to automatically detect,
    and then mount, removable media such as CDROMs and floppy devices.

    vold is part of the Solaris 2.x Volume Management package (SUNWvolu).
    It is executed as a background daemon on system startup and runs as root.

    When vold detects that a CDROM or floppy has been inserted into a drive,
    it is configured to automatically mount the media, making it available
    to users.  Part of this process includes the creation of temporary files,
    which are used to allow the Openwindows File Manager, filemgr(1), to
    determine that new media has been mounted.  These files are created by
    the action_filemgr.so shared object which is called indirectly by vold
    through rmmount(1M).  The handling of these files is not performed in a
    secure manner.  As vold is configured to access these temporary files
    with root privileges, it may be possible to manipulate vold into creating
    or over-writing arbitrary files on the system.

    This vulnerability requires that vold be running and media managed by
    vold, such as a CDROM or floppy, be physically loaded into a drive.  Note
    that a local user need not have physical access to the media drive to
    exploit this vulnerability.  It is enough to wait until somebody else
    loads the drive, exploiting the vulnerability at that time.

    This vulnerability is known to be present in Solaris 2.4 and Solaris 2.5.
    Solaris distributions prior to Solaris 2.4 are also expected to be
    vulnerable.

2.  Impact

    Local users may be able to create or over-write arbitrary files on the
    system.  This can be leveraged to gain root privileges.

3.  Workaround

    AUSCERT believes the workarounds given in Sections 3.1 or 3.2 will address
    this vulnerability.  Vendor patches may also address this vulnerability
    in the future (Section 3.3).

3.1 Edit /etc/rmmount.conf

    The temporary files which are susceptible to attack are created by the
    /usr/lib/rmmount/action_filemgr.so.1 shared object which is called
    indirectly by vold through rmmount(1M).  rmmount(1M) can be
    configured so that it does not create the temporary files, thereby
    removing this vulnerability.

    To our knowledge, configuring rmmount(1M) in this fashion will not
    affect the functionality of vold.  It will, however, remove the
    ability of the Openwindows File Manager, filemgr(1), to automatically
    detect newly mounted media.

    To prevent rmmount(1M) creating temporary files, sites must edit the
    /etc/rmmount.conf file and comment out (or remove) any entry which
    references action_filemgr.so.

    The standard /etc/rmmount.conf contains the following entries which
    must be commented out (or deleted) to remove this vulnerability:

        action cdrom action_filemgr.so
        action floppy action_filemgr.so

    After applying this workaround, an example of /etc/rmmount.conf may look
    like:

        # @(#)rmmount.conf 1.2     92/09/23 SMI
        #
        # Removable Media Mounter configuration file.
        #

        # File system identification
        ident hsfs ident_hsfs.so cdrom
        ident ufs ident_ufs.so cdrom floppy pcmem
        ident pcfs ident_pcfs.so floppy pcmem

        # Actions
        #
        # Following two lines commented out to remove vold vulnerability
        #
        # action cdrom action_filemgr.so
        # action floppy action_filemgr.so

    Note that vold does not have to be restarted for these changes to
    take effect.
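As an added illustration of the Section 3.1 workaround (this script is not part of the AUSCERT/CERT advisory), the following POSIX shell functions count the active action_filemgr.so entries in an rmmount.conf-style file and comment them out while keeping a backup copy. The file path is a parameter and the sample configuration is constructed from the stock entries quoted above, so the functions can be tried on a scratch copy before being pointed at /etc/rmmount.conf; the function names are the editor's own.

```sh
#!/bin/sh
# Added example, not part of the CERT/AUSCERT advisory: audit-and-fix helpers
# for the Section 3.1 workaround. They operate on whatever path they are
# given, so a constructed copy can be used before touching /etc/rmmount.conf.

# Count active (uncommented) "action ... action_filemgr.so" entries.
# Leading whitespace is tolerated; a line whose first non-blank character is
# '#' is already disabled and is not counted. The exit status is grep's
# (non-zero when the count is 0), so callers should read the printed count.
count_filemgr_actions() {
    grep -c -E '^[[:space:]]*action[[:space:]]+[^#]*action_filemgr\.so' "$1"
}

# Comment out every active action_filemgr.so entry, keeping "$1.orig" as a
# backup. Already-commented lines and all other entries (the ident lines in
# particular) are left exactly as they were, so running this twice is safe.
disable_filemgr_actions() {
    conf="$1"
    cp -p "$conf" "$conf.orig" || return 1
    sed -e '/^[[:space:]]*action[[:space:]].*action_filemgr\.so/s/^/# /' \
        "$conf.orig" > "$conf"
}

# Write a constructed sample file modelled on the stock rmmount.conf quoted
# in the advisory (sample data, not copied from a live system).
make_sample_conf() {
cat > "$1" <<'EOF'
# @(#)rmmount.conf 1.2     92/09/23 SMI
#
# Removable Media Mounter configuration file.
#

# File system identification
ident hsfs ident_hsfs.so cdrom
ident ufs ident_ufs.so cdrom floppy pcmem
ident pcfs ident_pcfs.so floppy pcmem

# Actions
action cdrom action_filemgr.so
action floppy action_filemgr.so
EOF
}

# Show the before/after state on a scratch copy.
demo() {
    tmp="${TMPDIR:-/tmp}/rmmount.conf.$$"
    make_sample_conf "$tmp"
    echo "active action_filemgr.so entries before: $(count_filemgr_actions "$tmp")"
    disable_filemgr_actions "$tmp"
    echo "active action_filemgr.so entries after:  $(count_filemgr_actions "$tmp")"
    rm -f "$tmp" "$tmp.orig"
}
```

On a real host, run `disable_filemgr_actions /etc/rmmount.conf` as root and then confirm with `count_filemgr_actions /etc/rmmount.conf` that the count is 0; as the advisory notes, vold does not need to be restarted for the change to take effect.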



3.2 Remove the Volume Management system

    Sites that do not require the vold functionality should remove the complete
    set of Volume Management packages.  These are SUNWvolg, SUNWvolu and
    SUNWvolr.  These packages can be removed using pkgrm(1M).

3.3 Install vendor patches

    Currently, AUSCERT is not aware of any official patches which address
    this vulnerability.  When official patches are made available, AUSCERT
    suggests that they be installed.

- -----------------------------------------------------------------------------
AUSCERT wishes to thank Leif Hedstrom, Mark McPherson (QTAC),
Marek Krawus (UQ), DFN-CERT and CERT/CC for their assistance in this matter.
- -----------------------------------------------------------------------------

If you believe that your system has been compromised, contact the CERT
Coordination Center or your representative in the Forum of Incident
Response and Security Teams (FIRST).

We strongly urge you to encrypt any sensitive information you send by email.
The CERT Coordination Center can support a shared DES key and PGP. Contact
the CERT staff for more information.

Location of CERT PGP key
         http://info.cert.org/pub/CERT_PGP.key

CERT Contact Information
- ------------------------
Email    cert@cert.org

Phone    +1 412-268-7090 (24-hour hotline)
                CERT personnel answer 8:30-5:00 p.m. EST
                (GMT-5)/EDT(GMT-4), and are on call for
                emergencies during other hours.

Fax      +1 412-268-6989

Postal address
        CERT Coordination Center
        Software Engineering Institute
        Carnegie Mellon University
        Pittsburgh PA 15213-3890
        USA

CERT publications, information about FIRST representatives, and other
security-related information are available for anonymous FTP from
        http://www.cert.org/
        http://info.cert.org/pub/

CERT advisories and bulletins are also posted on the USENET newsgroup
        comp.security.announce

To be added to our mailing list for CERT advisories and bulletins, send your
email address to
        cert-advisory-request@cert.org


- ------------------------------------------------------------------------------

Copyright 1996 Carnegie Mellon University. Conditions for use, disclaimers,
and sponsorship information can be found in
http://www.cert.org/legal_stuff.html and http://ftp.cert.org/pub/legal_stuff .
If you do not have FTP or web access, send mail to cert@cert.org with
"copyright" in the subject line.

CERT is registered in the U.S. Patent and Trademark Office.


This file:
        http://info.cert.org/pub/cert_advisories/CA-96.17.Solaris_vold_vul
        http://www.cert.org
               click on "CERT Advisories"

===========================================================================

UPDATES

Vendor Information

Below is information we have received from vendors. If you do not see your
vendor's name below, contact the vendor directly for information.

Sun Microsystems, Inc.
- ----------------------

Sun Microsystems has provided the following list of patches in response
to this advisory:

        104010-01 5.5.1
        104011-01 5.5.1_x86
        104015-01 5.5
        104016-01 5.5_x86
        101907-14 5.4
        101908-14 5.4_x86

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
Revision history

Oct. 20, 1997  Vendor information for Sun has been added to the UPDATES
                 section.
Sep. 24, 1997  Updated copyright statement
Aug. 30, 1996  Removed references to CA-96.17.README.
               Beginning of the advisory - removed AUSCERT advisory header
                 to avoid confusion.


-----BEGIN PGP SIGNATURE-----
Version: PGP for Personal Privacy 5.0
Charset: noconv

iQA/AwUBOBTBhVr9kb5qlZHQEQI9vACaA3JspA8GS43p/ocXLPvy5BNXVgoAoMNL
N/CoCKFMh70jhVKpF/WsiwCG
=ValR
-----END PGP SIGNATURE-----







