===============================================================================
>> CERT-NL, 01-Mar-2000                                                      <<
>> All CERT-NL information has been moved to http://cert.surfnet.nl. Links   <<
>> to CERT-NL information contained in this advisory are therefore outdated. <<
>>                                                                           <<
>> CERT-NL also has stopped the CERT-CC-Mirror service. Due to this the      <<
>> links to the CERT-CC mirror are obsolete. Visit the CERT-CC site for the  <<
>> complete CERT-CC advisory texts: http://www.cert.org                      <<
===============================================================================
===============================================================================
  Security Advisory                                                   CERT-NL
===============================================================================
Author/Source : Nico de Koo                             Index         : S-97-15
Distribution  : World                                   Page          : 1
Classification: External                                Version       : 1
Subject       : Solaris 2.x CDE sdtcm_convert vulnerability   Date: 24-Feb-97
===============================================================================

By courtesy of AUSCERT we received information on a vulnerability in Solaris
2.x CDE. Unauthorized root access is possible using this vulnerability.

CERT-NL recommends installation of vendor supplied patches.

==============================================================================
AA-97.08                        AUSCERT Advisory
                  Solaris 2.x CDE sdtcm_convert vulnerability
                                24 February 1997

Last Revised: --

- ---------------------------------------------------------------------------

AUSCERT has received information that a vulnerability exists in the Solaris
2.x Common Desktop Environment (CDE) sdtcm_convert utility.

This vulnerability may allow local users to gain root privileges.

Exploit information involving this vulnerability has been made publicly
available.

AUSCERT recommends that sites take the steps outlined in section 3 as soon
as possible.

- ---------------------------------------------------------------------------

1.  Description

    sdtcm_convert(1) is a calendar data conversion utility which converts
    between version 3 and version 4 calendar data formats.

    During the execution of sdtcm_convert, files are modified with root
    privileges in an insecure manner. By manipulating the files that
    sdtcm_convert is accessing, local users may change the ownership of
    arbitrary files on the system. This may be leveraged to gain root
    privileges.

    sdtcm_convert is part of the Solaris 2.x Common Desktop Environment
    (CDE) Applications package, SUNWdtdst. Sites can determine whether the
    SUNWdtdst package is installed with the command:

        % pkginfo -l SUNWdtdst

    The long listing (-l) from pkginfo will also give the version of the
    CDE package installed.

    The default location for sdtcm_convert is /usr/dt/bin/sdtcm_convert.

2.  Impact

    Local users may be able to change the ownership of arbitrary files on
    the system. This may be leveraged to gain root privileges.

3.  Workarounds/Solution

    Official vendor patches have been released by Sun Microsystems which
    address this vulnerability (Section 3.1).

    Until the patches recommended by Sun Microsystems can be applied,
    AUSCERT recommends that sites limit the possible exploitation of this
    vulnerability by immediately removing the setuid permissions as stated
    in Section 3.2.

3.1 Install vendor patches

    Sun Microsystems has released security patches which address the
    vulnerability described in this advisory. AUSCERT recommends that
    sites apply these patches as soon as possible.

    Patches have been released for:

    CDE version     Patch              MD5
    ~~~~~~~~~~~     ~~~~~              ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
    1.0.1 sparc     103671-02.tar.Z    abb42a75b89c16e085d0f8811eeede10
    1.0.2 sparc     103670-02.tar.Z    e9f8f34deaaf215ff5f5b632bf0d45ea
    1.0.1 x86       103718-02.tar.Z    cebb82a95592392359f5206fe2a63ed1
    1.0.2 x86       103717-02.tar.Z    18fe28c03abdf118b647fd347261089e

    Sites with SunService Contracts may obtain these patches through their
    local SunSolve Online server.
    For sites without a SunService Contract, the above security patches
    may be retrieved from:

        ftp://sunsolve1.sun.com.au/pub/outgoing/

    Note that this site is currently the only public area where these
    patches are available.

3.2 Remove setuid permissions

    To prevent the exploitation of the vulnerability described in this
    advisory, AUSCERT recommends that the setuid permissions be removed
    from sdtcm_convert immediately. As the sdtcm_convert program will no
    longer work for non-root users, it is recommended that the execute
    permissions also be removed. For example:

        # ls -l /usr/dt/bin/sdtcm_convert
        -r-sr-sr-x   1 root     daemon    285700 Feb 24 12:20 /usr/dt/bin/sdtcm_convert
        # chmod 500 /usr/dt/bin/sdtcm_convert
        # ls -l /usr/dt/bin/sdtcm_convert
        -r-x------   1 root     daemon    285700 Feb 24 12:20 /usr/dt/bin/sdtcm_convert

4.  Additional measures

    Most Unix systems ship numerous programs which have setuid or setgid
    privileges. Often the functionality supplied by these privileged
    programs is not required by many sites. The large number of privileged
    programs that are shipped by default is to cater for all possible uses
    of the system.

    AUSCERT encourages sites to examine all the setuid/setgid programs and
    determine the necessity of each program. If a program does not
    absolutely require the setuid/setgid privileges to operate (for
    example, it is only run by the root user), the setuid/setgid
    privileges should be removed. Furthermore, if a program is not
    required at your site, then all execute permissions should be removed.

    A sample command to find all setuid/setgid programs is (run as root):

        # find / \( -perm -4000 -o -perm -2000 \) -type f -exec ls -l {} \;

    It is AUSCERT's experience that many vulnerabilities are being
    discovered in setuid/setgid programs which are not necessary for the
    correct operation of most systems. Sites can increase their security
    by removing unnecessary setuid/setgid programs. For example, the
    functionality provided by the sdtcm_convert program is not needed by
    many sites.
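    As an added illustration of the Section 3.2 hardening and the Section 4
    setuid/setgid audit (example script, not part of the AUSCERT or CERT-NL
    advisory), the following POSIX shell script builds a constructed sample
    tree with a stand-in sdtcm_convert and two other constructed files,
    lists privileged programs with the advisory's find expression, applies
    the "chmod 500" step and verifies the privilege bits are gone. The
    directory layout and file names are assumptions made for the example.

```shell
# Constructed demonstration (added example, not from the advisory): build a
# sample tree with a stand-in sdtcm_convert, audit it with the advisory's
# find expression, apply the Section 3.2 "chmod 500" hardening and verify.

# Build a throwaway tree mimicking /usr/dt/bin; every file is constructed.
make_sample_tree() {
    dir=$(mktemp -d) || return 1
    mkdir -p "$dir/usr/dt/bin" "$dir/usr/bin"
    : > "$dir/usr/dt/bin/sdtcm_convert"
    : > "$dir/usr/bin/other_setuid_tool"
    : > "$dir/usr/bin/plain_tool"
    chmod 6555 "$dir/usr/dt/bin/sdtcm_convert"  # -r-sr-sr-x, as shipped
    chmod 4555 "$dir/usr/bin/other_setuid_tool" # setuid only
    chmod 0555 "$dir/usr/bin/plain_tool"        # no privilege bits
    printf '%s\n' "$dir"
}

# The advisory's audit expression, rooted at a directory instead of "/".
find_privileged_programs() {
    find "$1" \( -perm -4000 -o -perm -2000 \) -type f
}

# Number of setuid/setgid files under a directory.
count_privileged_programs() {
    find_privileged_programs "$1" | wc -l | tr -d ' '
}

# Section 3.2 hardening: drop setuid/setgid and all group/other access.
harden_privileged_program() {
    chmod 500 "$1"
}

# Succeeds (exit 0) if the file still carries a setuid or setgid bit.
is_privileged() {
    [ -u "$1" ] || [ -g "$1" ]
}

# Stand-alone walkthrough.
root=$(make_sample_tree)
echo "Privileged programs before hardening:"
find_privileged_programs "$root"
harden_privileged_program "$root/usr/dt/bin/sdtcm_convert"
echo "Privileged programs after hardening:"
find_privileged_programs "$root"
rm -rf "$root"
```

    Run against a real system the audit would be rooted at "/" and run as
    root, exactly as the advisory's own find command shows.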
    If sites had previously disabled sdtcm_convert, they would not have
    been vulnerable to this latest exploit.

- ----------------------------------------------------------------------------
AUSCERT thanks Marko Laakso (University of Oulu) for his initial report,
continued assistance, and technical expertise crucial in the production of
this advisory. Thanks also to CERT/CC, DFN-CERT and Sun Microsystems for
their help in this matter.
- ----------------------------------------------------------------------------
==============================================================================
CERT-NL is the Computer Emergency Response Team for SURFnet customers. SURFnet
is the Dutch network for educational, research and related institutes.
CERT-NL is a member of the Forum of Incident Response and Security Teams
(FIRST).

All CERT-NL material is available under: http://cert.surfnet.nl/

In case of computer or network security problems please contact your local
CERT/security-team or CERT-NL (if your institute is NOT a SURFnet customer
please address the appropriate (local) CERT/security-team).

CERT-NL is one/two hour(s) ahead of UTC (GMT) in winter/summer, i.e. UTC+0100
in winter and UTC+0200 in summer (DST).

Email:     cert-nl@surfnet.nl             ATTENDED REGULARLY ALL DAYS
Phone:     +31 302 305 305                BUSINESS HOURS ONLY
Fax:       +31 302 305 329                BUSINESS HOURS ONLY
Snailmail: SURFnet bv
           Attn. CERT-NL
           P.O. Box 19035
           NL - 3501 DA UTRECHT
           The Netherlands

EMERGENCIES: 06 22 92 35 64               ALWAYS REACHABLE
EMERGENCIES: +31 6 22 92 35 64            ATTENDED AT ALL TIMES

CERT-NL'S EMERGENCY PHONENUMBER IS ONLY TO BE USED IN CASE OF EMERGENCIES:
THE SURFNET HELPDESK OPERATING THE EMERGENCY NUMBER HAS A *FIXED* PROCEDURE
FOR DEALING WITH YOUR ALERT AND WILL IN REGULAR CASES RELAY IT TO CERT-NL IN
AN APPROPRIATE MANNER. CERT-NL WILL THEN CONTACT YOU.
===============================================================================