From jericho@netcom.com Wed May 14 20:55:51 1997
Date: Wed, 14 May 1997 19:40:25 -0700 (PDT)
From: Disgruntled Customer <jericho@netcom.com>
To: jericho@dimensional.com
Subject: Sun Security Bulletin #00140 (fwd)



---------- Forwarded message ----------
Date: Wed, 14 May 1997 13:58:05 -0700
From: Sun Security Coordination Team <secure@sunsc.Eng.Sun.COM>
To: bugtraq@netspace.org
Subject: Sun Security Bulletin #00140



______________________________________________________________________________

        Sun Microsystems, Inc. Security Bulletin
     
Bulletin Number:  #00140
Date:       14 May 1997
Cross-Ref:    AUSCERT AA-97.06
Title:      Vulnerability in ffbconfig
______________________________________________________________________________

Permission is granted for the redistribution of this Bulletin, so long as 
the Bulletin is not edited and is attributed to Sun Microsystems. Portions 
may also be excerpted for re-use in other security advisories so long as 
proper attribution is included.

Any other use of this information without the express written consent of 
Sun Microsystems is prohibited. Sun Microsystems expressly disclaims all 
liability for any misuse of this information by any third party.
______________________________________________________________________________

1.  Bulletins Topics

    Sun announces the release of patches for Solaris 2.5.1 (SunOS 5.5.1) and 
    Solaris 2.5 (SunOS 5.5) that relate to vulnerabilities in the ffbconfig 
    program, which can result in root access if exploited. 

    Sun strongly recommends that you install these patches immediately on
    every affected system. Exploitation information for ffbconfig is publicly
    available.

2.  Who is Affected
  
       Vulnerable:  SunOS versions 5.5.1 and 5.5 SPARC running the Creator 
                    FFB Graphics Accelerator.
                    See section 4. Understanding the Vulnerability, for a way 
                    to test if a system is affected.

      
       Not vulnerable:  All other supported versions of SunOS
          
       This vulnerability does not exist in the upcoming release of Solaris 2.6.
     
3.  What to Do

    Install the patches listed in 5.
   
4.  Understanding the Vulnerability

    The ffbconfig program configures the Creator Fast Frame Buffer (FFB) 
    Graphics Accelerator, which is part of the FFB Configuration Software 
    Package, SUNWffbcf. This software is used when the FFB Graphics accelerator 
    card is installed. Due to insufficient bounds checking on arguments, it is 
    possible to overwrite the internal stack space of the ffbconfig program. 
    If exploited, this vulnerability can be used to gain root access on 
    attacked systems.
    
    To test if a system is vulnerable, run the following command to check for 
    the presence of SUNWffbcf package which is installed when the FFB Graphics 
    accelerator card is present:

    /usr/bin/pkginfo -l SUNWffbcf

    If it is not present, you will get an error message stating that SUNWffbcf 
    was not found. If it is present, ffbconfig is installed in /usr/sbin.
    
5.  List of Patches

    The vulnerability relating to ffbconfig is fixed by the following patches:

  OS version    Patch ID
  ----------    --------
  SunOS 5.5.1    103796-09
       SunOS 5.5    103076-09
    
    The above-mentioned patches are listed in the Graphics section under 
    Unbundled Products at 
    
        ftp://sunsolve1.sun.com/pub/patches/patches.html.
    
6.  Checksum Table

    The checksum table below shows the BSD checksums (SunOS 5.x: /usr/ucb/sum), 
    SVR4 checksums (SunOS 5.x: /usr/bin/sum), and the MD5 digital signatures 
    for the above-mentioned patches that are available from:
     
       ftp://sunsolve1.sun.com/pub/patches/patches.html
       
    These checksums may not apply if you obtain patches from your answer
    centers. 

File Name    BSD         SVR4      MD5
---------------   ---------    ---------    --------------------------------
103796-09.tar.Z   37854 2479   55959 4957   4994176B4C03215BD2707B87921C5096
103076-09.tar.Z   33438 2435   42064 4869   0A8AA3C106C4F09448220C1B0B714CD1

______________________________________________________________________________

Sun acknowledges with thanks CERT/CC and AUSCERT for their assistance in the 
preparation of this bulletin.

Sun, CERT/CC, and AUSCERT are members of FIRST, the Forum of Incident Response 
and Security Teams. For more information about FIRST, visit the FIRST web site 
at "http://www.first.org/".
______________________________________________________________________________

APPENDICES

A.  Patches listed in this security bulletin are available to all Sun customers 
    via World Wide Web at:
    
      ftp://sunsolve1.sun.com/pub/patches/patches.html
      
    Customers with Sun support contracts can also obtain patches from local 
    Sun answer centers and SunSITEs worldwide.
       
B.  To report or inquire about a security problem with Sun software, contact 
    one or more of the following:
  
        - Your local Sun answer centers
        - Your representative computer security response team, such as CERT 
        - Sun Security Coordination Team. Send email to:
   
         security-alert@sun.com

C.  To receive information or subscribe to our CWS (Customer Warning System) 
    mailing list, send email to:
    
        security-alert@sun.com
   
    with a subject line (not body) containing one of the following commands:

        Command         Information Returned/Action Taken
        -------         ---------------------------------

        HELP            An explanation of how to get information

        LIST            A list of current security topics

        QUERY [topic]   The mail containing the question is relayed to
                        the Security Coordination Team for response.

        REPORT [topic]  The mail containing the text is treated as a
                        security report and forwarded to the Security
                        Coordination Team. We do not recommend that detailed 
                        problem descriptions be sent in plain text.

        SEND topic      A short status summary or bulletin. For example, to 
            retrieve a Security Bulletin #00138, supply the 
            following in the subject line (not body):
            
              SEND #138

        SUBSCRIBE       Sender is added to our mailing list.  To subscribe, 
                        supply the following in the subject line (not body):

                              SUBSCRIBE cws your-email-address
      
      Note that your-email-address should be substituted
      by your email address.
      
        UNSUBSCRIBE     Sender is removed from our mailing list.
______________________________________________________________________________