-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

===============================================================================
>>                                                      CERT-NL, 01-Mar-2000 <<
>> All CERT-NL information has been moved to http://cert.surfnet.nl.  Links  <<
>> to CERT-NL information contained in this advisory are therefore outdated. <<
>>                                                                           <<
>> CERT-NL also has stopped the CERT-CC-Mirror service.  Due to this the     <<
>> links to the CERT-CC mirror are obsolete. Visit the CERT-CC site for the  <<
>> complete CERT-CC advisory texts:                     http://www.cert.org  <<
===============================================================================
===============================================================================
Security Advisory                                                       CERT-NL
===============================================================================
Author/Source : CERT-NL (Erik-Jan Bos)                      Index  :    S-93-25
Distribution  : Kernel                                      Page   :          1
Classification: External                                    Version:      Final
Subject       : SunOS/Solbourne loadmodule and modload Vulnerability
                                                            Date   :  16-Dec-93
===============================================================================

CERT-NL has received information concerning a vulnerability in
/usr/etc/modload and $OPENWINHOME/bin/loadmodule in Sun Microsystems,
Inc. SunOS 4.1.1, 4.1.2, 4.1.3, and 4.1.3c and OpenWindows 3.0 on all
sun4 and Solbourne Computer, Inc. architectures. The problem does not
exist in Solaris 2.x, Solaris x86, and sun3 architectures (OpenWindows
3.0 was not released for the sun3 architecture).

Sun has produced a patch for these vulnerabilities for sun4
architectures. It is available through your local Sun Answer Center as
well as through anonymous FTP from ftp.nic.surfnet.nl [192.87.46.3]
in the surfnet/net-security/cert-nl/patches/sun-fixes directory.

Solbourne has announced a workaround that is included below.

Please note that this advisory supersedes CERT Coordination Center
Advisory CA-91:22 "SunOS OpenWindows Vulnerability". This Advisory was
not issued by CERT-NL.

- -----------------------------------------------------------------------------

I.   Description

     loadmodule(8) and modload(8) can be exploited to execute a user's
     program using the effective UID of root.

II.  Impact

     This vulnerability allows a local user to gain root access.

III. Solution

     A. SunOS Solution

     Obtain and install the appropriate patches according to the
     instructions included with the patches.

     Module           Patch ID        Filename
     ----------       ---------       ---------------
     loadmodule       100448-02       100448-02.tar.Z

                  BSD Checksum = 19410 5
                  MD5 Checksum = 0215910cf65e055ed3042070bd961a22

     modload          101200-02       101200-02.tar.Z

                  BSD Checksum = 41677 28
                  MD5 Checksum = 626ab2917204eb6e6eb5f165cca3e908


     B. Solbourne Solution

     Solbourne systems do not support the "loadmodule" functionality.
     This vulnerability can be fixed on Solbourne systems by removing
     the setuid bit:

        chmod 0755 /usr/openwin/bin/loadmodule

     The modload program does not need to replaced or changed.

- ---------------------------------------------------------------------------
CERT-NL wishes to thank the CERT Coordination Center and Sun
Microsystems, Inc. and Solbourne Computers, Inc. for their support in
responding to this problem and distributing the necessary information and
patches.
- ---------------------------------------------------------------------------

==============================================================================
CERT-NL is the Computer Emergency Response Team for SURFnet customers. SURFnet
is the Dutch network for educational, research and related institutes. CERT-NL
is a member of the Forum of Incident Response and Security Teams (FIRST).

All CERT-NL material is available under:
  http://cert.surfnet.nl/

In case of computer or network security problems please contact your local
CERT/security-team or CERT-NL  (if your institute is NOT a SURFnet customer
please address the appropriate (local) CERT/security-team).

CERT-NL is one/two hour(s) ahead of UTC (GMT) in winter/summer,
i.e. UTC+0100 in winter and UTC+0200 in summer (DST).

   Email:     cert-nl@surfnet.nl     ATTENDED REGULARLY ALL DAYS
   Phone:     +31 302 305 305        BUSINESS HOURS ONLY
   Fax:       +31 302 305 329        BUSINESS HOURS ONLY
   Snailmail: SURFnet bv
              Attn. CERT-NL
              P.O. Box 19035
              NL - 3501 DA  UTRECHT
              The Netherlands

NOODGEVALLEN:    06 22 92 35 64      ALTIJD BEREIKBAAR
EMERGENCIES : +31 6 22 92 35 64      ATTENDED AT ALL TIMES
CERT-NL'S EMERGENCY PHONENUMBER IS ONLY TO BE USED IN CASE OF EMERGENCIES:
THE SURFNET HELPDESK OPERATING THE EMERGENCY NUMBER HAS A *FIXED*
PROCEDURE FOR DEALING WITH YOUR ALERT AND WILL IN REGULAR CASES RELAY IT
TO CERT-NL IN AN APPROPRIATE MANNER. CERT-NL WILL THEN CONTACT YOU.
===============================================================================

-----BEGIN PGP SIGNATURE-----
Version: PGP 6.5.1i

iQA/AwUBOL6WDDSYjBqwfc9jEQJF8ACcD3mEqw7ZuMf46aXzUjA8Of4YCaoAoLoc
Dp5DSOx7Mb+zu244cDF6lmFh
=K6PT
-----END PGP SIGNATURE-----