-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

===============================================================================
>>                                                      CERT-NL, 01-Mar-2000 <<
>> All CERT-NL information has been moved to http://cert.surfnet.nl.  Links  <<
>> to CERT-NL information contained in this advisory are therefore outdated. <<
>>                                                                           <<
>> CERT-NL also has stopped the CERT-CC-Mirror service.  Due to this the     <<
>> links to the CERT-CC mirror are obsolete. Visit the CERT-CC site for the  <<
>> complete CERT-CC advisory texts:                     http://www.cert.org  <<
===============================================================================
===============================================================================
Security Advisory                                                       CERT-NL
===============================================================================
Author/Source : CERT-NL (Teun Nijssen)                      Index  :    S-93-26
Distribution  : Public                                      Page   :          1
Classification: External                                    Version:      Final
Subject       : Solaris system startup vulnerability        Date   :  20-Dec-93
===============================================================================

CERT-NL has received information from several sources concerning the
fact that a failure of the file system check (fsck) in Solaris 2.x
systems can represent a security vulnerability. This vulnerability
does not occur in 4.1.x systems.

This vulnerability allows a person with physical access to a
workstation with eeprom(1m) security enabled to force a startup
failure and subsequently gain root privilege without supplying the
eeprom or root password.  Changing the system scripts as described
below or restricting physical access to the workstations will
eliminate this vulnerability.  Note that without eeprom security
enabled, a workstation is vulnerable to any unauthorized individual
who has physical access.

Without the script changes, if fsck(8) fails during boot, the system
will run a privileged shell on the workstation.  Since an attacker can
force the failure, CIAC recommends application of the changes
described below.  If this is not possible, then restrict physical
workstation access to only those users allowed root privilege.

The changes will require the user to enter the root password before
the system runs the privileged shell.  To make the changes, edit both
/sbin/rcS and /sbin/mountall.  Change every occurrence of

          /sbin/sh < /dev/console
to
          /sbin/sulogin < /dev/console

The Sun distribution of /sbin/rcS contains an occurrence of the target
string at line 152; the distribution of /sbin/mountall contains one at
line 66 and one at line 250.

An attacker with physical access to a workstation without eeprom
security enabled can easily compromise the system by booting it in
single user mode. It is thus recommended to enable eeprom security for
all workstations without strict physical access controls.

- ---------------------------------------------------------------------------
CERT-NL wishes to thank Sun Microsystems, Inc. for distributing the
necessary information and solution.
- ---------------------------------------------------------------------------

==============================================================================
CERT-NL is the Computer Emergency Response Team for SURFnet customers. SURFnet
is the Dutch network for educational, research and related institutes. CERT-NL
is a member of the Forum of Incident Response and Security Teams (FIRST).

All CERT-NL material is available under:
  http://cert.surfnet.nl/

In case of computer or network security problems please contact your local
CERT/security-team or CERT-NL  (if your institute is NOT a SURFnet customer
please address the appropriate (local) CERT/security-team).

CERT-NL is one/two hour(s) ahead of UTC (GMT) in winter/summer,
i.e. UTC+0100 in winter and UTC+0200 in summer (DST).

   Email:     cert-nl@surfnet.nl     ATTENDED REGULARLY ALL DAYS
   Phone:     +31 302 305 305        BUSINESS HOURS ONLY
   Fax:       +31 302 305 329        BUSINESS HOURS ONLY
   Snailmail: SURFnet bv
              Attn. CERT-NL
              P.O. Box 19035
              NL - 3501 DA  UTRECHT
              The Netherlands

NOODGEVALLEN:    06 22 92 35 64      ALTIJD BEREIKBAAR
EMERGENCIES : +31 6 22 92 35 64      ATTENDED AT ALL TIMES
CERT-NL'S EMERGENCY PHONENUMBER IS ONLY TO BE USED IN CASE OF EMERGENCIES:
THE SURFNET HELPDESK OPERATING THE EMERGENCY NUMBER HAS A *FIXED*
PROCEDURE FOR DEALING WITH YOUR ALERT AND WILL IN REGULAR CASES RELAY IT
TO CERT-NL IN AN APPROPRIATE MANNER. CERT-NL WILL THEN CONTACT YOU.
===============================================================================

-----BEGIN PGP SIGNATURE-----
Version: PGP 6.5.1i

iQA/AwUBOL6WDDSYjBqwfc9jEQLN1gCfVDN50ZAJWA5VFznVR20Rm8BAAXoAnA8W
ZuqFoLnZVGerwsyBnFY7GJ/T
=4D9r
-----END PGP SIGNATURE-----