AA-96.05.Solaris.Solstice.Launcher.Vulnerability
===========================================================================
AA-96.05 AUSCERT Advisory
Vulnerability in Solaris 2.x Solstice Admintool Launcher
15 October 1996
Last Revised:
---------------------------------------------------------------------------
AUSCERT has received a report of a vulnerability in the Solaris 2.x
Solstice Admintool Launcher program "solstice". solstice provides a
graphical user interface which can be used to launch system administration
applications.
This vulnerability may allow local users to gain root privileges.
AUSCERT recommends that sites apply the vendor patches as recommended in
Section 3.2. Until patches can be applied, sites should take the
necessary actions as stated in Section 3.1.
---------------------------------------------------------------------------
1. Description
Solaris 2.x has two separate GUI system administration tools, Desktop
Admintool (admintool) and the Solstice Admintool Launcher (solstice).
solstice provides a graphical interface which can be used to perform
various system administration tasks which include the ability to manage
users, groups, hosts and other services. It also allows individual
users to give extra functionality to the interface by adding their
own applications.
Because every application added by a local user and launched from the
Solstice Admintool Launcher (solstice) runs with the effective group-id
of bin, local users have the ability to execute any command on the
system with these privileges. Under standard Solaris 2.x installations,
this can easily be leveraged to gain root privileges.
The Solstice Admintool Launcher (solstice) is installed, by default,
as /usr/bin/solstice. It is usually installed with the package
SUNWsadml. While this package was introduced in Solaris 2.5, it can
also be installed under earlier versions of Solaris 2.x.
Individual sites are encouraged to check their systems for this package
and, if installed, take the recommended actions given in Section 3.
To determine whether the SUNWsadml package is installed, use the command:
% /usr/bin/pkginfo -l SUNWsadml
2. Impact
Local users may be able to execute commands with the effective group-id
of bin. This can be leveraged to gain root privileges.
3. Workarounds/Solution
Sun Microsystems has released patches addressing this vulnerability.
Sites are advised to apply these patches (see Section 3.2) as soon as
possible. Until vendor patches are applied, sites are advised to take
the necessary steps outlined in Section 3.1.
3.1 Remove permissions
Until official patches are available, sites are encouraged to remove
the set-group-id permissions from the /usr/bin/solstice executable.
# /bin/chmod g-s /usr/bin/solstice
# /bin/ls -l /usr/bin/solstice
-r-xr-xr-x 1 bin bin 88264 Oct 27 1995 /usr/bin/solstice
AUSCERT believes that this will not remove any functionality of the
solstice program.
3.2 Install vendor patches
Sun Microsystems has released patches which address the vulnerability
described in this advisory. AUSCERT recommends that sites apply these
patches as soon as possible.
Patches have been released for:
Operating System      Patch             MD5 Checksum
~~~~~~~~~~~~~~~~      ~~~~~             ~~~~~~~~~~~~
Solaris 2.5 sparc:    103247-07.tar.Z   7ac1835d9604756dba94198f425dbcf6
Solaris 2.5 x86:      103245-07.tar.Z   e17e049bb53f706782a2451340b27286
Solaris 2.5.1 sparc:  103558-05.tar.Z   be967825e898f40620e3ae2390767158
Solaris 2.5.1 x86:    103559-05.tar.Z   a1afcf2e7549308dbbbce154255d6d85
Solaris 2.5.1 ppc:    103560-05.tar.Z   500600260ea1bb49b9079fe41dc36e77
These patches can be retrieved from:
ftp://sunsolve1.sun.com.au/pub/patches/
ftp://ftp.auscert.org.au/pub/mirrors/sunsolve1.sun.com/
4. Additional measures
The standard Solaris 2.x installation contains numerous important
system files and directories which are writable by semi-privileged
groups, such as "bin". This has serious security implications, as
intruders need only obtain the privileges of these groups to alter
critical system files. This may easily be leveraged to gain root
privileges.
A script which establishes more secure permissions on critical files
and directories under Solaris 2.x is available from:
ftp://ftp.fwi.uva.nl/pub/solaris/fix-modes.tar.gz
Sites should note that package or patch installs may reset the
permissions to the default (less secure) settings. Sites are
encouraged to check permissions after doing installations and re-run
the fix-modes script if necessary.
Similar problems exist when system critical files and directories,
owned by non-root users, are used with root privileges. For a
discussion of this and other security issues, see the AUSCERT security
checklist:
ftp://ftp.auscert.org.au/pub/auscert/papers/unix_security_checklist
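The following Bourne shell functions are an added example (not part of the AUSCERT advisory or of the fix-modes script) that automate the Section 3.1 workaround (drop the set-group-id bit from solstice and verify it is gone) and the Section 4 audit (list files a semi-privileged group such as bin may write). The path and group name are parameters so the functions can be exercised on a constructed scratch tree; the demo() function and the mktemp-based scratch tree are assumptions of this example.

```shell
#!/bin/sh
# Added example for AA-96.05: Section 3.1 remediation check and the
# Section 4 group-writable audit. Only POSIX find/chmod primitives are used
# so the functions work on Solaris 2.x as well as modern systems.

# is_setgid FILE: exit 0 if FILE carries the set-group-id bit (mode 02000).
# -prune stops find from descending if FILE happens to be a directory.
is_setgid() {
    [ -e "$1" ] && [ -n "$(find "$1" -prune -perm -2000 2>/dev/null)" ]
}

# drop_setgid FILE: apply the advisory's workaround (chmod g-s) and verify.
# Returns 1 if the bit could not be removed.
drop_setgid() {
    if is_setgid "$1"; then
        chmod g-s "$1" || return 1
        echo "removed set-group-id from $1"
    else
        echo "$1 is not set-group-id; nothing to do"
    fi
    if is_setgid "$1"; then return 1; fi   # confirm the bit is really gone
    return 0
}

# group_writable_under DIR GROUP: list regular files under DIR owned by
# GROUP that GROUP may write (mode 020), the condition Section 4 warns
# about. On a real host: group_writable_under / bin
group_writable_under() {
    find "$1" -type f -group "$2" -perm -020 2>/dev/null | sort
}

# demo: run both checks on a constructed scratch tree (hypothetical files
# that mimic a setgid solstice binary and a group-writable system file).
demo() {
    scratch=$(mktemp -d) || return 1
    g=$(id -gn)                                # group the scratch files get
    : > "$scratch/solstice"; chmod 2555 "$scratch/solstice"  # like the stock install
    : > "$scratch/passwd";   chmod 664 "$scratch/passwd"     # group-writable
    : > "$scratch/shadow";   chmod 600 "$scratch/shadow"     # not writable
    drop_setgid "$scratch/solstice"            # prints "removed set-group-id ..."
    group_writable_under "$scratch" "$g"       # lists only .../passwd
    rm -rf "$scratch"
}
```

Call demo to see the two checks on the scratch tree; on a production system run drop_setgid /usr/bin/solstice and group_writable_under / bin, re-checking after every package or patch install as the advisory notes.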
---------------------------------------------------------------------------
AUSCERT thanks Marko Laakso (University of Oulu), CERT/CC, DFN-CERT and
Sun Microsystems for their help in this matter.
---------------------------------------------------------------------------
The AUSCERT team have made every effort to ensure that the information
contained in this document is accurate. However, the decision to use the
information described is the responsibility of each user or organisation.
The appropriateness of this document for an organisation or individual system
should be considered before application in conjunction with local policies
and procedures. AUSCERT takes no responsibility for the consequences of
applying the contents of this document.
If you believe that your system has been compromised, contact AUSCERT or your
representative in FIRST (Forum of Incident Response and Security Teams).
AUSCERT is located at The University of Queensland within the Prentice Centre.
AUSCERT is a full member of the Forum of Incident Response and Security Teams
(FIRST).
AUSCERT maintains an anonymous FTP service which is found on:
ftp://ftp.auscert.org.au/pub/. This archive contains past SERT and AUSCERT
Advisories, and other computer security information.
AUSCERT also maintains a World Wide Web service which is found on:
http://www.auscert.org.au/.
Internet Email: auscert@auscert.org.au
Facsimile: (07) 3365 4477
Telephone: (07) 3365 4417 (International: +61 7 3365 4417)
AUSCERT personnel answer during Queensland business hours
which are GMT+10:00 (AEST).
On call after hours for emergencies.
Postal:
Australian Computer Emergency Response Team
c/- Prentice Centre
The University of Queensland
Brisbane
Qld. 4072.
AUSTRALIA
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
Revision History
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~