-----BEGIN PGP SIGNED MESSAGE-----

===========================================================================
AA-96.05                        AUSCERT Advisory
      Vulnerability in Solaris 2.x Solstice Admintool Launcher
             15 October 1996

Last Revised:

- ---------------------------------------------------------------------------
AUSCERT has received a report of a vulnerability in the Solaris 2.x
Solstice Admintool Launcher program "solstice".  solstice provides a
graphical user interface which can be used to launch system administration
applications.

This vulnerability may allow local users to gain root privileges.

AUSCERT recommends that sites apply the vendor patches as recommended in
Section 3.2.  Until patches can be applied, sites should take the
necessary actions as stated in Section 3.1.

- ---------------------------------------------------------------------------

1.  Description

    Solaris 2.x has two separate GUI system administration tools, Desktop
    Admintool (admintool) and the Solstice Admintool Launcher (solstice).
    solstice provides a graphical interface which can be used to perform
    various system administration tasks which include the ability to manage
    users, groups, hosts and other services.  It also allows individual
    users to give extra functionality to the interface by adding their
    own applications.

    Due to the fact that all applications added by local users and launched
    from the Solstice Admintool Launcher (solstice) have the effective
    group-id of bin, local users have to ability to execute any command
    on the system with these privileges.  Under standard Solaris 2.x
    installations, this can easily be leveraged to gain root privileges.

    The Solstice Admintool Launcher (solstice) is installed, by default,
    as /usr/bin/solstice.  It is usually installed with the package
    SUNWsadml.  While this package was introduced in Solaris 2.5, it can
    also be installed under earlier versions of Solaris 2.x.

    Individual sites are encouraged to check their systems for this package
    and, if installed, take the recommended actions given in Section 3.
    To determine whether the SUNWsadml package is installed, use the command:

  % /usr/bin/pkginfo -l SUNWsadml

2.  Impact

    Local users may be able to execute commands with the effective group-id
    of bin.  This can be leveraged to gain root privileges.

3.  Workarounds/Solution

    Sun Microsystems has released patches addressing this vulnerability.
    Sites are advised to apply these patches (see Section 3.2) as soon as
    possible.  Until vendor patches are applied, sites are advised to take
    the necessary steps outlined in Section 3.1.

3.1 Remove permissions

    Until official patches are available, sites are encouraged to remove
    the set-group-id permissions from the /usr/bin/solstice executable.

      # /bin/chmod g-s /usr/bin/solstice
      # /bin/ls -l /usr/bin/solstice
          -r-xr-xr-x   1 bin   bin   88264 Oct 27  1995 /usr/bin/solstice

    AUSCERT believes that this will not remove any functionality of the
    solstice program.

3.2 Install vendor patches

    Sun Microsystems has released patches which address the vulnerability
    described in this advisory.  AUSCERT recommends that sites apply these
    patches as soon as possible.

    Patches have been released for:

    Operating System           Patch                MD5 Checksum
    ~~~~~~~~~~~~~~~~           ~~~~~                ~~~~~~~~~~~~
   Solaris 2.5 sparc:      103247-07.tar.Z  7ac1835d9604756dba94198f425dbcf6 
   Solaris 2.5 x86:        103245-07.tar.Z  e17e049bb53f706782a2451340b27286
   Solaris 2.5.1 sparc:    103558-05.tar.Z  be967825e898f40620e3ae2390767158
   Solaris 2.5.1 x86:      103559-05.tar.Z  a1afcf2e7549308dbbbce154255d6d85
   Solaris 2.5.1 ppc:      103560-05.tar.Z  500600260ea1bb49b9079fe41dc36e77

    These patches can be retrieved from:

        ftp://sunsolve1.sun.com.au/pub/patches/
        ftp://ftp.auscert.org.au/pub/mirrors/sunsolve1.sun.com/

4.  Additional measures

    The standard Solaris 2.x installation consists of numerous important
    system files and directories which are writable by semi-privileged
    groups, such as "bin".  This has serious security implications, as
    intruders need only get the privileges of the these groups to alter
    critical system files on the system. This may easily be leveraged
    to gain root privileges.

    A script which establishes more secure permissions on critical files
    and directories under Solaris 2.x is available from:
  
  ftp://ftp.fwi.uva.nl/pub/solaris/fix-modes.tar.gz

    Sites should note that package or patch installs may reset the
    permissions to the default (less secure) settings.  Sites are
    encouraged to check permissions after doing installations and re-run
    the fix-modes script if necessary.

    Similar problems exist when system critical files and directories,
    owned by non-root users, are used with root privileges.  For a
    discussion of this and other security issues, see the AUSCERT security
    checklist:

  ftp://ftp.auscert.org.au/pub/auscert/papers/unix_security_checklist

- ---------------------------------------------------------------------------
AUSCERT thanks Marko Laakso (University of Oulu), CERT/CC, DFN-CERT and
Sun Microsystems for their help in this matter.
- ---------------------------------------------------------------------------

The AUSCERT team have made every effort to ensure that the information
contained in this document is accurate.  However, the decision to use the
information described is the responsibility of each user or organisation.
The appropriateness of this document for an organisation or individual system
should be considered before application in conjunction with local policies
and procedures.  AUSCERT takes no responsibility for the consequences of
applying the contents of this document.

If you believe that your system has been compromised, contact AUSCERT or your
representative in FIRST (Forum of Incident Response and Security Teams).

AUSCERT is located at The University of Queensland within the Prentice Centre.
AUSCERT is a full member of the Forum of Incident Response and Security Teams
(FIRST).

AUSCERT maintains an anonymous FTP service which is found on:
ftp://ftp.auscert.org.au/pub/.  This archive contains past SERT and AUSCERT
Advisories, and other computer security information.

AUSCERT also maintains a World Wide Web service which is found on:
http://www.auscert.org.au/.

Internet Email: auscert@auscert.org.au
Facsimile:  (07) 3365 4477
Telephone:  (07) 3365 4417 (International: +61 7 3365 4417)
    AUSCERT personnel answer during Queensland business hours
    which are GMT+10:00 (AEST).
    On call after hours for emergencies.

Postal:
Australian Computer Emergency Response Team
c/- Prentice Centre
The University of Queensland
Brisbane
Qld.  4072.
AUSTRALIA


~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
Revision History


~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~


-----BEGIN PGP SIGNATURE-----
Version: 2.6.3i
Charset: noconv
Comment: ftp://ftp.auscert.org.au/pub/auscert/AUSCERT_PGP.key

iQCVAwUBMmN7Lyh9+71yA2DNAQG8iwP/efKQQrg+7TTXdBknjQOGixd4ZTg7EVe4
JfeRdr6y9vC0zLgc39hYqWvgqT4XQgiAmFELXxAJJFxxmhL1xs0qISGtHENf4tge
8UYvHMZukEubADfdKf22bfnuK/QGd3OvRJyGlQT08BC1LWkT+K3oXpFP1PPTyxgZ
9m5hYKO+bPY=
=+upP
-----END PGP SIGNATURE-----