
c-26.ciac-sunos-environment-variable

Posted Sep 23, 1999


systems | solaris
SHA-256 | 417b3187230bab5191fb71e5ce3f503e94d83ae26a68f5eb0b52a15153d2790f

          _____________________________________________________
The Computer Incident Advisory Capability
_____________________________________________________
Information Bulletin

SunOS Environment Variables and setuid/setgid Vulnerability

May 27, 1992, 1500 PDT Number C-26

_________________________________________________________________________
PROBLEM: User environment variables can be used to subvert security.
PLATFORM: All Sun3/Sun4 computers running SunOS 4.1, 4.1.1, or 4.1.2
DAMAGE: Local users can obtain unauthorized privileges.
SOLUTION: Install environment wrapper (included) and/or apply patches.
_________________________________________________________________________
Critical Information about Shared Libraries

CIAC has obtained information concerning a security problem with shared
libraries (i.e., dynamically-linked programs). User environment
variables are improperly passed to SETUID and SETGID programs.

This vulnerability applies to in-house, third-party, and Sun
SETUID/SETGID applications that change the real ID and effective ID to
match before executing the program. The programs known by SUN to have
this problem in SunOS 4.1.x are: /usr/lib/sendmail, /usr/bin/login,
/usr/bin/su, /usr/5bin/su.

Patch ID#   FILE             CHECKSUM     VERSION
----------  ---------------  -----------  ------------------------------
100377-04   100377-04.tar.Z  14692 311    sendmail
100630-01   100630-01.tar.Z  36269  39    login/su, International version
100631-01   {contact SUN Answer Center}*  login/su, Domestic version

* Export regulations prohibit distributing 100631-01 via anonymous ftp.
Please contact your SUN Answer Center for Patch ID# 100631-01

If you do not have ready access to the patches listed above or have
third party software that may be vulnerable, CIAC recommends that you
wrap executables in the enclosed wrapper code, provided by Wietse
Venema, Eindhoven University of Technology, The Netherlands.

It is highly recommended that the wrapper program be installed around
your applicable ARM versions of the affected programs.

These patches, as well as all other Sun patches, are available both
through your local Sun Answer Centers and via anonymous ftp. In the
US, ftp to ftp.uu.net (137.39.1.9) and retrieve the patch from the
directory ~ftp/systems/sun/sun-dist. In Europe, ftp to mcsun.eu.net
(192.16.202.1) and retrieve the patch from the ~ftp/sun/fixes
directory.

For additional information or assistance, please contact CIAC:

Marvin J. Christensen
(510) 423-5173 or (FTS) 543-5173
send e-mail to mjchristensen@llnl.gov


CIAC at (510) 422-8193/(FTS)
FAX (510) 423-8002/(FTS)
send e-mail to ciac@llnl.gov.

Previous CIAC bulletins and other information are available via
anonymous ftp from irbis.llnl.gov (IP address 128.115.19.60).

===========================================================================

/*
 * Remove "LD_" variables from user environment before calling a
 * SETUID/SETGID executable
 *
 * This code is specific to /bin/login, but can be easily modified to
 * wrap other programs by modifying "COMMAND". Change the value of
 * "COMMAND" to the new, full path name of the command that you want
 * to wrap after you have moved it. For example, if you moved
 * /usr/lib/sendmail to /usr/lib/sendmail+ (using the command "mv
 * /usr/lib/sendmail /usr/lib/sendmail+"), change the macro definition
 * of "COMMAND" in the C program to:
 *
 *     #define COMMAND "/usr/lib/sendmail+"
 *
 * Then perform the steps below to compile and install your
 * sendmail wrapper.
 */

#define COMMAND "/bin/login+"

main(argc,argv)
int     argc;
char  **argv;
{
    fixenv();                   /* strip LD_* before the real program runs */
    execv(COMMAND,argv);        /* execv passes on the cleaned environ */
    perror(COMMAND);            /* reached only if execv failed */
    exit(1);
}

fixenv()
{
    extern char **environ;
    char  **cpp;
    char  **xpp;
    char   *cp;

    for (cpp = environ; cp = *cpp; cpp++) {
        /* "while", not "if": after a removal, the entry that slid
         * into this slot must be checked as well */
        while (*cp++ == 'L' && *cp++ == 'D' && *cp == '_') {
            /* close the gap by shifting the rest of the vector down */
            for (xpp = cpp; xpp[0] = xpp[1]; xpp++)
                /* void */ ;
            if ((cp = *cpp) == 0)
                return;
        }
    }
}

/*----------------------------------------------------------------*/

The example code above is specific to /bin/login.

Install as root:

Move the old /bin/login to /bin/login+ and modify permissions:
# mv /bin/login /bin/login+
# chmod 750 /bin/login+

Put the code above in a C program file and compile. For this example
assume the file is /tmp/login.c:
# cd /tmp
# make login

Move the wrapper program into /bin/login and modify permissions and ownership:
# mv /tmp/login /bin/login
# chown root.staff /bin/login
# chmod 4711 /bin/login
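
Because the wrapper runs setuid root, its filter is worth exercising against a constructed environment before installation. The following is an added example, not part of the CIAC bulletin or of Wietse Venema's wrapper: it expresses the same "LD_" prefix filter in ANSI C as a function over an arbitrary vector, so the edge cases (adjacent "LD_" entries, an "LD_" entry in last position, names that merely contain "LD_") can be checked. The names strip_env_prefix and env_count and all sample values are hypothetical.

```c
#include <stdio.h>
#include <string.h>

/*
 * strip_env_prefix (hypothetical helper, not from the bulletin):
 * remove every entry that begins with prefix from a NULL-terminated
 * environment vector, compacting it in place.
 * Returns the number of entries removed.
 */
int strip_env_prefix(char **env, const char *prefix)
{
    size_t plen = strlen(prefix);
    char **src, **dst;
    int removed = 0;

    for (src = dst = env; *src != NULL; src++) {
        if (strncmp(*src, prefix, plen) == 0)
            removed++;          /* drop: do not copy forward */
        else
            *dst++ = *src;      /* keep: slide down over removed slots */
    }
    *dst = NULL;                /* re-terminate the shortened vector */
    return removed;
}

/* Count the entries left in a NULL-terminated vector. */
int env_count(char **env)
{
    int n = 0;
    while (env[n] != NULL)
        n++;
    return n;
}

int main(void)
{
    /* Constructed sample environment, not captured from a real system. */
    char *env[] = {
        "LD_LIBRARY_PATH=/example/lib", "LD_EXAMPLE=1", "HOME=/home/u",
        "OLD_PATH=/bin", "LD", "LD_TRAILING=x", NULL
    };
    char **p;

    printf("removed %d\n", strip_env_prefix(env, "LD_"));
    for (p = env; *p != NULL; p++)
        printf("kept: %s\n", *p);
    return 0;
}
```

The match is anchored at the start of each entry, as in the bulletin's wrapper, so "OLD_PATH" and a bare "LD" survive while every "LD_"-prefixed entry is dropped regardless of position.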

===========================================================================
CIAC would like to acknowledge the contributions of: CERT/CC, PCERT,
SUN Microsystems, and Wietse Venema.

PLEASE NOTE: Many users outside of the DOE and ESnet computing
communities receive CIAC bulletins. If you are not part of these
communities, please contact your agency's response team to report
incidents. Some of the other teams include the NASA NSI response
team, DARPA's CERT/CC, NAVCIRT, and the Air Force response team. Your
agency's team will coordinate with CIAC.

This document was prepared as an account of work sponsored by an agency
of the United States Government. Neither the United States Government
nor the University of California nor any of their employees, makes any
warranty, express or implied, or assumes any legal liability or
responsibility for the accuracy, completeness, or usefulness of any
information, apparatus, product, or process disclosed, or represents
that its use would not infringe privately owned rights. Reference
herein to any specific commercial products, process, or service by
trade name, trademark, manufacturer, or otherwise, does not necessarily
constitute or imply its endorsement, recommendation or favoring by the
United States Government or the University of California. The views
and opinions of authors expressed herein do not necessarily state or
reflect those of the United States Government or the University of
California, and shall not be used for advertising or product
endorsement purposes.

