exploit the possibilities
Home Files News &[SERVICES_TAB]About Contact Add New

ciac-08.sunos-restore

ciac-08.sunos-restore
Posted Sep 23, 1999

ciac-08.sunos-restore

systems | solaris
SHA-256 | 2b80ed165e6287624206f86a0af7b1dca7a35f72fac7b2c5c51d27badb2bac4b

ciac-08.sunos-restore

Change Mirror Download

________________________________________________________________
THE COMPUTER INCIDENT ADVISORY CAPABILITY

CIAC

ADVISORY NOTICE
________________________________________________________________


Announcement of Vulnerability in the SunOS Restore Utility

The Computer Incident Advisory Capability (CIAC) has learned of a vulnerability
in SunOS. This vulnerability is in the restore utility. Because restore is
setuid to root, it allows an ordinary user to obtain unauthorized privileges.
This vulnerability is found in all SunOS 4.x systems (4.0, 4.0.1, and 4.0.3).
This vulnerability can, however, be exploited by only users who have an account
on a SunOS 4.x system.

Sun Microsystems is aware of this vulnerability (Sun Bug 1019265) and is
developing a permanent solution in a future SunOS release. However, until
this fix is available, you should install one of two temporary fixes:

Temporary Solution 1: Make restore non-setuid, using the following
workaround:

chmod 750 /usr/etc/restore

This solution is appropriate for systems that do restore locally and uses
the root account to do restores. It eliminates the vulnerability in restore.
However, in addition to making store non-setuid, this solution makes restore
unreadable and non-executable by ordinary (non-root) users, and restricts the
use of remote restore by these users. For example, with SunOS, a user who is
not root cannot get a privileged port. If temporary solution 1 has been
implemented, an ordinary user who requests a remote tape drive to do restore
would discover that restore would be unable to obtain a privileged port.
Therefore, the remote tape drive would not work.

Temporary Solution 2: Using the following workaround:

cd /usr/etc
chgrp operator restore
chmod 4550 restore

You should use this solution if you do remote restore outside of the root
account. You may substitute "operator" with any other group that contains
the users you want to use restore. The group "operator" is a default group
on SunOS 4.x. With this method, restore still is still setuid and vulnerable,
but you will have an accountable group of users who can use restore. The
4550 makes restore readable and executable by root and the group you specified,
and unreadable by everyone else. Thus, this solution does not totally disable
the remote restore capability, but allows designated user groups to have
this capability.

In addition, as a security prevention measurement, we suggest that you restrict
the accessability of dump. The "dump" utility, the partner of restore, is
frequently used to do backups on a system. Restore is used to extract the
files that dump has stored on tape. CIAC's recommendation is to make dump
unreadable, non-executable and unwriteable to everyone by using the following
workaround:

chmod 6750 /usr/etc/dump

This will restrict access of dump by allowing its use only by root and the
group to which dump belongs (eg. operator, staff, or wheel).

For further information, contact:

Ana Maria de Alvare'
Computer Incident Advisory Capability
Lawrence Livermore National Laboratory
P.O. Box 808, L-303
Livermore, CA 94550
(415) 422-7007 or (FTS) 532-7007
anamaria@lll-lcc.llnl.gov

Login or Register to add favorites

File Archive:

March 2024

  • Su
  • Mo
  • Tu
  • We
  • Th
  • Fr
  • Sa
  • 1
    Mar 1st
    16 Files
  • 2
    Mar 2nd
    0 Files
  • 3
    Mar 3rd
    0 Files
  • 4
    Mar 4th
    32 Files
  • 5
    Mar 5th
    28 Files
  • 6
    Mar 6th
    42 Files
  • 7
    Mar 7th
    17 Files
  • 8
    Mar 8th
    13 Files
  • 9
    Mar 9th
    0 Files
  • 10
    Mar 10th
    0 Files
  • 11
    Mar 11th
    15 Files
  • 12
    Mar 12th
    19 Files
  • 13
    Mar 13th
    21 Files
  • 14
    Mar 14th
    38 Files
  • 15
    Mar 15th
    15 Files
  • 16
    Mar 16th
    0 Files
  • 17
    Mar 17th
    0 Files
  • 18
    Mar 18th
    10 Files
  • 19
    Mar 19th
    32 Files
  • 20
    Mar 20th
    46 Files
  • 21
    Mar 21st
    16 Files
  • 22
    Mar 22nd
    13 Files
  • 23
    Mar 23rd
    0 Files
  • 24
    Mar 24th
    0 Files
  • 25
    Mar 25th
    12 Files
  • 26
    Mar 26th
    31 Files
  • 27
    Mar 27th
    19 Files
  • 28
    Mar 28th
    42 Files
  • 29
    Mar 29th
    0 Files
  • 30
    Mar 30th
    0 Files
  • 31
    Mar 31st
    0 Files

Top Authors In Last 30 Days

File Tags

Systems

packet storm

© 2022 Packet Storm. All rights reserved.

Services
Security Services
Hosting By
Rokasec
close