
SUN MICROSYSTEMS SECURITY BULLETIN: #00116

Posted Jan 19, 1994

Patch advisory for Sun Microsystems. Please read for details.

SHA-256 | e0d29fc1a84fac3f39e8fd3d4cb7e83abe19baea970d9b71df5c0acd9893f74a

SUN MICROSYSTEMS SECURITY BULLETIN: #00116, 26 May 92

This information is only to be used for the purpose of alerting
customers to problems. Any other use or re-broadcast of this
information without the express written consent of Sun Microsystems
shall be prohibited.

Sun expressly disclaims all liability for any misuse of this information
by any third party.
---------------------------------------------------------------------------

All patches listed are available through your local Sun answer centers
worldwide as well as through anonymous ftp: in the US, ftp to ftp.uu.net
and obtain the patch from the /systems/sun/sun-dist directory; in Europe,
ftp to mcsun.eu.net and obtain the patch from the ~ftp/sun/fixes directory.
Note that Sun does not have direct access to mcsun.eu.net and must request
that patches be copied from ftp.uu.net to mcsun.eu.net. Therefore, there
may be a time lag before patches appear on mcsun.eu.net.

Please refer to the BugId and PatchId when requesting patches from Sun
answer centers.

----------------------------------------------------------------------------

BULLETIN TOPICS
  I.   New Patches
       A. 100482-02, SunOS 4.1.x: ypserv and ypxfrd will send maps to anyone
       B. 100630-01, SunOS 4.1.x: "LD_" environment variables can be used to
          exploit login/su, International version
  II.  Upgraded Patches
       A. 100377-04, SunOS 4.1.x: "LD_" environment variables can be used to
          exploit sendmail
  III. Program wrapper suggested if patches 100630-01, 100631-01, 100377-04
       are not immediately available.

==============================================================================
NEW PATCH INFORMATION

Sun Patch ID:  100482-02
Sun Bug IDs:   1036869, 1039839, 1082319, 1082320, 1080353
SunOS release: 4.1, 4.1.1, 4.1.2
Synopsis: This patch fixes several problems with NIS:
  1. Bug 1036869 - ypserv will send maps to anyone who can guess the
     domainname
  2. Bug 1039839 - DNS used in conjunction with NIS may generate
     inaccurate syslog messages to the console.
  3. Bug 1082319 - ypserv will send maps to anyone via the portmapper
  4. Bug 1082320 - ypxfrd will send maps to anyone. Ypxfrd does not
     check whether the person transferring the map is root on his/her
     machine, when the map is ``secure''. As a consequence, any user
     can get the password map if the NIS master is running ypxfrd.
  5. Bug 1080353 - whenever a primary name server downloads an 'A'
     record to a secondary system and this 'A' record contains more
     than 36 IP addresses, ypserv on the secondary system will core dump.

Please note that the /var/yp/securenets configuration file that is provided
in this patch does not support blank lines.

Checksum of compressed tarfile 100482-02.tar.Z on ftp.uu.net = 53416 284

Sun Microsystems would like to acknowledge the following people for the
permission to use their source modifications in the above patch:
Alain Brossard, Ecole Polytechnique Federale de Lausanne, Suisse
Richard Watterson and Daniel Trinkle, Purdue University, IN
Peter Lamb, Swiss Federal Institute of Technology
In addition, the following people provided valuable assistance:
Casper H.S. Dik, University of Amsterdam, The Netherlands
Dan Kegel, Jet Propulsion Laboratory, NASA



Sun Patch ID: 100630-01
Sun Bug IDs: 1085851
SunOS release: 4.1, 4.1.1, 4.1.2
Synopsis: "LD_" environment variables can be used to exploit login/su
Problem Description: a dynamically-linked program that is invoked by
a setuid/setgid program has access to the caller's environmental
variables if the setuid/setgid program sets the real and effective
UIDs to be equal and the real and effective GIDs to be equal before the
dynamically-linked program is executed. A vulnerability exists if the
UIDs and GIDs are not equal to those of the user that invoked the
setuid/setgid program.

Note that this patch contains the international version of /bin/login
that users who are not using the US Encryption Kit need to install.
Patch 100631-01 contains the domestic version of /bin/login. /usr/bin/su
and /usr/5bin/su from this international patch are suitable for
sites that use the US Encryption Kit. Export regulations prohibit
putting 100631-01 on anonymous ftp sites. Please contact your Answer
Center for 100631-01.

Please refer to the section below entitled "PROGRAM WRAPPER" for
additional information.


Checksum of compressed tarfile 100630-01.tar.Z on ftp.uu.net = 36269 39

==============================================================================
UPGRADED PATCH INFORMATION

Sun Patch ID:  100377-04
Sun Bug IDs:   1030087, 1036159, 1041284, 1056203, 1068637, 1085853
SunOS release: 4.1, 4.1.1, 4.1.2
Synopsis: This patch combines 6 fixes and obsoletes Patch 100099-01:
  1. Bug 1030087 - sendmail yp aliasing does not work with non-Sun YP masters
  2. Bug 1036159 - a user can exploit sendmail to run programs with root's
     group privileges
  3. Bug 1041284 - sendmail -t fails when /var/spool/mail is nfs mounted
     from mailhost
  4. Bug 1056203 - a system that runs sendmail.mx will connect back to
     itself when it connects to a site that has MX records
  5. Bug 1068637 - sendmail ignores the .forward file of users with uid
     values greater than 32767
  6. Bug 1085853 - security can be subverted by the use of "LD_" environment
     variables.
Problem Description: Bug 1085853 for sendmail is the same problem discussed
above for bug 1085851, Patch 100630-01 for login/su. Please refer to
the description for Patch 100630-01 for more information.

Checksum of compressed tarfile 100377-04.tar.Z on ftp.uu.net = 14692 311

==============================================================================
PROGRAM WRAPPER

Sun has been informed by several computer emergency response teams that
the vulnerabilities stated in BugIds 1085851 and 1085853 are known and
currently being exploited by computer crackers. If your site is
concerned about the security of your SunOS systems, it is important that
you install the applicable patches for BugIds 1085851 and 1085853 as
soon as possible.

The only applications that are known to have this problem in SunOS 4.1.x
are login, su, and sendmail. However, custom or third party setuid/setgid
applications may also be vulnerable. Please check with your software
supplier, a response team, or with me if you have doubts.

If you do not have ready access to the patches for these bugs, Sun
recommends that you wrap your login, su, and sendmail executables with
the following C program, provided by Wietse Venema, Eindhoven University
of Technology, The Netherlands:

/*----------------------------------------------------------------*/

/*
* Remove "LD_" variables from user environment before calling an executable
*
* This code is specific to /bin/login, but can be easily modified
* to wrap other programs by modifying "COMMAND".
*/

#define COMMAND "/bin/login+"

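main(argc,argv)
int argc;
char **argv;
{
    fixenv();                   /* strip LD_* before the real program runs */
    execv(COMMAND,argv);
    perror(COMMAND);            /* reached only if execv() failed */
    exit(1);
}

fixenv()
{
    extern char **environ;
    char **cpp;
    char **xpp;
    char *cp;

    for (cpp = environ; cp = *cpp; cpp++) {
        /* "while", not "if": the entry shifted into this slot may also be LD_* */
        while (*cp++ == 'L' && *cp++ == 'D' && *cp == '_') {
            /* delete this entry by shifting the rest of the vector down one */
            for (xpp = cpp; xpp[0] = xpp[1]; xpp++)
                /* void */ ;
            if ((cp = *cpp) == 0)
                return;
        }
    }
}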

/*----------------------------------------------------------------*/

The example code above is specific to /bin/login.

Install as root:

Move the old /bin/login to /bin/login+ and modify permissions:

    mv /bin/login /bin/login+
    chmod 0750 /bin/login+

Put the code above in a C program file and compile. For this example
assume the file is /tmp/login.c:

    cd /tmp
    make login

Move the wrapper program into /bin/login and modify permissions and ownership:

    mv /tmp/login /bin/login
    chown root.staff /bin/login
    chmod 4711 /bin/login


The C code above can be easily modified for use with /usr/lib/sendmail,
/usr/bin/su, and /usr/5bin/su. Change the value of "COMMAND" to the
new, full path name of the command that you want to wrap after you have
moved it. For example, if you moved /usr/lib/sendmail to /usr/lib/sendmail+
(using the command "mv /usr/lib/sendmail /usr/lib/sendmail+"), change
the macro definition of "COMMAND" in the C program to:

#define COMMAND "/usr/lib/sendmail+"

Then perform the analogous steps above to compile and install your sendmail
wrapper. Note that "COMMAND" should always be an absolute pathname for
security purposes. The code should not be modified to accept "COMMAND"
as an argument using argv[].
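
An added example, not part of the bulletin and not Wietse Venema's code: the same "LD_" filtering written in ANSI C as a single-pass compaction, run over a constructed environment to show that consecutive "LD_" entries are all removed while near-miss names (LDPATH, OLD_LD_, L) are kept. The names scrub_ld_env, sample_removed, sample_kept and SAMPLE_ENV are hypothetical.

```c
#include <stdio.h>
#include <string.h>

/* Constructed sample environment (not from the bulletin): two adjacent
 * LD_* entries, a bare "LD_", and three near-miss names that must stay. */
#define SAMPLE_ENV "PATH=/usr/bin", "LD_PRELOAD=/tmp/x.so", \
    "LD_LIBRARY_PATH=/tmp/lib", "LDPATH=kept", "OLD_LD_=kept", \
    "L", "LD_", NULL

/* Hypothetical helper: compact envp in place, dropping every entry whose
 * name starts with "LD_". Returns the number of entries removed. */
static int scrub_ld_env(char **envp)
{
    char **src, **dst;
    int removed = 0;
    for (src = dst = envp; *src != NULL; src++) {
        if (strncmp(*src, "LD_", 3) == 0)
            removed++;      /* drop: never copied forward */
        else
            *dst++ = *src;  /* keep: slides down over any gap */
    }
    *dst = NULL;            /* re-terminate the shortened vector */
    return removed;
}

/* Number of entries the scrub removes from the sample. */
int sample_removed(void)
{
    char *env[] = { SAMPLE_ENV };
    return scrub_ld_env(env);
}

/* Entry at index i of the scrubbed sample, or NULL past the end. */
const char *sample_kept(int i)
{
    static char *env[] = { SAMPLE_ENV };
    int n = 0;
    scrub_ld_env(env);      /* idempotent: a second pass removes nothing */
    while (env[n] != NULL && n < i)
        n++;
    return env[n];
}

int main(void)
{
    int i;
    printf("removed %d\n", sample_removed());
    for (i = 0; sample_kept(i) != NULL; i++)
        printf("kept: %s\n", sample_kept(i));
    return 0;
}
```
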

Sun patches for these bugs are being tested for Sun SHIELD ARM. Please
contact your Answer Center or me for availability. It is highly recommended
that the wrapper program be installed around your applicable ARM versions
of the affected programs.

Sun Microsystems would like to acknowledge Wietse Venema and the CERT,
CIAC, and PCERT computer security emergency response teams for their
valuable assistance in dealing with this vulnerability.

===========================================================================

Sun Microsystems recommends that all customers concerned with the security
of their SunOS systems obtain and load the patches that are applicable to
their system(s).

Kenneth L. Pon
Software Security Coordinator
Sun Microsystems, Inc.