exploit the possibilities


Posted Sep 15, 1995


MD5 | 2a049dd4474c060660382a25c611cb10


Change Mirror Download


In this bulletin Sun summarizes the availability of a new set of
security patches for Solaris 2.x (SunOS 5.x) systems. The patches close
the so-called "ps_data" vulnerability.

This bug does not affect SunOS 4.1.x systems. Additionally, not all
Solaris 2.x systems are affected. We discuss later in this bulletin how
to determine if your configuration is vulnerable.

This is the same bug that was discussed in CERT bulletin CA-95:09
(released 29 August 1995) and AUSCERT advisory AA-95.07 (released 15
August 95). We have quoted extensively from those two bulletins and
wish to thank both groups for their cooperation.

I. Vulnerability history and analysis

II. Announcement of patches for Solaris 2.x "ps_data" vulnerability

III. Checksum Table


A. How to obtain Sun security patches

B. How to report or inquire about Sun security problems

C. How to obtain Sun security bulletins

/\ Send Replies or Inquiries To:
\\ \
\ \\ / Mark Graff
/ \/ / / Sun Security Coordinator
/ / \//\ MS MPK3
\//\ / / 2550 Garcia Avenue
/ / /\ / Mountain View, CA 94043-1100
/ \\ \ Phone: 415-688-9081
\ \\ Fax: 415-688-9101
\/ E-mail: security-alert@Sun.COM


Permission is granted for the redistribution of this Bulletin for
the purpose of alerting Sun customers to problems, as long as the
Bulletin is not edited and is attributed to Sun Microsystems.

Any other use of this information without the express written consent
of Sun Microsystems is prohibited. Sun Microsystems expressly disclaims
all liability for any misuse of this information by any third party.


I. Vulnerability history and analysis

A. Vulnerability history

This set of new patches fixes a security hole involving the Solaris
"ps" program. The effect of the bug is to create a race condition
which can make it possible under some conditions for a
non-privileged user of the system to gain root access.

The existence of the flaw was publicly announced on August 14th on
a mailing list known as "BUGTRAQ", maintained by Scott Chasin. The
notice is "bugtraq-alert-081495.01". An exploitation script was
released by Mr. Chasin that same day.

We have reason to believe this bug is being actively exploited and
recommend that the relevant patch be installed on any affected
system. The workaround described below is also believed to be
effective and is presented as an alternative.

B. Vulnerability analysis

The race condition can only be exploited if the attacker has access
to certain temporary files used by the "ps" program. Access to
these temporary files may be possible if the permissions on the
/tmp directory are set incorrectly.

The permissions on the /tmp directory are often reset incorrectly
by the system at boot time if tmpfs (which is mounting swap as
/tmp) is in use.

To determine if you are running tmpfs, the following command can be
used to verify if the filesystem for /tmp is swap:

% /usr/sbin/df -k /tmp
Filesystem kbytes used avail capacity Mounted on
swap 28348 12 28336 0% /tmp

or look in the file /etc/vfstab for the configuration line:

#device device mount FS fsck mount mount
#to mount to fsck point type pass at boot options
swap - /tmp tmpfs - yes -

If either of these two conditions exist, then you are running tmpfs
and the system may automatically reset the permission bits of /tmp
at the next reboot.

To verify if your configuration is currently vulnerable, the
following command may be used:

% /usr/bin/ls -ld /tmp
drwxrwxrwt 2 sys sys 61 Aug 15 12:12 /tmp

If the sticky bit is set, the final flag in the permissions setting
will be a "t", as shown. With the permissions shown above, your
system is not vulnerable. If the final flag is an "x" (not shown),
the sticky bit is not set and your system is vulnerable.

Setting the sticky bit on the /tmp and /var/tmp directories is
sound security practice in general, and we recommend this be done
even if the patch discussed in this bulletin is also installed.

C. Temporary workaround

A workaround that takes effect immediately is to set the sticky bit
on the /tmp directory, by issuing the following command as root:

# /usr/bin/chmod 1777 /tmp

In addition, the ownership and group membership of the /tmp
directory should be verified using /usr/bin/ls -ld /tmp. To reset

them to their original settings, issue as root the commands:

# /usr/bin/chown sys /tmp
# /usr/bin/chgrp sys /tmp

Note that the effect of the commands shown above will be lost when
the system reboots. That is, the system will become vulnerable
again every time it is rebooted. In order to make the change
permanent you will need to put similar commands into the system
boot sequence.

D. Permanent workaround

The effect of the commands shown above will be lost when the system
reboots. In order to make the change permanent you will need to put
similar commands into the system boot sequence.

You can do this by creating a script called (for example)
"/etc/init.d/tmpfsfix" containing the lines:


if [ -d /tmp ]
/usr/bin/chmod 1777 /tmp
/usr/bin/chgrp sys /tmp
/usr/bin/chown sys /tmp

and executing as root a command similar to:

# /usr/bin/ln -s /etc/init.d/tmpfsfix /etc/rc3.d/S79tmpfix

The next time the system boots the sticky bit will be set on the
/tmp directory, and the owner and group of /tmp will be set to

II. Announcement of patches for Solaris 2.x "ps_data" vulnerability

A. Patch list

We have produced patches for the versions of SunOS shown below.

OS version Patch ID Patch File Name
---------- --------- ---------------
5.3 101545-02 101545-02.tar.Z
5.4 102711-01 102711-01.tar.Z
5.4_x86 102712-01 102712-01.tar.Z

B. Patch notes

1. SunOS 4.1.x systems are not affected by this bug.

2. The fix has been applied to the upcoming version of Solaris.

III. Checksum Table

In the checksum table we show the BSD and SVR4 checksums and MD5
digital signatures for the compressed tar archives.

Name Checksum Checksum Digital Signature
--------------- ----------- ---------- --------------------------------
101545-02.tar.Z 41218 77 47754 153 A8FB866780E7207D26CF16210BCFDC83
102711-01.tar.Z 17256 69 20376 138 98A449372C5ABBDB7C37B08BFE0E6ED7
102712-01.tar.Z 29867 68 56717 136 E324004BB8C09990B2790CB5D29D3AF5

The checksums shown above are from the BSD-based checksum
(on 4.1.x, /bin/sum; on Solaris 2.x, /usr/ucb/sum) and from
the SVR4 version on Solaris 2.x (/usr/bin/sum).


A. How to obtain Sun security patches

1. If you have a support contract

Customers with Sun support contracts can obtain the patches listed
here (and all other security patches, and a list of patches) from:

- Local Sun answer centers, worldwide
- SunSolve Online, and SunSITEs worldwide

The patches are available via World Wide Web at http://sunsolve1.sun.com.

You should also contact your answer center if you have a support
contract and:

- You need assistance in installing a patch
- You need additional patches
- You want an existing patch ported to another platform
- You believe you have encountered a bug in a Sun patch
- You want to know if a patch exists, or when one will be ready

2. If you do not have a support contract

Sun also makes its security patches available to customers who do
not have a support contract, via anonymous ftp, from the directory
/systems/sun/sun-dist on the system ftp.uu.net.

Sun does not furnish patches to any external distribution sites
other than the ones mentioned here.

3. About the checksums

Patches announced in a Sun security bulletin are uploaded to the
ftp.*.net sites just before the bulletin is released, and seldom
updated. In contrast, the "supported" patch databases are
refreshed nightly, and will often contain newer versions of a patch
incorporating changes which are not security-related.

So that you can quickly verify the integrity of the patch files
themselves, we supply checksums for the tar archives in each
bulletin. The listed checksums should always match those on the
ftp.*.net systems. (The rare exceptions are listed in the
"checksums" file there.)

Normally, the listed checksums will also match the patches on the
SunSolve database. However, this will not be true if we have
changed (as we sometimes do) the README file in the patch after the
bulletin has been released.

In the future we plan to provide checksum information for the
individual components of a patch as well as the compressed archive
file. This will allow customers to determine, if need be, which
file(s) have been changed since we issued the bulletin containing
the checksums.

If you would like assistance in verifying the integrity of a patch
file please contact this office or your local answer center.

B. How to report or inquire about Sun security problems

If you discover a security problem with Sun software or wish to
inquire about a possible problem, contact one or more of the

- Your local Sun answer centers
- Your representative computer security response team, such as CERT
- This office. Address postal mail to:

Sun Security Coordinator
MS MPK2-04
2550 Garcia Avenue Mountain
View, CA 94043-1100

Phone: 415-688-9081
Fax: 415-688-9101
E-mail: security-alert@Sun.COM

We strongly recommend that you report problems to your local Answer
Center. In some cases they will accept a report of a security bug
even if you do not have a support contract. An additional notification
to the security-alert alias is suggested but should not be used as your
primary vehicle for reporting a bug.

C. How to obtain Sun security bulletins

1. Subscription information

Sun Security Bulletins are available free of charge as part of
our Customer Warning System. It is not necessary to have a Sun
support contract in order to receive them.

To subscribe to this bulletin series, send mail to the address
"security-alert@Sun.COM" with the subject "subscribe CWS
your-mail-address" and a message body containing affiliation and
contact information. To request that your name be removed from the
mailing list, send mail to the same address with the subject
"unsubscribe CWS your-mail-address". Do not include other requests
or reports in a subscription message.

Due to the volume of subscription requests we receive, we cannot
guarantee to acknowledge requests. Please contact this office if
you wish to verify that your subscription request was received, or
if you would like your bulletin delivered via postal mail or fax.

2. Obtaining old bulletins

Sun Security Bulletins are archived on ftp.uu.net (in the same
directory as the patches) and on SunSolve. Please try these
sources first before contacting this office for old bulletins.


Login or Register to add favorites

File Archive:

May 2021

  • Su
  • Mo
  • Tu
  • We
  • Th
  • Fr
  • Sa
  • 1
    May 1st
    1 Files
  • 2
    May 2nd
    4 Files
  • 3
    May 3rd
    26 Files
  • 4
    May 4th
    17 Files
  • 5
    May 5th
    3 Files
  • 6
    May 6th
    32 Files
  • 7
    May 7th
    11 Files
  • 8
    May 8th
    2 Files
  • 9
    May 9th
    2 Files
  • 10
    May 10th
    13 Files
  • 11
    May 11th
    17 Files
  • 12
    May 12th
    22 Files
  • 13
    May 13th
    11 Files
  • 14
    May 14th
    9 Files
  • 15
    May 15th
    2 Files
  • 16
    May 16th
    2 Files
  • 17
    May 17th
    21 Files
  • 18
    May 18th
    0 Files
  • 19
    May 19th
    0 Files
  • 20
    May 20th
    0 Files
  • 21
    May 21st
    0 Files
  • 22
    May 22nd
    0 Files
  • 23
    May 23rd
    0 Files
  • 24
    May 24th
    0 Files
  • 25
    May 25th
    0 Files
  • 26
    May 26th
    0 Files
  • 27
    May 27th
    0 Files
  • 28
    May 28th
    0 Files
  • 29
    May 29th
    0 Files
  • 30
    May 30th
    0 Files
  • 31
    May 31st
    0 Files

Top Authors In Last 30 Days

File Tags


packet storm

© 2020 Packet Storm. All rights reserved.

Security Services
Hosting By