Bugtraq mailing list archives

Re: BUGTRAQ ALERT: Solaris 2.x vulnerability


From: Mark.Graff () Eng Sun COM (Mark Graff)
Date: Fri, 18 Aug 1995 10:07:27 -0700



Scott Chasin said,

 Mark Graff relayed to me...

Yup. I also thought I sent a note out to this list, on August 14th.
I'll attach that message.

Our general policy is not to announce a problem until we have a fix.
Since Scott disclosed the hole here I responded (or tried to respond)
with the information that we knew about the problem and were testing
fixes. Sorry if it didn't get out for some reason!

On this bug the update is that I expect to release the patches and a
corresponding bulletin next week, perhaps as early as Wednesday.

BTW we have been working on a patch (for all affected platforms) since
July. (We got a second report on August 1, but it turns out the fix was
already in the works.) The traffic on this list, including Scott's
disclosure and followup exploitation script, has had no effect on our
schedule.  We were already in the final stages of testing when he
acted.

So far as the "sticky bit" workaround goes, it looks good to me so
far.  By the time I issue the bulletin I will be sure one way or the
other. Over the last couple of days, in parallel with the testing
effort, I have been looking into the conditions under which the bit is
not set by the startup scripts. (Don't send me all the traffic on this
list about that--I've been following it here too).

-mg-

p.s. Followup inquiries or other questions should generally be sent
to security-alert () sun com, not to me directly. That address is
covered when I'm out of the office.

      /\
     \\ \        Mark G. Graff
    \ \\ /       Sun Security Coordinator
   / \/ / /      MS MPK3
  / /   \//\     2550 Garcia Avenue
  \//\   / /     Mountain View, CA 94043-1100
   / / /\ /      Phone: 415-688-9151
    / \\ \       Email: mark.graff () Sun COM
     \ \\               security-alert () sun com
      \/


 From owner-bugtraq () CRIMELAB COM  Fri Aug 18 09:15:55 1995
 Approved-By:  Scott Chasin <chasin () CRIMELAB COM>
 Date:         Fri, 18 Aug 1995 10:03:33 MDT
 Subject:      Re: BUGTRAQ ALERT: Solaris 2.x vulnerability
 X-To:         bugtraq () crimelab com
 To: Multiple recipients of list BUGTRAQ <BUGTRAQ () CRIMELAB COM>

 [casper () HOLLAND SUN COM wrote]:

Just to add my two cents to the discussion:
        - this is a known problem


So why wasn't it more publicly announced? Sun could easily have issued a
new binary very publicly and without saying what they had fixed.


 Mark Graff relayed to me that Sun has known about this for about 2 weeks
 or so.

 [casper () HOLLAND SUN COM wrote]:
        - it is fixed in 2.5 (by using fchown, not chown, both versions of ps)

 Apparently this is *NOT* fixed in the 2.5 release. At least not the copy I
 have.  And I believe someone else has contested to this fact as well.

So why didn't you tell people instead of negligently leaving them exposed?

 This is the old full-disclosure debate.  I don't think we should be getting
 into this here.

Otherwise known as the majority of people who are less technically clued up.
Vendors need to improve their methods.

Alan


 --Scott
 chasin () crimelab com
