Bugtraq mailing list archives

CERT Advisory CA-96.16 - Vulnerability in Solaris admintool

From: cert-advisory () cert org (CERT Advisory)
Date: Mon, 5 Aug 1996 12:43:45 -0500


-----BEGIN PGP SIGNED MESSAGE-----

=============================================================================
CERT(sm) Advisory CA-96.16
August 5, 1996

Topic: Vulnerability in Solaris admintool

- -----------------------------------------------------------------------------
The text of this advisory was originally released on July 30, 1996, as AUSCERT
Advisory AL-96.03, developed by the Australian Computer Emergency Response
Team. Because of the seriousness of the problem, we are reprinting the AUSCERT
advisory here with their permission. Only the contact information at the end
has changed: AUSCERT contact information has been replaced with CERT/CC
contact information.

As usual, we will place updated information in a README file
(ftp://info.cert.org/pub/cert_advisories/CA-96.16.README).

=============================================================================
AL-96.03                    AUSCERT Alert
                  Vulnerability in Solaris 2.x admintool
                             30 July 1996
- -----------------------------------------------------------------------------

AUSCERT has received a report of a vulnerability in the Sun Microsystems
Solaris 2.x distribution involving the program admintool.  This program is
used to provide a graphical user interface to numerous system administration
tasks.

This vulnerability may allow a local user to gain root privileges.

Exploit details involving this vulnerability have been made publicly
available.

At this stage, AUSCERT is not aware of any official patches.  AUSCERT
recommends that sites take the actions suggested in Section 3 until official
patches are available.

- -----------------------------------------------------------------------------

1.  Description

    admintool is a graphical user interface that enables an administrator to
    perform several system administration tasks on a system.  These tasks
    include the ability to manage users, groups, hosts and other services.

    To help prevent different users updating system files simultaneously,
    admintool uses temporary files as a locking mechanism.  The handling of
    these temporary files is not performed in a secure manner, and hence it
    may be possible to manipulate admintool into creating or writing to
    arbitrary files on the system.  These files are accessed with the
    effective uid of the process executing admintool.

    In Solaris 2.5, admintool is set-user-id root by default.  That is, all
    file accesses are performed with the effective uid of root.  An effect
    of this is that the vulnerability will allow access to any file on the
    system.  If the vulnerability is exploited to try and create a file that
    already exists, the contents of that file will be deleted.  If the file
    does not exist, it will be created with root ownership and be world
    writable.

    In earlier versions of Solaris 2.x, admintool is not set-user-id root
    by default.  In this case, admintool runs only with the privileges of
    the user executing it.  However, local users may wait for a specific user
    to execute admintool, exploiting the vulnerability to create or write
    files with that specific users' privileges.  Again, files created in this
    manner will be world writable.

2.  Impact

    A local user may be able to create or write to arbitrary files on the
    system.  This can be leveraged to gain root privileges.

3.  Workarounds/Solution

    Currently, AUSCERT is not aware of any official patches which address
    this vulnerability.  When official patches are made available, AUSCERT
    suggests that they be installed.

    Until official patches are available sites are encouraged to
    completely prevent execution of admintool by any user (including root).

        # chmod 400 /usr/bin/admintool
        # ls -l /usr/bin/admintool
        -r--------   1 root  sys  303516 Oct 27  1995 /usr/bin/admintool

    Note that if only the setuid permissions are removed, it is still possible
    for users to gain privileges when admintool is executed as root.

    AUSCERT recommends that, where possible, admintool should not be used at
    all until official patches are available.  In the interim, system
    administrators should perform administration tasks by using the command
    line equivalents.  More details on performing these tasks may be found
    in the Sun documentation set.

- -----------------------------------------------------------------------------
AUSCERT wishes to thank Brian Meilak (QUT), Marek Krawus (UQ), Leif
Hedstrom, Kim Holburn and Michael James for their assistance in this matter.
- -----------------------------------------------------------------------------

If you believe that your system has been compromised, contact the CERT
Coordination Center or your representative in the Forum of Incident
Response and Security Teams (FIRST).

We strongly urge you to encrypt any sensitive information you send by email.
The CERT Coordination Center can support a shared DES key and PGP. Contact
the CERT staff for more information.

Location of CERT PGP key
         ftp://info.cert.org/pub/CERT_PGP.key

CERT Contact Information
- ------------------------
Email    cert () cert org

Phone    +1 412-268-7090 (24-hour hotline)
                CERT personnel answer 8:30-5:00 p.m. EST
                (GMT-5)/EDT(GMT-4), and are on call for
                emergencies during other hours.

Fax      +1 412-268-6989

Postal address
        CERT Coordination Center
        Software Engineering Institute
        Carnegie Mellon University
        Pittsburgh PA 15213-3890
        USA

CERT publications, information about FIRST representatives, and other
security-related information are available for anonymous FTP from
        http://www.cert.org/
        ftp://info.cert.org/pub/

CERT advisories and bulletins are also posted on the USENET newsgroup
        comp.security.announce

To be added to our mailing list for CERT advisories and bulletins, send your
email address to
        cert-advisory-request () cert org



CERT is a service mark of Carnegie Mellon University.

This file:
        ftp://info.cert.org/pub/cert_advisories/CA-96.16.Solaris_admintool_vul
        http://www.cert.org
               click on "CERT Advisories"



-----BEGIN PGP SIGNATURE-----
Version: 2.6.2

iQCVAwUBMgXy2XVP+x0t4w7BAQELhwP/csOzfrgZZyG5RlQUTamD2bXQ6EUac4Hb
xTXDplTaRIM67PZ4H4wf/xCbaHT/VD9m3TfFolthAGwNQdg0sTQA2VNYWHfQf7gP
WXSh+wDY4FmkcW6VLPIT9zLjerwnsD0utbmIt8y4IVDKn8n/yo1L/J5ivz8ChfT1
e3Rim9kiSWY=
=hsYK
-----END PGP SIGNATURE-----

Current thread:

Exploiting Zolaris 2.4 ?? :) Aleph One (Aug 03)
- Re: Exploiting Zolaris 2.4 ?? :) Casper Dik (Aug 04)
  - Re: Exploiting Zolaris 2.4 ?? :) David DeSimone (Aug 04)
  - Re: Exploiting Zolaris 2.4 ?? :) Grant Kaufmann (Aug 05)
    - Re: Exploiting Zolaris 2.4 ?? :) Casper Dik (Aug 06)
  - problems in /usr/Cadmin/bin for IRIX 5.3 Grant Kaufmann (Aug 05)
  - CERT Advisory CA-96.16 - Vulnerability in Solaris admintool CERT Advisory (Aug 05)
- Re: group-setuid core hole Justin Mason (Aug 06)
- problems in /usr/Cadmin/bin for IRIX 5.3: EXPLOIT Grant Kaufmann (Aug 06)
- CERT Advisory CA-96.17 - Vulnerability in Solaris vold CERT Advisory (Aug 06)