Bugtraq mailing list archives

Re: Solaris 2.5.1 patch not effective?

From: sfs () TC UMN EDU (Steve Siirila)
Date: Thu, 11 Jun 1998 16:28:09 -0500


I can confirm that the patch 104490-05 is indeed ineffective against at least
one root compromise bug.  We experienced such a compromise recently even with
the latest security patches (including 104490-05) installed.

We decided to simply make ufsdump/ufsrestore non-setuid, non-setgid as they
are never run by non-root users at our site anyways.

Tom Perrine wrote:


I have two reports from other UC campuses that exploits of the Solaris
ufsrestore bug are being used against *sparc* hosts.

At least one of the sites reports that patch 104490-05 (Solaris 2.5.1,
sparc arch) was applied on a system that was compromised (presumably
via this method).

Consider this an *inconclusive* warning that the Sun ufsrestore patch
*may* not be effective.  I have a call into Sun on this one.  If we
can get the binary of the exploit, it might be interesting.

[The reporting sites are BCC'ed on this note.  If they want to go
public, its up to them.]

--tep

--
Tom E. Perrine (tep () SDSC EDU) | San Diego Supercomputer Center
http://www.sdsc.edu/~tep/     | Voice: +1.619.534.5000
Been there, done that, erased the evidence, blackmailed the witnesses...



--

Steven F. Siirila
Enterprise Internet Services                    Office: Lind Hall, Room 130B
Academic and Distributed Computing Services     E-mail: sfs () umn edu
Office of Information Technology                Voice: (612) 626-0244
University of Minnesota                         Fax: (612) 626-7593

Current thread:

Solaris 2.5.1 patch not effective? Tom Perrine (Jun 09)
- Re: Solaris 2.5.1 patch not effective? Steve Siirila (Jun 11)
  - CERT Summary CS-98.06 Phillip R. Jaenke (Jun 11)
  - Re: Solaris 2.5.1 patch not effective? Richard Peters (Jun 11)
- <Possible follow-ups>
- Solaris 2.5.1 patch not effective? Pete Ashdown (Jun 19)