FOLLOWUP: Solaris 2.6 ufsdump/ufsrestore vulnerabilities

[eugene.bradley () erols com (Eugene Bradley)]

-----BEGIN PGP SIGNED MESSAGE-----

[Note: To prevent unnecessary and unprofessional flames,
I will not mention the names of the employees at Sun that
I have dealt with in the course of this matter.]

Today, a Sun engineer emailed me new test binaries of
patched versions of ufsdump and ufsrestore for Solaris
2.6 SPARC that fix a buffer overflow vulnerability that
can be exploited to obtain root access.

Note that I received test binaries of the above-mentioned
software last month.  Upon testing those (the week of May
15 of this year), I found that both binaries still
produced a SIGSEGV in the tape device arguement when it
exceeds a certain fixed length, and were still
exploitable.  I reported this to Sun after my initial
findings May 18.

I had a very interesting time in dealing with Sun
concerning this particular vulnerability.  In early May,
I was informed by one Sun programmer that this
vulnerability will be fixed in the next release of
Solaris (2.7 -- due out this fall) and that all engineers
"...were working to get [Solaris] 2.7 out the door."  He
also informed me that part of the reason for the delay
was because I had a valid workaround, which was what I
posted to BUGTRAQ back on April 23:

quackers# chmod ug-s /usr/lib/fs/ufs/ufsdump
quackers# chmod u-s /usr/lib/fs/ufs/ufsrestore

Needless to say, after my boss and I complained loudly to
our Sun representative as well as security-alert () sun com
concerning the ufsdump & ufsrestore buffer overflow
security vulnerability, things managed to start rolling
again towards a *fully-working* patch.

I'm already aware of the fact that Sun released a similiar
ufsdump/ufsrestore patch for Solaris 2.5.1 (now at patch
104490-05 according to sunsolve.sun.com) that didn't fix
the vulnerability.  I'll be testing the patched binaries
on a Sun workstation at work over the weekend.  Let me
know if you want me to look for anything in particular
besides the obvious SIGSEGV error(s).  The last thing I
need is a repeat of the failed ufsdump/ufsrestore patch
for Solaris 2.6.

Attached is a note I got from a Sun engineer today that
explains most everything.  This will include two bug
numbers, of which only one of them is valid in the Sun
bug database at sunsolve.sun.com.  Note that I've
modified the headers in the attachment to prevent
unnecessary and unprofessional flames.

Last note:  thanks to Sean McGann for discovering the
original Solaris 2.6 ufsdump/ufsrestore vulnerability in
on the x86 platform.

-----BEGIN PGP SIGNATURE-----
Version: 2.6.3ia
Charset: cp850

iQCVAgUBNYhlP+NY3xV+5qZBAQGhHAP/XKGaVX9wztacfwn7Ca5S6Jno3gGyGNg9
DQC/Vpyvs9z5QV5B7Lq9ECUxuiU2ITzJD7tsTdIKLwzpy2kViuFAwmZq9ujfrgv6
Jioo7VT0Gf3qxhul1MOla6v5OAwhowQoMB4K7zmXU1Uq/wYw5tmGbYKGXGYpcQg0
i0dSO0QvGao=
=MePB
-----END PGP SIGNATURE-----
--
Eugene Bradley -- Just Another Random Solaris administrator
eugene.bradley () erols com (Personal ONLY!) -- PGP key ID Ox7EE6A641
PGP key available by sending me mail with "GET KEY" in the Subject: line
homepage is @ http://www.geocities.com/SiliconValley/Haven/9323/