Bugtraq mailing list archives

Re: exploit for locale format string bug (Solaris 2.x)


From: Drazen Kacar <dave () SRCE HR>
Date: Mon, 11 Sep 2000 08:20:25 +0200

Dan Harkless wrote:
> Ejovi Nuwere <ejovi () EJOVI NET> writes:
>
> >  * Script kiddies: you should modify this code
> >  * slightly by yourself. :)
>
> Has anyone with a Sun support contract heard if a patch for this is
> forthcoming??  As soon as a working version of this exploit is posted,
> all administrators of Solaris systems that allow local user logins are going
> to be in a world of hurt.

Actually, Solaris administrators were in a world of hurt before this was
released. It has been known for quite some time that the problem with NLSPATH
exists on some architectures. This is the first Solaris exploit of that kind
that I've seen, but I expected some Solaris utilities to be vulnerable,
although I didn't test it. The exploit release makes more people aware of
the problem, at least.

So... Remove suid/sgid mode from all programs. Copy them to something with
a .orig extension, for example. Make a wrapper which removes NLSPATH from
the environment and executes the corresponding .orig program. Take care
while coding, because you don't want the setuid wrapper to be exploitable
with symlink races. Put your wrapper in place of all suid/sgid programs,
with those bits turned on.

You should be safe then. Take care when patching, because the patches
will overwrite the wrapper.

If this looks too drastic, remove suid bit from eject, at least. Users
on servers usually don't need that utility.

--
 .-.   .-.    I don't work for my employer.
(_  \ /  _)
     |        dave () srce hr
     |        dave () fly srk fer hr
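The wrapper described in the post above, written out as an added example (this is not code from the original post, from Sun, or from the exploit author). It strips NLSPATH from the environment and execs the renamed original at a fixed absolute path; the path /usr/bin/eject.orig, the WRAPPED_PROGRAM macro and the build/install commands in the header comment are assumptions to adjust for each binary you wrap.

```c
/* nlspath-wrapper.c: setuid wrapper that drops NLSPATH and execs the
 * renamed original. Added example; assumed layout, one build per binary:
 *   cc -DWRAPPED_PROGRAM='"/usr/bin/eject.orig"' -o eject nlspath-wrapper.c
 *   chown root eject; chmod 4711 eject; chmod 0711 /usr/bin/eject.orig   */
#define _POSIX_C_SOURCE 200809L
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <unistd.h>

#ifndef WRAPPED_PROGRAM
#define WRAPPED_PROGRAM "/usr/bin/eject.orig"   /* assumption: where the original was moved */
#endif

extern char **environ;

/* Names that are never forwarded to the wrapped program. NLSPATH is the
 * variable the thread is about; keeping the list to that one entry means
 * the wrapper changes nothing else about the program's environment. */
static const char *const blocked_names[] = { "NLSPATH", NULL };

/* Return 1 if the "NAME=value" entry has a blocked NAME (exact match, so
 * an unrelated NLSPATHX= would pass) or has no '=' at all; 0 otherwise. */
int is_blocked(const char *entry)
{
    const char *eq = strchr(entry, '=');
    if (eq == NULL)
        return 1;                       /* malformed entry: do not forward */
    size_t namelen = (size_t)(eq - entry);
    for (const char *const *b = blocked_names; *b != NULL; b++) {
        if (strlen(*b) == namelen && memcmp(*b, entry, namelen) == 0)
            return 1;
    }
    return 0;
}

/* Copy the pointers of in[] that are not blocked into out[], which has room
 * for cap entries including the terminating NULL. Returns the number kept. */
size_t filter_env(char *const *in, char **out, size_t cap)
{
    size_t n = 0;
    if (cap == 0)
        return 0;
    for (; *in != NULL && n + 1 < cap; in++) {
        if (!is_blocked(*in))
            out[n++] = *in;
    }
    out[n] = NULL;
    return n;
}

int main(int argc, char **argv)
{
    (void)argc;
    size_t total = 0;
    for (char **e = environ; *e != NULL; e++)
        total++;
    char **clean = calloc(total + 1, sizeof *clean);
    if (clean == NULL) {
        perror("calloc");
        return 1;
    }
    filter_env(environ, clean, total + 1);

    /* Absolute path, no PATH lookup, no file created or followed by the
     * wrapper before the exec: nothing here for a symlink race to target.
     * argv is passed through unchanged so the original sees its own args. */
    execve(WRAPPED_PROGRAM, argv, clean);
    perror(WRAPPED_PROGRAM);            /* only reached if the exec failed */
    return 127;
}
```

The name match is exact and case-sensitive, so only NLSPATH itself is removed; entries without an '=' are dropped as a precaution. As the post warns, a vendor patch that reinstalls the original binary will overwrite the wrapper, so the install step has to be redone after patching.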

