-----BEGIN PGP SIGNED MESSAGE-----

=============================================================================
CERT(sm) Advisory CA-95:12
Original issue date: October 18, 1995
Last revised: August 30, 1996
              References to README files were removed.

              A complete revision history is at the end of this file.         

Topic: Sun 4.1.X Loadmodule Vulnerability 
- -----------------------------------------------------------------------------

The CERT Coordination Center has received reports of problems with the
loadmodule(8) program. An exploitation script is available and has been used
by local users to gain root privileges.

The problem is present in SunOS 4.1.X only, and there is a patch available for
sun4 architectures.

The CERT staff recommends that you install the appropriate patch as soon as
possible and take the steps in Section III.B. to further protect your system.

We will update this advisory as we receive additional information.
Please check advisory files regularly for updates that relate to your site.

- -----------------------------------------------------------------------------

I.   Description

     The loadmodule(8) program is used by the xnews(1) window system server to
     load two dynamically loadable kernel drivers into the currently running
     system and to create special devices in the /dev directory to use those
     modules. These modules and special files are used to provide a SunView
     binary compatibility mode while running the X11/NeWS windowing system.
     Because of the way the loadmodule(8) program sanitizes its environment,
     unauthorized users can gain root access on the local machine. A script is
     publicly available and has been used to exploit this vulnerability.

     This problem is present in SunOS 4.1.X only.

II.  Impact

     Local users can gain root privileges.

III. Solution

     The CERT staff recommends that you take the steps described in both A and
     B below. 

     A. Obtain and install the appropriate patches according to the
        instructions included with the patches. Patches are available through
        your local Sun Answer Center and by FTP from

             ftp://sunsolve1.sun.com/pub/patches/100448-03.tar.Z 

        Module           Patch ID        Filename
        ----------       ---------       ---------------
        loadmodule       100448-03       100448-03.tar.Z

        Checksum:
            MD5 (100448-03.tar.Z) = 183a22f0a2f6020f1389b6aeea5ca6c6

     B. Because, in general, a set-user-id program can lead to security
        exposures, you should also do at least step 1 below. We recommend
        doing steps 2 and 3 as well.

        The intent of these directions is make the loadmodule(8) program
        work only for the super-user (currently it works for all users because
        it is set-user-id) and to execute it each time the system boots. By
        following these directions, users who require SunView binary
        compatibility will have it available to them.  

        1. If you do not need SunView binary compatibility, then as root,
           turn off setuid root on the loadmodule(8) program with

                # /bin/chmod u-s /usr/openwin/bin/loadmodule

        2. If your users need SunView binary compatibility, you can
           enable it immediately--that is without having to reboot
           your system--with the following script.

        ------------------------cut here--8<------------------------
        ARCH=`/bin/arch -k`
        OBJ=/sys/${ARCH}/OBJ
        LM=/usr/openwin/bin/loadmodule
        /bin/chmod u-s $LM
        if [ -f $OBJ/evqmod-${ARCH}.o ]; then
          if /usr/etc/modstat | /bin/egrep -s evqmod ; then
            echo evq: already loaded
          elif $LM evqmod-${ARCH}.o evqload; then
            echo evq: loaded
          else
            echo evq: unable to load module
          fi
        fi
        if [ -f $OBJ/winlock-${ARCH}.o ]; then
          if /usr/etc/modstat | /bin/egrep -s winlock ; then
            echo winlock: already loaded
          elif $LM winlock-${ARCH}.o winlockload; then
            echo winlock: loaded
          else
            echo winlock: unable to load module
          fi
        fi
        ------------------------cut here--8<------------------------

        As a suggestion, store this script in /tmp/esbc and then
        execute it as root with:

                # sh /tmp/esbc

     3. If you've done step 2 above, the module loadings will disappear
        the next time you reboot your system. To make them permanent--
        that is to make these module loadings occur each time your system
        is rebooted--add the script to the end of your /etc/rc.local file.
        
- ---------------------------------------------------------------------------
The CERT Coordination Center staff thanks Wolfgang Ley and Sun Microsystems
for their support in the development of this advisory.
- ---------------------------------------------------------------------------

If you believe that your system has been compromised, contact the CERT
Coordination Center or your representative in the Forum of Incident
Response and Security Teams (FIRST).

If you wish to send sensitive incident or vulnerability information to
CERT staff by electronic mail, we strongly advise that the email be
encrypted.  The CERT Coordination Center can support a shared DES key, PGP
(public key available via anonymous FTP on info.cert.org), or PEM (contact
CERT staff for details).

Internet email: cert@cert.org
Telephone: +1 412-268-7090 (24-hour hotline)
           CERT personnel answer 8:30 a.m.-5:00 p.m. EST(GMT-5)/EDT(GMT-4),
           and are on call for emergencies during other hours.
Fax: +1 412-268-6989

Postal address:  CERT Coordination Center
                 Software Engineering Institute
                 Carnegie Mellon University
                 Pittsburgh, PA 15213-3890
                 USA

CERT advisories and bulletins are posted on the USENET newsgroup
comp.security.announce. If you would like to have future advisories and
bulletins mailed to you or to a mail exploder at your site, please send mail
to cert-advisory-request@cert.org.

Past CERT publications, information about FIRST representatives, and
other information related to computer security are available for anonymous
FTP from info.cert.org. 


Copyright 1995, 1996 Carnegie Mellon University
This material may be reproduced and distributed without permission provided it
is used for non-commercial purposes and the copyright statement is included.

CERT is a service mark of Carnegie Mellon University.

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
Revision history

Aug. 30, 1996  References to README files were removed because updates are
               added to the advisories themselves.




-----BEGIN PGP SIGNATURE-----
Version: 2.6.2

iQCVAwUBMiS6Y3VP+x0t4w7BAQG08AQAxkv/NSVeGn/jkvGs7gZNTPFE6bdpqXhM
NN9dsYqRVnhRk7tsxnzSAx842zdJDlDTE5cRn/qYLR/rcVfr07vKqVNCq62CgvFH
ViqKbuam0EBPBxu4moWXfFuZcbVhWwNlaQg5Y4mxx2OYPpj5Pvq66yp3lyaP1scU
6oco/Kivg98=
=VwuA
-----END PGP SIGNATURE-----