-----BEGIN PGP SIGNED MESSAGE----- ============================================================================= CERT(sm) Advisory CA-96.16 Original issue date: August 5, 1996 Last revised: August 30, 1996 Removed references to the advisory README file. A complete revision history is at the end of this file. Topic: Vulnerability in Solaris admintool - ----------------------------------------------------------------------------- The text of this advisory was originally released on July 30, 1996, as AUSCERT Advisory AL-96.03, developed by the Australian Computer Emergency Response Team. Because of the seriousness of the problem, we are reprinting the AUSCERT advisory here with their permission. Only the contact information at the end has changed: AUSCERT contact information has been replaced with CERT/CC contact information. We will update this advisory as we receive additional information. Please check advisory files regularly for updates that relate to your site. ============================================================================= AUSCERT has received a report of a vulnerability in the Sun Microsystems Solaris 2.x distribution involving the program admintool. This program is used to provide a graphical user interface to numerous system administration tasks. This vulnerability may allow a local user to gain root privileges. Exploit details involving this vulnerability have been made publicly available. At this stage, AUSCERT is not aware of any official patches. AUSCERT recommends that sites take the actions suggested in Section 3 until official patches are available. - ----------------------------------------------------------------------------- 1. Description admintool is a graphical user interface that enables an administrator to perform several system administration tasks on a system. These tasks include the ability to manage users, groups, hosts and other services. To help prevent different users updating system files simultaneously, admintool uses temporary files as a locking mechanism. The handling of these temporary files is not performed in a secure manner, and hence it may be possible to manipulate admintool into creating or writing to arbitrary files on the system. These files are accessed with the effective uid of the process executing admintool. In Solaris 2.5, admintool is set-user-id root by default. That is, all file accesses are performed with the effective uid of root. An effect of this is that the vulnerability will allow access to any file on the system. If the vulnerability is exploited to try and create a file that already exists, the contents of that file will be deleted. If the file does not exist, it will be created with root ownership and be world writable. In earlier versions of Solaris 2.x, admintool is not set-user-id root by default. In this case, admintool runs only with the privileges of the user executing it. However, local users may wait for a specific user to execute admintool, exploiting the vulnerability to create or write files with that specific users' privileges. Again, files created in this manner will be world writable. 2. Impact A local user may be able to create or write to arbitrary files on the system. This can be leveraged to gain root privileges. 3. Workarounds/Solution Currently, AUSCERT is not aware of any official patches which address this vulnerability. When official patches are made available, AUSCERT suggests that they be installed. Until official patches are available sites are encouraged to completely prevent execution of admintool by any user (including root). # chmod 400 /usr/bin/admintool # ls -l /usr/bin/admintool -r-------- 1 root sys 303516 Oct 27 1995 /usr/bin/admintool Note that if only the setuid permissions are removed, it is still possible for users to gain privileges when admintool is executed as root. AUSCERT recommends that, where possible, admintool should not be used at all until official patches are available. In the interim, system administrators should perform administration tasks by using the command line equivalents. More details on performing these tasks may be found in the Sun documentation set. - ----------------------------------------------------------------------------- AUSCERT wishes to thank Brian Meilak (QUT), Marek Krawus (UQ), Leif Hedstrom, Kim Holburn and Michael James for their assistance in this matter. - ----------------------------------------------------------------------------- If you believe that your system has been compromised, contact the CERT Coordination Center or your representative in the Forum of Incident Response and Security Teams (FIRST). We strongly urge you to encrypt any sensitive information you send by email. The CERT Coordination Center can support a shared DES key and PGP. Contact the CERT staff for more information. Location of CERT PGP key ftp://info.cert.org/pub/CERT_PGP.key CERT Contact Information - ------------------------ Email cert@cert.org Phone +1 412-268-7090 (24-hour hotline) CERT personnel answer 8:30-5:00 p.m. EST (GMT-5)/EDT(GMT-4), and are on call for emergencies during other hours. Fax +1 412-268-6989 Postal address CERT Coordination Center Software Engineering Institute Carnegie Mellon University Pittsburgh PA 15213-3890 USA CERT publications, information about FIRST representatives, and other security-related information are available for anonymous FTP from http://www.cert.org/ ftp://info.cert.org/pub/ CERT advisories and bulletins are also posted on the USENET newsgroup comp.security.announce To be added to our mailing list for CERT advisories and bulletins, send your email address to cert-advisory-request@cert.org CERT is a service mark of Carnegie Mellon University. This file: ftp://info.cert.org/pub/cert_advisories/CA-96.16.Solaris_admintool_vul http://www.cert.org click on "CERT Advisories" ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ Revision history Aug. 30, 1996 Removed references to CA-96.16.README. Beginning of the advisory - removed AUSCERT advisory header to avoid confusion. -----BEGIN PGP SIGNATURE----- Version: 2.6.2 iQCVAwUBMiTD0nVP+x0t4w7BAQGY4wQA2imvW2Q4ZY/eG9bbxLPXCv1gZTvgxb9G s1Ib/wPzc0+OmJPi1OHPmwVKkW20soAKaTZ1UKv3SJmlXoQ6aYg2FZFLOXNli8Hc N3ylOInJ+oF4pYkME3AxUq03kXt/iwY+7Q7yPB/lYUTmx9Hm8+WygmXuDgwV8vuT kt0PMOE1/Fs= =Tgmc -----END PGP SIGNATURE-----