Date: Thu, 28 Mar 2024 18:25:29 -0400 (EDT) Message-ID: <239240653.515.1711664729299@windcrest.sei.cmu.edu> Subject: Exported From Confluence MIME-Version: 1.0 Content-Type: multipart/related; boundary="----=_Part_514_1751257320.1711664729297" ------=_Part_514_1751257320.1711664729297 Content-Type: text/html; charset=UTF-8 Content-Transfer-Encoding: quoted-printable Content-Location: file:///C:/exported.html
A complete revision history is at the end of this file.
The CERT Coordination Center has received reports of problems with the <= i>loadmodule(8) program. An exploitation script is available and has be= en used by local users to gain root privileges.
The problem is present in SunOS 4.1.X only, and there is a patch availab= le for sun4 architectures.
The CERT staff recommends that you install the appropriate patch as soon= as possible and take the steps in Section III.B. to further protect your s= ystem.
We will update this advisory as we receive additional information. Pleas= e check advisory files regularly for updates that relate to your site.
The loadmodule(8) program is used by the xnews(1) window s= ystem server to load two dynamically loadable kernel drivers into the curre= ntly running system and to create special devices in the /dev directory to = use those modules. These modules and special files are used to provide a Su= nView binary compatibility mode while running the X11/NeWS windowing system= . Because of the way the loadmodule(8) program sanitizes its environ= ment, unauthorized users can gain root access on the local machine. A scrip= t is publicly available and has been used to exploit this vulnerability.
This problem is present in SunOS 4.1.X only.
Local users can gain root privileges.
The CERT staff recommends that you take the steps described in both A an= d B below.
Patches are available through your local Sun Answer Center and by FTP fr= om
ftp://su= nsolve1.sun.com/pub/patches/100448-03.tar.Z
Module Patch ID Filename ---------- --------- --------------- loadmodule 100448-03 100448-03.tar.Z Checksum: MD5 (100448-03.tar.Z) =3D 183a22f0a2f6020f1389b6aeea5ca6c6
The intent of these directions is make the loadmodule(8) program = work only for the super-user (currently it works for all users because it i= s set-user-id) and to execute it each time the system boots. By following t= hese directions, users who require SunView binary compatibility will have i= t available to them.
# /bin/chmod= u-s /usr/openwin/bin/loadmodule
------------------------cut here--8<-----------------= ------- ARCH=3D`/bin/arch -k` OBJ=3D/sys/${ARCH}/OBJ LM=3D/usr/openwin/bin/loadmodule /bin/chmod u-s $LM if [ -f $OBJ/evqmod-${ARCH}.o ]; then if /usr/etc/modstat | /bin/egrep -s evqmod ; then echo evq: already loaded elif $LM evqmod-${ARCH}.o evqload; then echo evq: loaded else echo evq: unable to load module fi fi if [ -f $OBJ/winlock-${ARCH}.o ]; then if /usr/etc/modstat | /bin/egrep -s winlock ; then echo winlock: already loaded elif $LM winlock-${ARCH}.o winlockload; then echo winlock: loaded else echo winlock: unable to load module fi fi ------------------------cut here--8<------------------------As a suggestion, store this script in /tmp/esbc and then execute it = as root with:
# sh /tmp/esbc
Copyright 1995, 1996 Carnegie Mellon University.
Sep. 23, 1997 Updated copyright statement Aug. 30, 1996 References to README files were removed because updates are added to the advisories themselves.