Original issue date: October 18, 1995<BR>
Last revised: September 23, 1997<BR>
Attached copyright statement

<P>A complete revision history is at the end of this file.

<P>The CERT Coordination Center has received reports of problems with the
<I>loadmodule(8)</I> program. An exploitation script is available and has been used
by local users to gain root privileges.

<P>The problem is present in SunOS 4.1.X only, and there is a patch available for
sun4 architectures.

<P>The CERT staff recommends that you install the appropriate patch as soon as
possible and take the steps in Section III.B. to further protect your system.

<P>We will update this advisory as we receive additional information.
Please check advisory files regularly for updates that relate to your site.

<P><HR>

<P>
<H2>I. Description</H2>

<P>The <I>loadmodule(8)</I> program is used by the <I>xnews(1)</I> window system server to
load two dynamically loadable kernel drivers into the currently running
system and to create special devices in the /dev directory to use those
modules. These modules and special files are used to provide a SunView
binary compatibility mode while running the X11/NeWS windowing system.
Because of the way the <I>loadmodule(8)</I> program sanitizes its environment,
unauthorized users can gain root access on the local machine. A script is
publicly available and has been used to exploit this vulnerability.

<P>This problem is present in SunOS 4.1.X only.

<P>
<H2>II. Impact</H2>

<P>Local users can gain root privileges.

<P>
<H2>III. Solution</H2>

<P>The CERT staff recommends that you take the steps described in both A and
B below.

<P>
<H3>A. Obtain and install the appropriate patches according to the instructions included with the patches.</H3>

<P>Patches are available through your local Sun Answer Center and by FTP from

<P>
<A HREF="ftp://sunsolve1.sun.com/pub/patches/100448-03.tar.Z">ftp://sunsolve1.sun.com/pub/patches/100448-03.tar.Z</A>
<PRE>
      Module           Patch ID        Filename
      ----------       ---------       ---------------
      loadmodule       100448-03       100448-03.tar.Z

      Checksum:
      MD5 (100448-03.tar.Z) = 183a22f0a2f6020f1389b6aeea5ca6c6
</PRE>

<P>
<H3>B. Because, in general, a set-user-id program can lead to security exposures, you should also do at least step 1 below. We recommend doing steps 2 and 3 as well.</H3>

<P>The intent of these directions is to make the <I>loadmodule(8)</I> program
work only for the super-user (currently it works for all users because
it is set-user-id) and to execute it each time the system boots. By
following these directions, users who require SunView binary
compatibility will still have it available to them.

<P>
<OL>
<LI>If you do not need SunView binary compatibility, then as root,
turn off setuid root on the <I>loadmodule(8)</I> program with
<PRE>
    # /bin/chmod u-s /usr/openwin/bin/loadmodule
</PRE>
<LI>If your users need SunView binary compatibility, you can
enable it immediately--that is, without having to reboot
your system--with the following script.

<P>
<PRE>
------------------------cut here--8<------------------------
# Remove the set-user-id bit so only root can run loadmodule, then load
# the two SunView compatibility modules (evqmod, winlock) as root now,
# without a reboot. Modules already reported by modstat are skipped.
ARCH=`/bin/arch -k`
OBJ=/sys/${ARCH}/OBJ
LM=/usr/openwin/bin/loadmodule
/bin/chmod u-s $LM
if [ -f $OBJ/evqmod-${ARCH}.o ]; then
  if /usr/etc/modstat | /bin/egrep -s evqmod ; then
    echo evq: already loaded
  elif $LM evqmod-${ARCH}.o evqload; then
    echo evq: loaded
  else
    echo evq: unable to load module
  fi
fi
if [ -f $OBJ/winlock-${ARCH}.o ]; then
  if /usr/etc/modstat | /bin/egrep -s winlock ; then
    echo winlock: already loaded
  elif $LM winlock-${ARCH}.o winlockload; then
    echo winlock: loaded
  else
    echo winlock: unable to load module
  fi
fi
------------------------cut here--8<------------------------
</PRE>
As a suggestion, store this script in /tmp/esbc and then
execute it as root with:
<PRE>
   # sh /tmp/esbc
</PRE>
<LI>If you've done step 2 above, the module loadings will disappear
the next time you reboot your system. To make them permanent--
that is, to make these module loadings occur each time your system
is rebooted--add the script to the end of your /etc/rc.local file.

<P>
</OL>
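<P>The following audit script is an added example and is not part of the CERT advisory or Sun's patch. It checks whether the <I>loadmodule(8)</I> binary still carries the set-user-id bit that step 1 removes, and strips and re-verifies it on request. It assumes a POSIX sh with <TT>ls</TT> and <TT>awk</TT> (not the SunOS 4 /bin/sh); the path defaults to the one given above but can be overridden, e.g. for testing on a copy.

```shell
#!/bin/sh
# Added example (not from the advisory): audit and, if asked, remediate
# the set-user-id bit on loadmodule, mirroring step III.B.1 above.
# Assumption: POSIX sh; path defaults to the advisory's location.

LM_DEFAULT=/usr/openwin/bin/loadmodule

# Print the permission string as ls -l shows it, for the report line.
lm_mode() {
    ls -ld "$1" 2>/dev/null | awk '{print $1}'
}

# Return 0 when the file exists and has the set-user-id bit, else 1.
lm_is_setuid() {
    [ -f "$1" ] && [ -u "$1" ]
}

# Audit one path. Prints "ok: ...", "setuid: ..." or "missing" and
# returns 0, 1 or 2 respectively so callers can branch on the result.
lm_audit() {
    lm="${1:-$LM_DEFAULT}"
    if [ ! -f "$lm" ]; then
        echo "missing"
        return 2
    fi
    if lm_is_setuid "$lm"; then
        echo "setuid: $(lm_mode "$lm") $lm"
        return 1
    fi
    echo "ok: $(lm_mode "$lm") $lm"
    return 0
}

# Remediate as in step 1 (chmod u-s) and confirm the bit is really gone;
# returns 1 if chmod failed or the bit is still present.
lm_strip_setuid() {
    lm="${1:-$LM_DEFAULT}"
    chmod u-s "$lm" || return 1
    if lm_is_setuid "$lm"; then
        echo "still setuid: $lm" >&2
        return 1
    fi
    return 0
}
```

Run <TT>lm_audit</TT> as a periodic check after patching; a non-zero return means the program is again runnable by all users and step 1 should be repeated.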
<HR>
The CERT Coordination Center staff thanks Wolfgang Ley and Sun Microsystems
for their support in the development of this advisory.

<P>Copyright 1995, 1996 Carnegie Mellon University.</P>

<HR>

Revision History
<PRE>
Sep. 23, 1997  Updated copyright statement
Aug. 30, 1996  References to README files were removed because updates are
               added to the advisories themselves.
</PRE>