Original issue date: October 18, 1995<BR>
Last revised: September 23, 1997<BR>
Attached copyright statement

<P>A complete revision history is at the end of this file.

<P>The CERT Coordination Center has received reports of problems with the <I>loadmodule(8)</I> program. An exploitation script is available and has been used by local users to gain root privileges.

<P>The problem is present in SunOS 4.1.X only, and there is a patch available for sun4 architectures.

<P>The CERT staff recommends that you install the appropriate patch as soon as possible and take the steps in Section III.B. to further protect your system.

<P>We will update this advisory as we receive additional information. Please check advisory files regularly for updates that relate to your site.

<P><HR>

<H2>I. Description</H2>

<P>The <I>loadmodule(8)</I> program is used by the <I>xnews(1)</I> window system server to load two dynamically loadable kernel drivers into the currently running system and to create special devices in the /dev directory to use those modules. These modules and special files are used to provide a SunView binary compatibility mode while running the X11/NeWS windowing system. Because of the way the <I>loadmodule(8)</I> program sanitizes its environment, unauthorized users can gain root access on the local machine. A script is publicly available and has been used to exploit this vulnerability.

<P>This problem is present in SunOS 4.1.X only.

<H2>II. Impact</H2>

<P>Local users can gain root privileges.

<H2>III. Solution</H2>

<P>The CERT staff recommends that you take the steps described in both A and B below.

<H3>A. Obtain and install the appropriate patches according to the instructions included with the patches.</H3>

<P>Patches are available through your local Sun Answer Center and by FTP from

<P><A HREF="ftp://sunsolve1.sun.com/pub/patches/100448-03.tar.Z">ftp://sunsolve1.sun.com/pub/patches/100448-03.tar.Z</A>

<PRE>
Module       Patch ID    Filename
----------   ---------   ---------------
loadmodule   100448-03   100448-03.tar.Z

Checksum:
MD5 (100448-03.tar.Z) = 183a22f0a2f6020f1389b6aeea5ca6c6
</PRE>

<H3>B. Because, in general, a set-user-id program can lead to security exposures, you should also do at least step 1 below. We recommend doing steps 2 and 3 as well.</H3>

<P>The intent of these directions is to make the <I>loadmodule(8)</I> program work only for the super-user (currently it works for all users because it is set-user-id) and to execute it each time the system boots. By following these directions, users who require SunView binary compatibility will still have it available to them.

<OL>
<LI>If you do not need SunView binary compatibility, then as root, turn off setuid root on the <I>loadmodule(8)</I> program with
<PRE>
# /bin/chmod u-s /usr/openwin/bin/loadmodule
</PRE>

<LI>If your users need SunView binary compatibility, you can enable it immediately--that is, without having to reboot your system--with the following script.
<PRE>
------------------------cut here--8<------------------------
ARCH=`/bin/arch -k`
OBJ=/sys/${ARCH}/OBJ
LM=/usr/openwin/bin/loadmodule

/bin/chmod u-s $LM

if [ -f $OBJ/evqmod-${ARCH}.o ]; then
    if /usr/etc/modstat | /bin/egrep -s evqmod ; then
        echo evq: already loaded
    elif $LM evqmod-${ARCH}.o evqload; then
        echo evq: loaded
    else
        echo evq: unable to load module
    fi
fi

if [ -f $OBJ/winlock-${ARCH}.o ]; then
    if /usr/etc/modstat | /bin/egrep -s winlock ; then
        echo winlock: already loaded
    elif $LM winlock-${ARCH}.o winlockload; then
        echo winlock: loaded
    else
        echo winlock: unable to load module
    fi
fi
------------------------cut here--8<------------------------
</PRE>
As a suggestion, store this script in /tmp/esbc and then execute it as root with:
<PRE>
# sh /tmp/esbc
</PRE>

<LI>If you've done step 2 above, the module loadings will disappear the next time you reboot your system. To make them permanent--that is, to make these module loadings occur each time your system is rebooted--add the script to the end of your /etc/rc.local file.
</OL>

<HR>
The CERT Coordination Center staff thanks Wolfgang Ley and Sun Microsystems for their support in the development of this advisory.

<P>Copyright 1995, 1996 Carnegie Mellon University.</P>

<HR>
Revision History
<PRE>
Sep. 23, 1997  Updated copyright statement
Aug. 30, 1996  References to README files were removed because updates are added to the advisories themselves.
</PRE>
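As an added example that is not part of the CERT advisory, the following sh audit script checks whether the Section III.B steps are in place on a host that keeps SunView compatibility (steps 1 to 3). Its interface is an assumption: the loadmodule path, a saved modstat(8) listing and the rc.local path are passed as arguments, so it can be run against copies taken from the host.

```shell
#!/bin/sh
# Added audit script for the Section III.B steps; it is not part of the CERT
# advisory. The loadmodule path, a saved modstat(8) listing and the rc.local
# path are passed as arguments, so the checks run without a SunOS 4.1.X host.

# 0 if FILE exists with its set-user-id bit clear (the chmod u-s step).
setuid_cleared() {
    [ -f "$1" ] || return 1
    # The first ten characters of `ls -l` are the mode string; an 's' or 'S'
    # in column 4 (owner execute) means set-user-id is still on.
    mode=`ls -ld "$1" | cut -c1-10`
    case "$mode" in
        ???[sS]*) return 1 ;;
        *)        return 0 ;;
    esac
}

# 0 if MODULE is named in the modstat listing saved in file LISTING; this is
# the same test the advisory's script makes with "modstat | egrep -s MODULE".
module_loaded() {
    grep "$1" "$2" >/dev/null 2>&1
}

# 0 if RCFILE invokes loadmodule, so the loads are repeated at every boot.
rc_reloads_modules() {
    grep loadmodule "$1" >/dev/null 2>&1
}

# Audit a host that keeps SunView compatibility: print one line per check
# and return the number of failed checks (0 means fully mitigated).
audit_loadmodule() {
    lm=$1; listing=$2; rcfile=$3; failed=0
    if setuid_cleared "$lm"; then echo "ok: $lm is not set-user-id"
    else echo "FAIL: $lm is still set-user-id"; failed=`expr $failed + 1`; fi
    for m in evqmod winlock; do
        if module_loaded "$m" "$listing"; then echo "ok: $m is loaded"
        else echo "FAIL: $m is not loaded"; failed=`expr $failed + 1`; fi
    done
    if rc_reloads_modules "$rcfile"; then echo "ok: $rcfile reloads the modules"
    else echo "FAIL: $rcfile does not reload the modules"; failed=`expr $failed + 1`; fi
    return $failed
}
```

On the SunOS host, save the listing with `/usr/etc/modstat > /tmp/modstat.out` and run `audit_loadmodule /usr/openwin/bin/loadmodule /tmp/modstat.out /etc/rc.local` as root; a non-zero exit status is the number of steps still missing.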