Original issue date: August 6, 1996<BR>
Last revised: October 20, 1997<BR>
Vendor information for Sun has been added to the UPDATES section.
<P>A complete revision history is at the end of this file.
<P>The text of this advisory was originally released on August 2, 1996, as
AUSCERT Advisory AL-96.04, developed by the Australian Computer Emergency
Response Team. We are reprinting the AUSCERT advisory here with their
permission. Only the contact information at the end has changed: AUSCERT
contact information has been replaced with CERT/CC contact information.
<P>We will update this advisory as we receive additional information.
Please check advisory files regularly for updates that relate to your site.
<HR>
<P>AUSCERT has received a report of a vulnerability in the Sun Microsystems
Solaris 2.x distribution involving the Volume Management daemon, vold(1M).
This program is used to help manage CDROM and floppy devices.
<P>This vulnerability may allow a local user to gain root privileges.
<P>Exploit details involving this vulnerability have been made publicly
available.
<P>At this stage, AUSCERT is not aware of any official patches. AUSCERT
recommends that sites take the actions suggested in Section 3 until official
patches are available.
<P>
<HR>
<H2>1. Description</H2>
<P>The Volume Management daemon, vold(1M), manages the CDROM and floppy
devices. For example, it provides the ability to automatically detect,
and then mount, removable media such as CDROMs and floppy devices.
<P>vold is part of the Solaris 2.x Volume Management package (SUNWvolu).
It is executed as a background daemon on system startup and runs as root.
<P>When vold detects that a CDROM or floppy has been inserted into a drive,
it is configured to automatically mount the media, making it available
to users. Part of this process includes the creation of temporary files,
which are used to allow the Openwindows File Manager, filemgr(1), to
determine that new media has been mounted. These files are created by
the action_filemgr.so shared object which is called indirectly by vold
through rmmount(1M). The handling of these files is not performed in a
secure manner. As vold is configured to access these temporary files
with root privileges, it may be possible to manipulate vold into creating
or over-writing arbitrary files on the system.
<P>This vulnerability requires that vold be running and media managed by
vold, such as a CDROM or floppy, be physically loaded into a drive. Note
that a local user need not have physical access to the media drive to
exploit this vulnerability. It is enough to wait until somebody else
loads the drive, exploiting the vulnerability at that time.
<P>This vulnerability is known to be present in Solaris 2.4 and Solaris 2.5.
Solaris distributions prior to Solaris 2.4 are also expected to be
vulnerable.
<H2>2. Impact</H2>
Local users may be able to create or over-write arbitrary files on the
system. This can be leveraged to gain root privileges.
<H2>3. Workaround</H2>
AUSCERT believes the workarounds given in Sections 3.1 or 3.2 will address
this vulnerability. Vendor patches may also address this vulnerability
in the future (Section 3.3).
<H3>3.1 Edit /etc/rmmount.conf</H3>
The temporary files which are susceptible to attack are created by the
/usr/lib/rmmount/action_filemgr.so.1 shared object which is called
indirectly by vold through rmmount(1M). rmmount(1M) can be
configured so that it does not create the temporary files, thereby
removing this vulnerability.
<P>To our knowledge, configuring rmmount(1M) in this fashion will not
affect the functionality of vold. It will, however, remove the
ability of the Openwindows File Manager, filemgr(1), to automatically
detect newly mounted media.
<P>To prevent rmmount(1M) creating temporary files, sites must edit the
/etc/rmmount.conf file and comment out (or remove) any entry which
references action_filemgr.so.
<P>The standard /etc/rmmount.conf contains the following entries which
must be commented out (or deleted) to remove this vulnerability:
<UL>
action cdrom action_filemgr.so<BR>
action floppy action_filemgr.so
</UL>
After applying this workaround, an example of /etc/rmmount.conf may look
like:
<PRE>
# @(#)rmmount.conf 1.2 92/09/23 SMI
#
# Removable Media Mounter configuration file.
#
# File system identification
ident hsfs ident_hsfs.so cdrom
ident ufs ident_ufs.so cdrom floppy pcmem
ident pcfs ident_pcfs.so floppy pcmem
# Actions
#
# Following two lines commented out to remove vold vulnerability
#
# action cdrom action_filemgr.so
# action floppy action_filemgr.so
</PRE>
<P>Note that vold does not have to be restarted for these changes to
take effect.
<H3>3.2 Remove the Volume Management system</H3>
Sites who do not require the vold functionality should remove the complete
set of Volume Management packages. These are SUNWvolg, SUNWvolu and
SUNWvolr. These packages can be removed using pkgrm(1M).
<H3>3.3 Install vendor patches</H3>
Currently, AUSCERT is not aware of any official patches which address
this vulnerability. When official patches are made available, AUSCERT
suggests that they be installed.
<P><HR>
<P>AUSCERT wishes to thanks to Leif Hedstrom, Mark McPherson(QTAC),
Marek Krawus(UQ), DFN-CERT and CERT/CC for their assistance in this matter.
<P><HR>
<P>
<H2>UPDATES</H2>
<H3>Vendor Information </H3>
Below is information we have received from vendors. If you do not see your
vendor's name below, contact the vendor directly for information.
<H4>Sun Microsystems, Inc.</H4>
Sun Microsystems has provided the following list of patches in response
to this advisory:
<UL>
104010-01 5.5.1
<BR> 104011-01 5.5.1_x86
<BR> 104015-01 5.5
<BR> 104016-01 5.5_x86
<BR> 101907-14 5.4
<BR> 101908-14 5.4_x86
</UL>
<!--#include virtual="/include/footer_nocopyright.html" -->
<P>Copyright 1996 Carnegie Mellon University.</P>
<HR>
Revision History
<PRE>
Oct. 20, 1997 Vendor information for Sun has been added to the UPDATES
section.
Sep. 24, 1997 Updated copyright statement
Aug. 30, 1996 Removed references to CA-96.17.README.
Beginning of the advisory - removed AUSCERT advisory header
to avoid confusion.
</PRE>
|