**************************************************************************
Security Bulletin 9126                  DISA Defense Communications System
19 December 1991            Published by: DDN Security Coordination Center
                                      (SCC@NIC.DDN.MIL)   1-(800) 365-3642

                        DEFENSE DATA NETWORK
                          SECURITY BULLETIN

The DDN SECURITY BULLETIN is distributed by the DDN SCC (Security
Coordination Center) under DISA contract as a means of communicating
information on network and host security exposures, fixes, & concerns
to security & management personnel at DDN facilities. Back issues may
be obtained via FTP (or Kermit) from NIC.DDN.MIL [192.112.36.5]
using login="anonymous" and password="guest". The bulletin pathname is
SCC:DDN-SECURITY-yynn (where "yy" is the year the bulletin is issued
and "nn" is a bulletin number, e.g. SCC:DDN-SECURITY-9126).
**************************************************************************

+ - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - +
!                                                                       !
!     The following important advisory was issued by the Computer       !
!     Emergency Response Team (CERT) and is being relayed unedited      !
!     via the Defense Information Systems Agency's Security             !
!     Coordination Center distribution system as a means of             !
!     providing DDN subscribers with useful security information.       !
!                                                                       !
+ - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - +

===========================================================================
CA-91:22                        CERT Advisory
                              December 16, 1991
                         SunOS OpenWindows V3.0 Patch
---------------------------------------------------------------------------

The Computer Emergency Response Team/Coordination Center (CERT/CC) has
received information concerning a vulnerability in Sun Microsystems,
Inc. (Sun) OpenWindows version 3.0. This vulnerability exists on all
sun4 and sun4c architectures running SunOS 4.1.1.

Sun has provided a patch for this vulnerability. It is available through
your local Sun Answer Center as well as through anonymous ftp from the
ftp.uu.net (192.48.96.2) system in the /sun-dist directory.

    Fix           PatchID    Filename           Checksum
    loadmodule    1076118    100448-01.tar.Z    04354  5

Please note that Sun will occasionally update patch files. If you find
that the checksum is different please contact Sun or the CERT/CC for
verification.

---------------------------------------------------------------------------

I.   Description

     An OpenWindows, version 3, setuid program (loadmodule(8)) can be
     exploited to execute a user's program using the effective UID of root.

II.  Impact

     This vulnerability allows a local user to gain root access.

III. Solution

     Obtain the patch from Sun or from ftp.uu.net and install, following
     the provided instructions.

     As root:

     1. Move the existing loadmodule aside.

        # mv $OPENWINHOME/bin/loadmodule $OPENWINHOME/bin/loadmodule.orig
        # chmod 400 $OPENWINHOME/bin/loadmodule.orig

     2. Copy the new loadmodule into the OpenWindows bin directory.

        # cp sun4/loadmodule $OPENWINHOME/bin/loadmodule
        # chown root $OPENWINHOME/bin/loadmodule
        # chmod 4755 $OPENWINHOME/bin/loadmodule

     See the README file provided with the patch for more information.

---------------------------------------------------------------------------
The CERT/CC wishes to thank Ken Pon at Sun Microsystems, Inc. for alerting
us to this vulnerability.
---------------------------------------------------------------------------

If you believe that your system has been compromised, contact CERT/CC via
telephone or e-mail.

Internet E-mail: cert@cert.sei.cmu.edu
Telephone: 412-268-7090 24-hour hotline:
           CERT/CC personnel answer 7:30a.m.-6:00p.m. EST(GMT-5)/EDT(GMT-4),
           on call for emergencies during other hours.

Computer Emergency Response Team/Coordination Center (CERT/CC)
Software Engineering Institute
Carnegie Mellon University
Pittsburgh, PA 15213-3890

Past advisories and other information related to computer security are
available for anonymous ftp from the cert.sei.cmu.edu (192.88.209.5) system.
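
The Solution steps in section III, gated on the published checksum and
followed by a check of the resulting file modes. This is an added example,
not part of the advisory or of Sun's patch README. It assumes the Checksum
column is BSD sum(1) output (16-bit checksum, then 1K-block count); the
function names are hypothetical.

```shell
#!/bin/sh
# Added example, not from the advisory. Assumption: the "Checksum" column
# is BSD sum(1) output, i.e. a 16-bit checksum and a count of 1K blocks.

# sum_matches FILE CHECKSUM BLOCKS -> 0 if sum(1) agrees with both values.
sum_matches() {
    # Read from stdin so no file name is printed; compare numerically so
    # "04354" and "4354" count as the same value.
    sum < "$1" | awk -v c="$2" -v b="$3" \
        '{ ok = ($1 + 0 == c + 0 && $2 + 0 == b + 0) } END { exit !ok }'
}

# has_mode FILE LSMODE -> 0 if ls -ld shows exactly LSMODE (e.g. -rwsr-xr-x).
has_mode() {
    [ "$(ls -ld "$1" | cut -c1-10)" = "$2" ]
}

# owned_by_root FILE -> 0 if the numeric owner of FILE is uid 0.
owned_by_root() {
    [ "$(ls -ldn "$1" | awk '{ print $3 }')" = "0" ]
}

# install_loadmodule PATCH_TARBALL NEW_BINARY
# Refuses to touch the installed program unless the tarball matches the
# checksum published in the advisory, then performs steps 1 and 2.
install_loadmodule() {
    sum_matches "$1" 04354 5 || { echo "checksum mismatch: $1" >&2; return 1; }
    target="$OPENWINHOME/bin/loadmodule"

    # Step 1: move the old program aside and make it unusable by other users.
    mv "$target" "$target.orig" && chmod 400 "$target.orig" || return 1

    # Step 2: install the patched program setuid root.
    cp "$2" "$target" && chown root "$target" && chmod 4755 "$target" || return 1

    # Confirm the old copy lost its setuid bit and the new one is as intended.
    has_mode "$target.orig" "-r--------" || return 1
    has_mode "$target" "-rwsr-xr-x" && owned_by_root "$target"
}
```

Run as root with OPENWINHOME set, for example:
install_loadmodule 100448-01.tar.Z sun4/loadmodule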