**************************************************************************
Security Bulletin 9627                    DISA Defense Communications System
December 31, 1996                         Published by: DISN Security
                                          Coordination Center
                                          (SCC@NIC.DDN.MIL) 1-(800) 365-3642

           DEFENSE INFORMATION SYSTEM NETWORK SECURITY BULLETIN

The DISN SECURITY BULLETIN is distributed by the DISN SCC (Security
Coordination Center) under DISA contract as a means of communicating
information on network and host security exposures, fixes, and concerns
to security and management personnel at DISN facilities. Back issues may
be obtained via FTP (or Kermit) from NIC.DDN.MIL [192.112.36.5] using
login="anonymous" and password="guest". The bulletin pathname is
scc/sec-yynn (where "yy" is the year the bulletin is issued and "nn" is a
bulletin number, e.g. scc/sec-9544.txt). These are also available at our
WWW site, http://nic.ddn.mil.
**************************************************************************

+ - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - +
!                                                                       !
!  The following important advisory was issued by the Automated         !
!  Systems Security Incident Support Team (ASSIST) and is being         !
!  relayed unedited via the Defense Information Systems Agency's        !
!  Security Coordination Center distribution system as a means          !
!  of providing DISN subscribers with useful security information.      !
!                                                                       !
+ - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - +

-----BEGIN PGP SIGNED MESSAGE-----

<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>
             Automated Systems Security Incident Support Team
                         Integritas et Celeritas
<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>

Bulletin 96-25           Release date: December 30, 1996, 06:30 AM EST (GMT -5)

SUBJECT:  Vulnerability Reports of Interest to Solaris 2.x System
          Administrators

SUMMARY:  This bulletin contains information on vulnerabilities found in
          Solaris AFS/DFS and Solaris 2.x Solstice Admintool Launcher.

BACKGROUND:  The information described in this bulletin was originally
          released and made public by the CERT and AUSCERT response teams.

IMPACT:  See each advisory for impact statements.

RECOMMENDED SOLUTIONS:  ASSIST recommends following the instructions
          outlined in each advisory below.

<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>

============================================================================
[Beginning of Cert Bulletin]
============================================================================

CERT(sm) Vendor-Initiated Bulletin VB-96.16
September 17, 1996

Topic:  Solaris AFS/DFS Integrated login bug if user is in too many groups
Source: Transarc Corp.

To aid in the wide distribution of essential security information, the
CERT Coordination Center is forwarding the following information from
Transarc Corp. Transarc urges you to act on this information as soon as
possible. Transarc contact information is included in the forwarded text
below; please contact them if you have any questions or need further
information.
=======================FORWARDED TEXT STARTS HERE============================

-----------------------------------------------------------------------------
Topic:  Solaris AFS/DFS Integrated login bug if user is in too many groups
Source: Transarc Corp.
---------------------------------

Problem: Vulnerability in Transarc DCE Integrated login for sites running DFS

I.   Description

On systems running the DCE Distributed File System (DFS), users placed in
more than NGROUPS_MAX-1 (usually 15) groups in the DCE registry and in
/etc/group will have an incorrect grouplist upon login. For systems running
both AFS and DFS, this limit is reduced to NGROUPS_MAX-3 (13).

The vulnerability is caused by a change in the setgroups(2) system call
under DFS, which can cause it to fail when passed a large set of
supplementary groups. Thus, it can cause problems in non-Transarc-supplied
programs which use setgroups(2) if they do not handle error conditions
correctly.

Vulnerable products include Transarc DCE and DFS 1.1 for Solaris 2.4 and
Solaris 2.5. This vulnerability is not present on sites not running DFS
(even if they are running AFS).

II.  Impact

Users with accounts on the system may gain unauthorized access to
resources. Access to resources controlled by DCE/DFS is unaffected, as the
DCE PAC is correct. Users without accounts on the system cannot take
advantage of this vulnerability.

III. Solution

The following patches are available from Transarc:

    DCE/DFS 1.1 for Solaris 2.4: patch 22
    DCE/DFS 1.1 for Solaris 2.5: patch 2

A workaround is possible as well: simply ensure that no user is listed in
more than NGROUPS_MAX-3 groups in /etc/group (including the user's primary
group, which may not appear in /etc/group). With this workaround, only the
primary group and groups which appear in /etc/group will appear in the
grouplist upon login.

Contact Transarc customer support by telephone at 412-281-5852 or via
email (dfs-help@transarc.com) for additional information or questions.

IV.  Other Platform Impact

HP has advised that this problem does not affect the HP product.
IBM has advised that this problem does not affect the IBM product.

=========================FORWARDED TEXT ENDS HERE=============================

[End of Cert bulletin]


[Beginning of AUSCERT bulletin]

- ------------------------------------------------------------------------------
=============================================================================
AA-96.05                        AUSCERT Advisory
         Vulnerability in Solaris 2.x Solstice Admintool Launcher
                              15 October 1996
Last Revised: -
- ---------------------------------------------------------------------------

AUSCERT has received a report of a vulnerability in the Solaris 2.x
Solstice Admintool Launcher program "solstice". solstice provides a
graphical user interface which can be used to launch system administration
applications.

This vulnerability may allow local users to gain root privileges.

AUSCERT recommends that sites apply the vendor patches as recommended in
Section 3.2. Until patches can be applied, sites should take the necessary
actions as stated in Section 3.1.

- -----------------------------------------------------------------------------

1.  Description

Solaris 2.x has two separate GUI system administration tools, Desktop
Admintool (admintool) and the Solstice Admintool Launcher (solstice).
solstice provides a graphical interface which can be used to perform
various system administration tasks which include the ability to manage
users, groups, hosts and other services. It also allows individual users to
give extra functionality to the interface by adding their own applications.

Due to the fact that all applications added by local users and launched
from the Solstice Admintool Launcher (solstice) have the effective group-id
of bin, local users have the ability to execute any command on the system
with these privileges. Under standard Solaris 2.x installations, this can
easily be leveraged to gain root privileges.
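Returning to the Transarc DFS advisory above: its workaround asks sites to ensure that no user appears in more than NGROUPS_MAX-3 groups, counting the primary group even when /etc/group does not list the user under it. The shell script below is an added example, not part of the CERT or Transarc text. It audits a passwd file and a group file for users over that limit. The function name audit_group_limit, the default limit of 13 (the AFS plus DFS figure quoted above; pass 15 for a DFS-only host), and the sample account and group names are assumptions constructed for this demonstration.

```shell
#!/bin/sh
# Audit a group file for users that belong to more groups than a DFS host
# can pass to setgroups(2). Hypothetical helper, not from the Transarc
# advisory. LIMIT defaults to NGROUPS_MAX-3 = 13 (AFS and DFS together);
# pass 15 (NGROUPS_MAX-1) for a host running DFS only.
#
# Usage: audit_group_limit PASSWD_FILE GROUP_FILE [LIMIT]
# Prints "user count" for every user over the limit; prints nothing if clean.
audit_group_limit() {
    pw="$1"; gr="$2"; limit="${3:-13}"
    awk -F: -v limit="$limit" '
        # First file (passwd): remember each user'\''s primary gid. The primary
        # group counts toward the limit even when the user is not named in
        # the group file, as the advisory workaround notes.
        NR == FNR { primary[$1] = $3; next }
        # Second file (group): count distinct groups per listed member.
        {
            gid = $3
            n = split($4, members, ",")
            for (i = 1; i <= n; i++) {
                u = members[i]
                if (u == "" || ((u, gid) in seen)) continue
                seen[u, gid] = 1
                count[u]++
            }
        }
        END {
            for (u in primary) {
                c = count[u] + 0
                if (!((u, primary[u]) in seen)) c++   # add the unlisted primary group
                if (c > limit) print u, c
            }
        }' "$pw" "$gr" | sort
}

# Constructed sample files for a self-contained run (not from any real host):
# alice is a member of 14 supplementary groups, bob of 2, both with primary
# group "users" (gid 100), which lists neither of them.
make_sample() {
    dir=$(mktemp -d) || return 1
    cat > "$dir/passwd" <<'EOF'
root:x:0:0:root:/:/bin/sh
alice:x:1001:100:Alice:/home/alice:/bin/sh
bob:x:1002:100:Bob:/home/bob:/bin/sh
EOF
    {
        printf 'users:x:100:\n'
        i=1
        while [ "$i" -le 14 ]; do
            if [ "$i" -le 2 ]; then m="alice,bob"; else m="alice"; fi
            printf 'proj%s:x:%s:%s\n' "$i" $((200 + i)) "$m"
            i=$((i + 1))
        done
    } > "$dir/group"
    echo "$dir"
}

# Stand-alone run: alice has primary + 14 = 15 groups (over 13); bob has 3.
sample=$(make_sample)
audit_group_limit "$sample/passwd" "$sample/group" 13
rm -rf "$sample"
```

On a DFS host, run audit_group_limit /etc/passwd /etc/group and trim the memberships of any user it reports; an empty result means every login will receive its full grouplist.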
The Solstice Admintool Launcher (solstice) is installed, by default, as
/usr/bin/solstice. It is usually installed with the package SUNWsadml.
While this package was introduced in Solaris 2.5, it can also be installed
under earlier versions of Solaris 2.x. Individual sites are encouraged to
check their systems for this package and, if installed, take the
recommended actions given in Section 3.

To determine whether the SUNWsadml package is installed, use the command:

    % /usr/bin/pkginfo -l SUNWsadml

2.  Impact

Local users may be able to execute commands with the effective group-id of
bin. This can be leveraged to gain root privileges.

3.  Workarounds/Solution

Sun Microsystems has released patches addressing this vulnerability. Sites
are advised to apply these patches (see Section 3.2) as soon as possible.
Until vendor patches are applied, sites are advised to take the necessary
steps outlined in Section 3.1.

3.1 Remove permissions

Until official patches are available, sites are encouraged to remove the
set-group-id permissions from the /usr/bin/solstice executable.

    # /bin/chmod g-s /usr/bin/solstice
    # /bin/ls -l /usr/bin/solstice
    -r-xr-xr-x   1 bin      bin        88264 Oct 27  1995 /usr/bin/solstice

AUSCERT believes that this will not remove any functionality of the
solstice program.

3.2 Install vendor patches

Sun Microsystems has released patches which address the vulnerability
described in this advisory. AUSCERT recommends that sites apply these
patches as soon as possible.
Patches have been released for:

    Operating System       Patch              MD5 Checksum
    ~~~~~~~~~~~~~~~~       ~~~~~              ~~~~~~~~~~~~
    Solaris 2.5 sparc:     103247-07.tar.Z    7ac1835d9604756dba94198f425dbcf6
    Solaris 2.5 x86:       103245-07.tar.Z    e17e049bb53f706782a2451340b27286
    Solaris 2.5.1 sparc:   103558-05.tar.Z    be967825e898f40620e3ae2390767158
    Solaris 2.5.1 x86:     103559-05.tar.Z    a1afcf2e7549308dbbbce154255d6d85
    Solaris 2.5.1 ppc:     103560-05.tar.Z    500600260ea1bb49b9079fe41dc36e77

These patches can be retrieved from:

    ftp://sunsolve1.sun.com.au/pub/patches/
    ftp://ftp.auscert.org.au/pub/mirrors/sunsolve1.sun.com/

4.  Additional measures

The standard Solaris 2.x installation consists of numerous important
system files and directories which are writable by semi-privileged groups,
such as "bin". This has serious security implications, as intruders need
only get the privileges of these groups to alter critical system files on
the system. This may easily be leveraged to gain root privileges.

A script which establishes more secure permissions on critical files and
directories under Solaris 2.x is available from:

    ftp://ftp.fwi.uva.nl/pub/solaris/fix-modes.tar.gz

Sites should note that package or patch installs may reset the permissions
to the default (less secure) settings. Sites are encouraged to check
permissions after doing installations and re-run the fix-modes script if
necessary.

Similar problems exist when system-critical files and directories, owned
by non-root users, are used with root privileges.
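Two checks follow from Sections 3.1 and 4 above: confirming that the set-group-id bit is really gone from /usr/bin/solstice (and stays gone after a package or patch install resets permissions), and listing what a semi-privileged group such as "bin" can still write under a system tree. The script below is an added example written for this bulletin, not AUSCERT's or Sun's code. has_setgid and group_writable_files are assumed helper names, and the demonstration runs on a constructed temporary directory using the caller's own group as a stand-in for bin so that it runs on any host.

```shell
#!/bin/sh
# Added verification helpers for the advisory's two permission checks.
# Hypothetical function names; not from AUSCERT or Sun.

# Return 0 (true) when FILE carries the set-group-id bit, 1 otherwise.
# -prune keeps find from descending if FILE happens to be a directory.
has_setgid() {
    [ -n "$(find "$1" -prune -perm -2000 -print 2>/dev/null)" ]
}

# Print every file under DIR owned by GROUP (name or numeric gid) that the
# group may write, sorted. An empty result means the group has no
# writable foothold in that tree. Re-run after every package or patch
# install, since those may restore the default (less secure) modes.
group_writable_files() {
    find "$1" -group "$2" -perm -020 -print 2>/dev/null | sort
}

# Self-contained demonstration on a constructed directory tree. On a real
# Solaris host the calls would be:  has_setgid /usr/bin/solstice
# and  group_writable_files /usr bin
demo() {
    dir=$(mktemp -d) || return 1
    gid=$(id -g)                    # caller's group stands in for "bin"
    mkdir "$dir/sbin"
    : > "$dir/sbin/solstice"; chmod 2555 "$dir/sbin/solstice"  # setgid, as shipped
    : > "$dir/sbin/safe";     chmod 0555 "$dir/sbin/safe"      # nothing to report
    : > "$dir/sbin/loose";    chmod 0664 "$dir/sbin/loose"     # group-writable

    if has_setgid "$dir/sbin/solstice"; then before=yes; else before=no; fi
    chmod g-s "$dir/sbin/solstice"  # the Section 3.1 workaround
    if has_setgid "$dir/sbin/solstice"; then after=yes; else after=no; fi
    writable=$(group_writable_files "$dir" "$gid")
    rm -rf "$dir"
    echo "setgid before=$before after=$after group-writable=${writable##*/}"
}

demo
```

The demo reports setgid present before the chmod and absent after it, and names only the group-writable file; the same two calls run against the real paths give a site a repeatable post-install check.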
For a discussion of this and other security issues, see the AUSCERT
security checklist:

    ftp://ftp.auscert.org.au/pub/auscert/papers/unix_security_checklist

===========================================================================
- ---------------------------------------------------------------------------
[End AUSCERT bulletin]
- ---------------------------------------------------------------------------

***************************************************************************
ASSIST thanks both the CERT and AUSCERT teams for the information
contained in this bulletin.
***************************************************************************

-----BEGIN PGP SIGNATURE-----
Version: 2.6

iQCVAwUBMsKA79H6sbnW3Io9AQHIRAQAqtQDZx7iHBHtYp6FKY75fpnioXMDFB3a
5qxQc5Sl6tHrL9lQmUQQsH9sBS/C38GObEae9Bkm3swWKhYcAwpuaXHmxINK4qZB
Q5bswkL4Sq0LRkWHYueO77FIFvdcEkacbtyLj5m+woGf44A0CyVFCL2+e5B7031E
qY2zOLQml30=
=DcOq
-----END PGP SIGNATURE-----

<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>

ASSIST is an element of the Defense Information Systems Agency (DISA),
Countermeasures, which provides service to the entire DoD community.
Constituents of the DoD with questions about ASSIST or computer security
issues can contact ASSIST using one of the methods listed below. Non-DoD
organizations/institutions, contact the Forum of Incident Response and
Security Teams (FIRST) representative. To obtain a list of FIRST member
organizations and their constituencies send an email to
docserver@first.org with an empty "subject" line and a message body
containing the line "send first-contacts".

ASSIST Information Resources:

To be included in the distribution list for the ASSIST bulletins, send
your Milnet (Internet) e-mail address to assist-request@assist.mil. Back
issues of ASSIST bulletins, and other security related information, are
available from the ASSIST BBS at 703-607-4710, 327-4710, and through
anonymous FTP from ftp.assist.mil (IP address 199.211.123.12).
Note: ftp.assist.mil will only accept anonymous FTP connections from
Milnet addresses that are registered with the NIC or DNS. If your system
is not registered, you must provide your MILNET IP address to ASSIST
before access can be provided.

ASSIST Contact Information:

PHONE: 800-357-4231 (or 703-607-4700 DSN 327), duty hours are 24 hours a
day, 7 days a week, 365 days a year.

ELECTRONIC MAIL: Send to assist@assist.mil.

ASSIST BBS: Leave a message for the "sysop".

ASSIST uses Pretty Good Privacy (PGP) as the digital signature mechanism
for bulletins. PGP incorporates the RSAREF(tm) Cryptographic Toolkit under
license from RSA Data Security, Inc. A copy of that license is available
via anonymous FTP from net-dist.mit.edu (IP 18.72.0.3) in the file
/pub/PGP/rsalicen.txt. In accordance with the terms of that license, PGP
may be used for non-commercial purposes only. Instructions for downloading
the PGP software can also be obtained from net-dist.mit.edu in the
pub/PGP/README file. PGP and RSAREF may be subject to the export control
laws of the United States of America as implemented by the United States
Department of State Office of Defense Trade Controls.

The PGP signature information will be attached to the end of ASSIST
bulletins.

Reference herein to any specific commercial product, process, or service
by trade name, trademark, manufacturer, or otherwise, does not constitute
or imply its endorsement, recommendation, or favoring by ASSIST. The views
and opinions of authors expressed herein shall not be used for advertising
or product endorsement purposes.

>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>><<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<

****************************************************************************
*                                                                          *
*   The point of contact for NIPRNET security-related incidents is the     *
*   Security Coordination Center (SCC).                                    *
*                                                                          *
*   E-mail address: SCC@NIC.DDN.MIL                                        *
*                                                                          *
*   Telephone: 1-(800)-365-3642                                            *
*                                                                          *
*   NIC Help Desk personnel are available from 7:00 a.m.-7:00 p.m. EST,    *
*   Monday through Friday except on federal holidays.                      *
*                                                                          *
****************************************************************************

PLEASE NOTE: Some users outside of the DOD computing communities may
receive DISN Security Bulletins. If you are not part of the DOD community,
please contact your agency's incident response team to report incidents.
Your agency's team will coordinate with DOD. The Forum of Incident
Response and Security Teams (FIRST) is a world-wide organization. A list
of FIRST member organizations and their constituencies can be obtained by
sending email to docserver@first.org with an empty subject line and a
message body containing the line: send first-contacts.

This document was prepared as a service to the DOD community. Neither the
United States Government nor any of their employees makes any warranty,
expressed or implied, or assumes any legal liability or responsibility for
the accuracy, completeness, or usefulness of any information, product, or
process disclosed, or represents that its use would not infringe privately
owned rights. Reference herein to any specific commercial products,
process, or service by trade name, trademark, manufacturer, or otherwise,
does not necessarily constitute or imply its endorsement, recommendation,
or favoring by the United States Government. The opinions of the authors
expressed herein do not necessarily state or reflect those of the United
States Government, and shall not be used for advertising or product
endorsement purposes.