SUMMARY: Unauthorized user(s) can gain root privileges

From: Wojciech Mikanik (WMIKANIK@star.iinf.polsl.gliwice.pl)
Date: Wed Jun 11 1997 - 05:20:22 CDT


Hi,
this is a summary of the answers I received to my query related to using
/bin/eject to gain root privileges.
It is organized as follows:
1. Original message
2. Some information about the program
3. Solutions
4. Sources of additional information
5. *Thanks*
---------------------------------------------------------------------
1. Original message
"Hi,
  We have a SPARCclassic with Solaris 2.5.1 (installed a couple of days
ago). There is a very simple program (about 60-70 lines of C code)
which allows any user to change his/her effective id to root (uid and
gid stay the same). It does execl with three arguments:
"/bin/eject", "eject" and the third one.
I would be very grateful for every piece of information which helps me
to make my system more secure.
It is a rather urgent matter."
---------------------------------------------------------------------
2. Some information about the program
It seems that everybody has known about the hole, except me.

This is Sun bug #4038903. It was posted to the bugtraq mailing-list
in March by Christian Schipor and announced in
SUN MICROSYSTEMS SECURITY BULLETIN: #00138, 17 APRIL 1997

The hole with eject is a buffer overflow condition. Basically what
happens is that eject doesn't do proper bounds checking on its arguments,
so if you overrun the buffer, it will copy data onto the stack. The
tricky part is to do it so that the pc register (program counter, i.e.
the next executed instruction) gets filled with a pointer to the code you
want to execute (i.e. a shell). Since eject is running SUID-root, you
get a root shell.
---------------------------------------------------------------------
3. Solutions
a) The quick fix is to take the suid bit off /bin/eject:
   chmod 0555 /usr/bin/eject, or chmod u-s /usr/bin/eject

b) The following patches fix the problem:
101331-07: SunOS 5.3: fixes for package utilities
101907-14: SunOS 5.4: fixes to volume management
101908-14: SunOS 5.4_x86: fixes to volume management
103024-02: SunOS 5.5: libvolmgt patch
103044-02: SunOS 5.5_x86: libvolmgt patch
104776-01: SunOS 5.5.1: libvolmgt patch
104777-01: SunOS 5.5.1_x86: libvolmgt patch
Released between April 1st and April 17th.

c) Install recommended patches for Solaris 2.5.1 from
ftp://sunsite.unc.edu/pub/patches
or
ftp://sunsolve.sun.com/pub/patches

d) Install sudo, a program which allows defined users to execute
   defined programs with root privileges:
   http://www.courtesan.com/courtesan/products/sudo/
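The quick fix in a) can be checked and applied with a small POSIX shell script. This is an added example, not code from this summary, from Sun or from any of the people who replied. It builds a constructed temporary directory containing a mock eject with mode 4755 so that it runs without touching the real /usr/bin, and the function names (list_setuid, is_setuid, strip_setuid, make_sample_tree) are my own choice, not any vendor tool.

```sh
#!/bin/sh
# Added example: audit a directory tree for setuid executables and strip
# the setuid bit from one of them, the same "chmod u-s" quick fix given in
# the summary. The sample tree below is constructed for demonstration.

# Print every setuid file under the given root (default /usr/bin), sorted.
list_setuid() {
    find "${1:-/usr/bin}" -type f -perm -4000 2>/dev/null | sort
}

# Return 0 if the given path is a regular file with the setuid bit set.
is_setuid() {
    [ -f "$1" ] && [ -u "$1" ]
}

# Remove the setuid bit and confirm it is really gone.
strip_setuid() {
    chmod u-s "$1" && ! is_setuid "$1"
}

# Build a constructed sample tree: a mock "eject" with mode 4755 (the mode
# the vulnerable binary ships with) and an ordinary 0755 neighbour.
make_sample_tree() {
    sample_dir=$(mktemp -d) || return 1
    printf '#!/bin/sh\n' > "$sample_dir/eject"
    printf '#!/bin/sh\n' > "$sample_dir/ls"
    chmod 4755 "$sample_dir/eject"
    chmod 0755 "$sample_dir/ls"
    printf '%s\n' "$sample_dir"
}

# Walk through the audit and the fix on the constructed tree.
demo() {
    tree=$(make_sample_tree) || return 1
    echo "setuid files before the fix:"
    list_setuid "$tree"            # prints only .../eject
    strip_setuid "$tree/eject"
    echo "setuid files after the fix:"
    list_setuid "$tree"            # prints nothing
    rm -rf "$tree"
}

# Run the walkthrough when the script is executed directly.
demo
```

On a real system you would call list_setuid with no argument (or with / to walk the whole machine) and compare the output against the set of setuid programs you expect; the fix itself is just strip_setuid /usr/bin/eject run as root, after which the patch list in b) is still the proper long-term fix.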
---------------------------------------------------------------------
4. Sources of additional information (about this hole and many others)

a) This bug was posted to the bugtraq mailing-list in March by
Christian Schipor. You can find his original posting with his
suggested fix at http://geek-girl.com/bugtraq/1997_1/0279.html
Casper Dik's answer is archived there as
   http://geek-girl.com/bugtraq/1997_1/0289.html

b) Here is an official bulletin announcing the eject command's buffer
   problems: http://ciac.llnl.gov/ciac/bulletins/h-41.shtml

c) AUSCERT has an advisory out which describes the
   vulnerability and also workarounds:
   ftp://ftp.auscert.org.au/pub/auscert/advisory/AA-97.10.solaris.eject.overrun.vul

d) There is a web site dealing with "buffer overflow" exploits:
   http://millcomm.com/~nate/machines/security/stack-smashing/

e) BUGTRAQ mailing list:
    bugtraq-request@NETSPACE.ORG
   The URL for the BUGTRAQ WWW server is:
    http://www.geek-girl.com/bugtraq
   There are instructions there on how to get onto the list;
   apparently, BUGTRAQ hit 10000 subscribers the other day. There is
   also an NT list, NTBUGTRAQ.

f) FIRST, the Forum of Incident Response and Security Teams.
   For more information about FIRST, visit the FIRST web site
   at "http://www.first.org/".

g) Other security advisories can be found at the German CERT:
   ftp://ftp.cert.dfn.de/pub/dfncert/sec-bul/
   or at the US CERT:
   ftp://info.cert.org/pub/cert_advisories/
---------------------------------------------------------------------
5. Thanks
I would like to thank all who replied:
Chad L. Cook <ccook@bbn.com>
James Fifield <fifield@ug.cs.dal.ca>
Parthiv Shah <parthiv@nscc.com>
Ian MacPhedran <Ian_MacPhedran@engr.USask.Ca>
Casper Dik <casper@holland.Sun.COM>
Gary Franczyk <franczyk@e-one.com>
Tom Vayda <vayda_tom@jpmorgan.com>
gobbers@faw.uni-ulm.de (Dieter Gobbers )
Hans Schaechl <hans@mpim-bonn.mpg.de>
brett@gims.com (Brett)
David Fetrow <fetrow@biostat.washington.edu>
Jason Keltz <cs911089@ariel.cs.yorku.ca>
Matt Reynolds <reynolmd@aston.ac.uk>
Craig Raskin <raskin@asiaonline.net.tw>
Cagri Yucel <cyucel@is.ku.edu.tr>
Liew.Chee.Wah <cwliew@bass.com.my>
Tony C. Wu <tonywu@life.nthu.edu.tw>
Gnuchev Fedor <qwe@ht.eimb.rssi.ru>
Martin Trampler <trampler@pi1.informatik.uni-mannheim.de>

Wojciech Mikanik

Silesia University of Technology
Institute of Computer Science
Akademicka 16
44-100 Gliwice, Poland
Phone: +48-32-37-27-05
Fax: + 48-32-37-27-33
http://sun_zo.iinf.polsl.gliwice.pl/pub/wmikanik/html/



This archive was generated by hypermail 2.1.2 : Fri Sep 28 2001 - 23:11:56 CDT