mkcookie on Solaris
A buffer overflow problem exists in the program
/usr/openwin/lib/mkcookie on Solaris for x86 that could allow a
local user to gain root privileges.
Since no patches exist at the moment, the temporary workaround is
to remove the SUID bit from the program.
--------------------------------------------------------------------------
RSI.0012.12-03-98.SOLARIS.MKCOOKIE
Repent Security Incorporated, RSI
[ http://www.repsec.com ]
*** RSI ALERT ADVISORY ***
--- [CREDIT] --------------------------------------------------------------
Nick Dubee: Discovered the vulnerability
Mark Zielinski: Author of the advisory
--- [SUMMARY] -------------------------------------------------------------
Announced: November 12, 1998
Report code: RSI.0012.12-03-98.SOLARIS.MKCOOKIE
Report title: Solaris x86 mkcookie
Vulnerability: Please see the details section
Vendor status: Sun Microsystems contacted on November 12, 1998
Patch status: No patch is currently available
Platforms: Solaris 2.5 x86, 2.5.1 x86, 2.6 x86, 2.7 x86
Reference: http://www.repsec.com/advisories.html
Impact: If exploited, an attacker could potentially compromise
root access locally on your server
NOTE: Solaris versions 2.3 x86 and 2.4 x86 were NOT tested;
however, they could be subject to the same vulnerability.
--- [DETAILS] -------------------------------------------------------------
Description: The mkcookie program is a Solaris utility used to
generate fresh 'Magic Cookies' each time the X server
is run. This program is installed SUID root as
/usr/openwin/lib/mkcookie.
Problem: A programming fault has been discovered in the way
mkcookie copies the contents of the $HOME environment
variable into a buffer that has a predefined limit with
no bounds checking.
Details: Local users on the system can set their $HOME
environment variable to machine code that will
execute commands as root when mkcookie is run.
This particular problem is not exploitable on the
Sparc architecture due to the way the register values
are saved.
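An added example, not mkcookie's source (which the advisory does not show): a bounded way to build a path from $HOME in C, rejecting values that do not fit instead of copying them unchecked. The function name, the 256-byte buffer size and the .Xauthority file name are assumptions made for illustration.

```c
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

#define PATH_BUF 256  /* assumed fixed buffer size; the advisory gives no figure */

/*
 * Build "<home>/<name>" in out[outlen].
 * Returns 0 on success, -1 if home is missing or not absolute, or if
 * the result would not fit. Never writes past out[outlen - 1].
 *
 * The unsafe pattern this replaces is the classic
 *     char buf[PATH_BUF]; strcpy(buf, getenv("HOME"));
 * where the length of a user-controlled string decides how much is written.
 */
int home_path(char *out, size_t outlen, const char *home, const char *name)
{
    int n;

    if (out == NULL || outlen == 0)
        return -1;
    out[0] = '\0';
    if (home == NULL || name == NULL || home[0] != '/')
        return -1;

    /* snprintf returns the length it needed, so truncation is detectable. */
    n = snprintf(out, outlen, "%s/%s", home, name);
    if (n < 0 || (size_t)n >= outlen) {
        out[0] = '\0';   /* leave no partial path behind */
        return -1;
    }
    return 0;
}

int main(void)
{
    char path[PATH_BUF];

    /* ".Xauthority" is an illustrative file name, not taken from the advisory. */
    if (home_path(path, sizeof path, getenv("HOME"), ".Xauthority") != 0) {
        fprintf(stderr, "refusing to use $HOME: unset, relative, or too long\n");
        return 1;
    }
    printf("%s\n", path);
    return 0;
}
```

A privileged program should treat every environment variable this way, since the invoking user controls both its contents and its length.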
--- [FIX] -----------------------------------------------------------------
Solution: Sun is working on patches which relate to this mkcookie
vulnerability. The patches will be made available to all
Sun customers via the World Wide Web at:
In the meantime, take the SUID bit off mkcookie until
a patch is released for the version of Solaris you are using.
repent% su
Password:
# chmod 711 /usr/openwin/lib/mkcookie
---------------------------------------------------------------------------
Repent Security Incorporated (RSI)
13610 N. Scottsdale Rd.
Suite #10-326
Scottsdale, AZ 85254
E-Mail: advise@repsec.com
FTP: ftp://ftp.repsec.com
WWW: http://www.repsec.com
---------------------------------------------------------------------------