We will try and keep these pages up to date
Copyright 1995 Carnegie Mellon University This material may be reproduced and distributed without permission provided it is used for noncommercial purposes and the copyright statement is included.
The text of this advisory is taken primarily from AUSCERT advisory AA-95.07, with their permission.
A vulnerability exists in Solaris systems that allows a race condition to be exploited to gain root access. The essential problem is that the ps(1) program maintains a data file in the /tmp directory, and the /tmp directory is world-writable, allowing users to delete other users' files in /tmp. This vulnerability affects Solaris 2.x (SunOS 5.x) systems.
An exploit program for this vulnerability has been published. We urge you to take the actions described in Section III as soon as possible.
As we receive additional information relating to this advisory, we will place it inftp://info.cert.org/pub/cert_advisories/CA-95:09.README We encourage you to check our README files regularly for updates on advisories that relate to your site.
A race condition exists in at least one Solaris 2.x (SunOS 5.x) system program that can be exploited to gain root access if the user has access to the temporary files. Access to temporary files may be obtained if the permissions on the /tmp and /var/tmp directories are set incorrectly. The permissions on the /tmp directory are often reset incorrectly by the system if tmpfs (which is mounting swap as /tmp) is in use.
Users logged in to the system may gain unauthorized root privileges.
To determine if you are running tmpfs, the following command can be used to verify if the filesystem for /tmp is swap:
% /usr/sbin/df -k /tmp
Filesystem kbytes used avail capacity Mounted on
swap 28348 12 28336 0% /tmp
or look in the file /etc/vfstab for the configuration line:
#device device mount FS fsck mount mount
#to mount to fsck point type pass at boot options
swap - /tmp tmpfs - yes -
If either of these two conditions exist, then you are running tmpfs and the system may automatically reset the permission bits of /tmp at the next reboot.
To verify if your configuration is currently vulnerable, the following command may be used:
% /usr/bin/ls -ld /tmp
drwxrwxrwt 2 sys sys 61 Aug 15 12:12 /tmp
If the sticky bit (t) is not set (it will be an x), then the system is vulnerable.
These workarounds have been verified with Sun Microsystems. Sun Microsystems expects to release a patch in the near future.
A workaround that takes effect immediately is to set the sticky bit on the /tmp directory using the following command as root:
# /usr/bin/chmod 1777 /tmp
Note that this command must be performed after each reboot if you are mounting swap as /tmp (using tmpfs).
In addition, the ownership and group membership of the /tmp directory should be verified using /usr/bin/ls -ld /tmp, and if incorrect may be reset by:
# /usr/bin/chown sys /tmp
# /usr/bin/chgrp sys /tmp
The AUSCERT UNIX Security Checklist addresses this issue in Section 5.5. This section is reproduced in the appendix of this advisory. The entire AUSCERT checklist may be obtained from these locations.
Sites outside of Australia should use the info.cert.org FTP site.
ftp://info.cert.org/pub/tech_tips/AUSCERT_checklist_1.0 ftp://ftp.auscert.org.au/pub/auscert/papers/unix_security_checklist_1.0
The change noted in item B.1 above will be lost upon reboot. To make the changes permanent, create the following script as /etc/init.d/tmpfsfix:
#!/bin/sh
if [ -d /tmp ]
then
/usr/bin/chmod 1777 /tmp
/usr/bin/chgrp sys /tmp
/usr/bin/chown sys /tmp
fi
A symbolic link should then be created called /etc/rc3.d/S79tmpfix which points to /etc/init.d/tmpfsfix by issuing the following command as root:
# /usr/bin/ln -s /etc/init.d/tmpfsfix /etc/rc3.d/S79tmpfix
If you have done item B.1 above, you can reboot at your leisure.Otherwise, reboot your system now. In either case, verify the permissions of /tmp immediately after your next system reboot.
We recommend that you also check and correct the /var/tmp directory. Note that this directory is not usually mounted as tmpfs, so it normally would not be subject to automatic resetting of its permission bits on reboot.
% /usr/bin/ls -ld /var/tmp
drwxrwxrwt 2 sys sys 512 Aug 15 11:35 /var/tmp
The CERT Coordination Center staff thanks AUSCERT, the Australian response team, for their permission to reuse text from their advisory AA-95.07 and for their cooperation and assistance.
If you believe that your system has been compromised, contact the CERT Coordination Center or your representative in the Forum of Incident Response and Security Teams (FIRST). If you wish to send sensitive incident or vulnerability information to CERT staff by electronic mail, we strongly advise that the e-mail be encrypted. The CERT Coordination Center can support a shared DES key, PGP (public key available via anonymous FTP on info.cert.org), or PEM (contact CERT staff for details). Internet e-mail: cert@cert.org Telephone: +1 412-268-7090 (24-hour hotline) CERT personnel answer 8:30 a.m.-5:00 p.m. EST(GMT-5)/EDT(GMT-4), and are on call for emergencies during other hours. Fax: +1 412-268-6989 Postal address: CERT Coordination Center , Software Engineering Institute, Carnegie Mellon University, Pittsburgh, PA 15213-3890, USA. CERT advisories and bulletins are posted on the USENET news group comp.security.announce. If you would like to have future advisories and bulletins mailed to you or to a mail exploder at your site, please send mail to cert-advisory-request@cert.org. Past CERT publications, information about FIRST representatives, and other information related to computer security are available by anonymous FTP from info.cert.org.
ENSURE that there are no unexpected world writable files or directories on your system. The following commands find world writeable files and directories.
# /bin/find / -type f -perm -22 -exec ls -l {} \;
# /bin/find / -type d -perm -22 -exec ls -ld {} \;
CHECK that files which have the SUID or SGID bit enabled, should have it enabled:
# /bin/find / -type f \( -perm -004000 -o -perm -002000 \) \
-exec ls -l {} \;
Thanks for visiting DataSure's CERT Advisory Pages. As the pages are developed further we hope to provide more, so please bear with us during the ongoing development process.
For more information on DataSure Services's products and services, please send e-mail to mackinnn@datasure.com phone us at ( 604) 598-6831, 1-800-598-6831, or FAX your request to (604) 598-6841. If you have problems or comments concerning our WWW service, please send e-mail to the above address.
This page has been accessed times.
Victoria, B.C. local time is Tuesday, 07-Feb-2012 22:27:50 PST
This page last modified Thursday, 15-Nov-2001 17:09:24 PST
This page, and all contents, are Copyright (C) 1996 by DataSure Services , Victoria, Canada.