-----BEGIN PGP SIGNED MESSAGE----- =========================================================================== AA-97.09 AUSCERT Advisory Solaris 2.x passwd buffer Overrun Vulnerability 26 February 1997 Last Revised: 13 May 1997 Added SUN Security bulletin in Appendix A Changed Section 3 to include vendor patch information. Updated information on obtaining pre-compiled versions of the wrapper. Updated information on obtaining overflow_wrapper.c. A complete revision history is at the end of this file. - ---------------------------------------------------------------------------- AUSCERT has received information that a vulnerability exists in the passwd(1) program under Solaris 2.x. This vulnerability may allow local users to gain root privileges. Exploit information involving this vulnerability has been made publicly available. Vendor patches have been released addressing this vulnerability. AUSCERT recommends that sites take the steps outlined in section 3 as soon as possible. This advisory will be updated as more information becomes available. - ---------------------------------------------------------------------------- 1. Description AUSCERT has received information that a vulnerability exists in the Solaris 2.x passwd(1) program. Under Solaris 2.5, yppasswd(1) and nispasswd(1) are hard links to the passwd program, and as such are also vulnerable. Under Solaris 2.3 and 2.4, passwd, yppasswd and nispasswd are separate programs, but they dynamically link unix_scheme and, as such are also affected. Due to insufficient bounds checking on arguments in the pluggable authentication module (PAM) (Solaris 2.5/2.5.1) and unix_scheme (Solaris 2.4/2.3), that are used by nispasswd, yppasswd, and passwd, it is possible to overwrite the internal stack space of these programs when they are executing. If exploited, this vulnerability may be used to gain root access on attacked systems. Exploit information involving this vulnerability has been made publicly available. passwd, yppasswd and nispasswd under Solaris 2.x are located by default in /usr/bin/. 2. Impact Local users may gain root privileges. 3. Workarounds/Solution Official vendor patches have been released by Sun Microsystems which address this vulnerability (Section 3.2). If the patches recommended by Sun Microsystems cannot be applied, AUSCERT recommends that sites prevent the exploitation of this vulnerability by immediately applying the workaround given in Section 3.1. 3.1 Install passwd wrapper AUSCERT has developed a wrapper to help prevent programs from being exploited using the vulnerability described in this advisory. Sites which have a C compiler can obtain the source, compile and install the wrapper. Please contact AUSCERT directly if pre-compiled binaries of the wrapper are required. The source for the wrapper, including installation instructions, can be found at: ftp://ftp.auscert.org.au/pub/auscert/tools/overflow_wrapper/ overflow_wrapper.c This wrapper replaces the passwd program and checks the length of the command line arguments which are passed to it. If an argument exceeds a certain predefined value (MAXARGLEN), the wrapper exits without executing the passwd command. The wrapper program can also be configured to syslog any failed attempts to execute passwd with arguments exceeding MAXARGLEN. For further instructions on using this wrapper, please read the comments at the top of overflow_wrapper.c. Applying this wrapper program to passwd, following the instructions given in the comments at the start of the wrapper program, will also fix the overflow problems with yppasswd and nispasswd under Solaris 2.5, since these programs are merely hard links to passwd. Note that under Solaris 2.4 the wrapper will have to be generated for ypasswd and nispasswd as well. When compiling overflow_wrapper.c for use with passwd, AUSCERT recommends defining MAXARGLEN to be 32. The MD5 checksum for the current version of overflow_wrapper.c can be retrieved from: ftp://ftp.auscert.org.au/pub/auscert/tools/overflow_wrapper/CHECKSUM 3.2 Install vendor patches Sun Microsystems has released patches which address the vulnerability described in this advisory. AUSCERT recommends that sites apply theses patches as soon as possible. Operating System Patch MD5 Checksum ~~~~~~~~~~~~~~~~ ~~~~~ ~~~~~~~~~~~~ Solaris 2.5.1 sparc: 104433-03.tar.Z 80C625D86DBFA06C107956EB4BD8126A Solaris 2.5.1 x86: 104434-02.tar.Z 4079E48BB8BA929F99EFE4D38877B023 Solaris 2.5 sparc: 103178-03.tar.Z 74547F3FDF850FAAF6B02176CF146AA4 Solaris 2.5 x86: 103179-03.tar.Z CA11D05845116F62FCC8DDCC6EDBCB2B Solaris 2.4 sparc: 101945-49.tar.Z (to be released) Solaris 2.4 x86: 101946-43.tar.Z (to be released) Solaris 2.3 101318-87.tar.Z (to be released) These patches can be retrieved from: ftp://sunsolve1.sun.com.au/pub/patches/ ftp://ftp.auscert.org.au/pub/mirrors/sunsolve1.sun.com/ Sun Microsystems has also released a security bulletin containing information on the above patches. The original release of this bulletin has been appended in Appendix A. .............................................................................. Appendix A - ----------------------BEGIN SUN SECURITY BULLETIN ---------------------------- ============================================================================= SUN MICROSYSTEMS SECURITY BULLETIN: #00139, 29 APRIL 1997 ============================================================================= BULLETIN TOPICS Sun announces the release of patches for Solaris 2.5.1 (SunOS 5.5.1) and Solaris 2.5 (SunOS 5.5) that relate to vulnerabilities in the pluggable authentication module (PAM), which can result in root access if exploited. The nispasswd, yppasswd, and passwd programs use PAM in these OS releases. Sun estimates that the release of patches for Solaris 2.4 (SunOS 5.4) and Solaris 2.3 (SunOS 5.3) that relate to the same vulnerability will be available within 5 weeks and 6 weeks respectively of the date of this bulletin. In Solaris 2.4 and 2.3, the passwd programs use unix_scheme instead of PAM. Sun strongly recommends that you install these patches immediately on every affected system. Exploit information is publicly available. I. Who is Affected, and What to Do II. Understanding the Vulnerabilities III. List of Patches IV. Checksum Table APPENDICES A. How to obtain Sun security patches B. How to report or inquire about Sun security problems C. How to obtain Sun security bulletins or short status updates Sun acknowledges with thanks the CERT Coordination Center (Carnegie Mellon University) and AUSCERT for their assistance in the preparation of this bulletin. Sun, CERT/CC, and AUSCERT are members of FIRST, the Forum of Incident Response and Security Teams. For more information about FIRST, visit the FIRST web site at "http://www.first.org/". Cross-Ref: AUSCERT AA-97.09 ----------- Permission is granted for the redistribution of this Bulletin, so long as the Bulletin is not edited and is attributed to Sun Microsystems. Portions may also be excerpted for re-use in other security advisories so long as proper attribution is included. Any other use of this information without the express written consent of Sun Microsystems is prohibited. Sun Microsystems expressly disclaims all liability for any misuse of this information by any third party. ============================================================================= SUN MICROSYSTEMS SECURITY BULLETIN: #00139, 29 APRIL 1997 ============================================================================= I. Who is Affected, and What to Do SunOS versions 5.5.1, 5.5.1_x86, 5.5, 5.5_x86, 5.4, 5.4_x86, and 5.3 are vulnerable. SunOS versions 4.1.4 and 4.1.3_U1 are not vulnerable. Install the patches listed in III. for SunOS versions 5.5.1, 5.5.1_x86, 5.5, and 5.5_x86. Sun estimates that patches for SunOS versions 5.4 and 5.4_x86 will be released within 5 weeks from the date of this bulletin. Sun also estimates that patches for SunOS version 5.3 will be released within 6 weeks from the date of this bulletin. In the meantime, Sun recommends, as a workaround, the installation of a passwd wrapper that was developed by AUSCERT (see AUSCERT Advisory AA-97.09). AUSCERT maintains an anonymous FTP service at ftp://ftp.auscert.org.au/pub/ and a World Wide Web service at http://www.auscert.org.au/. The same vulnerability has been fixed in the upcoming release of Solaris. II. Understanding the Vulnerability Due to insufficient bounds checking on arguments in PAM (5.5.1 and 5.5) and unix_scheme (5.4 and 5.3), it is possible to overwrite the internal stack space of the passwd program. If exploited, this vulnerability can be used to gain root access on attacked systems. Under SunOS 5.5.1 and 5.5, yppasswd and nispasswd are hard links to the passwd program and therefore are also vulnerable. Under SunOS 5.4 and 5.3, passwd, yppasswd, and nispasswd are separate programs but they dynamically link unix_scheme and are affected. III. List of Patches The vulnerabilities relating to passwd in PAM and unix_scheme are fixed by the following patches: OS version Patch ID ---------- -------- SunOS 5.5.1 104433-03 SunOS 5.5.1_x86 104434-02 SunOS 5.5 103178-03 SunOS 5.5_x86 103179-03 SunOS 5.4 101945-49 (to be released in 5 weeks) SunOS 5.4_x86 101946-43 (to be released in 5 weeks) SunOS 5.3 101318-87 (to be released in 6 weeks) IV. Checksum Table In the table below, we show the BSD checksums (SunOS 4.1.x: /bin/sum; SunOS 5.x: /usr/ucb/sum), SVR4 checksums (SunOS 5.x: /usr/bin/sum), and the MD5 digital signatures for the compressed tar files. File BSD SVR4 MD5 Name Checksum Checksum Digital Signature - --------------- --------- --------- -------------------------------- 104433-03.tar.Z 38148 225 11004 449 80C625D86DBFA06C107956EB4BD8126A 104434-02.tar.Z 22283 142 51656 284 4079E48BB8BA929F99EFE4D38877B023 103178-03.tar.Z 11476 212 51066 423 74547F3FDF850FAAF6B02176CF146AA4 103179-03.tar.Z 55629 192 1250 384 CA11D05845116F62FCC8DDCC6EDBCB2B APPENDICES A. How to obtain Sun security patches 1. If you have a support contract Customers with Sun support contracts can obtain any patches listed in this bulletin (and any other patches--and a list of patches) from: - SunSolve Online - Local Sun answer centers, worldwide - SunSITEs worldwide The patches are available via World Wide Web at http://sunsolve.sun.com. You should also contact your answer center if you have a support contract and: - You need assistance in installing a patch - You need additional patches - You want an existing patch ported to another platform - You believe you have encountered a bug in a Sun patch - You want to know if a patch exists, or when one will be ready 2. If you do not have a support contract Customers without support contracts may now obtain security patches, "recommended" patches, and patch lists via SunSolve Online. Sun does not furnish patches to any external distribution sites other than the ones mentioned here. The ftp.uu.net and ftp.eu.net sites are no longer supported. 3. About the checksums So that you can quickly verify the integrity of the patch files themselves, we supply in each bulletin checksums for the tar archives. Occasionally, you may find that the listed checksums do not match the patches on the SunSolve or SunSite database. This does not necessarily mean that the patch has been tampered with. More likely, a non-substantive change (such as a revision to the README file) has altered the checksum of the tar file. The SunSolve patch database is refreshed nightly, and will sometimes contain versions of a patch newer than the one on which the checksums were based. In the future we may provide checksum information for the individual components of a patch as well as the compressed archive file. This would allow customers to determine, if need be, which file(s) have been changed since we issued the bulletin containing the checksums. In the meantime, if you would like assistance in verifying the integrity of a patch file please contact this office or your local answer center. B. How to report or inquire about Sun security problems If you discover a security problem with Sun software or wish to inquire about a possible problem, contact one or more of the following: - Your local Sun answer centers - Your representative computer security response team, such as CERT - This office. Address postal mail to: Sun Security Coordinator MS MPK17-103 2550 Garcia Avenue Mountain View, CA 94043-1100 Email: security-alert@sun.com We strongly recommend that you report problems to your local Answer Center. In some cases they will accept a report of a security bug even if you do not have a support contract. An additional notification to the security-alert alias is suggested but should not be used as your primary vehicle for reporting a bug. C. How to obtain Sun security bulletins or short status updates 1. Subscription information Sun Security Bulletins are available free of charge as part of our Customer Warning System. It is not necessary to have a Sun support contract in order to receive them. To receive information or to subscribe or unsubscribe from our mailing list, send mail to security-alert@sun.com with a subject line containing one of the following commands. Subject Information Returned/Action Taken ------- --------------------------------- HELP An explanation of how to get information LIST A list of current security topics QUERY [topic] The mail containing the question is relayed to a Security Coordinator for a response. REPORT [topic] The mail containing the text is treated as a security bug report and forwarded to a Security Coordinator for handling. Please note that this channel of communications does not supersede the use of Sun Solution Centers for this purpose. Note also that we do not recommend that detailed problem descriptions be sent in plain text. SEND topic Summary of the status of selected topic. (To retrieve a Sun Security Bulletin, supply the number of the bulletin, as in "SEND #103".) SUBSCRIBE Sender is added to the CWS (Customer Warning System) list. The subscribe feature requires that the sender include on the subject line the word "cws" and the reply email address. So the subject line might look like the following: SUBSCRIBE cws your-email-address UNSUBSCRIBE Sender is removed from the CWS list. Should your email not fit into one of the above subjects, a help message will be returned to you. Due to the volume of subscription requests we receive, we cannot guarantee to acknowledge requests. Please contact this office if you wish to verify that your subscription request was received, or if you would like your bulletin delivered via postal mail or fax. 2. Obtaining old bulletins Sun Security Bulletins are available via the security-alert alias and on SunSolve. Please try these sources first before contacting this office for old bulletins. ---------- - -----------------------END SUN SECURITY BULLETIN ---------------------------- ............................................................................. - ---------------------------------------------------------------------------- AUSCERT thanks Jim Gifford (Board of Regents of the University System of Georgia) for supplying additional information and Sun Microsystems for their assistance in this matter. - ---------------------------------------------------------------------------- The AUSCERT team have made every effort to ensure that the information contained in this document is accurate. However, the decision to use the information described is the responsibility of each user or organisation. The appropriateness of this document for an organisation or individual system should be considered before application in conjunction with local policies and procedures. AUSCERT takes no responsibility for the consequences of applying the contents of this document. If you believe that your system has been compromised, contact AUSCERT or your representative in FIRST (Forum of Incident Response and Security Teams). AUSCERT is located at The University of Queensland within the Prentice Centre. AUSCERT is a full member of the Forum of Incident Response and Security Teams (FIRST). AUSCERT maintains an anonymous FTP service which is found on: ftp://ftp.auscert.org.au/pub/. This archive contains past SERT and AUSCERT Advisories, and other computer security information. AUSCERT also maintains a World Wide Web service which is found on: http://www.auscert.org.au/. Internet Email: auscert@auscert.org.au Facsimile: (07) 3365 4477 Telephone: (07) 3365 4417 (International: +61 7 3365 4417) AUSCERT personnel answer during Queensland business hours which are GMT+10:00 (AEST). On call after hours for emergencies. Postal: Australian Computer Emergency Response Team c/- Prentice Centre The University of Queensland Brisbane Qld. 4072. AUSTRALIA ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ Revision History 13 May 1997 Sun Microsystems has released a security bulletin addressing the vulnerability described in this advisory. This has been appended in Appendix A. Section 3 has been modified to include vendor patch information. Pre-compiled binaries of the overflow_wrapper program were only made available as an interim measure. As patches have been released, these binaries are no longer available and the advisory was updated to reflect this. The location of overflow_wrapper.c has changed. Section 3 was updated to show this. 3 March 1997 Fixed information concerning yppasswd and nispasswd under versions of Solaris prior to 2.5. Added information on pre-compiled versions of the wrapper program. ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ -----BEGIN PGP SIGNATURE----- Version: 2.6.3i Charset: noconv Comment: ftp://ftp.auscert.org.au/pub/auscert/AUSCERT_PGP.key iQCVAwUBM3iBfyh9+71yA2DNAQFHwQP/SzXqVLPJ8MmIubqHE26eGa3A+OGEbt9r 7cpaEaCq6RkGZi0bRIoSlj1F4OoVbWEUP8+s95+VRiZ/aLovOJKClSZRDDAnwKkZ k1j6ADMZskE74BhJKq/aDqwfPcsK0X6nWi0mxn4pYmPxl2IpYu/4/jwYbKnps1ly Bk8T9MkMqEE= =9wN4 -----END PGP SIGNATURE-----