-----BEGIN PGP SIGNED MESSAGE-----

===============================================================================
Security Advisory                                                       CERT-NL
===============================================================================
Author/Source : Teun Nijssen                             Index  :  S-96-57
Distribution  : World                                    Page   :  1
Classification: External                                 Version:  1
Subject       : Solaris 2.x Solstice Admintool Launcher  Date   :  16-Oct-96
===============================================================================

By courtesy of AUSCERT, our Australian counterpart, we received information
on a vulnerability in Solstice. CERT-NL recommends applying the vendor patches
as advised by AUSCERT in the following text:

AUSCERT has received a report of a vulnerability in the Solaris 2.x Solstice
Admintool Launcher program "solstice". solstice provides a graphical user
interface which can be used to launch system administration applications.

This vulnerability may allow local users to gain root privileges.

AUSCERT recommends that sites apply the vendor patches as recommended in
Section 3.2. Until patches can be applied, sites should take the necessary
actions as stated in Section 3.1.

1.  Description

    Solaris 2.x has two separate GUI system administration tools, Desktop
    Admintool (admintool) and the Solstice Admintool Launcher (solstice).

    solstice provides a graphical interface which can be used to perform
    various system administration tasks which include the ability to manage
    users, groups, hosts and other services. It also allows individual users
    to give extra functionality to the interface by adding their own
    applications.

    Due to the fact that all applications added by local users and launched
    from the Solstice Admintool Launcher (solstice) have the effective
    group-id of bin, local users have the ability to execute any command on
    the system with these privileges. Under standard Solaris 2.x
    installations, this can easily be leveraged to gain root privileges.

    The Solstice Admintool Launcher (solstice) is installed, by default, as
    /usr/bin/solstice. It is usually installed with the package SUNWsadml.
    While this package was introduced in Solaris 2.5, it can also be
    installed under earlier versions of Solaris 2.x.

    Individual sites are encouraged to check their systems for this package
    and, if installed, take the recommended actions given in Section 3.

    To determine whether the SUNWsadml package is installed, use the command:

        % /usr/bin/pkginfo -l SUNWsadml

2.  Impact

    Local users may be able to execute commands with the effective group-id
    of bin. This can be leveraged to gain root privileges.

3.  Workarounds/Solution

    Sun Microsystems has released patches addressing this vulnerability.
    Sites are advised to apply these patches (see Section 3.2) as soon as
    possible.

    Until vendor patches are applied, sites are advised to take the
    necessary steps outlined in Section 3.1.

3.1 Remove permissions

    Until official patches are available, sites are encouraged to remove
    the set-group-id permissions from the /usr/bin/solstice executable.

        # /bin/chmod g-s /usr/bin/solstice
        # /bin/ls -l /usr/bin/solstice
        -r-xr-xr-x   1 bin      bin        88264 Oct 27  1995 /usr/bin/solstice

    AUSCERT believes that this will not remove any functionality of the
    solstice program.

3.2 Install vendor patches

    Sun Microsystems has released patches which address the vulnerability
    described in this advisory. AUSCERT recommends that sites apply these
    patches as soon as possible.

    Patches have been released for:

        Operating System        Patch             MD5 Checksum
        ~~~~~~~~~~~~~~~~        ~~~~~             ~~~~~~~~~~~~
        Solaris 2.5 sparc:      103247-07.tar.Z   7ac1835d9604756dba94198f425dbcf6
        Solaris 2.5 x86:        103245-07.tar.Z   e17e049bb53f706782a2451340b27286
        Solaris 2.5.1 sparc:    103558-05.tar.Z   be967825e898f40620e3ae2390767158
        Solaris 2.5.1 x86:      103559-05.tar.Z   a1afcf2e7549308dbbbce154255d6d85
        Solaris 2.5.1 ppc:      103560-05.tar.Z   500600260ea1bb49b9079fe41dc36e77

    These patches can be retrieved from:

        ftp://sunsolve1.sun.com.au/pub/patches/
        ftp://ftp.auscert.org.au/pub/mirrors/sunsolve1.sun.com/

4.  Additional measures

    The standard Solaris 2.x installation consists of numerous important
    system files and directories which are writable by semi-privileged
    groups, such as "bin". This has serious security implications, as
    intruders need only get the privileges of these groups to alter critical
    system files on the system. This may easily be leveraged to gain root
    privileges.

    A script which establishes more secure permissions on critical files
    and directories under Solaris 2.x is available from:

        ftp://ftp.fwi.uva.nl/pub/solaris/fix-modes.tar.gz

    Sites should note that package or patch installs may reset the
    permissions to the default (less secure) settings. Sites are encouraged
    to check permissions after doing installations and re-run the fix-modes
    script if necessary.

    Similar problems exist when system critical files and directories,
    owned by non-root users, are used with root privileges. For a
    discussion of this and other security issues, see the AUSCERT security
    checklist:

        ftp://ftp.auscert.org.au/pub/auscert/papers/unix_security_checklist

AUSCERT thanks Marko Laakso (University of Oulu), CERT/CC, DFN-CERT and
Sun Microsystems for their help in this matter.

==============================================================================
CERT-NL is the Computer Emergency Response Team for SURFnet customers. SURFnet
is the Dutch network for educational, research and related institutes.
CERT-NL is a member of the Forum of Incident Response and Security Teams
(FIRST).

All CERT-NL material is available under:
        http://www.surfnet.nl/surfnet/security/cert-nl.html
        ftp://ftp.surfnet.nl/surfnet/net-security

In case of computer or network security problems please contact your local
CERT/security-team or CERT-NL (if your institute is NOT a SURFnet customer
please address the appropriate (local) CERT/security-team).

CERT-NL is one/two hour(s) ahead of UTC (GMT) in winter/summer,
i.e. UTC+0100 in winter and UTC+0200 in summer (DST).

Email:     cert-nl@surfnet.nl
Phone:     +31 302 305 305
Fax:       +31 302 305 329
Snailmail: SURFnet bv
           Attn. CERT-NL
           P.O. Box 19035
           NL - 3501 DA UTRECHT
           The Netherlands

A 7 * 24 hours phone number is available to SURFnet SSC's and FIRST members
on request.
==============================================================================

-----BEGIN PGP SIGNATURE-----
Version: 2.6.3i
Charset: cp850

iQCVAgUBMmS+nWL2fnkJN/jpAQHibQP6A8XFFRWZZO+4ipJURWBxKA9ORGJ4UYHL
buueSFFM1bORowIa2Ba2RvGlLvq9axEA/N5rYQ5Tsl6kQkoKkm5EGYFy+aOywU77
PaKgJMnuhRFtkyzLO2JhlNAam0uZvEWZ346y+U6oI98aZ9u+DUREsWJ5scRwyKdf
8OG5fnVdkr0=
=EoPC
-----END PGP SIGNATURE-----
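
Added example (not part of the signed AUSCERT/CERT-NL advisory text): read-only
shell helpers that confirm the Section 3.1 workaround and list the set-group-id
and group-writable paths that Section 4 warns about. The function names are
hypothetical, and the directory and group arguments are whatever the caller
supplies.

```shell
#!/bin/sh
# Added example: audit helpers for the exposure described in the advisory.
# Nothing here changes permissions; the functions only inspect and report.

# Exit 0 when the Section 3.1 workaround is in place for FILE, i.e. the
# file exists and no longer carries the set-group-id bit.
sgid_removed() {
    [ -e "$1" ] && [ ! -g "$1" ]
}

# Print regular files under DIR that are set-group-id to GROUP.
sgid_files_for_group() {
    find "$1" -type f -group "$2" -perm -2000 -print 2>/dev/null
}

# Print files and directories under DIR that GROUP may write to (the
# condition Section 4 describes for semi-privileged groups such as "bin").
group_writable_paths() {
    find "$1" \( -type f -o -type d \) -group "$2" -perm -0020 -print 2>/dev/null
}

# Report both findings for one tree; exit 0 only when nothing was found.
audit_group() {
    sgid=$(sgid_files_for_group "$1" "$2")
    writable=$(group_writable_paths "$1" "$2")
    [ -n "$sgid" ] && printf 'set-group-id %s:\n%s\n' "$2" "$sgid"
    [ -n "$writable" ] && printf 'writable by group %s:\n%s\n' "$2" "$writable"
    [ -z "$sgid$writable" ]
}

# Stand-alone use: sh audit.sh /usr bin
if [ "$#" -eq 2 ]; then
    audit_group "$1" "$2"
fi
```

Because package or patch installs may reset permissions, the same audit is worth repeating after each install.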