===============================================================================
Security Advisory                                                       CERT-NL
===============================================================================
Author/Source : CERT-NL (Teun Nijssen)                 Index   : S-93-26
Distribution  : Public                                 Page    : 1
Classification: External                               Version : Final
Subject       : Solaris system startup vulnerability   Date    : 20-Dec-93
===============================================================================

CERT-NL has received information from several sources concerning the fact
that a failure of the file system check (fsck) in Solaris 2.x systems can
represent a security vulnerability. This vulnerability does not occur in
4.1.x systems.

This vulnerability allows a person with physical access to a workstation
with eeprom(1m) security enabled to force a startup failure and
subsequently gain root privilege without supplying the eeprom or root
password. Changing the system scripts as described below or restricting
physical access to the workstations will eliminate this vulnerability.
Note that without eeprom security enabled, a workstation is vulnerable to
any unauthorized individual who has physical access.

Without the script changes, if fsck(8) fails during boot, the system will
run a privileged shell on the workstation. Since an attacker can force the
failure, CIAC recommends application of the changes described below. If
this is not possible, then restrict physical workstation access to only
those users allowed root privilege.

The changes will require the user to enter the root password before the
system runs the privileged shell. To make the changes, edit both /sbin/rcS
and /sbin/mountall. Change every occurrence of

        /sbin/sh < /dev/console

to

        /sbin/sulogin < /dev/console

The Sun distribution of /sbin/rcS contains an occurrence of the target
string at line 152; the distribution of /sbin/mountall contains one at
line 66 and one at line 250.

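The edit described above, as an added example that is not part of the original advisory or Sun's distribution: shell functions that back up each script, replace every occurrence of the target string, and verify none remain. It assumes a POSIX shell with grep -F and sed; the function names, the .orig backup suffix and the --apply switch are choices made here, and the sample script text is constructed.

```shell
#!/bin/sh
# Added example: apply and verify the advisory's sh -> sulogin change.
OLD='/sbin/sh < /dev/console'
NEW='/sbin/sulogin < /dev/console'

# Print how many lines of file $1 still start the unauthenticated shell.
count_unprotected() { grep -c -F -- "$OLD" "$1" || true; }

# Replace every occurrence in file $1, keeping the original as $1.orig.
# The result is written back into the existing file, so its owner and
# mode stay as they were.
harden_script() {
    f=$1
    [ -f "$f" ] || { echo "missing: $f" >&2; return 2; }
    before=$(count_unprotected "$f")
    [ "$before" -gt 0 ] || { echo "$f: no unprotected shell found"; return 0; }
    tmp="$f.new.$$"
    cp -p "$f" "$f.orig" && sed "s|$OLD|$NEW|g" "$f" > "$tmp" && cat "$tmp" > "$f"
    rc=$?
    rm -f "$tmp"
    [ "$rc" -eq 0 ] || { echo "$f: edit failed, see $f.orig" >&2; return 2; }
    after=$(count_unprotected "$f")
    echo "$f: changed $before line(s), $after remaining"
    [ "$after" -eq 0 ]
}

# Harden each script given, or the advisory's two scripts by default.
# Returns non-zero if any script is missing or still has a match.
harden_all() {
    [ "$#" -gt 0 ] || set -- /sbin/rcS /sbin/mountall
    status=0
    for script in "$@"; do
        harden_script "$script" || status=1
    done
    return "$status"
}

# Constructed sample input (not Sun's actual script text) for a dry run.
make_sample() {
    printf '%s\n' '#!/sbin/sh' 'if [ $? -ne 0 ]; then' \
        '    echo "fsck failed"' "    $OLD" 'fi' > "$1"
}

# Run as root with --apply to edit the real scripts (or the paths given).
case "${1:-}" in --apply) shift; harden_all "$@" ;; esac
```

Run it against copies made with make_sample first; the line counts it reports should match the occurrences the advisory lists for each script.
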
An attacker with physical access to a workstation without eeprom security
enabled can easily compromise the system by booting it in single user
mode. It is thus recommended to enable eeprom security for all
workstations without strict physical access controls.

---------------------------------------------------------------------------
CERT-NL wishes to thank Sun Microsystems, Inc. for distributing the
necessary information and solution.
---------------------------------------------------------------------------

==============================================================================
CERT-NL is the Computer Emergency Response Team, located in The Netherlands.
CERT-NL is a Full Member of the Forum of Incident Response and Security
Teams (FIRST). The constituency of CERT-NL are the SURFnet connected
institutions.

Past CERT-NL Security Bulletins and other CERT-NL related material can be
found on the anonymous FTP server of SURFnet bv: "ftp.nic.surfnet.nl"
[192.87.46.3], in the directory "surfnet/net-security/cert-nl/docs/bulletin".
This information is also available using email. Send an email saying "help"
to "mailserv@nic.surfnet.nl".

In case of computer or network security problems please contact CERT-NL or
the CERT of your own constituency. Please be aware of the fact that we are
one (when DST is in effect two) hour(s) ahead of Universal Time Coordinated
(i.e. UTC+0100 (UTC+0200)).

Email:     cert-nl@surfnet.nl
Phone:     +31 30 310290
Fax:       +31 30 340903
Snailmail: SURFnet bv
           Attn. CERT-NL
           P.O. Box 19035
           NL - 3501 DA UTRECHT
           The Netherlands

A 7 * 24 hours phone number is available to SURFnet SSC's and FIRST members
on request.
==============================================================================