[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]
[Sun] Schwachstelle im Sun Solaris rcp Kommando - Sun Alert ID 102978
-----BEGIN PGP SIGNED MESSAGE-----
Hash: MD5
Liebe Kolleginnen und Kollegen,
soeben erreichte uns das nachfolgende Bulletin des SUN Customer Warning
System. Wir geben diese Informationen unveraendert an Sie weiter.
CVE-2006-0225 - Doppelte Shell-Expansion in scp und rcp (OpenSSH)
In den Kommandos scp und rcp von OpenSSH existiert eine Schwachstelle,
die bei lokalen Kopierfunktionen (local-to-local copy)
Shell-Ausdruecke doppelt expandiert und dann in einem system()-Aufruf
verwendet. Ein Angreifer kann diese Schwachstelle durch einen speziell
konstruierten Dateinamen ausnutzen, um beliebige Befehle mit den
Rechten des Benutzers auszufuehren.
Betroffen sind die folgenden Software Pakete und Plattformen:
rcp Kommando
SPARC Plattform
* Solaris 8 ohne Patches 110670-04 und 114669-04
* Solaris 9 ohne Patch 114716-05
* Solaris 10 ohne Patch 121132-03
x86 Plattform
* Solaris 8 ohne Patches 110671-04 und 114670-04
* Solaris 9 ohne Patch 114717-05
* Solaris 10 ohne Patch 125794-02
Vom Hersteller werden ueberarbeitete Pakete zur Verfuegung gestellt.
Hersteller Advisory:
http://sunsolve.sun.com/search/document.do?assetkey=1-26-102978-1
(c) der deutschen Zusammenfassung bei DFN-CERT Services GmbH; die
Verbreitung, auch auszugsweise, ist nur unter Hinweis auf den Urheber,
DFN-CERT Services GmbH, und nur zu nicht kommerziellen Zwecken
gestattet.
Mit freundlichen Gruessen,
Klaus Moeller, DFN-CERT
Sun(sm) Alert Notification
* Sun Alert ID: 102978
* Synopsis: Security Vulnerability in the rcp(1) Command May Allow
Execution of Unintended Commands
* Category: Security
* Product: Solaris 9 Operating System, Solaris 10 Operating System,
Solaris 8 Operating System
* BugIDs: 6473508
* Avoidance: Patch, Workaround
* State: Resolved
* Date Released: 10-Jul-2007
* Date Closed: 10-Jul-2007
* Date Modified:
1. Impact
A security vulnerability in the way the rcp(1) command invokes helper
applications may allow a local unprivileged user (or a remote user in the
case of shared filesystems) to create files with specially crafted file
names which could lead to the execution of arbitrary commands with the
privileges of a local user when that local user executes the rcp(1) command
on the specially crafted file names.
Note: The scp(1) utility is also affected by this issue which is described
in the following documents:
CVE-2006-0225 at:
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2006-0225
Sun Alert 102961 at:
http://sunsolve.sun.com/search/document.do?assetkey=1-26-102961-1
2. Contributing Factors
This issue can occur in the following releases:
SPARC Platform
* Solaris 8 without patches 110670-04 and 114669-04
* Solaris 9 without patch 114716-05
* Solaris 10 without patch 121132-03
x86 Platform
* Solaris 8 without patches 110671-04 and 114670-04
* Solaris 9 without patch 114717-05
* Solaris 10 without patch 125794-02
3. Symptoms
There are no predictable symptoms that would indicate the described issue
has been exploited to execute arbitrary commands.
Solution Summary Top
4. Relief/Workaround
This issue will only occur if the rcp(1) command is executed on files that
have specially crafted file names. Therefore, it may be possible to work
around this issue by avoiding the use of the rcp(1) command on untrusted
file names, for example, in directories that are writable by untrusted
users.
5. Resolution
This issue is addressed in the following releases:
SPARC Platform
* Solaris 8 with patches 110670-04 and 114669-04 or later
* Solaris 9 with patch 114716-05 or later
* Solaris 10 with patch 121132-03 or later
x86 Platform
* Solaris 8 with patches 110671-04 and 114670-04 or later
* Solaris 9 with patch 114717-05 or later
* Solaris 10 with patch 125794-02 or later
This Sun Alert notification is being provided to you on an "AS IS" basis.
This Sun Alert notification may contain information provided by third
parties. The issues described in this Sun Alert notification may or may not
impact your system(s). Sun makes no representations, warranties, or
guarantees as to the information contained herein. ANY AND ALL WARRANTIES,
EXPRESS OR IMPLIED, INCLUDING WITHOUT LIMITATION WARRANTIES OF
MERCHANTABILITY, FITNESS FOR A PARTICULAR PURPOSE, OR NON-INFRINGEMENT, ARE
HEREBY DISCLAIMED. BY ACCESSING THIS DOCUMENT YOU ACKNOWLEDGE THAT SUN SHALL
IN NO EVENT BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, PUNITIVE, OR
CONSEQUENTIAL DAMAGES THAT ARISE OUT OF YOUR USE OR FAILURE TO USE THE
INFORMATION CONTAINED HEREIN. This Sun Alert notification contains Sun
proprietary and confidential information. It is being provided to you
pursuant to the provisions of your agreement to purchase services from Sun,
or, if you do not have such an agreement, the Sun.com Terms of Use. This Sun
Alert notification may only be used for the purposes contemplated by these
agreements.
Copyright 2000-2006 Sun Microsystems, Inc., 4150 Network Circle, Santa
Clara, CA 95054 U.S.A. All rights reserved.
- --
Dipl. Inform. Klaus Moeller (CSIRT)
DFN-CERT Services GmbH, https://www.dfn-cert.de, Phone +49 40 808077-555
Sitz / Register: Hamburg, AG Hamburg, HRB 88805, Ust-IdNr.: DE 232129737
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.2 (GNU/Linux)
iQEVAwUBRpTt1BYd1iQZmhQQAQH7Mgf9FZ7y3jg9/9ifuNdyi979qFIeaXK8Qd+k
VxLniEzW02V4ZCC9x475qOoUqFXEsrXJmWwLsDf93r0Y0pCIkHgVvv6GHTw3a5+w
IpgcrEK5VaC15C9ql/iLvfxpoPEEq03aVyZn3EHr7O7F1x9lqHqKvkp7AAQDhNKi
t5MpTAgeDws3Q5C6nQxMdwscRK8ssGjIl8LaBvmDigP2nMHgjBuxTmoczirt3CJ4
snN6FtuwXsK8a+ADpejYgCSfqRt55bY09CHxHNiEoxn0/0E4SZ0PIhp/k7vtpVSI
o2bFgg1BLiBT23sFB3ZqeUtbcuCKEXUye6c/67OEZFcLauqNSH/reA==
=igxg
-----END PGP SIGNATURE-----