[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

UNIRAS Brief - 567/03 - Sun Microsystems Security Advisory



 
-----BEGIN PGP SIGNED MESSAGE-----

- ----------------------------------------------------------------------------------
   UNIRAS (UK Govt CERT) Briefing Notice - 567/03 dated 10.10.03  Time: 10:50
 UNIRAS is part of NISCC(National Infrastructure Security Co-ordination Centre)
- ---------------------------------------------------------------------------------- 
  UNIRAS material is also available from its website at www.uniras.gov.uk and
         Information about NISCC is available from www.niscc.gov.uk
- ----------------------------------------------------------------------------------

Title
=====

Sun(sm) Alert Notification tcsh(1), csh(1), sh(1) and ksh(1) Create Predictable tmpfiles
When Using "here" ('<<') Documents.
                          

Detail
====== 

Unprivileged local users may be able to overwrite or create any file on the system if a root user
uses the tcsh(1), csh(1), sh(1) or ksh(1) shell to create a "here" document.
   



                ESB-2003.0707 -- Sun(sm) Alert Notification
 tcsh(1), csh(1), sh(1) and ksh(1) Create Predictable tmpfiles When Using
                          "here" ('<<') Documents
                              10 October 2003


Product:                tcsh(1), csh(1), sh(1) and ksh(1)
Publisher:              Sun Microsystems
Operating System:       Solaris
Impact:                 Overwrite Arbitrary Files
Access Required:        Existing Account

- --------------------------BEGIN INCLUDED TEXT--------------------


   DOCUMENT ID: 27694
   SYNOPSIS: tcsh(1), csh(1), sh(1) and ksh(1) Create Predictable
   tmpfiles
   DETAIL DESCRIPTION:
   
Sun(sm) Alert Notification

     * Sun Alert ID: 27694
     * Synopsis: tcsh(1), csh(1), sh(1) and ksh(1) Create Predictable
       tmpfiles When Using "here" ('<<') Documents
     * Category: Security
     * Product: Solaris
     * BugIDs: 4384076, 4384080, 4392404, 4477619
     * Avoidance: Patch, Workaround
     * State: Resolved
     * Date Released: 17-Jul-2001, 16-Apr-2002
     * Date Closed: 16-Apr-2002
     * Date Modified: 16-Nov-2001, 16-Apr-2002, 08-Oct-2003
       
   Note: the part of this issue related to the tcsh(1) is also reported
   in Sun(sm) Alert Document 27103.
   
1. Impact

   Unprivileged local users may be able to overwrite or create any file
   on the system if a root user uses the tcsh(1), csh(1), sh(1) or ksh(1)
   shell to create a "here" document.
   
   This issue is described in CERT Vulnerability Note VU#10277 (see
   [1]http://www.kb.cert.org/vuls/id/10277).
   
2. Contributing Factors

   This issue can occur in the following releases:
   
   For tcsh:
   
   SPARC
     * Solaris 8 without patch 110943-01
       
   Intel
     * Solaris 8 without patch 110944-01
       
   Note: Solaris 7 and below are not affected. Solaris 8 07/01 and later
   update releases are not vulnerable.
   
   For csh:
   
   SPARC
     * Solaris 2.5 without patch 102982-04
     * Solaris 2.5.1 without patch 104736-05
     * Solaris 2.6 without patch 106361-12
     * Solaris 7 without patch 108574-03
     * Solaris 8 without patch 110898-02
       
   Intel
     * Solaris 2.5 without patch 102983-04
     * Solaris 2.5.1 without patch 104737-05
     * Solaris 2.6 without patch 106362-12
     * Solaris 7 without patch 108575-03
     * Solaris 8 without patch 110899-02
       
   Note: Solaris 8 04/01 and later update releases are not vulnerable.
   
   For sh:
   
   SPARC
     * Solaris 2.5
     * Solaris 2.5.1 without patch 103867-04
     * Solaris 2.6 without patch 106361-13
     * Solaris 7 without patch 108162-04
     * Solaris 8 without patch 109324-03
       
   Intel
     * Solaris 2.5
     * Solaris 2.5.1 without patch 103868-04
     * Solaris 2.6 without patch 106362-13
     * Solaris 7 without patch 108163-04
     * Solaris 8 without patch 109325-03
       
   For ksh:
   
   SPARC
     * Solaris 2.5 without patch 103253-10
     * Solaris 2.5.1 without patch 103891-08
     * Solaris 2.6 without patch 106361-13
     * Solaris 7 without patch 108416-02
       
   Intel
     * Solaris 2.5 without patch 103254-10
     * Solaris 2.5.1 without patch 103892-08
     * Solaris 2.6 without patch 106362-13
     * Solaris 7 without patch 108417-02
       
   Note: Solaris 8 is not vulnerable.
   
3. Symptoms

   There are no predictable symptoms that would show the described issue
   has occurred, as it depends on what file was overwritten or created.
   SOLUTION SUMMARY:
   
4. Relief/Workaround

   Do not create "here" documents or run tcsh(1), csh(1), sh(1) or ksh(1)
   scripts which create "here" documents as the root user ID.
   
5. Resolution

   This issue is addressed in the following releases:
   
   For tcsh:
   
   SPARC
     * Solaris 8 with patch 110943-01 or later
     * Solaris 8 07/01
       
   Intel
     * Solaris 8 with patch 110944-01 or later
     * Solaris 8 07/01
       
   For csh:
   
   SPARC
     * Solaris 2.5 with patch 102982-04 or later
     * Solaris 2.5.1 with patch 104736-05 or later
     * Solaris 2.6 with patch 106361-12 or later
     * Solaris 7 with patch 108574-03 or later
     * Solaris 8 with patch 110898-02 or later
     * Solaris 8 04/01
       
   Intel
     * Solaris 2.5 with patch 102983-04 or later
     * Solaris 2.5.1 with patch 104737-05 or later
     * Solaris 2.6 with patch 106362-12 or later
     * Solaris 7 with patch 108575-03 or later
     * Solaris 8 with patch 110899-02 or later
     * Solaris 8 04/01
       
   For sh:
   
   SPARC
     * Solaris 2.5.1 with patch 103867-04 or later
     * Solaris 2.6 with patch 106361-13 or later
     * Solaris 7 with patch 108162-04 or later
     * Solaris 8 with patch 109324-03 or later
       
   Intel
     * Solaris 2.5.1 with patch 103868-04 or later
     * Solaris 2.6 with patch 106362-13 or later
     * Solaris 7 with patch 108163-04 or later
     * Solaris 8 with patch 109325-03 or later
       
   Customers using Solaris 2.5 should use the above workaround or
   consider upgrading to Solaris 2.5.1 and above with the appropriate
   patches.
   
   For ksh:
   
   SPARC
     * Solaris 2.5 with patch 103253-10 or later
     * Solaris 2.5.1 with patch 103891-08 or later
     * Solaris 2.6 with patch 106361-13 or later
     * Solaris 7 with patch 108416-02 or later
       
   Intel
     * Solaris 2.5 with patch 103254-10 or later
     * Solaris 2.5.1 with patch 103892-08 or later
     * Solaris 2.6 with patch 106362-13 or later
     * Solaris 7 with patch 108417-02 or later
       
Change History

   16-Nov-2001:
     * updated with available patches
       
   04-Dec-2001:
     * updated with available patches
       
   14-Dec-2001:
     * updated with available patches
       
   16-Apr-2002
     * All patches are available
     * State: Resolved
       
   08-Oct-2003:
     * Added link to CERT Vulnerability Note VU#10277
       ([2]http://www.kb.cert.org/vuls/id/10277)
       
   This Sun Alert notification is being provided to you on an "AS IS"
   basis. Sun makes no representations, warranties, or guaranties as to
   the quality, suitability, truth, accuracy or completeness of any of
   the information contained herein. This Sun Alert notification may
   contain information provided by third parties. ANY AND ALL WARRANTIES,
   EXPRESS OR IMPLIED, INCLUDING WITHOUT LIMITATION WARRANTIES OF
   MERCHANTABILITY, FITNESS FOR A PARTICULAR PURPOSE, OR
   NON-INFRINGEMENT, ARE HEREBY DISCLAIMED. The issues described in this
   Sun Alert notification may or may not impact your system(s). 
   
   BY ACCESSING THIS DOCUMENT YOU ACKNOWLEDGE THAT SUN SHALL IN NO EVENT
   BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, PUNITIVE, OR
   CONSEQUENTIAL DAMAGES THAT ARISE OUT OF YOUR USE OR FAILURE TO USE THE
   INFORMATION CONTAINED HEREIN. 
   
   This Sun Alert notification contains Sun proprietary and confidential
   information. It is being provided to you pursuant to the provisions of
   your Confidential Disclosure Agreement or the confidentiality
   provisions of your agreement to purchase services from Sun. In the
   event that you do not have one of the above-referenced agreements with
   Sun, this information is provided pursuant to the confidentiality
   provisions of the Sun.com Terms of Use. This Sun Alert notification
   may only be used for the purposes contemplated by these agreements. 
   
   Copyright 2001, 2002 Sun Microsystems, Inc., 901 San Antonio Road,
   Palo Alto, CA 94303 U.S.A. All rights reserved.
   APPLIES TO: Operating Systems/Solaris, Operating Systems/Solaris x86

References

   1. http://www.kb.cert.org/vuls/id/10277
   2. http://www.kb.cert.org/vuls/id/10277




- ----------------------------------------------------------------------------------
UNIRAS wishes to acknowledge the contributions of Sun for the information
contained in this Briefing. 
- ----------------------------------------------------------------------------------
This Briefing contains the information released by the original author. Some 
of the information may have changed since it was released. If the vulnerability 
affects you, it may be prudent to retrieve the advisory from the canonical site 
to ensure that you receive the most current information concerning that problem.

Reference to any specific commercial product, process, or service by trade 
name, trademark manufacturer, or otherwise, does not constitute or imply 
its endorsement, recommendation, or favouring by UNIRAS or NISCC.  The views 
and opinions of authors expressed within this notice shall not be used for 
advertising or product endorsement purposes.

Neither UNIRAS or NISCC shall also accept responsibility for any errors 
or omissions contained within this briefing notice. In particular, they shall 
not be liable for any loss or damage whatsoever, arising from or in connection 
with the usage of information contained within this notice.

UNIRAS is a member of the Forum of Incident Response and Security Teams (FIRST) 
and has contacts with other international Incident Response Teams (IRTs) in 
order to foster cooperation and coordination in incident prevention, to prompt 
rapid reaction to incidents, and to promote information sharing amongst its 
members and the community at large. 
- ----------------------------------------------------------------------------------
<End of UNIRAS Briefing>
-----BEGIN PGP SIGNATURE-----
Version: PGP 8.0

iQCVAwUBP4Z/Y4pao72zK539AQGVcQP7B55yiOTWuIH0DNW693IObPCNzjmxOQo8
uRVvLVEcMdCFAE9RoKUbayc661N2iSgIQA7x/pK99WHSUk0oXCapLzJe1aQp8KQV
+mjjwH5J6uND2A2ZAoss59lxQ8UOXpJxVW7t9PdjEkJPgKQOtTNYo0TT8IuuPrlh
Qz/WO8DEBoQ=
=/30g
-----END PGP SIGNATURE-----