| Title: | Solaris 2.x ps Buffer Overflow Vulnerability |
| Date Issued: | May 21, 1997 |
| Last Modified: | August 19, 1997 |
| Code: | AA-97.17 |
| Source: | AusCERT |
-----BEGIN PGP SIGNED MESSAGE-----

===========================================================================
AA-97.17                          AUSCERT Advisory
              Solaris 2.x ps Buffer Overflow Vulnerability
                                21 May 1997

Last Revised: 19 August 1997
Corrected the MD5 checksums in Section 3.3.

A complete revision history is at the end of this file.

- ----------------------------------------------------------------------------

AUSCERT has received information that a vulnerability exists in the ps(1)
program under Solaris 2.x. This vulnerability may allow local users to gain
root privileges. Exploit information involving this vulnerability has been
made publicly available.

Vendor patches have been released addressing this vulnerability. AUSCERT
recommends that sites take the steps outlined in section 3 as soon as
possible.

This advisory will be updated as more information becomes available.

- ----------------------------------------------------------------------------

1.  Description

    AUSCERT has received information that a vulnerability exists in the
    Solaris 2.x ps(1) program. ps is a program used to print information
    about active processes on the system.

    Due to insufficient bounds checking on arguments passed to the ps
    program, it is possible to overwrite the internal data space of this
    program while it is executing. This vulnerability may allow local users
    to gain root privileges. Exploit information involving this
    vulnerability has been made publicly available.

    Under Solaris 2.x there are two distinct vulnerable versions of ps.
    These are installed by default in /usr/bin/ and /usr/ucb/.

2.  Impact

    Local users may gain root privileges.

3.  Workarounds/Solution

    Official vendor patches have been released by Sun Microsystems which
    address this vulnerability (Section 3.3).

    If the patches recommended by Sun Microsystems cannot be applied,
    AUSCERT recommends that sites prevent the exploitation of this
    vulnerability by immediately applying the workaround given in
    Section 3.1.
    To maintain the functionality of ps, AUSCERT recommends applying the
    workaround given in Section 3.2.

3.1 Remove setuid and non-root execute permissions

    To prevent the exploitation of the vulnerability described in this
    advisory, AUSCERT recommends that the setuid permissions be removed
    from the ps program immediately. As the ps program will no longer work
    for non-root users, it is recommended that the execute permissions for
    them also be removed.

        # ls -l /usr/bin/ps /usr/ucb/ps
        -r-sr-xr-x   1 root     sys        23752 Oct 25  1995 /usr/bin/ps
        -rwsr-xr-x   1 root     sys        23408 Oct 25  1995 /usr/ucb/ps

        # chmod 500 /usr/bin/ps /usr/ucb/ps

        # ls -l /usr/bin/ps /usr/ucb/ps
        -r-x------   1 root     sys        23752 Oct 25  1995 /usr/bin/ps
        -r-x------   1 root     sys        23408 Oct 25  1995 /usr/ucb/ps

3.2 Install wrapper

    AUSCERT has developed a wrapper to help prevent programs from being
    exploited using the vulnerability described in this advisory. Sites
    which have a C compiler can obtain the source, compile and install the
    wrapper. Please contact AUSCERT directly if pre-compiled wrapper
    binaries are required.

    The source for the wrapper, including installation instructions, can
    be found at:

        ftp://ftp.auscert.org.au/pub/auscert/tools/overflow_wrapper/overflow_wrapper.c

    This wrapper replaces the ps program and checks the length of the
    command line arguments which are passed to it. If an argument exceeds
    a certain predefined value (MAXARGLEN), the wrapper exits without
    executing the ps command. The wrapper program can also be configured
    to syslog any failed attempts to execute ps with arguments exceeding
    MAXARGLEN. For further instructions on using this wrapper, please read
    the comments at the top of overflow_wrapper.c.

    When compiling overflow_wrapper.c for use with ps, AUSCERT recommends
    defining MAXARGLEN to be 32.
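    The following is an added illustration of the argument-length check
    such a wrapper performs; it is not AUSCERT's overflow_wrapper.c. It
    assumes the real ps binary has been moved to a hypothetical path
    (REAL_PS) and that the wrapper is installed in its place with the
    original ownership and mode.

```c
/*
 * Added example, not AUSCERT's code: refuse to run the real ps when any
 * argument is longer than MAXARGLEN bytes, logging the refusal via syslog.
 * Assumption: the real binary was moved to REAL_PS (hypothetical path).
 */
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <syslog.h>
#include <unistd.h>

#ifndef MAXARGLEN
#define MAXARGLEN 32                 /* value the advisory recommends for ps */
#endif
#define REAL_PS "/usr/bin/ps.real"   /* hypothetical location of the real ps */

/* Return the index of the first argument (argv[0] included) whose length
 * exceeds maxlen, or -1 if every argument fits. */
int first_oversized_arg(int argc, char **argv, size_t maxlen)
{
    for (int i = 0; i < argc; i++) {
        if (strlen(argv[i]) > maxlen)
            return i;
    }
    return -1;
}

int main(int argc, char **argv)
{
    int bad = first_oversized_arg(argc, argv, MAXARGLEN);
    if (bad >= 0) {
        /* Record who tried and which argument tripped the limit. */
        openlog("ps_wrapper", LOG_PID, LOG_AUTH);
        syslog(LOG_WARNING, "refused: argv[%d] exceeds %d bytes (uid %d)",
               bad, MAXARGLEN, (int)getuid());
        closelog();
        fprintf(stderr, "%s: argument too long\n", argv[0]);
        return 1;
    }
    /* All arguments are within bounds: hand over to the real ps. */
    execv(REAL_PS, argv);
    perror("execv");
    return 1;
}
```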
    The MD5 checksum for the current version of overflow_wrapper.c can be
    retrieved from:

        ftp://ftp.auscert.org.au/pub/auscert/tools/overflow_wrapper/CHECKSUM

    The CHECKSUM file has been digitally signed using the AUSCERT PGP key.

3.3 Install vendor patches

    Sun Microsystems has released patches which address the vulnerability
    described in this advisory. AUSCERT recommends that sites apply these
    patches as soon as possible.

        Operating System    Patch       MD5 Checksum
        ~~~~~~~~~~~~~~~~    ~~~~~       ~~~~~~~~~~~~
        SunOS 5.5.1         105050-01   9E75E084879BAAAC785735188F09BD1A
        SunOS 5.5.1_x86     105051-01   612A6C200D59BA69087FCD3EBA6DF3B2
        SunOS 5.5           105052-01   41EE88EBC098B3E90E4FAEAA7E59E818
        SunOS 5.5_x86       105053-01   D57C2E934B1AEE887535CBDB6E88D723
        SunOS 5.4           102711-02   DE783A4320E5F1290E8CCBEA6A313EDF
        SunOS 5.4_x86       102712-02   DA1C0188D4137E30934182CC23A648FC
        SunOS 5.3           101545-03   12CF86B803C40842421DD284DAC7FDB0

    These patches can be retrieved from:

        ftp://sunsolve1.sun.com.au/pub/patches/patches.html
        ftp://ftp.auscert.org.au/pub/mirrors/sunsolve1.sun.com/

    Sun Microsystems has also released a security bulletin containing
    information on the above patches. The original release of this
    bulletin can be retrieved from:

        http://sunsolve.sun.com/sunsolve/secbulletins/security-alert-149.txt

- ----------------------------------------------------------------------------
AUSCERT thanks Nelson Marques (The University of Queensland) for his
assistance in this matter.
- ----------------------------------------------------------------------------

The AUSCERT team have made every effort to ensure that the information
contained in this document is accurate. However, the decision to use the
information described is the responsibility of each user or organisation.
The appropriateness of this document for an organisation or individual
system should be considered before application in conjunction with local
policies and procedures. AUSCERT takes no responsibility for the
consequences of applying the contents of this document.
If you believe that your system has been compromised, contact AUSCERT or
your representative in FIRST (Forum of Incident Response and Security
Teams).

AUSCERT is located at The University of Queensland within the Prentice
Centre. AUSCERT is a full member of the Forum of Incident Response and
Security Teams (FIRST).

AUSCERT maintains an anonymous FTP service which is found on:
ftp://ftp.auscert.org.au/pub/. This archive contains past SERT and AUSCERT
Advisories, and other computer security information.

AUSCERT also maintains a World Wide Web service which is found on:
http://www.auscert.org.au/.

Internet Email: auscert@auscert.org.au
Facsimile:      (07) 3365 4477
Telephone:      (07) 3365 4417 (International: +61 7 3365 4417)
                AUSCERT personnel answer during Queensland business hours
                which are GMT+10:00 (AEST).
                On call after hours for emergencies.

Postal:         Australian Computer Emergency Response Team
                Prentice Centre
                Brisbane
                Qld. 4072.
                AUSTRALIA

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
Revision History

19 Aug 1997  Corrected the MD5 checksums in Section 3.3.

18 Aug 1997  Sun Microsystems has released a security bulletin and patches
             addressing the vulnerability described in this advisory.
             Section 3 has been modified to include vendor patch
             information.

22 May 1997  The name of ps_wrapper.tar.Z file has been changed to
             AA-97.17-ps_wrapper.tar.Z. The checksum has been changed.
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~