| Title: | Solaris 2.x chkey Buffer Overflow Vulnerability |
| Date Issued: | May 22, 1997 |
| Last Modified: | June 25, 1997 |
| Code: | AA-97.18 |
| Source: | AusCERT |
-----BEGIN PGP SIGNED MESSAGE-----
===========================================================================
AA-97.18 AUSCERT Advisory
Solaris 2.x chkey Buffer Overflow Vulnerability
22 May 1997
Last Revised: 25 June 1997
Added SUN Security bulletin in Appendix A.
Changed Section 3 to include vendor patch information.
A complete revision history is at the end of this file.
- ----------------------------------------------------------------------------
AUSCERT has received information that a vulnerability exists in the
chkey(1) program under Solaris 2.x.
This vulnerability may allow local users to gain root privileges.
Exploit information involving this vulnerability has been made publicly
available.
Vendor patches have been released addressing this vulnerability.
AUSCERT recommends that sites take the steps outlined in section 3 as soon
as possible.
This advisory will be updated as more information becomes available.
- ----------------------------------------------------------------------------
1. Description
AUSCERT has received information that a vulnerability exists in the
Solaris 2.x chkey(1) program.
chkey is used to change a user's secure RPC public key and secret key
pair.
Due to insufficient bounds checking on arguments passed to the chkey
program, it is possible to overwrite the internal data space of this
program while it is executing. As chkey has setuid root permissions,
this vulnerability may allow local users to gain root privileges.
Exploit information involving this vulnerability has been made publicly
available.
chkey under Solaris 2.x is located by default in /usr/bin/.
2. Impact
Local users may gain root privileges.
3. Workarounds/Solution
Official vendor patches have been released by Sun Microsystems which
address this vulnerability (Section 3.3).
If the patches recommended by Sun Microsystems cannot be applied,
AUSCERT recommends that sites prevent the exploitation of this
vulnerability by immediately applying the workaround given in Section
3.1. To maintain the functionality of chkey, AUSCERT recommends
applying the workaround given in Section 3.2.
3.1 Remove setuid and non-root execute permissions
To prevent the exploitation of the vulnerability described in this
advisory, AUSCERT recommends that the setuid permissions be removed
from the chkey program immediately. As the chkey program will no
longer work for non-root users, it is recommended that the execute
permissions for them also be removed.
# ls -l /usr/bin/chkey
-r-sr-xr-x 1 root sys 19608 Oct 25 1995 /usr/bin/chkey
# chmod 500 /usr/bin/chkey
# ls -l /usr/bin/chkey
-r-x------ 1 root sys 19608 Oct 25 1995 /usr/bin/chkey
For those sites which require the chkey functionality, AUSCERT
recommends applying the workaround given in Section 3.2.
3.2 Install wrapper
AUSCERT has developed a wrapper to help prevent programs from being
exploited using the vulnerability described in this advisory. Sites
which have a C compiler can obtain the source, compile and install
the wrapper. Please contact AUSCERT directly if pre-compiled wrapper
binaries are required.
The source for the wrapper, including installation instructions, can
be found at:
ftp://ftp.auscert.org.au/pub/auscert/tools/overflow_wrapper/
overflow_wrapper.c
This wrapper replaces the chkey program and checks the length of the
command line arguments which are passed to it. If an argument exceeds
a certain predefined value (MAXARGLEN), the wrapper exits without
executing the chkey command. The wrapper program can also be
configured to syslog any failed attempts to execute chkey with
arguments exceeding MAXARGLEN. For further instructions on using this
wrapper, please read the comments at the top of overflow_wrapper.c.
When compiling overflow_wrapper.c for use with chkey, AUSCERT
recommends defining MAXARGLEN to be 32.
The MD5 checksum for the current version of overflow_wrapper.c can be
retrieved from:
ftp://ftp.auscert.org.au/pub/auscert/tools/overflow_wrapper/CHECKSUM
The CHECKSUM file has been digitally signed using the AUSCERT PGP key.
3.3 Install vendor patches
Sun Microsystems has released patches which address the vulnerability
described in this advisory. AUSCERT recommends that sites apply theses
patches as soon as possible.
Operating System Patch MD5 Checksum
~~~~~~~~~~~~~~~~ ~~~~~ ~~~~~~~~~~~~
SunOS 5.5.1 104968-01.tar.Z D468EDAF62453686D9744601BC69B52B
SunOS 5.5.1_x86 104969-01.tar.Z 4C6F5D9D18A38BD8B54B76B8137F63BD
SunOS 5.5 104971-01.tar.Z 34AD0B220C2495B73DBC621D88CF988B
SunOS 5.5_x86 104972-01.tar.Z D6CF025F259437335625EF325196F51D
SunOS 5.4 104973-01.tar.Z D50F404FC7DB918DB556F38F7DBF8816
SunOS 5.4_x86 104974-01.tar.Z 42B484654CD4C7F8EB7A9B54BC9061FB
SunOS 5.3 101318-89.tar.Z (to be released in 16 weeks)
These patches can be retrieved from:
ftp://sunsolve1.sun.com.au/pub/patches/
ftp://ftp.auscert.org.au/pub/mirrors/sunsolve1.sun.com/
Sun Microsystems has also released a security bulletin containing
information on the above patches. The original release of this bulletin
has been appended in Appendix A.
.........................................................................
Appendix A
- ----------------------- BEGIN SUN SECURITY BULLETIN ----------------------
- -------------------------------------------------------------------------------
Sun Microsystems, Inc. Security Bulletin
Bulletin Number: #00144
Date: June 24 1997
Cross-Ref: AUSCERT AA 97.18
Title: Vulnerability in chkey
- -------------------------------------------------------------------------------
Permission is granted for the redistribution of this Bulletin, so long as
the Bulletin is not edited and is attributed to Sun Microsystems. Portions
may also be excerpted for re-use in other security advisories so long as
proper attribution is included.
Any other use of this information without the express written consent of
Sun Microsystems is prohibited. Sun Microsystems expressly disclaims all
liability for any misuse of this information by any third party.
- -------------------------------------------------------------------------------
1. Bulletins Topics
Sun announces the release of patches for Solaris 2.5.1, 2.5, and 2.4,
(SunOS 5.5.1, 5.5, and 5.4), that relate to a vulnerability in the
chkey program.
Sun estimates that the release of a patch for Solaris 2.3 (SunOS 5.3) that
relate to the same vulnerability will be available within 16 weeks of the
date of this bulletin.
Sun strongly recommends that you install the patches listed in section 4
immediately on systems running SunOS 5.5.1, 5.5, and 5.4. Sun also strongly
recommends that you install the workaround listed in section 5 immediately
on systems running SunOS 5.3. Exploit information for chkey is publicly
available.
2. Who is Affected
Vulnerable: SunOS versions 5.5.1, 5.5.1_x86, 5.5, 5.5_x86,
5.4, 5.4_x86, and 5.3.
Not vulnerable: All other supported versions of SunOS
The vulnerability is fixed in the upcoming release of Solaris.
3. Understanding the Vulnerability
The program chkey is used to change a user's secure RPC Diffie-Hellman
public key and secret key pair. Due to insufficient bounds checking on
arguments passed to the chkey program, it is possible to overwrite the
internal data space of chkey while it is executing. As chkey has setuid
root permissions, this vulnerability may allow non-privileged users to
gain root access.
4. Workaround
Sun recommends, as a workaround, the installation of a wrapper that was
developed by AUSCERT (see AUSCERT Advisory AA-97.18). AUSCERT maintains an
FTP service at ftp://ftp/auscert/org.au/pub and a World Wide Web service
at http://www.auscert.org.au.
5. List of Patches
The vulnerability in chkey is fixed by the following patches:
OS version Patch ID
---------- --------
SunOS 5.5.1 104968-01
SunOS 5.5.1_x86 104969-01
SunOS 5.5 104971-01
SunOS 5.5_x86 104972-01
SunOS 5.4 104973-01
SunOS 5.4_x86 104974-01
SunOS 5.3 101318-89 (to be released in 16 weeks)
6. Checksum Table
The checksum table below shows the BSD checksums (SunOS 5.x: /usr/ucb/sum),
SVR4 checksums (SunOS 5.x: /usr/bin/sum), and the MD5 digital signatures
for the above-mentioned patches that are available from:
ftp://sunsolve1.sun.com/pub/patches/patches.html
These checksums may not apply if you obtain patches from your answer
centers.
File Name BSD SVR4 MD5
- ---------------- --------- --------- --------------------------------
104968-01.tar.Z 42439 112 58380 224 D468EDAF62453686D9744601BC69B52B
104969-01.tar.Z 29618 112 5311 224 4C6F5D9D18A38BD8B54B76B8137F63BD
104971-01.tar.Z 31970 112 5776 223 34AD0B220C2495B73DBC621D88CF988B
104972-01.tar.Z 49195 112 35168 224 D6CF025F259437335625EF325196F51D
104973-01.tar.Z 64330 115 23425 230 D50F404FC7DB918DB556F38F7DBF8816
104974-01.tar.Z 54484 112 33221 223 42B484654CD4C7F8EB7A9B54BC9061FB
- -------------------------------------------------------------------------------
Sun acknowledges with thanks AUSCERT for their assistance in the preparation
of this bulletin.
Sun and AUSCERT are members of FIRST, the Forum of Incident Response and
Security Teams. For more information about FIRST, visit the FIRST web site at
"http://www.first.org/".
- -------------------------------------------------------------------------------
APPENDICES
A. Patches listed in this bulletin are available to all Sun customers via
World Wide Web at:
ftp://sunsolve1.sun.com/pub/patches/patches.html
Customers with Sun support contracts can also obtain patches from local
Sun answer centers and SunSITEs worldwide.
B. Sun security bulletins are available via World Wide Web at:
http://sunsolve1.sun.com/sunsolve/secbulletins
C. To report or inquire about a security problem with Sun software, contact
one or more of the following:
- Your local Sun answer centers
- Your representative computer security response team, such as CERT
- Sun Security Coordination Team. Send email to:
security-alert@sun.com
D. To receive information or subscribe to our CWS (Customer Warning System)
mailing list, send email to:
security-alert@sun.com
with a subject line (not body) containing one of the following commands:
Command Information Returned/Action Taken
------- ---------------------------------
help An explanation of how to get information
key Sun Security Coordination Team's PGP key
list A list of current security topics
query [topic] The email is treated as an inquiry and is forwarded to
the Security Coordination Team
report [topic] The email is treated as a security report and is
forwarded to the Security Coordinaton Team. Please
encrypt sensitive mail using Sun Security Coordination
Team's PGP key
send topic A short status summary or bulletin. For example, to
retrieve a Security Bulletin #00138, supply the
following in the subject line (not body):
send #138
subscribe Sender is added to our mailing list. To subscribe,
supply the following in the subject line (not body):
subscribe cws your-email-address
Note that your-email-address should be substituted
by your email address.
unsubscribe Sender is removed from the CWS mailing list.
- -------------------------------------------------------------------------------
- ----------------------- END SUN SECURITY BULLETIN --------------------------
...........................................................................
- ----------------------------------------------------------------------------
AUSCERT thanks Nelson Marques (The University of Queensland) for his
assistance in this matter. Thanks also to the Department of Mathematics
(The University of Queensland) for providing temporary test equipment.
- ----------------------------------------------------------------------------
The AUSCERT team have made every effort to ensure that the information
contained in this document is accurate. However, the decision to use the
information described is the responsibility of each user or organisation.
The appropriateness of this document for an organisation or individual
system should be considered before application in conjunction with local
policies and procedures. AUSCERT takes no responsibility for the
consequences of applying the contents of this document.
If you believe that your system has been compromised, contact AUSCERT or
your representative in FIRST (Forum of Incident Response and Security
Teams).
AUSCERT is located at The University of Queensland within the Prentice
Centre. AUSCERT is a full member of the Forum of Incident Response and
Security Teams (FIRST).
AUSCERT maintains an anonymous FTP service which is found on:
ftp://ftp.auscert.org.au/pub/. This archive contains past SERT and AUSCERT
Advisories, and other computer security information.
AUSCERT also maintains a World Wide Web service which is found on:
http://www.auscert.org.au/.
Internet Email: auscert@auscert.org.au
Facsimile: (07) 3365 4477
Telephone: (07) 3365 4417 (International: +61 7 3365 4417)
AUSCERT personnel answer during Queensland business hours
which are GMT+10:00 (AEST).
On call after hours for emergencies.
Postal:
Australian Computer Emergency Response Team
Prentice Centre
Brisbane
Qld. 4072.
AUSTRALIA
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
Revision History
25 Jun, 1997 Sun Microsystems has released a security bulletin
addressing the vulnerability described in this advisory.
This has been appended in Appendix A. Section 3 has been
modified to include this information.
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
-----BEGIN PGP SIGNATURE-----
Version: 2.6.3i
Charset: noconv
Comment: ftp://ftp.auscert.org.au/pub/auscert/AUSCERT_PGP.key
iQCVAwUBM7Dn/ih9+71yA2DNAQEYvQP/Xtu6OkpSGEcdJZYG7IvR199u/Re1f9B4
SkrfEaFypaP2hS4L3qA81nTkTMZ4FXHC+rSmg9dCVnnaZ4xcu8j28omN7JmJXHUN
PQCvrB2Y8FVwTiJvcqoBd34Ne9UyMlb5HzKxa3+cL4Suj9oAKHDvJ76KIJ/EVykp
gticr0964Yo=
=lGCq
-----END PGP SIGNATURE-----