NASIRC BULLETIN #93-09                                    December 14, 1993

SunOS security vulnerability in /usr/etc/modload and
$OPENWINHOME/bin/loadmodule
===========================================================================

                                 NASIRC
          NASA Automated Systems Incident Response Capability
===========================================================================

NASIRC has learned of security vulnerabilities in SunOS pertaining to
/usr/etc/modload and $OPENWINHOME/bin/loadmodule. To prevent a system from
being vulnerable to compromise, SunOS sites must install BOTH patches
described below: patching only loadmodule does not close the hole, because
modload, the program loadmodule invokes, is vulnerable on its own.

These vulnerabilities do not exist in Solaris 2.x, on the Sun-3
architecture, or in any other version of OpenWindows.

Patch information on /usr/openwin/bin/loadmodule:
------------------------------------------------

A vulnerability exists in /usr/openwin/bin/loadmodule which could allow
root access through manipulation of environment variables. The program is
a setuid-root program that invokes /usr/etc/modload as part of its
operation. To exploit this vulnerability an individual must be able to
execute a shell script on the system. The recently discussed sendmail
vulnerability (refer to NASIRC Bulletin #93-06) could allow an attacker to
execute such a script without having to log in to your system. Only basic
UNIX commands are needed to exploit this particular vulnerability.

Patch ID:  100448-02 (SunOS 4.1.x, OpenWindows version 3.0 only)
Checksum:  19410 5 100448-02.tar.Z
           (sum(1) output: checksum, block count, file name)

*NOTE*: The modload patch, described below, must also be installed to
close these security vulnerabilities.
Patch information from Sun on /usr/etc/modload:
----------------------------------------------

A vulnerability exists within /usr/etc/modload that allows root access
through manipulation of environment variables. This program is invoked by
/usr/openwin/bin/loadmodule during normal operation. Since
/usr/openwin/bin/loadmodule is a setuid-root program, the modload program
it calls must also be patched to close all known bugs.

Patch ID:  101200-01 (SunOS 4.1.1, 4.1.2, 4.1.3 and 4.1.3C)
Checksum:  47050 29 101200-02.tar.Z
           (sum(1) output: checksum, block count, file name)

*NOTE*: The loadmodule patch described above must also be installed to
close this security vulnerability.

ADDITIONAL INFORMATION:
----------------------

One indicator that the hole may have been exploited is the presence of
/var/tmp/modload.out; check the system for this file. You should also run
COPS or similar system-integrity checking software after applying the
patches to make sure no unauthorized setuid scripts were created.

All SunOS security patches are available to customers who do not have a
support contract via anonymous ftp:

  - In the US, from /systems/sun/sun-dist on ftp.uu.net
  - In Europe, from ~ftp/sun/fixes on ftp.eu.net

Patches announced by Sun are uploaded to these two sites just before the
release of a bulletin and are seldom updated. In contrast, the "supported"
patch databases are refreshed nightly and will often contain newer versions
of a patch incorporating changes which are not security-related.

If you require assistance obtaining or installing these patches, contact
the NASIRC helpdesk.

Security checklists, toolkits and guidance are available from the NASIRC
online archives, which are available to the NASA community via anonymous
FTP from NASIRC.NASA.GOV. You will be required to enter your valid e-mail
address. Contact the NASIRC Helpdesk for more information and assistance
with toolkits or security measures.

NASIRC ACKNOWLEDGES: Jim Simmons of the University of Arizona for bringing
this vulnerability to our attention.
We would like to formally thank Mark Graff of Sun Microsystems for his
assistance in coordinating this alert and providing patch and security
information about these vulnerabilities. A special thank you to Rob Jensen,
Goddard Space Flight Center, for providing technical assistance.

==================================================================
For further assistance, please contact the NASIRC Helpdesk:
    Phone:                    1-800-7-NASIRC
    Fax:                      1-301-441-1853
    Internet Email:           nasirc@nasa.gov
    24 Hour/Emergency Pager:  1-800-759-7243/Pin:5460866
==================================================================

This bulletin may be forwarded without restrictions to sites and system
administrators within the NASA community.
-----------------
PLEASE NOTE: Users outside of the NASA community may receive NASIRC
bulletins. If you are not part of the NASA community, please contact your
agency's response team to report incidents. Your agency's team will
coordinate with NASIRC, who will ensure the proper internal NASA team(s)
are notified.

NASIRC is a member of the Forum of Incident Response and Security Teams
(FIRST), a world-wide organization which provides for coordination between
incident response teams in handling computer-security-related issues. A
list of FIRST member organizations and their constituencies can be
obtained by sending email to docserver@first.org with an empty subject
line and a message body containing the line: send first-contacts.
===========================================================================
HOW TO INSTALL THE PATCHES TO /usr/etc/modload and
/usr/openwin/bin/loadmodule

INSTALL /usr/etc/modload patch:
------------------------------

As root, make a backup copy of the file to be replaced:

    mv /usr/kvm/etc/modload /usr/kvm/modload.orig

Now install the patched file:

    cp sun4/modload /usr/kvm/modload
    chmod 755 /usr/kvm/modload

NOTE: Make sure the file protection on /usr/kvm/modload.orig is set
correctly, so that the unpatched copy cannot be run by others:

    chmod 400 /usr/kvm/modload.orig

INSTALL $OPENWINHOME/bin/loadmodule patch:
-----------------------------------------

As root, make a backup copy of loadmodule and then copy over the patched
version. Do the chmod 400 immediately after the mv: the moved-aside copy
keeps its setuid bit until then and is still exploitable.

    mv $OPENWINHOME/bin/loadmodule $OPENWINHOME/bin/loadmodule.orig
    chmod 400 $OPENWINHOME/bin/loadmodule.orig
    cp sun4/loadmodule $OPENWINHOME/bin/loadmodule
    chown root $OPENWINHOME/bin/loadmodule
    chmod 4755 $OPENWINHOME/bin/loadmodule
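The two install procedures above as a single script, added here as an example; it is not part of the NASIRC bulletin or of Sun's patch README. It assumes the patched binaries have been unpacked into a sun4/ directory as the bulletin's cp commands imply, and takes destination path, mode and owner as parameters so the demo at the bottom can run unprivileged in a constructed temporary tree. On a real SunOS 4.1.x host you would run it as root with the bulletin's paths and owner root, after checking the archive's sum(1) output against the bulletin.

```shell
#!/bin/sh
# Added example, not part of the NASIRC bulletin: the install steps as one
# idempotent script. The temporary tree, OPENWINHOME value and owner below
# are constructed for the demo; real use is as root with the real paths.

# perm_string FILE: the ls(1) mode field, e.g. -rwsr-xr-x for mode 4755.
perm_string() {
    ls -ld "$1" | cut -c1-10
}

# install_patched SRC DEST MODE OWNER
# Move the current DEST aside to DEST.orig and chmod it 400 at once (a
# moved-aside setuid binary stays exploitable until then), copy the patched
# SRC into place, then set owner and mode. An existing DEST.orig is never
# overwritten, so a second run cannot clobber the pristine backup with an
# already-patched copy.
install_patched() {
    src=$1 dest=$2 mode=$3 owner=$4
    if [ ! -f "$src" ]; then
        echo "patched file missing: $src" >&2
        return 1
    fi
    if [ -e "$dest.orig" ]; then
        echo "$dest.orig exists; keeping it as the backup" >&2
    elif [ -e "$dest" ]; then
        mv "$dest" "$dest.orig" || return 1
        chmod 400 "$dest.orig" || return 1
    fi
    cp "$src" "$dest" && chown "$owner" "$dest" && chmod "$mode" "$dest"
}

# --- demo in a constructed temporary tree ---------------------------------
demo=$(mktemp -d)
trap 'rm -rf "$demo"' EXIT
OPENWINHOME=$demo/usr/openwin    # constructed; on a real host /usr/openwin
owner=$(id -un)                  # constructed; on a real host root
mkdir -p "$demo/sun4" "$demo/usr/kvm" "$OPENWINHOME/bin"
printf 'old modload\n'        > "$demo/usr/kvm/modload"
printf 'old loadmodule\n'     > "$OPENWINHOME/bin/loadmodule"
printf 'patched modload\n'    > "$demo/sun4/modload"
printf 'patched loadmodule\n' > "$demo/sun4/loadmodule"
chmod 755  "$demo/usr/kvm/modload"
chmod 4755 "$OPENWINHOME/bin/loadmodule"

install_patched "$demo/sun4/modload"    "$demo/usr/kvm/modload"       755  "$owner"
install_patched "$demo/sun4/loadmodule" "$OPENWINHOME/bin/loadmodule" 4755 "$owner"

# Show the result: patched files with their new modes, backups read-only.
for f in "$demo/usr/kvm/modload" "$demo/usr/kvm/modload.orig" \
         "$OPENWINHOME/bin/loadmodule" "$OPENWINHOME/bin/loadmodule.orig"; do
    echo "$(perm_string "$f") $f"
done
```

The demo's final listing should show -rwxr-xr-x for modload, -rwsr-xr-x for loadmodule and -r-------- for both .orig backups; anything else means a step failed and the host is still running the unpatched code.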
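The two post-patch checks from ADDITIONAL INFORMATION, scripted as an added example that is not part of the NASIRC bulletin or of COPS. The indicator path defaults to the /var/tmp/modload.out the bulletin names; the setuid audit is the COPS-style check reduced to "which setuid files are not in a known-good list", so it generalises beyond the one file the bulletin mentions. The baseline file and the temporary tree are constructed for the demo.

```shell
#!/bin/sh
# Added example, not part of the NASIRC bulletin: exploitation indicator
# check plus a baseline-diff audit of setuid files. The temporary tree,
# file names and baseline below are constructed for the demo.

# check_indicator [FILE]
# Return 0 and warn if the exploitation indicator exists, else return 1.
check_indicator() {
    f=${1:-/var/tmp/modload.out}
    if [ -e "$f" ]; then
        echo "WARNING: $f exists; the modload hole may have been exploited"
        return 0
    fi
    return 1
}

# list_setuid DIR
# Every regular file under DIR with the setuid bit, sorted, one per line.
list_setuid() {
    find "$1" -type f -perm -4000 -print 2>/dev/null | sort
}

# new_setuid BASELINE DIR
# Setuid files under DIR that are not listed in BASELINE, one path per line.
# Create BASELINE with list_setuid on a freshly installed, trusted host, then
# run this after every patch or suspected incident.
new_setuid() {
    base=$(mktemp)
    sort "$1" > "$base"
    list_setuid "$2" | comm -13 "$base" -
    rm -f "$base"
}

# --- demo in a constructed temporary tree ---------------------------------
demo=$(mktemp -d)
trap 'rm -rf "$demo"' EXIT
mkdir -p "$demo/usr/bin" "$demo/var/tmp"
printf 'x\n' > "$demo/usr/bin/passwd"; chmod 4755 "$demo/usr/bin/passwd"  # legitimate
printf 'x\n' > "$demo/usr/bin/ls";     chmod 755  "$demo/usr/bin/ls"      # not setuid
printf 'x\n' > "$demo/var/tmp/.sh";    chmod 4755 "$demo/var/tmp/.sh"     # planted
: > "$demo/var/tmp/modload.out"                                            # indicator
printf '%s\n' "$demo/usr/bin/passwd" > "$demo/setuid.baseline"

check_indicator "$demo/var/tmp/modload.out" || echo "no indicator file"
echo "setuid files not in baseline:"
new_setuid "$demo/setuid.baseline" "$demo"
```

In the demo the audit reports only the planted /var/tmp/.sh: a setuid file in a world-writable directory that is absent from the baseline is exactly the "unauthorized setuid script" the bulletin says to look for, while the legitimate setuid passwd is silent because it is in the baseline. Absence of modload.out is not proof of a clean system, since an attacker can remove the file; the baseline diff is the check that does not depend on the attacker's tidiness.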