************************************************************************** Security Bulletin 9535 DISA Defense Communications System August 23, 1995 Published by: DISN Security Coordination Center (SCC@NIC.DDN.MIL) 1-(800) 365-3642 DEFENSE INFORMATION SYSTEM NETWORK SECURITY BULLETIN The DISN SECURITY BULLETIN is distributed by the DISN SCC (Security Coordination Center) under DISA contract as a means of communicating information on network and host security exposures, fixes, and concerns to security and management personnel at DISN facilities. Back issues may be obtained via FTP (or Kermit) from NIC.DDN.MIL [192.112.36.5] using login="anonymous" and password="guest". The bulletin pathname is scc/disn-security-yynn (where "yy" is the year the bulletin is issued and "nn" is a bulletin number, e.g. scc/disn-security-95313131). ************************************************************************** + - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - + ! ! ! The following important advisory was issued by the Automated ! ! Systems Security Incident Support Team (ASSIST) and is being ! ! relayed unedited via the Defense Information Systems Agency's ! ! Security Coordination Center distribution system as a means ! ! of providing DISN subscribers with useful security information. ! ! ! + - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - + -----BEGIN PGP SIGNED MESSAGE----- <<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>> Automated Systems Security Incident Support Team _____ ___ ___ _____ ___ _____ | / /\ / \ / \ | / \ | | / Integritas / \ \___ \___ | \___ | | < et /____\ \ \ | \ | | \ Celeritas / \ \___/ \___/ __|__ \___/ | |_____\ <<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>> Bulletin 95-33 Release date: 18 August, 1995, 7:50 AM EDT (GMT -4) SUBJECT: Incorrect permissions on /tmp may allow root access. SUMMARY: Information has been distributed in various forums about a vulnerability in Solaris systems which allows a race condition to be exploited to gain root access. The vulnerability results from the sticky bit sometimes not being set on the /tmp directory, allowing users access to other user's files in /tmp. BACKGROUND: A race condition exists in at least one Solaris 2.x system program that can be exploited to gain root access if the user has access to the temporary files. Access to temporary files may be obtained if the permissions on the /tmp and /var/tmp directories are set incorrectly. The permissions on the /tmp directory are often reset incorrectly by the system if tmpfs (which is mounting swap as /tmp) is in use. This vulnerability affects Solaris 2.x (SunOS 5.x) systems. A similar problem has affected SunOS 4.1.x (Solaris 1.x) systems in the past (see ASSIST 92-67), and these systems should also be checked for the correct permission bits. The remainder of this Advisory uses Solaris 2.x commands as examples. Similar commands and configurations exist for SunOS 4.1.x users. To determine if you are running tmpfs, the following command can be used to verify if the filesystem for /tmp is swap: % /usr/sbin/df /tmp Filesystem kbytes used avail capacity Mounted on swap 28348 12 28336 0% /tmp or look in the file /etc/vfstab for the configuration line: #device device mount FS fsck mount mount #to mount to fsck point type pass at boot options swap - /tmp tmpfs - yes - If either of these two conditions exist, the system is running tmpfs and may automatically reset the permission bits of /tmp at the next reboot. To verify if your configuration is vulnerable, the following command may be used: % ls -ld /tmp drwxrwxrwt 2 root 61 Aug 15 12:12 /tmp If the sticky bit (t) is not set ("t" would be an "x" in the permissions string above), then the system is vulnerable. IMPACT: Users logged in to the system may gain unauthorized root privileges. An exploit script for this vulnerability has been published and distributed on the Internet. ASSIST strongly recommends DoD sites take action (see RECOMMENDED SOLUTIONS below) to eliminate this problem from all vulnerable DoD systems as soon as possible. RECOMMENDED SOLUTIONS: The information below has been verified by Sun Microsystems, which expects to release a patch in the near future. Immediate Workaround - -------------------- The immediate workaround is to set the sticky bit on the /tmp directory using the following command as root: # /usr/bin/chmod 1777 /tmp Note that this command must be performed after each reboot if you are mounting swap as /tmp (using tmpfs). In addition, the ownership and group membership of the /tmp directory should be verified using ls -ld /tmp and if incorrect may be reset by: # /usr/bin/chown root /tmp # /usr/bin/chgrp root /tmp System Reboot workaround - ------------------------ It is possible to perform these commands automatically at reboot by creating the following script as /etc/init.d/tmpfsfix: - - ----------------------8<-------------------------------------- #!/bin/sh if [ -d /tmp ] then /usr/bin/chmod 1777 /tmp /usr/bin/chgrp root /tmp /usr/bin/chown root /tmp fi - - ----------------------8<-------------------------------------- A symbolic link should be then be created called /etc/rc3.d/S79tmpfix which points to /etc/init.d/tmpfsfix by issuing the following command as root: # /usr/bin/ln -s /etc/init.d/tmpfsfix /etc/rc3.d/S79tmpfix /var/tmp permissions - -------------------- The /var/tmp directory should be similarly checked and corrected. Note that this directory is not usually mounted as tmpfs, and therefore is not subject to automatic resetting of its permission bits on reboot. % ls -ld /var/tmp drwxrwxrwt 2 root 512 Aug 15 11:35 /var/tmp <<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>> ASSIST would like to thank the Australian CERT for information contained in this bulletin. <<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>> ASSIST is an element of the Defense Information Systems Agency (DISA), Center for Information Systems Security (CISS), that provides service to the entire DoD community. Constituents of the DoD with questions about ASSIST or computer security issues, can contact ASSIST using one of the methods listed below. Non-DoD organizations/ institutions, contact the Forum of Incident Response and Security Teams (FIRST) representative. To obtain a list of FIRST member organizations and their constituencies send an email to docserver@first.org with an empty "subject" line and a message body containing the line "send first-contacts". ASSIST Information Resources: To be included in the distribution list for the ASSIST bulletins, send your Milnet (Internet) e-mail address to assist-request@assist.mil. Back issues of ASSIST bulletins, and other security related information, are available from the ASSIST BBS at 703-607-4710, 327-4710, and through anonymous FTP from assist.mil (IP address 199.211.123.11). Note: assist.mil will only accept anonymous FTP connections from Milnet addresses that are registered with the NIC or DNS. If your system is not registered, you must provide your MILNET IP address to ASSIST before access can be provided. ASSIST Contact Information: PHONE: 800-357-4231, COMM 703-607-4700, DSN 327-4700. ELECTRONIC MAIL: assist@assist.mil. ASSIST BBS: COMM 703-607-4710, DSN 327-4710, leave a message for the "sysop". FAX: COMM 703-607-4735, DSN 607-4735 ASSIST uses Pretty Good Privacy (PGP) 2.6.2 as the digital signature mechanism for bulletins. PGP 2.6.2 incorporates the RSAREF(tm) Cryptographic Toolkit under license from RSA Data Security, Inc. A copy of that license is available via anonymous FTP from net-dist.mit.edu (IP 18.72.0.3) in the file /pub/PGP/rsalicen.txt, and through the world wide web from http://net-dist.mit.edu/pgp.html. In accordance with the terms of that license, PGP 2.6.2 may be used for non-commercial purposes only. Instructions for downloading the PGP 2.6.2 software can also be obtained from net-dist.mit.edu in the pub/PGP/README file. PGP 2.6.2 and RSAREF may be subject to the export control laws of the United States of America as implemented by the United States Department of State Office of Defense Trade Controls. The PGP signature information will be attached to the end of ASSIST bulletins. Reference herein to any specific commercial product, process, or service by trade name, trademark manufacturer, or otherwise, does not constitute or imply its endorsement, recommendation, or favoring by ASSIST. The views and opinions of authors expressed herein shall not be used for advertising or product endorsement purposes. - -----BEGIN PGP PUBLIC KEY BLOCK----- Version: 2.6 mQCNAi4uZ40AAAEEAM1uraimCNeh5PtzX7KoGxC2u8uMTdl8V5sujk3MHbWvCuOM W0FqDy5s9iwfQLZWzJ7cbM6L0mNOj8eJGoz7TqGKZDDRFlKAwg0x8joleZLC2gXw FVdF/g6Mdv7ok7heoa+Y//YMeADnsSrmzqLCnhFbKYffww3EbdH6sbnW3Io9AAUR tB9BU1NJU1QgVGVhbSA8YXNzaXN0QGFzc2lzdC5taWw+iQCVAwUQL1xx7tH6sbnW 3Io9AQEBYwP9FvIJbnKjtMLUj8ghd6hophSx8WZnfQsOmZX/BbX8vKz1a5BkBn4q ANvW+uKGdUlE8LLMEm1PD59Cihcb3OoWDOU8zIOIErvry4eqa+LzEXV8nnBdes+A a1MCMGSz+K3OaP78lQ7JCGoY9TXTWIelfAdBVBG4VQcSQRn8tjRdG2e0KEFTU0lT VCBUZWFtIDxhc3Npc3RAYXNzaXN0Lmltcy5kaXNhLm1pbD6JAJUCBRAuLnHoh0Y9 0jC+b6kBAU0TA/4yXSL7K6tcfVm9ACnP4crCoutFM2w10e7YKxD850ajhWrh6rI9 O+sjU5WObqiPJ7sZHdEw/KARzPSijH/5h8HlyYa6ClksWxYuymzCsUYYJctdjcGr uakfXgYQ1TkkyUfNrN5G90NuRK/vTRe7bkmyGNYjN9Njac1Q18WVF59Chg== =d5rP - -----END PGP PUBLIC KEY BLOCK----- -----BEGIN PGP SIGNATURE----- Version: 2.6 iQCVAwUBMDR9sdH6sbnW3Io9AQG7DwP+MzhA/hZg8KnBnkF+Ouv2SXrdhtCOZbkJ Sx5/bamg72uKTkNd2MN4mAcRMwU67kKY7w5wf9whEO2zvudE9da2/pzGElGTyd71 GK/7IQTz4cKeY/Dg/gUPa4rF/h2yOtysdZNsAiEPKL+g8aTe1xaIqsSAWV9LLtRI eJlop+hk8JQ= =JAum -----END PGP SIGNATURE----- **************************************************************************** * * * The point of contact for NIPRNET security-related incidents is the * * Security Coordination Center (SCC). * * * * E-mail address: SCC@NIC.DDN.MIL * * * * Telephone: 1-(800)-365-3642 * * * * NIC Help Desk personnel are available from 7:00 a.m.-7:00 p.m. EST, * * Monday through Friday except on federal holidays. * * * **************************************************************************** PLEASE NOTE: Some users outside of the DOD computing communities may receive DISN Security Bulletins. If you are not part of the DOD community, please contact your agency's incident response team to report incidents. Your agency's team will coordinate with DOD. The Forum of Incident Response and Security Teams (FIRST) is a world-wide organization. A list of FIRST member organizations and their constituencies can be obtained by sending email to docserver@first.org with an empty subject line and a message body containing the line: send first-contacts. This document was prepared as an service to the DOD community. Neither the United States Government nor any of their employees, makes any warranty, expressed or implied, or assumes any legal liability or responsibility for the accuracy, completeness, or usefulness of any information, product, or process disclosed, or represents that its use would not infringe privately owned rights. Reference herein to any specific commercial products, process, or service by trade name, trademark manufacturer, or otherwise, does not necessarily constitute or imply its endorsement, recommendation, or favoring by the United States Government. The opinions of the authors expressed herein do not necessarily state or reflect those of the United States Government, and shall not be used for advertising or product endorsement purposes.