solaris-mkcookie.txt

1999-08-17T00:00:00
ID PACKETSTORM:15316
Type packetstorm
Reporter Packet Storm
Modified 1999-08-17T00:00:00

Description

                                        
                                            `RSI.0012.12-03-98.SOLARIS.MKCOOKIE  
  
  
  
  
  
Repent Security Incorporated, RSI  
[ http://www.repsec.com ]  
  
  
*** RSI ALERT ADVISORY ***  
  
  
--- [CREDIT] --------------------------------------------------------------  
  
Nick Dubee: Discovered the vulnerability  
Mark Zielinski: Author of the advisory  
  
--- [SUMMARY] -------------------------------------------------------------  
  
Announced: November 12, 1998  
Report code: RSI.0012.12-03-98.SOLARIS.MKCOOKIE  
Report title: Solaris x86 mkcookie  
  
Vulnerability: Please see the details section   
Vendor status: Sun Microsystems contacted on November 12, 1998  
Patch status: No patch is currently available  
  
Platforms: Solaris 2.5 x86, 2.5.1 x86, 2.6 x86, 2.7 x86  
  
Reference: http://www.repsec.com/advisories.html  
Impact: If exploited, an attacker could potentially compromise  
root access locally on your server  
  
NOTE: Solaris versions 2.3 x86 and 2.4 x86 were NOT tested;
however, they could be subject to the same vulnerability.
  
  
--- [DETAILS] -------------------------------------------------------------  
  
Description: The mkcookie program is a Solaris utility used to   
generate fresh 'Magic Cookies' each time the X server  
is run. This program is installed SUID root as  
/usr/openwin/lib/mkcookie.  
  
Problem: A programming fault has been discovered in the way
mkcookie copies the contents of the $HOME environment
variable into a buffer that has a predefined limit with
no bounds checking.
  
Details: Local users on the system can set their $HOME  
environment variable to machine code that will  
execute commands as root when mkcookie is run.  
  
This particular problem is not exploitable on the  
Sparc architecture due to the way the register values  
are saved.  
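The fault described above is an unbounded copy of an environment variable into a fixed-size buffer. The following is an added example, not RepSec's or Sun's code, that places that pattern beside a bounds-checked replacement; the 256-byte limit and the "/.Xauthority" suffix are assumptions for illustration, not details taken from mkcookie.

```c
/* Added example (not the advisory's or mkcookie's code): the unbounded
 * $HOME copy the advisory describes, next to a bounds-checked version.
 * PATH_BUF and the ".Xauthority" suffix are assumed for illustration. */
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

#define PATH_BUF 256   /* assumed fixed limit standing in for mkcookie's */

/* Vulnerable pattern: $HOME is caller-controlled and copied with no
 * length check, so a value longer than PATH_BUF overruns the buffer.
 * Shown for contrast only; never call it with untrusted input. */
void build_cookie_path_unsafe(char out[PATH_BUF], const char *home)
{
    strcpy(out, home);               /* no bounds check */
    strcat(out, "/.Xauthority");     /* assumed suffix */
}

/* Hardened version: reject any $HOME that does not fit together with
 * the suffix and the terminating NUL. Returns 0 on success, -1 on
 * rejection; `out` is untouched when the input is rejected. */
int build_cookie_path_safe(char out[PATH_BUF], const char *home)
{
    const char *suffix = "/.Xauthority";
    size_t slen = strlen(suffix);
    size_t hlen = 0;

    if (home == NULL)
        return -1;
    /* Measure without scanning past the limit, so an unterminated or
     * oversized value is detected rather than copied. */
    while (hlen < PATH_BUF && home[hlen] != '\0')
        hlen++;
    if (hlen >= PATH_BUF || hlen + slen + 1 > PATH_BUF)
        return -1;
    memcpy(out, home, hlen);
    memcpy(out + hlen, suffix, slen + 1);   /* includes the NUL */
    return 0;
}

/* Reads $HOME as a privileged program would and proceeds only when
 * the bounded copy succeeds. */
int main(void)
{
    char path[PATH_BUF];
    if (build_cookie_path_safe(path, getenv("HOME")) != 0) {
        fputs("HOME unset or too long; refusing to continue\n", stderr);
        return 1;
    }
    printf("cookie path: %s\n", path);
    return 0;
}
```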
  
  
--- [FIX] -----------------------------------------------------------------  
  
Solution: Sun is working on patches which relate to this mkcookie  
vulnerability. The patches will be made available to all  
Sun customers via the World Wide Web at:  
  
  
  
In the meantime, take the SUID bit off mkcookie until  
a patch is released for the version of Solaris you are using.  
  
repent% su  
Password:  
# chmod 711 /usr/openwin/lib/mkcookie  
  
  
---------------------------------------------------------------------------  
  
Repent Security Incorporated (RSI)  
13610 N. Scottsdale Rd.  
Suite #10-326  
Scottsdale, AZ 85254  
  
E-Mail: advise@repsec.com  
FTP: ftp://ftp.repsec.com  
WWW: http://www.repsec.com  
  
---------------------------------------------------------------------------  
  
  
Copyright December 1998 RepSec, Inc.  
  
The information in this document is provided as a service to customers  
of RepSec, Inc. Neither RepSec, Inc., nor any of its employees, makes
any warranty, express or implied, or assumes any legal liability or  
responsibility for the accuracy, completeness, or usefulness of any  
information, apparatus, product, or process contained herein, or  
represents that its use would not infringe any privately owned rights.  
Reference herein to any specific commercial products, process, or  
services by trade name, trademark, manufacturer, or otherwise, does not  
necessarily constitute or imply its endorsement, recommendation or  
favoring by RepSec, Inc. The views and opinions of authors expressed
herein do not necessarily state or reflect those of RepSec, Inc., and may
not be used for advertising or product endorsement purposes.  
  
The material in this alert advisory may be reproduced and distributed,  
without permission, in whole or in part, by other security incident  
response teams (both commercial and non-commercial), provided the above  
copyright is kept intact and due credit is given to RepSec, Inc.  
  
This alert advisory may be reproduced and distributed, without  
permission, in its entirety only, by any person provided such  
reproduction and/or distribution is performed for non-commercial  
purposes and with the intent of increasing the awareness of the Internet  
community.  
  
---------------------------------------------------------------------------  
  
RepSec, Inc. are trademarks of RepSec, Inc. All other trademarks are  
property of their respective holders.   
  
  