-----BEGIN PGP SIGNED MESSAGE----- =========================================================================== AA-97.06 AUSCERT Advisory Solaris ffbconfig Buffer Overrun Vulnerability 13 February 1997 Last Revised: 04 June 1997 Added SUN Security bulletin in Appendix A - --------------------------------------------------------------------------- AUSCERT has received information that a vulnerability exists in ffbconfig(1m), distributed under Solaris 2.5 and 2.5.1. This vulnerability may allow local users to gain root privileges. Exploit information involving this vulnerability has been made publicly available. Vendor patches have been released addressing this vulnerability. AUSCERT recommends that sites take the steps outlined in section 3 as soon as possible. This advisory will be updated as more information becomes available. - --------------------------------------------------------------------------- 1. Description ffbconfig is a program used to configure the Fast Frame Buffer (FFB) Graphics Accelerator, and is part of the FFB Configuration Software package, SUNWffbcf. This software is only of use if the FFB Graphics accelerator card is installed. If the device /dev/fbs/ffb0 exists, it may indicate that the card is installed. Due to insufficient bounds checking on arguments which are supplied by users, it is possible to overwrite the internal stack space of the ffbconfig program while it is executing. By supplying a carefully designed argument to the ffbconfig program, intruders may be able to force ffbconfig to execute arbitrary commands. As ffbconfig is setuid root, this may allow intruders to run arbitrary commands with root privileges. ffbconfig was first released under Solaris 2.5 and 2.5.1, and this vulnerability is known to affect both these releases. Sites can determine if this package is installed by checking for the SUNWffbcf package: % /usr/bin/pkginfo -l SUNWffbcf ffbconfig is installed by default in /usr/sbin. Sites are encouraged to check for the presence of this program regardless of the version of Solaris installed. Exploit information involving this vulnerability has been made publicly available. 2. Impact Local users may gain root privileges. 3. Workarounds/Solution Official vendor patches have been released by Sun Microsystems which address this vulnerability (Section 3.3). If the patches recommended by Sun Microsystems cannot be applied, AUSCERT recommends that sites prevent the exploitation of this vulnerability in ffbconfig by immediately applying the workaround given in Section 3.1. If the SUNWffbcf package is not required, it is recommended that sites remove it from their systems (Section 3.2). 3.1 Remove setuid and non-root execute permissions To prevent the exploitation of the vulnerability described in this advisory, AUSCERT recommends that the setuid permissions be removed from the ffbconfig program immediately. As ffbconfig will no longer work for non-root users, it is recommended that the execute permissions also be removed. # ls -l /usr/sbin/ffbconfig -r-sr-xr-x 1 root bin 31436 Oct 14 1995 /usr/sbin/ffbconfig # chmod 500 /usr/sbin/ffbconfig # ls -l /usr/sbin/ffbconfig -r-x------ 1 root bin 31436 Oct 14 1995 /usr/sbin/ffbconfig 3.2 Remove the SUNWffbcf package If the FFB graphics accelerator card is not installed, the SUNWffbcf package will not be required and sites are encouraged to remove it completely from their systems. This can be done by running, as root, the command: # /usr/sbin/pkgrm SUNWffbcf There are also a number of other packages which are also associated with the FFB Graphics Accelerator: SUNWffb FFB System Software (Device Driver) SUNWffbmn On-Line FFB Manual Pages SUNWffbw FFB Window System Support SUNWffbxg FFB XGL support Although there is nothing to suggest that these packages contain vulnerabilities, if you do not require their functionality, you may also wish to remove them with the /usr/sbin/pkgrm command. 3.3 Install vendor patches Sun Microsystems has released patches which address the vulnerability described in this advisory. AUSCERT recommends that sites apply theses patches as soon as possible. Operating System Patch MD5 Checksum ~~~~~~~~~~~~~~~~ ~~~~~ ~~~~~~~~~~~~ Solaris 2.5 103076-09.tar.Z 0a8aa3c106c4f09448220c1b0b714cd1 Solaris 2.5.1 103796-09.tar.Z 4994176b4c03215bd2707b87921c5096 These patches can be retrieved from: ftp://sunsolve1.sun.com.au/pub/patches/ ftp://ftp.auscert.org.au/pub/mirrors/sunsolve1.sun.com/ Sun Microsystems has also released a security bulletin containing information on the above patches. The original release of this bulletin has been appended in Appendix A. 4. Additional measures Most Unix systems ship with numerous programs which have setuid or setgid privileges. Often the functionality supplied by these privileged programs is not required by many sites. The large number of privileged programs that are shipped by default are to cater for all possible uses of the system. AUSCERT encourages sites to examine all the setuid/setgid programs and determine the necessity of each program. If a program does not absolutely require the setuid/setgid privileges to operate (for example, it is only run by the root user), the setuid/setgid privileges should be removed. Furthermore, if a program is not required at your site, then all execute permissions should be removed. A sample command to find all setuid/setgid programs is (run as root): # find / \( -perm -4000 -o -perm -2000 \) -type f -exec ls -l {} \; It is AUSCERT's experience that many vulnerability are being discovered in setuid/setgid programs which are not necessary for the correct operation of most systems. Sites can increase their security by removing unnecessary setuid/setgid programs. For example, the functionality provided by the ffbconfig program is not needed by many sites. If sites had previously disabled this program, they would not have been susceptible to this latest vulnerability. ......................................................................... Appendix A - ---------------------- BEGIN SUN SECURITY BULLETIN ---------------------- ______________________________________________________________________________ Sun Microsystems, Inc. Security Bulletin Bulletin Number: #00140 Date: 14 May 1997 Cross-Ref: AUSCERT AA-97.06 Title: Vulnerability in ffbconfig ______________________________________________________________________________ Permission is granted for the redistribution of this Bulletin, so long as the Bulletin is not edited and is attributed to Sun Microsystems. Portions may also be excerpted for re-use in other security advisories so long as proper attribution is included. Any other use of this information without the express written consent of Sun Microsystems is prohibited. Sun Microsystems expressly disclaims all liability for any misuse of this information by any third party. ______________________________________________________________________________ 1. Bulletins Topics Sun announces the release of patches for Solaris 2.5.1 (SunOS 5.5.1) and Solaris 2.5 (SunOS 5.5) that relate to vulnerabilities in the ffbconfig program, which can result in root access if exploited. Sun strongly recommends that you install these patches immediately on every affected system. Exploitation information for ffbconfig is publicly available. 2. Who is Affected Vulnerable: SunOS versions 5.5.1 and 5.5 SPARC running the Creator FFB Graphics Accelerator. See section 4. Understanding the Vulnerability, for a way to test if a system is affected. Not vulnerable: All other supported versions of SunOS This vulnerability does not exist in the upcoming release of Solaris 2.6. 3. What to Do Install the patches listed in 5. 4. Understanding the Vulnerability The ffbconfig program configures the Creator Fast Frame Buffer (FFB) Graphics Accelerator, which is part of the FFB Configuration Software Package, SUNWffbcf. This software is used when the FFB Graphics accelerator card is installed. Due to insufficient bounds checking on arguments, it is possible to overwrite the internal stack space of the ffbconfig program. If exploited, this vulnerability can be used to gain root access on attacked systems. To test if a system is vulnerable, run the following command to check for the presence of SUNWffbcf package which is installed when the FFB Graphics accelerator card is present: /usr/bin/pkginfo -l SUNWffbcf If it is not present, you will get an error message stating that SUNWffbcf was not found. If it is present, ffbconfig is installed in /usr/sbin. 5. List of Patches The vulnerability relating to ffbconfig is fixed by the following patches: OS version Patch ID ---------- -------- SunOS 5.5.1 103796-09 SunOS 5.5 103076-09 The above-mentioned patches are listed in the Graphics section under Unbundled Products at ftp://sunsolve1.sun.com/pub/patches/patches.html. 6. Checksum Table The checksum table below shows the BSD checksums (SunOS 5.x: /usr/ucb/sum), SVR4 checksums (SunOS 5.x: /usr/bin/sum), and the MD5 digital signatures for the above-mentioned patches that are available from: ftp://sunsolve1.sun.com/pub/patches/patches.html These checksums may not apply if you obtain patches from your answer centers. File Name BSD SVR4 MD5 - --------------- --------- --------- -------------------------------- 103796-09.tar.Z 37854 2479 55959 4957 4994176B4C03215BD2707B87921C5096 103076-09.tar.Z 33438 2435 42064 4869 0A8AA3C106C4F09448220C1B0B714CD1 ______________________________________________________________________________ Sun acknowledges with thanks CERT/CC and AUSCERT for their assistance in the preparation of this bulletin. Sun, CERT/CC, and AUSCERT are members of FIRST, the Forum of Incident Response and Security Teams. For more information about FIRST, visit the FIRST web site at "http://www.first.org/". ______________________________________________________________________________ APPENDICES A. Patches listed in this security bulletin are available to all Sun customers via World Wide Web at: ftp://sunsolve1.sun.com/pub/patches/patches.html Customers with Sun support contracts can also obtain patches from local Sun answer centers and SunSITEs worldwide. B. To report or inquire about a security problem with Sun software, contact one or more of the following: - Your local Sun answer centers - Your representative computer security response team, such as CERT - Sun Security Coordination Team. Send email to: security-alert@sun.com C. To receive information or subscribe to our CWS (Customer Warning System) mailing list, send email to: security-alert@sun.com with a subject line (not body) containing one of the following commands: Command Information Returned/Action Taken ------- --------------------------------- HELP An explanation of how to get information LIST A list of current security topics QUERY [topic] The mail containing the question is relayed to the Security Coordination Team for response. REPORT [topic] The mail containing the text is treated as a security report and forwarded to the Security Coordination Team. We do not recommend that detailed problem descriptions be sent in plain text. SEND topic A short status summary or bulletin. For example, to retrieve a Security Bulletin #00138, supply the following in the subject line (not body): SEND #138 SUBSCRIBE Sender is added to our mailing list. To subscribe, supply the following in the subject line (not body): SUBSCRIBE cws your-email-address Note that your-email-address should be substituted by your email address. UNSUBSCRIBE Sender is removed from our mailing list. ______________________________________________________________________________ - ---------------------- END SUN SECURITY BULLETIN -------------------------- ........................................................................... - --------------------------------------------------------------------------- AUSCERT thanks Brian Meilak (Queensland University of Technology), Sun Microsystems and DFN-CERT for their assistance in this matter. - --------------------------------------------------------------------------- The AUSCERT team have made every effort to ensure that the information contained in this document is accurate. However, the decision to use the information described is the responsibility of each user or organisation. The appropriateness of this document for an organisation or individual system should be considered before application in conjunction with local policies and procedures. AUSCERT takes no responsibility for the consequences of applying the contents of this document. If you believe that your system has been compromised, contact AUSCERT or your representative in FIRST (Forum of Incident Response and Security Teams). AUSCERT is located at The University of Queensland within the Prentice Centre. AUSCERT is a full member of the Forum of Incident Response and Security Teams (FIRST). AUSCERT maintains an anonymous FTP service which is found on: ftp://ftp.auscert.org.au/pub/. This archive contains past SERT and AUSCERT Advisories, and other computer security information. AUSCERT also maintains a World Wide Web service which is found on: http://www.auscert.org.au/. Internet Email: auscert@auscert.org.au Facsimile: (07) 3365 4477 Telephone: (07) 3365 4417 (International: +61 7 3365 4417) AUSCERT personnel answer during Queensland business hours which are GMT+10:00 (AEST). On call after hours for emergencies. Postal: Australian Computer Emergency Response Team Prentice Centre Brisbane Qld. 4072. AUSTRALIA ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ Revision History 04 Jun, 1997 Sun Microsystems has released a security bulletin addressing the vulnerability described in this advisory. This has been appended in Appendix A. Section 3 has been modified to include this information. 12 May, 1997 Changed Section 3 to include vendor patch information. 13 Feb, 1997 Updated acknowledgment section ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ -----BEGIN PGP SIGNATURE----- Version: 2.6.3i Charset: noconv Comment: ftp://ftp.auscert.org.au/pub/auscert/AUSCERT_PGP.key iQCVAwUBM5VbICh9+71yA2DNAQH+EQQAlIyV80UAsLb7p75gp58mZvP8252oNKly tPN9Gz0Py5BdrbQYuUC9bZXkeWt2a0q8Ux59dq8Vwc47UyBckD2SjurSB+YpI2ZG LP7vm3wY2amgqFPcWsJfemiAUw55qw0Zxy0aw32pmREGfUZR/RgIBvnq3i6v9IM5 qKFVH10k4ks= =aC1V -----END PGP SIGNATURE-----