-----BEGIN PGP SIGNED MESSAGE-----

- ---EXTERNAL RELEASE---EXTERNAL RELEASE---EXTERNAL RELEASE---EXTERNAL RELEASE---

                  =======  ============    ======       ======
                  =======  ==============  =======     =======
                    ===      ===     ====    ======   ======
                    ===      ===========     ======= =======
                    ===      ===========     === ======= ===
                    ===      ===     ====    ===  =====  ===
                  =======  ==============  =====   ===   =====
                  =======  ============    =====    =    =====

                           EMERGENCY RESPONSE SERVICE
			OUTSIDE ADVISORY REDISTRIBUTION

05 August 1996 12:00 GMT                         Number: ERS-OAR-E01-1996:012.1
===============================================================================

The IBM-ERS Outside Advisory Redistribution is designed to provide customers
of the IBM Emergency Response Service with access to the security advisories
sent out by other computer security incident response teams, vendors, and
other groups concerned about security.

IBM makes no representations and assumes no responsibility for the contents or
accuracy of the advisories themselves.

IBM-ERS is forwarding the following information from AUSCERT.  Contact
information for AUSCERT is included in the forwarded text below; please
contact them if you have any questions or need further information.

===============================================================================

********************** FORWARDED INFORMATION STARTS HERE **********************

AL-96.04                        AUSCERT Alert
			Vulnerability in Solaris 2.x vold
                                2 August 1996
- -----------------------------------------------------------------------------

AUSCERT has received a report of a vulnerability in the Sun Microsystems
Solaris 2.x distribution involving the Volume Management daemon, vold(1M).
This program is used to help manage CDROM and floppy devices.

This vulnerability may allow a local user to gain root privileges.

Exploit details involving this vulnerability have been made publicly
available.

At this stage, AUSCERT is not aware of any official patches.  AUSCERT
recommends that sites take the actions suggested in Section 3 until official
patches are available.

- -----------------------------------------------------------------------------

1.  Description

    The Volume Management daemon, vold(1M), manages the CDROM and floppy
    devices.  For example, it provides the ability to automatically detect,
    and then mount, removable media such as CDROMs and floppy devices.

    vold is part of the Solaris 2.x Volume Management package (SUNWvolu).
    It is executed as a background daemon on system startup and runs as root.

    When vold detects that a CDROM or floppy has been inserted into a drive,
    it is configured to automatically mount the media, making it available
    to users.  Part of this process includes the creation of temporary files,
    which are used to allow the Openwindows File Manager, filemgr(1), to
    determine that new media has been mounted.  These files are created by
    the action_filemgr.so shared object which is called indirectly by vold
    through rmmount(1M).  The handling of these files is not performed in a
    secure manner.  As vold is configured to access these temporary files
    with root privileges, it may be possible to manipulate vold into creating
    or over-writing arbitrary files on the system.

    This vulnerability requires that vold be running and media managed by
    vold, such as a CDROM or floppy, be physically loaded into a drive.  Note
    that a local user need not have physical access to the media drive to
    exploit this vulnerability.  It is enough to wait until somebody else
    loads the drive, exploiting the vulnerability at that time.

    This vulnerability is known to be present in Solaris 2.4 and Solaris 2.5.
    Solaris distributions prior to Solaris 2.4 are also expected to be
    vulnerable.

2.  Impact

    Local users may be able to create or over-write arbitrary files on the
    system.  This can be leveraged to gain root privileges.

3.  Workaround

    AUSCERT believes the workarounds given in Sections 3.1 or 3.2 will address
    this vulnerability.  Vendor patches may also address this vulnerability
    in the future (Section 3.3).

3.1 Edit /etc/rmmount.conf

    The temporary files which are susceptible to attack are created by the
    /usr/lib/rmmount/action_filemgr.so.1 shared object which is called
    indirectly by vold through rmmount(1M).  rmmount(1M) can be
    configured so that it does not create the temporary files, thereby
    removing this vulnerability.

    To our knowledge, configuring rmmount(1M) in this fashion will not
    affect the functionality of vold.  It will, however, remove the
    ability of the Openwindows File Manager, filemgr(1), to automatically 
    detect newly mounted media.

    To prevent rmmount(1M) creating temporary files, sites must edit the
    /etc/rmmount.conf file and comment out (or remove) any entry which
    references action_filemgr.so.

    The standard /etc/rmmount.conf contains the following entries which
    must be commented out (or deleted) to remove this vulnerability:

	action cdrom action_filemgr.so
	action floppy action_filemgr.so

    After applying this workaround, an example of /etc/rmmount.conf may look
    like:

    	# @(#)rmmount.conf 1.2     92/09/23 SMI
    	#
    	# Removable Media Mounter configuration file.
    	#
	
    	# File system identification
    	ident hsfs ident_hsfs.so cdrom
    	ident ufs ident_ufs.so cdrom floppy pcmem
    	ident pcfs ident_pcfs.so floppy pcmem
	
    	# Actions
    	#
    	# Following two lines commented out to remove vold vulnerability
    	#
    	# action cdrom action_filemgr.so
    	# action floppy action_filemgr.so


    Note that vold does not have to be restarted for these changes to 
    take effect.


3.2 Remove the Volume Management system

    Sites who do not require the vold functionality should remove the complete
    set of Volume Management packages.  These are SUNWvolg, SUNWvolu and
    SUNWvolr.  These packages can be removed using pkgrm(1M).

3.3 Install vendor patches

    Currently, AUSCERT is not aware of any official patches which address
    this vulnerability.  When official patches are made available, AUSCERT
    suggests that they be installed.

- -----------------------------------------------------------------------------
AUSCERT wishes to thanks to Leif Hedstrom, Mark McPherson(QTAC), 
Marek Krawus(UQ), DFN-CERT and CERT/CC for their assistance in this matter.
- -----------------------------------------------------------------------------

The AUSCERT team have made every effort to ensure that the information
contained in this document is accurate.  However, the decision to use the
information described is the responsibility of each user or organisation.
The appropriateness of this document for an organisation or individual system
should be considered before application in conjunction with local policies
and procedures.  AUSCERT takes no responsibility for the consequences of
applying the contents of this document.

If you believe that your system has been compromised, contact AUSCERT or your
representative in FIRST (Forum of Incident Response and Security Teams).

AUSCERT is located at The University of Queensland within the Prentice Centre.
AUSCERT is a full member of the Forum of Incident Response and Security Teams
(FIRST).

AUSCERT maintains an anonymous FTP service which is found on:
ftp://ftp.auscert.org.au/pub/.  This archive contains past SERT and AUSCERT
Advisories, and other computer security information.

AUSCERT also maintains a World Wide Web service which is found on:
http://www.auscert.org.au/.

Internet Email: auscert@auscert.org.au
Facsimile:	(07) 3365 4477
Telephone:	(07) 3365 4417 (International: +61 7 3365 4417)
		AUSCERT personnel answer during Queensland business hours
		which are GMT+10:00 (AEST).
		On call after hours for emergencies.

Postal:
Australian Computer Emergency Response Team
c/- Prentice Centre
The University of Queensland
Brisbane
Qld.  4072.
AUSTRALIA

*********************** FORWARDED INFORMATION ENDS HERE ***********************

===============================================================================

IBM's Internet Emergency Response Service (IBM-ERS) is a subscription-based
Internet security response service that includes computer security incident
response and management, regular electronic verification of your Internet
gateway(s), and security vulnerability alerts similar to this one that are
tailored to your specific computing environment.  By acting as an extension
of your own internal security staff, IBM-ERS's team of Internet security
experts helps you quickly detect and respond to attacks and exposures across
your Internet connection(s).

As a part of IBM's Business Recovery Services organization, the IBM Internet
Emergency Response Service is a component of IBM's SecureWay(tm) line of
security products and services.  From hardware to software to consulting,
SecureWay solutions can give you the assurance and expertise you need to
protect your valuable business resources.  To find out more about the IBM
Internet Emergency Response Service, send an electronic mail message to
ers-sales@vnet.ibm.com, or call 1-800-742-2493 (Prompt 4).

IBM-ERS maintains a site on the World Wide Web at http://www.ers.ibm.com/.
Visit the site for information about the service, copies of security alerts,
team contact information, and other items.

IBM-ERS uses Pretty Good Privacy* (PGP*) as the digital signature mechanism for
security vulnerability alerts and other distributed information.  The IBM-ERS
PGP* public key is available from http://www.ers.ibm.com/team-info/pgpkey.html.
"Pretty Good Privacy" and "PGP" are trademarks of Philip Zimmerman.

IBM-ERS is a Member Team of the Forum of Incident Response and Security Teams
(FIRST), a global organization established to foster cooperation and response
coordination among computer security teams worldwide.

The information in this document is provided as a service to customers of
the IBM Emergency Response Service.  Neither International Business Machines
Corporation, Integrated Systems Solutions Corporation, nor any of their
employees, makes any warranty, express or implied, or assumes any legal
liability or responsibility for the accuracy, completeness, or usefulness of
any information, apparatus, product, or process contained herein, or
represents that its use would not infringe any privately owned rights.
Reference herein to any specific commercial products, process, or service by
trade name, trademark, manufacturer, or otherwise, does not necessarily
constitute or imply its endorsement, recommendation or favoring by IBM or
its subsidiaries.  The views and opinions of authors expressed herein do not
necessarily state or reflect those of IBM or its subsidiaries, and may not be
used for advertising or product endorsement purposes.

- ---EXTERNAL RELEASE---EXTERNAL RELEASE---EXTERNAL RELEASE---EXTERNAL RELEASE---

-----BEGIN PGP SIGNATURE-----
Version: 2.7.1

iQCVAwUBMgXr9vWDLGpfj4rlAQHuIAQA9pWiYiaa+MtxwUZY0xtT3UXV8x2G5exy
9Yw5bpiv82LChSK97MsPgYOqvir3rUe54mluvJ5gh4qArq5QGAtsgEDtmriMiUlS
Aav6W7mTUuQFZhPaz+V6Wi42J2xTadiUPrj2HTSi99JhHLg2ckUiMNeBj9Lsl+rX
gHmK0jWoDjU=
=/OV9
-----END PGP SIGNATURE-----