Local Root Vulnerability in passwd(1) on Solaris 8, 9

so-1997-and-1994 writes "There is a new vulnerability in the passwd command on solaris 8 and 9. Looks like a local user privilege escalation is possible. Patch your systems. This not the first nor the last time something like this has shown up."

Thanks Tim, here's some spam

[utahjazz]

Sun acknowledges, with thanks, Tim Wort (Tim.Wort@InklingResearch.com) for contacting
us regarding this issue.

I'm glad Sun thanked him by publishing his email address on a page now linked directly from the front of Slashdot.

Re:Thanks Tim, here's some spam

[nichomoff]

You've now thanked him by pointing that out to all! ;)

What? How does this make sense?

[anothy]

// This not the first nor the last time something like this has shown up.

what? doesn't that mean that the next root vulnerability would have had to already have shown up? or is the author precognitive? the link given as "last" certainly isn't...
can we please think about these little jabs before tossing them around?

Re:What? How does this make sense?

can we please think about these little jabs before tossing them around?

"Won't somebody please think of the pedants?!"

Re:Risk assessment

yes, it's spelled m-e-d-i-u-m but pronounced "LOCAL"

Thank God..

[tarunthegreat]

I upgraded to XP. You people and your insecure operating systems. Next thing you know, you'll be able to bypass passwords by hitting the ESC key.

WE ARE THE INDIANS. YOUR TECHNOLOGICAL DISTINCTIVENESS SHALL BE OUTSOURCED. RESISTANCE IS FUTILE

Solution

[acceptera]

Solution: Stop using local user-accounts and distribute the rootpassword to the public. Simple!

Re:Solution

[ratsnapple+tea]

I wasn't sure whether to believe you at first, so I looked it up and it turns out you weren't kidding! This is just too fucking funny.

Why GNU su does not support the `wheel' group
(This section is by Richard Stallman.)

Sometimes a few of the users try to hold total power over all the rest. For example, in 1984, a few users at the MIT AI lab decided to seize power by changing the operator password on the Twenex system and keeping it secret from everyone else. (I was able to thwart this coup and give power back to the users by patching the kernel, but I wouldn't know how to do that in Unix.)

However, occasionally the rulers do tell someone. Under the usual su mechanism, once someone learns the root password who sympathizes with the ordinary users, he can tell the rest. The "wheel group" feature would make this impossible, and thus cement the power of the rulers.

I'm on the side of the masses, not that of the rulers. If you are used to supporting the bosses and sysadmins in whatever they do, you might find this idea strange at first.

Typical RMS.

Re:Sigh...

[Pond823]

It's ok, I already patched it for you ;)

Finally...

[EmagGeek]

Some news for nerds that actually matters... :)

Further Proof

[rixstep]

'This is but further proof of the superiority of Microsoft Windows. Microsoft Windows has never had a problem with its passwd commands or files. I personally recommend Microsoft Windows for serious enterprise computing precisely for this reason.'
- J Allchin

Re:so how does on go about exploiting this... expl

[Goldfinger7400]

So how does one go about exploiting this... exploit?

This is left as an excercise to the reader.

Intelligent advertising system?

When I first ran into this post, an ad of Sun appeared at the top of Slashdot's page which mentioned:
"SUN MICROSYSTEMS TECHNOLOGY HELPS TAKE YOU PLACES YOU'VE NEVER BEEN BEFORE."

Places I've never been before... Rootland?

Concerned

While I'm glad its local only, I'm still worried. I have a Sun Blade 60 that I bought to learn Solaris on, and while I'm the only one using it, I don't know if I trust me cat. Should I be worried? I'll still patch as soon as possible...

fingers crossed, suspiciously stares at kitten....

Root vulnerability in passwd(5)

I heard if you throw the password file at the filesystem hard enough, the root password falls out!

Re:solaris bashing?

[lewp]

Sarcasm wasted on clueless reader. Film at eleven.

How are you gentlemen?

All your Solaris root password are belong to me.

phew

I'm glad I never updated from Solaris 7, I'll be perfectly secure now.

I wuv you CDE.

Too easy...

[KillerHamster]

You're worried you may have a script kitty?

Solaris 10

[kyoko21]

Good thing I just finished my download of Solaris 10. Why patch when you can just install a whole new OS? Oh wait, that's Microsoft's Security system. Looks like I'm going to get sued for reverse engineering... :-(

it's slashdotted

[Joe_NoOne]

Wow... sunsolve has been "slashdotted". Good thing they're the "dot in dot com" ;)

Re:There but for the Grace of God go I

[russellh]

So there's no workaround and no symptoms of it having been used. Ouch. Essentially if you want to be certain that a multi-user system has not been hacked, you need to reinstall the operating system from scratch, formatting all the disks...

My Ultra 10 with Solaris 8 is absolutely secure. I have every confidence it has not and will not be hacked. This is Sun we're talking about. They are the dot in dot com. The network is the computer. As a vote of confidence, I have placed my Ultra 10 in my closet, off.

Re:There but for the Grace of God go I

[TobiasSodergren]

There's a lot of positive side effects with that tactic:

1) The computer will be secured no matter what OS you install
2) You'll get smaller electricity bills

As long as your closet is above earth level, the computer will also be reasonably safe from being infected by worms too!

Re:There but for the Grace of God go I

[BlackHorse]

Just bring in help from the Windows department. They are very experienced in the sort of repair you suggest. What would you like to format today?