Slashdot Mirror


Local Root Vulnerability in passwd(1) on Solaris 8, 9

so-1997-and-1994 writes "There is a new vulnerability in the passwd command on Solaris 8 and 9. Looks like a local user privilege escalation is possible. Patch your systems. This is not the first nor the last time something like this has shown up."

6 of 283 comments

  1. Re:Slowlaris is Dying! by prat393 · · Score: 5, Informative

    First, Solaris now runs on x86 architectures, so the idea of "expensive hardware" doesn't really add up - at least, not more than for any server. Second, as to insecure software; let he who is without sin cast the first stone - who among us has used a multiuser system without some sort of security flaws? As to "failure of security through obscurity," I really believe that Sun spends a good amount of time working on security fixes, and seems to actually care about these issues, unlike some companies I could mention.

  2. Re:Not surprising by mst76 · · Score: 5, Informative
    > Shouldn't need to be; most of that should be handed off to the PAM modules.

    A quote from the changelogs of Slackware 9.1, just to offer a different perspective:
    openssh-3.7.1p2.
    This fixes security problems with PAM authentication. It also includes several code cleanups from Solar Designer. Slackware does not use PAM and is not vulnerable to any of the fixed problems. Please indulge me for this brief aside (as requests for PAM are on the rise):
    If you see a security problem reported which depends on PAM, you can be glad you run Slackware. I think a better name for PAM might be SCAM, for Swiss Cheese Authentication Modules, and have never felt that the small amount of convenience it provides is worth the great loss of system security. We miss out on half a dozen security problems a year by not using PAM, but you can always install it yourself if you feel that you're missing out on the fun. (No, don't do that)
    OK, I'm done ranting here. :-)

  3. Re:Risk assessment by achurch · · Score: 4, Informative

    That's why I said "or your favorite buffer overflow exploit"; I just picked HTTP for an example because it's one of the better-known cases. My point is that "local" vulnerabilities become remote ones when paired with buffer overflows in programs accepting remote input.

    Besides, you can break out of a chroot jail.

  4. Workaround plus bad hyperlinks by ziegast · · Score: 5, Informative

    So there's no workaround ...

    How about "chmod ug-s /bin/passwd"? Someone running passwd wouldn't be able to escalate their uid/gid. To change passwords, run su(do) first. On systems where users aren't expected to change their passwords (web servers, etc.), this is usually a good preventative step for most setuid programs.

    And for the Love of Scott, if you're going to tell the world about a patch, please, oh please, make sure the hyperlinks work.

    Here's Sun's announcement, and if I click on the links to get patches,....

    Sparc
    Solaris 8 with patch 108993-32 or later
    Solaris 9 with patch 113476-11 or later

    .... the links give me:

    Sorry! We couldn't find your document.

    The file that you requested could not be found on this server.


    G'dammit!

    -ez

    Karma: Whore (you look at your score after posting)
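
The "chmod ug-s" workaround in the comment above, extended to a whole directory with an allowlist, as an added example that is not part of the thread or of Sun's advisory. The function names, the `DRY_RUN` variable and the keep-list arguments are assumptions of this sketch.

```sh
#!/bin/sh
# Added example, not code from the thread. KEEP paths passed in are the
# caller's own allowlist (an assumption of this sketch).
# Usage: DRY_RUN=1; harden_setid /usr/bin /usr/bin/su

# list_setid DIR: print regular files under DIR with setuid or setgid set.
list_setid() {
    find "$1" -xdev -type f \( -perm -4000 -o -perm -2000 \) -print 2>/dev/null | sort
}

# harden_setid DIR [KEEP...]: run "chmod ug-s" on every setuid/setgid file
# under DIR whose path is not in KEEP. Set DRY_RUN=1 to report only.
# Paths containing newlines are not supported.
harden_setid() {
    dir=$1
    shift
    list_setid "$dir" | while IFS= read -r f; do
        keep=no
        for k in "$@"; do
            if [ "$f" = "$k" ]; then keep=yes; fi
        done
        mode=$(ls -ld "$f" | awk '{print $1}')   # record mode before any change
        if [ "$keep" = yes ]; then
            echo "keep   $mode $f"
        elif [ "${DRY_RUN:-0}" = 1 ]; then
            echo "would  $mode $f"
        else
            chmod ug-s "$f" && echo "strip  $mode $f"
        fi
    done
}
```

The printed mode column is the state before the change, so the output doubles as a record for restoring the bits once the vendor patch is installed.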

  5. Re:PAM by six809 · · Score: 4, Informative

    I wouldn't be at all surprised if this bug was in the PAM library or a module.

    Neither would I. From the patch details:

    Files included with this patch:

    /usr/lib/libpam.so.1
    /usr/lib/llib-lpasswdutil
    /usr/lib/llib-lpasswdutil.ln
    /usr/lib/passwdutil.so.1
    /usr/lib/security/pam_authtok_check.so.1
    /usr/lib/security/pam_authtok_get.so.1
    /usr/lib/security/pam_authtok_store.so.1
    /usr/lib/security/pam_dhkeys.so.1
    /usr/lib/security/pam_ldap.so.1
    /usr/lib/security/pam_passwd_auth.so.1
    /usr/lib/security/pam_unix_account.so.1
    /usr/lib/security/pam_unix_auth.so.1
    /usr/lib/security/sparcv9/pam_authtok_check.so.1
    /usr/lib/security/sparcv9/pam_authtok_get.so.1
    /usr/lib/security/sparcv9/pam_authtok_store.so.1
    /usr/lib/security/sparcv9/pam_dhkeys.so.1
    /usr/lib/security/sparcv9/pam_ldap.so.1
    /usr/lib/security/sparcv9/pam_passwd_auth.so.1
    /usr/lib/security/sparcv9/pam_unix_account.so.1
    /usr/lib/security/sparcv9/pam_unix_auth.so.1
    /usr/lib/sparcv9/libpam.so.1
    /usr/lib/sparcv9/llib-lpasswdutil.ln
    /usr/lib/sparcv9/passwdutil.so.1

  6. This will linger on for quite a while... by lythander · · Score: 4, Informative

    The patch for Solaris 8 is a giant PITA. Install in single user mode only, lots of patch incompatibilities, very sysadmin and uptime unfriendly. Many won't apply it because of the downtime it involves. At least not until there's an exploit. Then there will be hell to pay.