Slashdot Mirror


Local Root Vulnerability in passwd(1) on Solaris 8, 9

so-1997-and-1994 writes "There is a new vulnerability in the passwd command on Solaris 8 and 9. Looks like a local user privilege escalation is possible. Patch your systems. This is not the first nor the last time something like this has shown up."

4 of 283 comments

  1. Risk assessment by achurch · · Score: 5, Interesting

    The risk is MEDIUM. A local unprivileged user may be able to gain unauthorized root privileges. [...] There are no reliable symptoms that would show the described issue has been exploited to gain unauthorized elevated privileges to a host.

    . . . and this is "medium"?

    1. Re:Risk assessment by Octorian · · Score: 5, Interesting

      Furthermore, the UltraSPARC has this nice feature you can enable where the stack space is non-executable memory (a feature easily enabled in Solaris, and now OpenBSD as well). While it is still possible to exploit a buffer overflow with this feature, it is MUCH more difficult (google around, and you may find some writeups).
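As an added example (not part of Octorian's comment, and not code from Solaris itself): a small Python checker for the two /etc/system tunables that enable the non-executable user stack on Solaris SPARC, `noexec_user_stack` and `noexec_user_stack_log`. The tunable names are the documented Solaris ones; the parser, the function names and the sample file contents are constructed for this example.

```python
import re

# The two documented Solaris /etc/system tunables for the SPARC user stack.
STACK_TUNABLES = ("noexec_user_stack", "noexec_user_stack_log")

# "set name = value" as /etc/system writes it; module-scoped names such as
# "ip:ip_forwarding" contain a colon, so allow it in the name.
_SET_LINE = re.compile(r"^\s*set\s+([A-Za-z_][A-Za-z0-9_:]*)\s*=\s*(\S+)\s*$")


def parse_etc_system(text):
    """Return {tunable: value} for every 'set' line in an /etc/system file.

    Lines whose first non-blank character is '*' or '#' are comments, blank
    lines are ignored, and a later assignment overrides an earlier one, which
    is how the kernel applies the file at boot.
    """
    settings = {}
    for raw in text.splitlines():
        stripped = raw.strip()
        if not stripped or stripped[0] in "*#":
            continue
        match = _SET_LINE.match(raw)
        if match:
            settings[match.group(1)] = match.group(2)
    return settings


def noexec_stack_status(text):
    """Return (stack_non_executable, violations_logged) for an /etc/system file.

    Both default to False: if a tunable is missing or commented out, the
    kernel default (executable 32-bit stacks, no logging) applies.
    """
    settings = parse_etc_system(text)
    return (settings.get("noexec_user_stack") == "1",
            settings.get("noexec_user_stack_log") == "1")


# Constructed sample files (not taken from any real host) for a self-check.
SAMPLE_HARDENED = """\
* /etc/system - constructed sample
set noexec_user_stack = 1
set noexec_user_stack_log = 1
"""

SAMPLE_COMMENTED_OUT = """\
* disabled while debugging and never re-enabled
* set noexec_user_stack = 1
set noexec_user_stack_log=1
"""

SAMPLE_OVERRIDDEN = """\
set noexec_user_stack=1
set noexec_user_stack=0
"""

if __name__ == "__main__":
    import sys
    # Usage: python check_noexec_stack.py /etc/system   (hypothetical file name)
    data = open(sys.argv[1]).read() if len(sys.argv) > 1 else SAMPLE_HARDENED
    enabled, logged = noexec_stack_status(data)
    print("noexec_user_stack enabled:", enabled, "| logging:", logged)
```

The "last assignment wins" and "commented out counts as off" cases are the ones that bite in practice: a line someone disabled during debugging leaves the host at the kernel default. Note that the tunable governs 32-bit SPARC processes; a reboot is needed after editing /etc/system, so this check reports the configured state, not necessarily the running kernel's.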

  2. Judge this based on what? by kd4evr · · Score: 5, Interesting

    Obviously, security is the reason why the
    flaw isn't explained in detail. Without
    more explanation, however, there is no
    way to tell how serious this really is.

    What's yellow and dangerous? A canary w/ root
    password.

    In my understanding of systems security,
    every security issue may be serious, but
    this one is definitely less than serious.

    On a system that has no test:test accounts or
    guest logins, with all non-privileged users
    somehow known and/or affiliated with a systems
    administrator, chances of a major breach are
    slim.

    Incidental damage by a less skilled
    non-privileged user is another matter, though;
    likely and depending on the circumstances -
    reminds me of a poll once taken: would you trust
    your significant other with your root password?

    I hope this haiku style editing doesn't offend anyone.

  3. Re:PAM by dmiller · · Score: 5, Interesting

    It is possible to build a useful and generic authentication system without dynamic loading.

    OpenBSD and BSD/OS have one (bsd_auth) that exec()s small helper programs which implement the actual auth methods. These helpers speak a little protocol to the library via stdio.

    The use of dynamic linking here is just laziness on the part of people who would rather throw hidden complexity at problems rather than solving them through careful design.
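An added example of the exec()-a-helper-and-talk-over-stdio pattern dmiller describes, written here in Python rather than taken from bsd_auth, OpenBSD or BSD/OS: the library side never loads a module into its own address space; it runs a separate helper program, sends the request on the helper's stdin and reads a one-word verdict from its stdout. The two-line request format, the helper's built-in user table and every name below are constructed for this example and are not the bsd_auth protocol.

```python
import hashlib
import hmac
import os
import subprocess
import sys
import tempfile

# Source of the helper program.  It is written to disk and exec()ed as a
# separate process; a real deployment would install it as a root-owned binary
# at a fixed path instead of generating it at run time.
HELPER_SOURCE = r'''
import hashlib, hmac, sys

# Constructed user table: name -> (salt, PBKDF2-HMAC-SHA256 of the password).
def _hash(pw, salt):
    return hashlib.pbkdf2_hmac("sha256", pw.encode(), salt, 20000)

USERS = {"alice": (b"s4lt-alice", _hash("correct horse", b"s4lt-alice"))}

def main():
    # Constructed request format: "user <name>" and "pass <secret>", one per line.
    fields = {}
    for line in sys.stdin:
        key, _, value = line.rstrip("\n").partition(" ")
        fields[key] = value
    entry = USERS.get(fields.get("user", ""))
    if entry is None:
        print("reject")        # unknown user
        return
    salt, digest = entry
    candidate = _hash(fields.get("pass", ""), salt)
    print("authorize" if hmac.compare_digest(candidate, digest) else "reject")

main()
'''


def write_helper(directory=None):
    """Write the helper to a file and return its path (stand-in for an
    installed helper binary)."""
    fd, path = tempfile.mkstemp(suffix=".py", dir=directory)
    with os.fdopen(fd, "w") as f:
        f.write(HELPER_SOURCE)
    return path


def auth_check(helper_path, user, secret, timeout=5.0):
    """Library side: exec the helper, send the request on its stdin, read the
    verdict on its stdout.  Fails closed: only an exact 'authorize' line from
    a helper that exited 0 counts; crashes, timeouts and unexpected output
    are all treated as rejections."""
    # A newline in either field would let a caller forge protocol lines, so
    # refuse such input before anything reaches the helper.
    if any(c in user or c in secret for c in "\r\n"):
        return False
    request = f"user {user}\npass {secret}\n"
    try:
        proc = subprocess.run([sys.executable, helper_path], input=request,
                              capture_output=True, text=True, timeout=timeout)
    except subprocess.TimeoutExpired:
        return False
    if proc.returncode != 0:
        return False
    return proc.stdout.strip() == "authorize"


if __name__ == "__main__":
    helper = write_helper()
    try:
        print("alice / correct horse:", auth_check(helper, "alice", "correct horse"))
        print("alice / wrong:        ", auth_check(helper, "alice", "wrong"))
    finally:
        os.unlink(helper)
```

The design point is the one the comment makes: the helper is a separate process with its own address space, so a bug in one auth method cannot corrupt the calling program, and the only interface between them is a few lines of text that the library can validate. The fail-closed handling of crashes, timeouts and malformed output is what keeps that small interface from becoming a new way to get an "authorize" for free.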