Slashdot Mirror
Local Root Vulnerability in passwd(1) on Solaris 8, 9
so-1997-and-1994 writes "There is a new vulnerability in the passwd command on solaris 8 and 9. Looks like a local user privilege escalation is possible. Patch your systems. This not the first nor the last time something like this has shown up."
So there's no workaround and no symptoms of it having been used. Ouch. Essentially if you want to be certain that a multi-user system has not been hacked, you need to reinstall the operating system from scratch, formatting all the disks...
So, what are the chances of it happening on Linux ? Well, probably less (the many-eyes scenario), but certainly possible. This isn't a time to be smug about not running Solaris...
Simon
Physicists get Hadrons!
These days with files, nis, nis+, ldap, and different encryption schemes, passwd is a complicated program.
The risk is MEDIUM. A local unprivileged user may be able to gain unauthorized root privileges. [...] There are no reliable symptoms that would show the described issue has been exploited to gain unauthorized elevated privileges to a host.
. . . and this is "medium"?
Sun acknowledges, with thanks, Tim Wort (Tim.Wort@InklingResearch.com) for contacting
us regarding this issue.
I'm glad Sun thanked him by publishing his email address on a page now linked directly from the front of Slashdot.
First, Solaris now runs on x86 architectures, so the idea of "expensive hardware" doesn't really add up - at least, not more than for any server. Second, as to insecure software; let he who is without sin cast the first stone - who among us has used a multiuser system without some sort of security flaws? As to "failure of security through obscurity," I really believe that Sun spends a good amount of time working on security fixes, and seems to actually care about these issues, unlike some companies I could mention.
It's ok, I already patched it for you ;)
So it's a local privilege escalation, already fixed, with no published exploit in the wild? I have a feeling if this were linux then it wouldn't make the front page. (Which is a moot point as everyone knows you don't get security holes in linux. Just Windows and now Solaris.)
And those two links make it look like Sol is plagued by root exploits. One's from a 1994 release of SunOS 4, the other's from nearly seven years ago.
Some news for nerds that actually matters... :)
can we please think about these little jabs before tossing them around?
"Won't somebody please think of the pedants?!"
'This is but further proof of the superiority of Microsoft Windows. Microsoft Windows has never had a problem with its passwd commands or files. I personally recommend Microsoft Windows for serious enterprise computing precisely for this reason.'
- J Allchin
Obviusly, security is the reason why the
flaw isn't explanied in detail. Without
more explanation, however, there is no
way to tell how serious this really is.
What's yellow and dangerous? A canary w/ root
password.
In my understanding of systems security,
every security issue may be serious, but
this one is definitely less than serious.
A system that has no test:test accounts or
guest logins, with all non-privileged users
somehow known and/or affiliated with a systems
administrator, chances of a major breach are
slim.
Incidental damage by a less skilled
non-privileged user is another matter, though;
likely and depending on the circumstances -
reminds me of a poll once taken: would you trust
your significant other with your root password?
I hope this haiku style editing doesn't offend anyone.
Let's not overreact here:
a: vulnerability identified
b: patches released to fix vulnerability
all done *without* publishing a proof of concept / exploit for would-be skript0rs. There are no known exploits in the wild that abuse this vulnerability. Also bear in mind that user rights already need to be in place.
Super Awesome Broadband
This is left as an excercise to the reader.
When I first ran into this post, an ad of Sun appeared at the top of Slashdot's page which mentioned:
"SUN MICROSYSTEMS TECHNOLOGY HELPS TAKE YOU PLACES YOU'VE NEVER BEEN BEFORE."
Places I've never been before... Rootland?
It's not as though Linux or the BSDs have never had one.
At this point it becomes a matter of "how much do I trust the users on my systems?". Since none of my boxes are exposed to the public, and all my users are known/trusted employees, I can't say that this is really that big of a deal.
Don't think I won't be patching it, all I'm saying is that the mere fact that the machine is powered on and connected to a network doesn't mean it's going to be 0wn3d.
Save your energy/bashing for the next Windows worm that comes along that doesn't require having an account on the machine to break in.
I wasn't sure whether to believe you at first, so I looked it up and it turns out you weren't kidding! This is just too fucking funny.
Typical RMS.
Each time a new local/remote root vulnerability is found the only way to be certain you haven't been cracked is to reinstall from scratch.
No, the only time that a new vulnerability is found, the only way to be certain that you won't be cracked in the future is to reinstall, or patch. Reinstalling doesn't retroactively guarantee that you haven't already been the victim of an exploit, which is what your post suggests.
"Accept that some days you are the pigeon, and some days you are the statue." - David Brent, Wernham Hogg
No passwords may seem strange to us, but try to try to keep in mind the context that created that attitude.
m l. htm l
The MIT AI lab was a tight knit community. It was very open, like a family for stallman. Passwords were just a way for the school to exercise control.
http://www.oreilly.com/openbook/freedom/ch06.ht
http://catb.org/~esr/jargon/html/os-and-jedgar
Yes, PAM creates more problems through its complexity, poor specification and an absolutely shocking API than it solves. I wouldn't be at all surprised if this bug was in the PAM library or a module.
Don't believe me? Try writing a program that doesn't block during authentication. Try writing something cross-platform (there are at least three subtly different PAM implementations). Still not convinced? Have a look at the hoops that OpenSSH has jump through to work around this and other issues. Don't get me started on the busted config file that doesn't separate mechanism from policy or the stupid idea of dynamically loading modules in a security context....
I'm surprised that the major distributions haven't moved on to something more sane. It's good that that Slackware, at least, has demonstrated some critical thinking and has not just mindlessly followed the flock.
(disclaimer: I am an OpenSSH developer, very jaded for working with PAM for too long. OTOH, I'm not the only one)
The kernel may be great and uber-stable, but the user-space utilities shipped with the OS are ancient and full of bugs long ago resolved in *BSD or Linux offerings.
I am talking about awk, grep, diff (still no unified diffs!) and the like. The default shells -- sh and csh -- do not even allow for command line editing. make is outdated. vi borks if you extend your xterm too wide.
Sure, you change the login shell to bash or tcsh, you can install the GNU utilities. Or BSD, for that matter (I ported FreeBSD's make(1) myself to use the bsd.*.mk files). But then, hey. you can even customize Windows to be almost like Un*x...
The "out of the box" installation should be -- and can be -- much better...
To bring this back on topic, it seems to me, the major thrust of the Solaris development is on kernel. The user space side -- including the passwd(1) -- is neglected.
In Soviet Washington the swamp drains you.
Just curious.
I used to download the patch clusters, but for single patches (or just few patches) that seems a little excessive.
I'm trying out PatchPro now - you can get it from Sun for free. But it's some 100MB+ java monster process, requires WBEM, and god knows what. Not exactly light weight or minimal by any means.
I was hoping for something roughly equivalent to "apt-get update; apt-get upgrade" - right now I'm at "smpatch update" which would be allright I guess if the WBEM services didn't take up half the memory in the box, all the CPU, and generally just took ages to run.
Bigadmins (with enough time on your hands to read slashdot), what do you do?
So there's no workaround ...
/bin/passwd"? Someone running passwd wouldn't be able to escallate their uid/gid. To change passwords, run su(do) first. On systems wehre users arn't expected to change their passwords (web servers, etc.), this is usually a good preventative step for most setuid programs.
How about "chmod ug-s
And for the Love of Scott, if you're going to tell the world about a patch, please, oh please, make sure the hyperlinks work.
Here's Sun's announcement, and if I click on the links to get patches,....
Sparc
Solaris 8 with patch 108993-32 or later
Solaris 9 with patch 113476-11 or later
.... the links give me:
Sorry! We couldn't find your document.
The file that you requested could not be found on this server.
G'dammit!
-ez
Karma: Whore (you look at your score after posting)
It's nice to have Slashdot posts about important security flaws.
But why is there nothing about the highly more critical and remotely exploitable tcp/ip denial of service discovered in all versions of FreeBSD ?
{{.sig}}
You're worried you may have a script kitty?
The patch for Solaris 8 is a giant PITA. Install in single user mode only, lots of patch incompatibilities, very sysadmin and uptime unfriendly. Many won't apply it because of the downtime it involves. At least not until there's an exploit. Then there will be hell to pay.