Slashdot Mirror
Local Root Vulnerability in passwd(1) on Solaris 8, 9
so-1997-and-1994 writes "There is a new vulnerability in the passwd command on solaris 8 and 9. Looks like a local user privilege escalation is possible. Patch your systems. This not the first nor the last time something like this has shown up."
These days with files, nis, nis+, ldap, and different encryption schemes, passwd is a complicated program.
The risk is MEDIUM. A local unprivileged user may be able to gain unauthorized root privileges. [...] There are no reliable symptoms that would show the described issue has been exploited to gain unauthorized elevated privileges to a host.
. . . and this is "medium"?
Sun acknowledges, with thanks, Tim Wort (Tim.Wort@InklingResearch.com) for contacting
us regarding this issue.
I'm glad Sun thanked him by publishing his email address on a page now linked directly from the front of Slashdot.
First, Solaris now runs on x86 architectures, so the idea of "expensive hardware" doesn't really add up - at least, not more than for any server. Second, as to insecure software; let he who is without sin cast the first stone - who among us has used a multiuser system without some sort of security flaws? As to "failure of security through obscurity," I really believe that Sun spends a good amount of time working on security fixes, and seems to actually care about these issues, unlike some companies I could mention.
Essentially if you want to be certain that a multi-user system has not been hacked, you need to reinstall the operating system from scratch, formatting all the disks...
Each time a new local/remote root vulnerability is found the only way to be certain you haven't been cracked is to reinstall from scratch.
Even if this vulnerability would cause some log messages or other symptoms an attacker with root privileges could easily erase them.
It's ok, I already patched it for you ;)
Some news for nerds that actually matters... :)
can we please think about these little jabs before tossing them around?
"Won't somebody please think of the pedants?!"
"So there's no workaround..."
No, there are patches.
"... and no symptoms of it having been used."
As a previous poster pointed out, traces left by any root exploit can be removed once the attacker is root (unless you redirect syslog to a printer or another "secure" machine) and it is not really rare for a root exploit to leave not trace (I don't know if the recet Linux kernel mremap exploits left any).
"So, what are the chances of it happening on Linux ? Well, probably less (the many-eyes scenario), but certainly possible. This isn't a time to be smug about not running Solaris..."
What the f**k are you talking about? Most recently there was the mremap local root exploit which affected 2.4 and 2.6 Linux kernels. What is so different about that?
-- kryps
Obviusly, security is the reason why the
flaw isn't explanied in detail. Without
more explanation, however, there is no
way to tell how serious this really is.
What's yellow and dangerous? A canary w/ root
password.
In my understanding of systems security,
every security issue may be serious, but
this one is definitely less than serious.
A system that has no test:test accounts or
guest logins, with all non-privileged users
somehow known and/or affiliated with a systems
administrator, chances of a major breach are
slim.
Incidental damage by a less skilled
non-privileged user is another matter, though;
likely and depending on the circumstances -
reminds me of a poll once taken: would you trust
your significant other with your root password?
I hope this haiku style editing doesn't offend anyone.
Let's not overreact here:
a: vulnerability identified
b: patches released to fix vulnerability
all done *without* publishing a proof of concept / exploit for would-be skript0rs. There are no known exploits in the wild that abuse this vulnerability. Also bear in mind that user rights already need to be in place.
Super Awesome Broadband
When I first ran into this post, an ad of Sun appeared at the top of Slashdot's page which mentioned:
"SUN MICROSYSTEMS TECHNOLOGY HELPS TAKE YOU PLACES YOU'VE NEVER BEEN BEFORE."
Places I've never been before... Rootland?
I wasn't sure whether to believe you at first, so I looked it up and it turns out you weren't kidding! This is just too fucking funny.
Typical RMS.
Or just go back and run a filesystem scan against your known-good tripwire or AIDE database you keep on CD to see which files have been modified. Of course, you need to do it from single user mode after booting off a known-clean boot media like the install CD, but that's a helluva lot better than reinstalling everything. Sure, if you don't have a good tripwire database setup then you need to reinstall.
Sarcasm wasted on clueless reader. Film at eleven.
Game... blouses.
No passwords may seem strange to us, but try to try to keep in mind the context that created that attitude.
m l. htm l
The MIT AI lab was a tight knit community. It was very open, like a family for stallman. Passwords were just a way for the school to exercise control.
http://www.oreilly.com/openbook/freedom/ch06.ht
http://catb.org/~esr/jargon/html/os-and-jedgar
Yes, PAM creates more problems through its complexity, poor specification and an absolutely shocking API than it solves. I wouldn't be at all surprised if this bug was in the PAM library or a module.
Don't believe me? Try writing a program that doesn't block during authentication. Try writing something cross-platform (there are at least three subtly different PAM implementations). Still not convinced? Have a look at the hoops that OpenSSH has jump through to work around this and other issues. Don't get me started on the busted config file that doesn't separate mechanism from policy or the stupid idea of dynamically loading modules in a security context....
I'm surprised that the major distributions haven't moved on to something more sane. It's good that that Slackware, at least, has demonstrated some critical thinking and has not just mindlessly followed the flock.
(disclaimer: I am an OpenSSH developer, very jaded for working with PAM for too long. OTOH, I'm not the only one)
So there's no workaround ...
/bin/passwd"? Someone running passwd wouldn't be able to escallate their uid/gid. To change passwords, run su(do) first. On systems wehre users arn't expected to change their passwords (web servers, etc.), this is usually a good preventative step for most setuid programs.
How about "chmod ug-s
And for the Love of Scott, if you're going to tell the world about a patch, please, oh please, make sure the hyperlinks work.
Here's Sun's announcement, and if I click on the links to get patches,....
Sparc
Solaris 8 with patch 108993-32 or later
Solaris 9 with patch 113476-11 or later
.... the links give me:
Sorry! We couldn't find your document.
The file that you requested could not be found on this server.
G'dammit!
-ez
Karma: Whore (you look at your score after posting)