Note: This is an archival copy of Security Sun Alert 200030 as previously published on http://sunsolve.sun.com.
The latest version of this security advisory is available from http://support.oracle.com as Sun Alert 1000025.1.
Solaris 9 Operating System
Solaris 2.6 Operating System
Solaris 7 Operating System
Solaris 8 Operating System
Date of Workaround Release
Date of Resolved Release
A local unprivileged user may be able to gain unauthorized root privileges due to a security vulnerability involving the priocntl(2) system call.
This issue is described in CERT Vulnerability Note VU#683673 (see http://www.kb.cert.org/vuls/id/683673).
This issue can occur in the following releases:
There are no reliable symptoms that would show the described issue has been exploited to gain unauthorized root access.
The following workaround can be implemented as the root user to prevent an exploit for this issue from succeeding:
    # for dir in /kernel /usr/kernel
    > do
    > cd $dir
    > mkdir -p a/b/c/d/e/f/g/h/i/j/k/l/m/n/o/p
    > mv sched a/b/c/d/e/f/g/h/i/j/k/l/m/n/o/p
    > ln -s a/b/c/d/e/f/g/h/i/j/k/l/m/n/o/p/sched .
    > done
This moves the sched directory under enough directory levels that a user cannot reference a user-supplied module using a directory path such as "../../../a": PC_CLNMSZ (see priocntl(2)) is fixed in size, so a path long enough to climb back out of the nested directories does not fit.
The above workaround can be undone by the following commands:
    # for dir in /kernel /usr/kernel
    > do
    > cd $dir
    > rm sched # remove symlink
    > mv a/b/c/d/e/f/g/h/i/j/k/l/m/n/o/p/sched .
    > rm -fr a
    > done
Warning: The above procedure must be undone before installing any revision of the Kernel Update Patch (KUP).
The above script is provided "AS IS" and it is the user's responsibility to verify that it has been implemented correctly. If the above script is not implemented correctly, the system may become unbootable.
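One way to verify that the workaround has been implemented correctly, as an added example that is not part of the original Sun Alert. It assumes a POSIX shell (for example ksh) and that PC_CLNMSZ is 16 bytes; the function names max_climb and check_sched are hypothetical.

```shell
#!/bin/sh
# Added example: audit the sched relocation workaround in one kernel directory.
# Usage: for d in /kernel /usr/kernel; do check_sched "$d"; done
PC_CLNMSZ=16   # assumed class-name buffer size in bytes; confirm in <sys/priocntl.h>

# Most "../" components a class name can hold: 3 bytes each, leaving
# 1 byte for a module name and 1 for the terminating NUL.
max_climb() {
    echo $(( ($1 - 2) / 3 ))
}

# check_sched DIR
#   0 = relocated deeply enough, 1 = workaround absent or too shallow,
#   2 = sched missing/dangling or relocated outside DIR (fix before reboot)
check_sched() {
    dir=$1
    if [ ! -h "$dir/sched" ]; then
        [ -d "$dir/sched" ] || { echo "$dir: sched is missing"; return 2; }
        echo "$dir: sched is a plain directory, workaround not applied"
        return 1
    fi
    real_dir=$(cd "$dir" && pwd -P) || return 2
    real_sched=$(cd "$dir/sched" 2>/dev/null && pwd -P) ||
        { echo "$dir: sched symlink is dangling"; return 2; }
    case $real_sched in
        "$real_dir"/*) rel=${real_sched#"$real_dir"/} ;;
        *) echo "$dir: sched resolves outside $dir"; return 2 ;;
    esac
    # Directory levels between DIR and the real sched (16 for a/b/.../p/sched).
    depth=$(( $(printf '%s' "$rel" | tr -cd '/' | wc -c) ))
    limit=$(max_climb "$PC_CLNMSZ")
    # Conservative rule: the longest possible climb must end inside the nest.
    if [ "$depth" -ge "$limit" ]; then
        echo "$dir: ok (depth $depth, max climb $limit)"
        return 0
    fi
    echo "$dir: nesting too shallow (depth $depth, max climb $limit)"
    return 1
}
```

A return value of 2 means the sched symlink does not resolve as expected and should be repaired before the next reboot.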
Note: Sun would like to direct customers to the Sun BluePrints Program:
which contains in-depth technical information on security best practices for Sun systems.
This issue is addressed in the following releases:
Note: Solaris 2.5.1 will require an upgrade to a later release with appropriate patches.