Note: This is an archival copy of Security Sun Alert 200030 as previously published on http://sunsolve.sun.com.
Latest version of this security advisory is available from http://support.oracle.com as Sun Alert 1000025.1.
Article ID : 1000025.1
Article Type : Sun Alerts (SURE)
Last reviewed : 2003-04-13
Audience : PUBLIC
Copyright Notice: Copyright © 2010, Oracle Corporation and/or its affiliates.

Security Vulnerability Involving the priocntl(2) System Call



Category
Security

Release Phase
Resolved

Product
Solaris 9 Operating System
Solaris 2.5.1
Solaris 2.6 Operating System
Solaris 7 Operating System
Solaris 8 Operating System

Bug Id
4708822

Date of Workaround Release
27-NOV-2002

Date of Resolved Release
14-APR-2003

Impact

A local unprivileged user may be able to gain unauthorized root privileges due to a security vulnerability involving the priocntl(2) system call.

This issue is described in the CERT Vulnerability VU#683673 (see http://www.kb.cert.org/vuls/id/683673).


Contributing Factors

This issue can occur in the following releases:

SPARC Platform

  • Solaris 2.5.1
  • Solaris 2.6 without patch 105181-34
  • Solaris 7 without patch 106541-24
  • Solaris 8 without patch 108528-18
  • Solaris 9 without patch 112233-04

x86 Platform

  • Solaris 2.5.1
  • Solaris 2.6 without patch 105182-34
  • Solaris 7 without patch 106542-24
  • Solaris 8 without patch 108529-18
  • Solaris 9 without patch 112234-04

Symptoms

There are no reliable symptoms that would show the described issue has been exploited to gain unauthorized root access.


Workaround

The following workaround can be implemented as the root user to prevent an exploit for this issue from succeeding:

   # for dir in /kernel /usr/kernel
   > do
   >   cd $dir
   >   mkdir -p a/b/c/d/e/f/g/h/i/j/k/l/m/n/o/p
   >   mv sched a/b/c/d/e/f/g/h/i/j/k/l/m/n/o/p
   >   ln -s a/b/c/d/e/f/g/h/i/j/k/l/m/n/o/p/sched .
   > done

This creates enough directory levels to prevent a user from referencing a user-supplied module using a directory path of "../../../a", since PC_CLNMSZ (see priocntl(2)) is fixed in size and the relocated path no longer fits in it.

The above workaround can be undone by the following commands:

   # for dir in /kernel /usr/kernel
   > do
   >   cd $dir
   >   rm sched    # remove symlink
   >   mv a/b/c/d/e/f/g/h/i/j/k/l/m/n/o/p/sched .
   >   rm -fr a
   > done

Warning: The above procedure needs to be "undone" before installing any revision of the Kernel Update Patch (KUP).

The above script is provided "AS IS" and it is the user's responsibility to verify it has been implemented correctly. If the above script is not implemented correctly the system may become unbootable.
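As an added check (example code, not part of the Sun Alert), the following POSIX shell function reports whether the workaround above is applied, not applied, or left in an inconsistent state under a given module directory, which is the state you want to know before installing a KUP. The relocated path a/b/.../p/sched is the one the advisory's script creates; the return-code convention and the use of ls/sed rather than readlink are this example's own choices.

```shell
#!/bin/sh
# Added example, not part of the Sun Alert: report the state of the
# sched-relocation workaround under a module directory (/kernel, /usr/kernel).
# Return codes (this example's convention): 0 = workaround applied,
# 1 = stock layout (not applied), 2 = inconsistent layout, inspect it.

# Relocated module path that the advisory's workaround script creates.
RELOCATED_SCHED="a/b/c/d/e/f/g/h/i/j/k/l/m/n/o/p/sched"

check_sched_workaround() {
    dir="$1"
    if [ -L "$dir/sched" ]; then
        # Symlink present: it must point exactly at the relocated directory,
        # and that directory must exist (a dangling link leaves no scheduling
        # class modules loadable). ls/sed is used so this works without readlink.
        target=$(ls -l "$dir/sched" | sed 's/.* -> //')
        if [ "$target" = "$RELOCATED_SCHED" ] && [ -d "$dir/$RELOCATED_SCHED" ]; then
            return 0
        fi
        return 2
    fi
    if [ -d "$dir/sched" ]; then
        # Real directory: stock layout. A leftover a/ tree beside it means a
        # partial apply or undo, which must be cleaned up before a KUP install.
        if [ -e "$dir/a" ]; then
            return 2
        fi
        return 1
    fi
    # Neither symlink nor directory: sched is missing entirely.
    return 2
}

# Print a one-line verdict for one directory.
report_sched_workaround() {
    check_sched_workaround "$1" && rc=0 || rc=$?
    case "$rc" in
        0) echo "$1: workaround applied (sched -> $RELOCATED_SCHED)" ;;
        1) echo "$1: stock layout, workaround not applied" ;;
        *) echo "$1: INCONSISTENT sched layout, inspect before installing a KUP" ;;
    esac
}

# Usage: sh check_sched.sh /kernel /usr/kernel
for d in "$@"; do
    report_sched_workaround "$d"
done
```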

Note: Sun would like to direct customers to the Sun BluePrints Program:

   http://www.sun.com/security/blueprints/

which contains in-depth technical information on security best practices for Sun systems.


Resolution

This issue is addressed in the following releases:

SPARC Platform

  • Solaris 2.6 with patch 105181-34 or later
  • Solaris 7 with patch 106541-24 or later
  • Solaris 8 with patch 108528-18 or later
  • Solaris 9 with patch 112233-04 or later

x86 Platform

  • Solaris 2.6 with patch 105182-34 or later
  • Solaris 7 with patch 106542-24 or later
  • Solaris 8 with patch 108529-18 or later
  • Solaris 9 with patch 112234-04 or later

Note: Solaris 2.5.1 will require an upgrade to a later release with appropriate patches.



Modification History
Date: 28-NOV-2002
  • Workaround added to "Relief/Workaround" section

Date: 17-DEC-2002
  • Date Released: added 17-Dec-2002
  • Updated Impact section
  • Updated Relief/Workaround section

Date: 23-DEC-2002
  • Updated Contributing Factors and Resolution sections
  • Date Released: added 23-Dec-2002

Date: 06-FEB-2003
  • Updated Contributing Factors, Relief/Workaround and Resolution sections

Date: 13-MAR-2003
  • Updated Relief/Workaround section with Temporary patches

Date: 14-APR-2003
  • State: Resolved
  • Updated Contributing Factors, Relief/Workaround and Resolution sections



References

108528-18
108529-18
112233-04
112234-04
105181-34
105182-34
106541-24
106542-24



