Note: This is an archival copy of Security Sun Alert 200145 as previously published on http://sunsolve.sun.com.|
Latest version of this security advisory is available from http://support.oracle.com as Sun Alert 1000105.1.
Date of Resolved Release
AnswerBook2 (AB2) administrative commands ...
Unprivileged local or remote users may be able to execute AnswerBook2 (AB2) administrative commands, such as creating new AB2 administrator accounts on systems configured as AnswerBook2 servers.
This issue is one of two vulnerabilities discussed in S21sec advisory s21sec-004 at: http://www.s21sec.com/en/avisos/s21sec-004-en.txt
This issue is also described in Sun Security Bulletin #00196 at:
http://sunsolve.sun.com/pub-cgi/secBulletin.pl (similar to SA 23412).
The other vulnerability discussed in the S21sec advisory is described in Sun Alert 23412.
2. Contributing Factors
This issue can occur in the following releases:
Note: AnswerBook2 is no longer supported as of Solaris 9, and thus Solaris 9 is not affected.
To determine the version of the currently installed AnswerBook2 Server, run the following command:
    $ grep SUNW_PRODVERS /var/sadm/pkg/SUNWab2[rsu]/pkginfo
    /var/sadm/pkg/SUNWab2r/pkginfo:SUNW_PRODVERS=1.4.4
    /var/sadm/pkg/SUNWab2s/pkginfo:SUNW_PRODVERS=1.4.4
    /var/sadm/pkg/SUNWab2u/pkginfo:SUNW_PRODVERS=1.4.4
The appearance of suspicious (unknown) AnswerBook2 administrator accounts in the file "/usr/lib/ab2/dweb/data/config/admin_passwd" may indicate that the described issue has been exploited to add additional AB2 administrator accounts. Each line in this file starts with the name of an AnswerBook2 administrator account. For example, the lines:
    ab2admin:AA7Zghd5fFgfF
    peter:AA65RfgdtzHggdh
    mary:AAFgdt569Uhgf
indicate that there are currently three AnswerBook2 administrator accounts named "ab2admin", "peter" and "mary".
There are no predictable symptoms that would show the described issue has been exploited to execute other AnswerBook2 (AB2) administrative commands on a system.
To prevent the unauthorized addition of AB2 administrators, remove all write permission from the AB2 "password" file as the root user:
    # chmod a-w /usr/lib/ab2/dweb/data/config/admin_passwd
This prevents additional AB2 administrators from being added through the AB2 administrative interface.
If additional administrators are required later, temporarily restore write access to the file, add the administrator, remove write access again, and then check the file to make sure that only the intended administrators are listed.
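The following shell script is an added example and not part of the Sun Alert or of AnswerBook2 itself. It automates the two checks described above: comparing the accounts listed in an admin_passwd file against the administrators you know you created, and confirming that no write bit remains set after the chmod a-w workaround. The function names, the allow-list and the sample file it runs on are this example's own assumptions; the sample hashes are the placeholder strings shown in the alert. Because the alert notes that other AB2 administrative commands leave no predictable trace, this audit only detects the account-addition case.

```shell
#!/bin/sh
# Added example for Sun Alert 200145 (not Sun's code): audit an AnswerBook2
# admin_passwd file against an allow-list of administrator names and check
# that the "chmod a-w" workaround is in place. On a real AB2 server the file
# is /usr/lib/ab2/dweb/data/config/admin_passwd; the names and paths used
# here are assumptions for demonstration only.

# ab2_admins FILE
#   Print one AnswerBook2 administrator name per line. Each line of the
#   file is "name:hash"; the name is whatever precedes the first colon.
ab2_admins() {
    sed -n 's/^\([^:][^:]*\):.*/\1/p' "$1"
}

# ab2_audit FILE NAME...
#   Return 0 when every account listed in FILE is one of NAME...; otherwise
#   report each unexpected account on stderr and return 1.
ab2_audit() {
    file=$1; shift
    rc=0
    for name in $(ab2_admins "$file"); do
        found=0
        for expected in "$@"; do
            [ "$name" = "$expected" ] && found=1
        done
        if [ "$found" -eq 0 ]; then
            echo "unexpected AnswerBook2 administrator: $name" >&2
            rc=1
        fi
    done
    return $rc
}

# ab2_writable FILE
#   Return 0 when any write bit (user, group or other) is set, i.e. the
#   "chmod a-w" workaround from the alert is NOT in place; return 1 when
#   the file is read-only for everyone. The mode string is taken from
#   "ls -ld" because stat(1) options differ between Solaris and other Unix.
ab2_writable() {
    mode=$(ls -ld "$1" | cut -c1-10)
    case "$mode" in
        ??w*|?????w*|????????w*) return 0 ;;
    esac
    return 1
}

# Demonstration on a constructed copy of the file shown in the alert
# (assumed content; the hashes are the alert's placeholder strings).
ab2_demo() {
    tmp=$(mktemp) || return 1
    printf '%s\n' 'ab2admin:AA7Zghd5fFgfF' \
                  'peter:AA65RfgdtzHggdh' \
                  'mary:AAFgdt569Uhgf' > "$tmp"
    chmod a-w "$tmp"

    echo "administrators listed in $tmp:"
    ab2_admins "$tmp"
    if ab2_audit "$tmp" ab2admin peter mary; then
        echo "audit against {ab2admin,peter,mary}: clean"
    fi
    # The same file audited against a shorter allow-list flags "mary".
    ab2_audit "$tmp" ab2admin peter ||
        echo "audit against {ab2admin,peter}: unexpected account found"
    if ab2_writable "$tmp"; then
        echo "$tmp is writable: workaround NOT applied"
    else
        echo "$tmp is read-only: workaround applied"
    fi
    rm -f "$tmp"
}

ab2_demo
```

On a real server, run as root: `ab2_audit /usr/lib/ab2/dweb/data/config/admin_passwd ab2admin` (listing every administrator you deliberately created after ab2admin) should return 0, and `ab2_writable /usr/lib/ab2/dweb/data/config/admin_passwd` should return 1 once the workaround has been applied. Any name the audit reports that you did not create is the symptom the alert describes and should be investigated rather than simply deleted.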
Sites which have configured AnswerBook2 Documentation Servers may wish to disable AB2 and instead refer to Sun documentation at the Sun Product Documentation web site: http://docs.sun.com or view the documentation on the Solaris Documentation CD.
To disable the AnswerBook2 Documentation Server, the following commands can be run as the root user:
    # /usr/lib/ab2/bin/ab2admin -o stop
    # /usr/lib/ab2/bin/ab2admin -o autostart_no
Please see the "Relief/Workaround" section for the resolution to this issue.
Copyright 2000-2010 Sun Microsystems, Inc., 4150 Network Circle, Santa Clara, CA 95054 U.S.A. All rights reserved.
AnswerBook2 Documentation Server 1.4