Category: Security
Release Phase: Resolved
Product: Solaris 2.5, Solaris 2.4, Solaris 2.5.1, Solaris 2.6 Operating System, Solaris 7 Operating System, Solaris 8 Operating System
Bug Id: 4458476
Date of Workaround Release: 27-JUN-2001
Date of Resolved Release: 11-APR-2003
Impact
Local users may be able to gain unauthorized root access, due to a buffer overflow in the XView library.
Contributing Factors
This issue can occur in the following releases:
SPARC Platform
- Solaris 2.4
- Solaris 2.5
- Solaris 2.5.1
- Solaris 2.6 without patch 106331-05
- Solaris 7 without patch 107374-02
- Solaris 8 without patch 111626-01
x86 Platform
- Solaris 2.4
- Solaris 2.5
- Solaris 2.5.1
- Solaris 6 without patch 106353-05
- Solaris 7 without patch 107375-02
- Solaris 8 without patch 111627-01
Notes:
Only systems with XView applications that have the "set user ID bit" (suid) or the "set group ID bit" (sgid) set are at risk.
To check if an application has the "set user ID bit" or the "set group ID bit" set, use the "ls -l" command. In the output, an "s" in the user or group permissions indicates a "set user ID bit" or "set group ID bit" respectively:
% ls -l testapp
-r-sr-sr-x 5 root
To check if an application is an XView application, use the "ldd" command. In the output a line listing "libxview.so" indicates that the application uses the XView library and is an XView application.
The find and xargs commands can also be used to look for XView applications that are set user ID or set group ID. For example, to check the /usr/openwin directory for such applications, use the command:
% find /usr/openwin/ \( -perm -4000 -o -perm -2000 \) -print | xargs ldd
In the output a line listing "libxview.so" indicates that the application uses the XView library and is an XView application.
The issue described in this document can only be exploited by users already having an account on the affected system.
Symptoms
There are no symptoms that would show the described issue has already been exploited to gain unauthorized root access to a system.
Workaround
As a possible workaround, the set user ID or set group ID bit of all affected XView applications might be removed using the "chmod" command. Removing the set user ID or set group ID bit of an application might keep it from functioning as expected.
The following application that is supplied with Solaris is potentially affected by the described issue:
/usr/openwin/bin/mailtool
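The check from the Notes and the chmod workaround above, combined into one script; this is an added example, not part of the original advisory. The function names and the LDD override variable are assumptions of the example, and the script only prints the chmod commands for review without changing any file.

```shell
#!/bin/sh
# Added example: list set-uid/set-gid files under a directory that link
# against libxview.so, then print the chmod workaround for each one.
# LDD is an assumption of this example: it lets the dependency lister be
# overridden and defaults to the system "ldd".

xview_priv_scan() {
    dir=${1:-/usr/openwin}
    # -type f skips directories that merely carry the set-gid bit.
    find "$dir" -type f \( -perm -4000 -o -perm -2000 \) -print |
    while IFS= read -r f; do
        # ldd reports an error for scripts and non-dynamic files; discard it.
        if "${LDD:-ldd}" "$f" 2>/dev/null | grep 'libxview\.so' >/dev/null; then
            printf '%s\n' "$f"
        fi
    done
}

xview_workaround_cmds() {
    # Emit the workaround as commands to review; nothing is modified here.
    xview_priv_scan "$1" | while IFS= read -r f; do
        printf "chmod u-s,g-s '%s'\n" "$f"
    done
}

# Run against the directory given on the command line, if any.
if [ "$#" -gt 0 ]; then
    xview_workaround_cmds "$1"
fi
```

Reading one file per ldd call, rather than piping the whole list through xargs, keeps each libxview.so hit tied to the file that produced it.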
Resolution
SPARC Platform
- Solaris 6 with patch 106331-05 or later
- Solaris 7 with patch 107374-02 or later
- Solaris 8 with patch 111626-01 or later
x86 Platform
- Solaris 6 with patch 106353-05 or later
- Solaris 7 with patch 107375-02 or later
- Solaris 8 with patch 111627-01 or later
Note: Solaris 2.4, 2.5, 2.5.1 will require an upgrade to a later release.
Modification History
Date: 17-OCT-2001
- Updated Contributing Factors and Resolution patch list
Date: 11-APR-2003
- State Resolved
- Updated Contributing Factors and Resolution sections
References
107374-02
111626-01
107375-02
111627-01
106353-05
106331-05
Attachments
This solution has no attachment