Category
Security
Release Phase
Resolved
ProductSolaris 9 Operating System
Solaris 8 Operating System
Bug Id
4798073
Date of Resolved Release27-MAR-2006
Impact
A security vulnerability in the "/usr/ucb/ps" (see ps(1B)) command may allow unprivileged local users the ability to see environment variables and their values for processes which belong to other users.
Contributing Factors
This issue can occur in the following releases:
SPARC Platform
- Solaris 8 without patch 109023-05
- Solaris 9 without patch 120240-01
x86 Platform
- Solaris 8 without patch 109024-05
- Solaris 9 without patch 120239-01
Note 1: Solaris 10 is not affected by this issue.
Note 2: The ps(1m) command is used for reporting process status. The full path for this command is "/usr/bin/ps". In addition, there is "/usr/ucb/ps" which is documented in the ps(1b) manual page. Only the "/usr/ucb/ps" command is affected by the vulnerability described in this Sun Alert.
In general users will use the "/usr/bin/ps" version as most will not have the directory "/usr/ucb" in their command search path (see the appropriate PATH section of relevant shell manual pages).
Symptoms
As an unprivileged user, running the "/usr/ucb/ps axe" command shows all processes, and with the "e" flags, it also includes their environment.
$ /usr/ucb/ps axe
PID TT S TIME COMMAND
...
53 ? S 0:00 /usr/lib/devfsadm/devfseventd LD_LIBRARY_PATH= PATH=/sbin:
/usr/sbin:/usr/bin TZ=GB-Eire _INIT_PREV_LEVEL=0
...
In the example above we can see a root owned daemon, along with its environment variables and their values.
Workaround
To work around the described issue, remove the set-id bit from "/usr/ucb/ps".
Resolution
This issue is addressed in the following releases:
SPARC Platform
- Solaris 8 with patch 109023-05 or later
- Solaris 9 with patch 120240-01 or later
x86 Platform
- Solaris 8 with patch 109024-05 or later
- Solaris 9 with patch 120239-01 or later
References
109023-05
120240-01
109024-05
120239-01
AttachmentsThis solution has no attachment