Note: This is an archival copy of Security Sun Alert 201462 as previously published on http://sunsolve.sun.com.
Latest version of this security advisory is available from http://support.oracle.com as Sun Alert 1001101.1.
Article ID : 1001101.1
Article Type : Sun Alerts (SURE)
Last reviewed : 2003-04-27
Audience : PUBLIC
Copyright Notice: Copyright © 2010, Oracle Corporation and/or its affiliates.

The wall(1M) Command May be Used to Send Messages Containing a Forged User ID



Category
Security

Release Phase
Resolved

Product
Solaris 9 Operating System
Solaris 2.6 Operating System
Solaris 7 Operating System
Solaris 8 Operating System

Bug Id
4803267

Date of Workaround Release
19-MAR-2003

Date of Resolved Release
28-APR-2003

Impact

Due to a security issue with the wall(1M) command, a local unprivileged user may be able to write messages to logged-in users that appear to originate from another user ID. The forged user ID may be the "root" user.


Contributing Factors

This issue can occur in the following releases:

SPARC Platform

  • Solaris 2.6 without patch 114889-01
  • Solaris 7 without patch 114891-01
  • Solaris 8 without patch 114673-01
  • Solaris 9 without patch 114861-01

x86 Platform

  • Solaris 2.6 without patch 114890-01
  • Solaris 7 without patch 114892-01
  • Solaris 8 without patch 114674-01
  • Solaris 9 without patch 114862-01

Solaris 2.5.1 will not be evaluated regarding the potential impact of the issue described in this Sun Alert document.


Symptoms

A wall message may state that it is from "root" or any other user although it actually originated from a different local logged-in user:

---
Broadcast Message from root (rpc.rwalld) on sun-hostname Fri Jan 1 00:00:00...
From root@sun-hostname: <Any message here>
---

For forged wall messages, the message header looks the same as in any other regular wall message; the output alone gives no indication that the sender is not the user named in it.


Workaround

There is no workaround.

If sensitive information is requested via a wall message, check with a trusted system administrator in person before revealing any security-sensitive data.


Resolution

This issue is addressed in the following releases:

SPARC Platform

  • Solaris 2.6 with patch 114889-01 or later
  • Solaris 7 with patch 114891-01 or later
  • Solaris 8 with patch 114673-01 or later
  • Solaris 9 with patch 114861-01 or later

x86 Platform

  • Solaris 2.6 with patch 114890-01 or later
  • Solaris 7 with patch 114892-01 or later
  • Solaris 8 with patch 114674-01 or later
  • Solaris 9 with patch 114862-01 or later
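The Contributing Factors and Resolution sections above reduce to one table: a host is affected unless the listed patch (or a later revision of it) is installed for its release and platform. The following POSIX shell script is an added example, not part of this Sun Alert, that encodes that table and checks a host against it. It maps the output of uname -r (5.6, 5.7, 5.8, 5.9) and uname -p (sparc, i386) to the required patch ID, then scans showrev -p output for that patch base at the required revision or later. The patch IDs are the ones listed in this alert; the showrev -p sample at the bottom is constructed for illustration.

```shell
#!/bin/sh
# Added example (not part of Sun Alert 201462): check whether the wall(1M)
# fix for Bug Id 4803267 is installed on a Solaris host.
# Patch IDs are taken from the advisory; the sample showrev output is constructed.

# Map a Solaris release (uname -r) and platform (uname -p) to the required patch.
# Prints the patch ID, or returns 1 if the release/platform is not covered by the alert.
wall_patch_required() {
    rel=$1; plat=$2
    case "$plat:$rel" in
        sparc:5.6) echo 114889-01 ;;
        sparc:5.7) echo 114891-01 ;;
        sparc:5.8) echo 114673-01 ;;
        sparc:5.9) echo 114861-01 ;;
        i386:5.6)  echo 114890-01 ;;
        i386:5.7)  echo 114892-01 ;;
        i386:5.8)  echo 114674-01 ;;
        i386:5.9)  echo 114862-01 ;;
        *) return 1 ;;
    esac
}

# Given the required patch ID (<base>-<rev>) and the text of `showrev -p`,
# return 0 when that patch base is installed at the required revision or later
# ("114673-01 or later" in the advisory means 114673-02, -03, ... also count).
wall_patch_installed() {
    required=$1; showrev_out=$2
    base=${required%-*}
    need_rev=${required#*-}
    # `showrev -p` prints one "Patch: <base>-<rev> Obsoletes: ..." line per installed patch.
    printf '%s\n' "$showrev_out" \
      | awk -v base="$base" -v need="$need_rev" '
          $1 == "Patch:" {
              split($2, p, "-")
              if (p[1] == base && (p[2] + 0) >= (need + 0)) found = 1
          }
          END { exit found ? 0 : 1 }'
}

# Wrapper: prints "patched", "vulnerable" or "not-covered" for the given host data.
wall_status() {
    rel=$1; plat=$2; showrev_out=$3
    req=$(wall_patch_required "$rel" "$plat") || { echo not-covered; return 0; }
    if wall_patch_installed "$req" "$showrev_out"; then
        echo patched
    else
        echo vulnerable
    fi
}

# Constructed sample `showrev -p` output for a Solaris 8 SPARC host with the fix installed.
SAMPLE_SHOWREV='Patch: 108528-29 Obsoletes:  Requires:  Incompatibles:  Packages: SUNWcar, SUNWcsr
Patch: 114673-01 Obsoletes:  Requires:  Incompatibles:  Packages: SUNWcsu'

# Check the live system when showrev(1M) is available, otherwise run on the sample.
if command -v showrev >/dev/null 2>&1; then
    wall_status "$(uname -r)" "$(uname -p)" "$(showrev -p)"
else
    wall_status 5.8 sparc "$SAMPLE_SHOWREV"
fi
```

Run it as root or any user on the host in question; showrev -p needs no privilege. Releases the alert does not cover (for example Solaris 2.5.1, which the alert states will not be evaluated) report "not-covered" rather than "patched", so they are not silently treated as fixed.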


Modification History
Date: 28-APR-2003
  • Updated Contributing Factors and Resolution sections



References

114889-01
114891-01
114673-01
114861-01
114890-01
114892-01
114674-01
114862-01



