Note: This is an archival copy of Security Sun Alert 233284 as previously published on http://sunsolve.sun.com.|
Latest version of this security advisory is available from http://support.oracle.com as Sun Alert 1019015.1.
Solaris 10 Operating System
Date of Resolved Release
Security Vulnerability in inetd(1M) Daemon When Debug Logging is Enabled
1. ImpactThe inetd(1M) daemon will log debug messages to the log file /var/tmp/inetd.log if this file exists. A local unprivileged user may be able to create a link from this log file to another file on the system, allowing the user to modify that file. This could result in a Denial of Service (DoS).
2. Contributing FactorsThis issue can occur in the following releases:
To determine if inetd(1M) is logging messages to a file, the following command can be run:
$ ls /var/tmp/inetd.logThe presence of the inetd.log file indicates inetd(1M) is logging messages.
3. SymptomsThere are no predictable symptoms that would indicate the described issue has been exploited.
4. WorkaroundTo prevent this issue from being exploited to modify any file on the system, the root user (uid 0) can create the debug log file "/var/tmp/inetd.log". If a root owned /var/tmp/inetd.log file exists, a local unprivileged user will not be able to create a link from the inetd debug log to another file. For example:
# /usr/bin/rm /var/tmp/inetd.log
5. ResolutionThis issue is addressed in the following releases:
Copyright 2000-2008 Sun Microsystems, Inc., 4150 Network Circle, Santa Clara, CA 95054 U.S.A. All rights reserved.
28-Apr-2008: Updated Resolution section to add link for Security Technical Instruction doc
This solution has no attachment