Note: This is an archival copy of Security Sun Alert 240101 as previously published on http://sunsolve.sun.com.
The latest version of this security advisory is available from http://support.oracle.com as Sun Alert 1019497.1.
Solaris 8 Operating System
Solaris 9 Operating System
Solaris 10 Operating System
Date of Resolved Release
Security Vulnerability in Solaris snoop(1M) when Displaying SMB Traffic
A security vulnerability in the snoop(1M) network utility relating to the display of SMB traffic may allow a remote user to execute arbitrary commands as the user "nobody" or possibly another local user.
Sun acknowledges, with thanks, Gael Delalleau, working with the iDefense VCP, for bringing these issues to our attention.
These issues are also described in the following documents:
CVE-2008-0964 at http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2008-0964
CVE-2008-0965 at http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2008-0965
2. Contributing Factors
This issue can occur in the following releases:
For a system to be affected by this issue, a user must run the snoop(1M) utility without using the "-o" option. When snoop interprets a maliciously crafted packet, it can trigger the issue and allow arbitrary commands to be run as the user running snoop. This can happen whether the packet is captured "live" from an interface or is already in a snoop capture file and is being read via the "-i" flag.
When run as the user "root", the snoop utility changes the effective user to "nobody", so in this case the commands will run as the user "nobody" and not as the user "root". For all other users the commands will run as that user.
There are no predictable symptoms that would indicate this issue has been exploited to execute arbitrary code.
There is no workaround that would allow the snoop(1M) command to be used without risking exposure to this issue. To defend completely against this issue, the snoop command should not be used until the patches listed in the Resolution section can be applied.
This issue is addressed in the following releases: