Category
Security
Release Phase
Resolved
Product
Solaris 7 Operating System
Solaris 8 Operating System
Bug Id
4468138
Date of Resolved Release
25-JUL-2005
Impact
A security vulnerability in the multilanguage environment library "libmle" (shipped with the Japanese locale) may allow a local unprivileged user to execute arbitrary code or commands with elevated privileges. The code or commands would run with the privileges of the application that is dynamically linked to the libmle library.
Contributing Factors
This issue can occur in the following releases:
SPARC Platform
- Solaris 7 without patch 111646-01
- Solaris 8 without patch 111647-01
Notes:
- Solaris 9 and Solaris 10 are not affected by this issue.
- Solaris on the x86 platform is not affected by this issue.
- Systems without the SUNWjbcp package are not affected by this issue. The SUNWjbcp package includes libraries and input method systems to run Japanese SunOS 4.x binaries on Solaris 2.x. The Solaris installer installs the SUNWjbcp package if the user instructs the installer to install one or more Japanese locales.
- Running any BCP applications that are linked with the Japanese BCP libmle library and which have the "set user ID bit" (suid) or the "set group ID bit" (sgid) set, or which run as root and accept input from non-privileged users, may allow this vulnerability to be exploited. This includes the "kkcv" and "ccv" daemon processes, meaning that systems with one or both of these processes running are at risk. The Japanese BCP libmle library and the "kkcv" and "ccv" daemons are included in the SUNWjbcp package.
To check if the SUNWjbcp package is installed, the following command can be run:
$ pkginfo SUNWjbcp
system SUNWjbcp Japanese (EUC) SunOS 4.x Binary Compatibility
To check if "/usr/4lib/libmle.so" is a link to the Japanese BCP libmle library, the "file -h" command can be run as in the following example:
$ file -h /usr/4lib/libmle.so*
/usr/4lib/libmle.so.1.4: symbolic link to locale/ja/libmle.so.1.4
To check if an application is linked with the BCP libmle library, the ldd(1) command can be used. In the output, a line listing "/usr/4lib/libmle.so" indicates that the application uses the BCP libmle library and is a BCP application.
To check if the kkcv or ccv processes are running, both of which can be vulnerable to this issue, the following command can be run:
$ ps -fe | egrep 'kkcv|ccv'
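The checks above can be combined into a small triage script; the following is an added example, not part of the original advisory. It assumes a POSIX shell and a patch inventory already reduced to one patch ID per line; the function names are hypothetical and the sample data is constructed.

```shell
#!/bin/sh
# Added example (not from the advisory). Function names are hypothetical.
# Each helper reads saved command output on stdin so it can run offline.

# True if `file -h /usr/4lib/libmle.so*` output shows the Japanese BCP link.
links_to_ja_libmle() {
    grep 'symbolic link to locale/ja/libmle\.so' >/dev/null
}

# True if ldd(1) output for a binary lists the BCP libmle library.
uses_bcp_libmle() {
    grep '/usr/4lib/libmle\.so' >/dev/null
}

# True if stdin (assumed: one patch ID per line) has patch $1 at revision >= $2.
has_patch() {
    while IFS=- read base rev; do
        [ "$base" = "$1" ] && [ "$rev" -ge "$2" ] 2>/dev/null && return 0
    done
    return 1
}

# Prints a verdict for a SPARC host. $1 = Solaris release, $2 = yes|no
# (is SUNWjbcp installed, per pkginfo); patch list on stdin.
libmle_verdict() {
    case "$1" in
        7) fix=111646 ;;
        8) fix=111647 ;;
        9|10) echo NOT_AFFECTED; return 0 ;;
        *) echo UNKNOWN; return 0 ;;
    esac
    [ "$2" = yes ] || { echo NOT_AFFECTED; return 0; }
    if has_patch "$fix" 01; then echo PATCHED; else echo VULNERABLE; fi
}

# Constructed sample data, not taken from a real host.
SAMPLE_PATCHES='108528-13
111647-01'
printf '%s\n' "$SAMPLE_PATCHES" | libmle_verdict 8 yes
```

A VULNERABLE verdict only says the package is present without the fix; whether a given binary is exposed still depends on the ldd and suid/sgid checks described above.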
Symptoms
There are no symptoms that would indicate the described issue has been exploited to gain unauthorized root access to a system.
Workaround
If programs that are compiled on Japanese SunOS 4.x will not be used on the system, the SUNWjbcp package can be removed with the following command:
# pkgrm SUNWjbcp
Resolution
This issue is addressed in the following releases:
SPARC Platform
- Solaris 7 with patch 111646-01 or later
- Solaris 8 with patch 111647-01 or later
References
111646-01
111647-01
Attachments
This solution has no attachment