Note: This is an archival copy of Security Sun Alert 200793 as previously published on http://sunsolve.sun.com.
Latest version of this security advisory is available from http://support.oracle.com as Sun Alert 1000608.1.
Article ID : 1000608.1
Article Type : Sun Alerts (SURE)
Last reviewed : 2003-12-11
Audience : PUBLIC
Copyright Notice: Copyright © 2010, Oracle Corporation and/or its affiliates.

In Solaris 8 and Solaris 9 a Buffer Overflow in the LDAP Name Service May Lead to Unauthorized Root Access



Category
Security

Release Phase
Resolved

Product
Solaris 9 Operating System
Solaris 8 Operating System

Bug Id
4830525

Date of Workaround Release
26-MAR-2003

Date of Resolved Release
12-DEC-2003

Impact

On Solaris 8 and Solaris 9 systems with the LDAP name service enabled, an unprivileged local user may be able to gain unauthorized root access due to a buffer overflow in the "nss_ldap.so.1" library.


Contributing Factors

This issue can occur in the following releases:

SPARC Platform

  • Solaris 8 without patch 108993-29
  • Solaris 9 without patch 112960-09

x86 Platform

  • Solaris 8 without patch 108994-29
  • Solaris 9 without patch 114328-02

Note: Solaris 2.6 and Solaris 7 are not affected.

Solaris 2.5.1 will not be evaluated regarding the potential impact of the issue described in this Sun Alert document.

Only Solaris 8 and Solaris 9 systems with the LDAP name service enabled in the "/etc/nsswitch.conf" file for any of the following databases are affected by this issue:

  • bootparams
  • ethers
  • hosts
  • ipnodes
  • netgroup
  • netmasks
  • networks

The LDAP name service is enabled for a database if the "ldap" keyword is present on that database's line in the "/etc/nsswitch.conf" file, as shown for the "hosts", "networks", and "netgroup" databases in the following example:

    $ grep ldap /etc/nsswitch.conf
    hosts:      ldap dns [NOTFOUND=return] files
    networks:   ldap [NOTFOUND=return] files
    netgroup:   ldap
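
The grep above matches every line containing "ldap", including commented-out entries and databases this Sun Alert does not list. The following shell function is an added example, not part of the original Sun Alert: it reports only the listed databases that have "ldap" as a source. The function name affected_ldap_dbs and the sample file are assumptions for illustration, and it needs a POSIX awk (on Solaris, nawk or /usr/xpg4/bin/awk).

```sh
#!/bin/sh
# Added example (not from the Sun Alert): report which of the databases the
# advisory lists are resolved through LDAP in an nsswitch.conf-style file.

# Databases named in the advisory as affected when "ldap" is a source.
AFFECTED_DBS="bootparams ethers hosts ipnodes netgroup netmasks networks"

# affected_ldap_dbs [FILE]
# Prints one affected database per line. Exit status: 0 = at least one found,
# 1 = none found, 2 = file not readable.
affected_ldap_dbs() {
    conf=${1:-/etc/nsswitch.conf}
    [ -r "$conf" ] || return 2
    awk -v dbs="$AFFECTED_DBS" '
        BEGIN { n = split(dbs, a, " "); for (i = 1; i <= n; i++) want[a[i]] = 1 }
        {
            sub(/#.*/, "")                      # strip comments
            if (index($0, ":") == 0) next       # not a database entry
            db = $0; sub(/:.*/, "", db); gsub(/[ \t]/, "", db)
            if (!(db in want)) next             # e.g. passwd, group: not listed
            src = $0; sub(/^[^:]*:/, "", src)
            m = split(src, s, " ")
            # Exact token match, so "[NOTFOUND=return]" criteria never match.
            for (i = 1; i <= m; i++)
                if (s[i] == "ldap") { print db; found = 1; break }
        }
        END { exit(found ? 0 : 1) }
    ' "$conf"
}

# Constructed sample input (hypothetical configuration, for illustration).
sample=${TMPDIR:-/tmp}/nsswitch.sample.$$
cat > "$sample" <<'EOF'
passwd:     files ldap
hosts:      ldap dns [NOTFOUND=return] files
# ethers:   ldap
networks:   ldap [NOTFOUND=return] files
netgroup:   ldap
netmasks:   files
EOF
echo "Affected databases using ldap:"
affected_ldap_dbs "$sample" || echo "(none)"
rm -f "$sample"
```

Called with no argument, the function reads "/etc/nsswitch.conf"; its exit status lets a patch-audit script flag hosts that still need the workaround or the patches listed under Resolution.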

Symptoms

There are no predictable symptoms that would show the described issue has been exploited to gain root privileges.


Workaround

To work around the described issue, edit the "/etc/nsswitch.conf" file to not use LDAP with the following databases (i.e. remove the "ldap" keyword for these database entries):

  • bootparams
  • ethers
  • hosts
  • ipnodes
  • netgroup
  • netmasks
  • networks

For example, edit the following line in "/etc/nsswitch.conf" from:

    hosts:      ldap dns [NOTFOUND=return] files

to

    hosts:      dns [NOTFOUND=return] files

Editing the "/etc/nsswitch.conf" file requires root access rights.


Resolution

This issue is addressed in the following releases:

SPARC Platform

  • Solaris 8 with patch 108993-29 or later
  • Solaris 9 with patch 112960-09 or later

x86 Platform

  • Solaris 8 with patch 108994-29 or later
  • Solaris 9 with patch 114328-02 or later


Modification History
Date: 22-OCT-2003
  • Updated Relief/Workaround section with temporary patches

Date: 23-OCT-2003
  • Updated Relief/Workaround section

Date: 30-OCT-2003
  • Patches are available

Date: 06-NOV-2003
  • Updated Contributing Factors, Relief/Workaround and Resolution sections

Date: 12-DEC-2003
  • Updated Contributing Factors and Resolution sections
  • State: Resolved

Date: 15-DEC-2003
  • Minor modification to Contributing Factors and Resolution sections



References

112960-09
114328-02
108993-29
108994-29



