Note: This is an archival copy of Security Sun Alert 200896 as previously published on http://sunsolve.sun.com.
Latest version of this security advisory is available from http://support.oracle.com as Sun Alert 1000684.1.
Article ID : 1000684.1
Article Type : Sun Alerts (SURE)
Last reviewed : 2006-05-10
Audience : PUBLIC
Copyright Notice: Copyright © 2010, Oracle Corporation and/or its affiliates.

Multiple Buffer Overflows in "/usr/bin/uucp" May Allow Unauthorized uucp(1C) User ID Access

Category
Security

Release Phase
Resolved

Product
Solaris 9 Operating System
Solaris 2.6 Operating System
Solaris 7 Operating System
Solaris 8 Operating System

Bug Id
4804089, 4756979

Date of Resolved Release
04-MAR-2004

Impact

Local unprivileged users may be able to gain unauthorized uucp(1C) user ID access due to multiple buffer overflows in the uucp binary. Users with uucp(1C) user ID access may subsequently gain unauthorized "root" user access rights.


Contributing Factors

This issue can occur in the following releases:

SPARC Platform

  • Solaris 2.6 without patch 106468-06
  • Solaris 7 without patch 106952-04
  • Solaris 8 without patch 111570-03
  • Solaris 9 without patch 113322-02

x86 Platform

  • Solaris 2.6 without patch 106469-06
  • Solaris 7 without patch 106953-04
  • Solaris 8 without patch 111571-03
  • Solaris 9 without patch 115880-01

Symptoms

There are no symptoms that would indicate the described issue has been exploited to gain unauthorized uucp(1C) or root user ID access to a system.


Workaround

To work around the described issue, remove the set-user-ID bit from the uucp binary by issuing the following command: 

    # chmod u-s /usr/bin/uucp

Note: Removing the set-user-ID bit from the uucp binary will prevent unprivileged users from using the "uucp" command to access calling devices (i.e. modems).

Another option is to set "noexec_user_stack" options to defeat the most common form of buffer overflow attacks that store executable exploit code on the stack. This can be achieved by editing the "/etc/system" file and adding the lines: 

    set noexec_user_stack = 1
set noexec_user_stack_log = 1

Note: A reboot will be necessary in order for the "/etc/system" change to take effect.


Resolution

This issue is addressed in the following releases:

SPARC Platform

  • Solaris 2.6 with patch 106468-06 or later
  • Solaris 7 with patch 106952-04 or later
  • Solaris 8 with patch 111570-03 or later
  • Solaris 9 with patch 113322-02 or later

x86 Platform

  • Solaris 2.6 with patch 106469-06 or later
  • Solaris 7 with patch 106953-04 or later
  • Solaris 8 with patch 111571-03 or later
  • Solaris 9 with patch 115880-01 or later


Modification History

References
 106468-06

 106952-04

 111570-03

 113322-02

 106469-06

 106953-04

 111571-03

 115880-01



                                                                                                             


Attachments
This solution has no attachment