Category
Security
Release Phase
Resolved
Bug Id
4767176
Date of Resolved Release
30-MAY-2003
Impact
A local or remote unprivileged user may be able to gain unauthorized root privileges due to a buffer overflow vulnerability in the "pamverifier" program. The "pamverifier" program is part of the "Sun Management Center (SunMC) Change Manager" web application.
Contributing Factors
This issue can occur in the following releases:
SPARC Platform
- Sun Management Center Change Manager 1.0 (for Solaris 8) without patch 113105-01
- Sun Management Center Change Manager 1.0 (for Solaris 9) without patch 113106-01
Notes:
- "SunMC Change Manager" 1.0 is an unbundled Sun Management Center (SunMC) 3.0 add-on. It is not a part of the SunMC "base" product.
- Solaris 2.6 and 7 are not affected. Solaris on the x86 platform is not affected.
To determine if "SunMC Change Manager" is installed on your system, run the following command:
# pkginfo | grep SUNWic
system SUNWicam SunMC Change Manager Agent Component
system SUNWicapp Change Manager Web Console Application
system SUNWicaudit SunMC Change Manager Basic Audit Reporting Tool
system SUNWiccli SunMC Change Manager CLI Commands
system SUNWicclifw SunMC Change Manager CLI Framework
system SUNWicsvc SunMC Change Manager Server Component
The console that SunMC Change Manager uses is started and stopped by the "/usr/sadm/bin/smcwebserver" script. This script starts the underlying web server as user "noaccess", and then calls the "pamverifier" program to assist (using "setuid root").
To determine the version of the SunMC Change Manager package on your system that contains "pamverifier", run the following command:
# pkgparam SUNWmcon VERSION
To determine the current patch levels of SunMC Change Manager, run the following command:
# pkgparam SUNWmcon PATCHLIST
Symptoms
There are no symptoms to indicate that the overflow has been successfully exploited to gain unauthorized root access on a host.
Workaround
To work around the described issue, restrict access to the directory in which the "pamverifier" binary resides. This directory must be owned by the "noaccess" user and by the "other" group. This makes the program ("pamverifier") accessible only to the SunMC Change Manager. Run the following commands to change the ownership and permissions of the directory:
# chown noaccess /usr/sadm/lib/webconsole/bin
# chgrp other /usr/sadm/lib/webconsole/bin
# chmod 500 /usr/sadm/lib/webconsole/bin
Resolution
This issue is addressed in the following releases:
SPARC Platform
- Sun Management Center Change Manager 1.0 (for Solaris 8) with patch 113105-01 or later
- Sun Management Center Change Manager 1.0 (for Solaris 9) with patch 113106-01 or later
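The following script is an added example, not part of this Sun Alert, that ties the detection steps, the workaround and the resolution above together into one host check: it decides which patch the host needs from its Solaris release, tests whether that patch (at revision 01 or later) appears in the PATCHLIST, and otherwise checks whether the directory restriction from the Workaround section is in place. It assumes that "uname -r" reports 5.8 or 5.9 on Solaris 8 and 9, that "pkgparam SUNWmcon PATCHLIST" prints space-separated "id-rev" tokens, and that "ls -ld" prints the permissions, owner and group in the first, third and fourth fields; the parsing functions take their input as arguments so they can be exercised without a Solaris host.

```sh
#!/bin/sh
# Added example for Sun Alert 4767176 (not Sun's own tooling).

# Map a Solaris release ("uname -r") to the patch ID this alert requires.
required_patch_id() {
  case $1 in
    5.8) echo 113105 ;;
    5.9) echo 113106 ;;
    *) return 1 ;;   # release not covered by this alert
  esac
}

# Return 0 if PATCHLIST (space-separated "id-rev" tokens, assumed format
# of "pkgparam SUNWmcon PATCHLIST") contains patch ID at revision REV or later.
patch_present() {
  patchlist=$1; want_id=$2; want_rev=$3
  for tok in $patchlist; do
    case $tok in *-*) ;; *) continue ;; esac
    id=${tok%-*}; rev=${tok##*-}
    if [ "$id" = "$want_id" ] && [ "$rev" -ge "$want_rev" ]; then
      return 0
    fi
  done
  return 1
}

# Return 0 if an "ls -ld" line for the pamverifier directory shows the
# workaround state: mode 500 (dr-x------), owner noaccess, group other.
dir_hardened() {
  set -- $1
  [ "$1" = "dr-x------" ] && [ "$3" = "noaccess" ] && [ "$4" = "other" ]
}

# Live check; only meaningful on a host with the Solaris pkg* tools.
check_host() {
  dir=/usr/sadm/lib/webconsole/bin
  pkginfo | grep -q SUNWic || { echo "SunMC Change Manager not installed"; return 0; }
  id=$(required_patch_id "$(uname -r)") || { echo "release not covered by this alert"; return 0; }
  if patch_present "$(pkgparam SUNWmcon PATCHLIST)" "$id" 01; then
    echo "OK: patch $id-01 or later is applied"
  elif dir_hardened "$(ls -ld "$dir")"; then
    echo "UNPATCHED: workaround (restricted $dir) is in place; apply patch $id-01"
  else
    echo "VULNERABLE: apply patch $id-01 or restrict $dir as in the Workaround"; return 1
  fi
}

# Run the live check only where pkgparam exists (i.e. on a Solaris host).
if command -v pkgparam >/dev/null 2>&1; then check_host; fi
```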
Modification History
Product
Sun Management Center Change Manager 1.0
References
113105-01
113106-01