Note: This is an archival copy of Security Sun Alert 228521 as previously published on http://sunsolve.sun.com.
The latest version of this security advisory is available from http://support.oracle.com as Sun Alert 1017424.1.
Article ID : 1017424.1
Article Type : Sun Alerts (SURE)
Last reviewed : 2003-04-16
Audience : PUBLIC
Copyright Notice: Copyright © 2010, Oracle Corporation and/or its affiliates.

Security Vulnerability with /usr/dt/bin/dtsession



Category
Security

Release Phase
Resolved

Product
Solaris 9 Operating System
Common Desktop Environment 1.0
Solaris 2.6 Operating System
Solaris 7 Operating System
Solaris 8 Operating System

Bug Id
4788212

Date of Workaround Release
03-APR-2003

Date of Resolved Release
17-APR-2003

Impact

A local user may be able to execute arbitrary code or commands with the privileges of the dtsession(1) CDE Session Manager. The dtsession(1) CDE Session Manager runs with root privileges.

This issue is described in NSFOCUS Security Bulletin SA2003-03 available from http://www.nsfocus.com/english/homepage/sa2003-03.htm .

Sun acknowledges, with thanks, NSFOCUS Information Technology for bringing this issue to our attention.


Contributing Factors

This issue can occur in the following releases:

SPARC Platform

  • Solaris 2.6 without patch 106027-12
  • Solaris 7 without patch 107702-12
  • Solaris 8 without patch 109354-19
  • Solaris 9 without patch 114497-01

x86 Platform

  • Solaris 2.6 without patch 106028-12
  • Solaris 7 without patch 107703-12
  • Solaris 8 without patch 109355-18
  • Solaris 9 without patch 114498-01

Note: Solaris 2.5.1 will not be evaluated regarding the potential impact of the issue described in this Sun Alert document.


Symptoms

There are no predictable symptoms that show this issue has been exploited.


Workaround

To work around the described issue, turn off the set-user-ID ("setuid") bit on dtsession, as root, as shown below:

	# chmod 0555 /usr/dt/bin/dtsession

With the setuid bit turned off, dtsession will not be able to unlock the screen for the list of keyholders (including root); see dtsession(1) for further information. Furthermore, users defined locally in /etc/passwd will not be able to unlock the screen. NIS/NIS+ users will continue to be able to unlock the screen.

Caution should therefore be used for local users. Once the set-user-ID bit has been turned off, these users should use xlock(1) and turn off automatic locking by dtsession. Auto locking can be turned off by using the screen option of the dtstyle manager ("dtstyle"). Once the screen option popup appears, turn off auto locking by selecting the "off" choice for the Screen Saver and Screen Lock options. To lock the screen, the user will then need to run "xlock" from the command line of a terminal window.


Resolution

This issue is addressed in the following releases:

SPARC Platform

  • Solaris 2.6 with patch 106027-12 or later
  • Solaris 7 with patch 107702-12 or later
  • Solaris 8 with patch 109354-19 or later
  • Solaris 9 with patch 114497-01 or later

x86 Platform

  • Solaris 2.6 with patch 106028-12 or later
  • Solaris 7 with patch 107703-12 or later
  • Solaris 8 with patch 109355-18 or later
  • Solaris 9 with patch 114498-01 or later
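
The following added example (not part of the original Sun Alert) audits a host against the patch levels above and the workaround: it reads `showrev -p` output and reports whether the fixed revision or later is installed or, failing that, whether the setuid bit is still set on dtsession. The function names, the `uname -r`/`uname -p` key values and the sample patch line are assumptions made for this example.

```shell
#!/bin/sh
# Added example: audit a host against this Sun Alert's patch table and workaround.

# Fixed patch for a release/platform pair, keyed by `uname -r` and `uname -p`
# (assumed key values: 5.6..5.9 for Solaris 2.6..9, sparc or i386).
required_patch() {
    case "$1/$2" in
        5.6/sparc) echo 106027-12 ;;  5.6/i386) echo 106028-12 ;;
        5.7/sparc) echo 107702-12 ;;  5.7/i386) echo 107703-12 ;;
        5.8/sparc) echo 109354-19 ;;  5.8/i386) echo 109355-18 ;;
        5.9/sparc) echo 114497-01 ;;  5.9/i386) echo 114498-01 ;;
        *) return 1 ;;
    esac
}

# Succeeds if `showrev -p` output on stdin lists patch $1 at that revision or later.
patch_ok() {
    awk -v need="$1" '
        BEGIN { split(need, n, "-"); rc = 1 }
        $1 == "Patch:" { split($2, p, "-")
                         if (p[1] == n[1] && p[2] + 0 >= n[2] + 0) rc = 0 }
        END { exit rc }'
}

# audit RELEASE PLATFORM BINARY < showrev-output
# Prints one of: patched, workaround, vulnerable, not-installed, not-listed.
audit() {
    need=$(required_patch "$1" "$2") || { echo not-listed; return 0; }
    if patch_ok "$need"; then echo patched
    elif [ ! -e "$3" ]; then echo not-installed
    elif [ -u "$3" ]; then echo vulnerable      # setuid bit still set
    else echo workaround                        # chmod 0555 already applied
    fi
}

# Constructed sample line in `showrev -p` layout; on a real host run instead:
#   showrev -p | audit "$(uname -r)" "$(uname -p)" /usr/dt/bin/dtsession
SAMPLE='Patch: 109354-19 Obsoletes: Requires: Incompatibles: Packages: PKGexample'
printf '%s\n' "$SAMPLE" | audit 5.8 sparc /usr/dt/bin/dtsession
```

A result of "workaround" means the screen-unlock limitations described in the Workaround section apply to that host until the patch is installed.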


Modification History
Date: 11-APR-2003
  • Updated Relief/Workaround with Temporary patches

Date: 17-APR-2003
  • Updated Contributing Factors and Resolution sections


References

114497-01
114498-01
106027-12
106028-12
107702-12
107703-12
109354-19
109355-18
