Note: This is an archival copy of Security Sun Alert 236944 as previously published on http://sunsolve.sun.com.
Latest version of this security advisory is available from http://support.oracle.com as Sun Alert 1019202.1.
Article ID : 1019202.1
Article Type : Sun Alerts (SURE)
Last reviewed : 2010-01-19
Audience : PUBLIC
Copyright Notice: Copyright © 2010, Oracle Corporation and/or its affiliates.

A Security Vulnerability in Sun Ray Kiosk Mode 4.0 May Allow Escalation of Privileges



Category
Security

Release Phase
Resolved

Bug Id
6612948

Product
Sun Ray Server Software 4.0

Date of Resolved Release
06-May-2008

1. Impact


A security vulnerability in the Sun Ray Kiosk Mode software included with Sun Ray Server Software (SRSS) 4.0 may allow a local or remote user with Sun Ray administration privileges to execute arbitrary commands with root privileges.

2. Contributing Factors


This issue can occur in the following releases:

SPARC Platform
  • Sun Ray Server Software 4.0 (for Solaris 10) without patch 128165-01
x86 Platform
  • Sun Ray Server Software 4.0 (for Solaris 10) without patch 128166-01
Linux
  • Sun Ray Server Software 4.0 (for RHEL AS 4, SLES 9) without patch 128167-01
Notes:

1. Sun Ray Server Software 3.1.1, Sun Ray Server Software 3.1 and earlier releases of Sun Ray Server Software are not affected.

2. This issue only affects systems which have the Sun Ray Server Software installed and Sun Ray Kiosk Mode configured and enabled. Kiosk mode is enabled if the -k <type> option is present in the current policy, where <type> may be 'pseudo', 'card' or 'both'. Example output, if kiosk mode is enabled for non-smartcard sessions:

$ /opt/SUNWut/sbin/utpolicy
# Current Policy:
-a -z both -k pseudo -g

To determine if kiosk mode is enabled for individual tokens, regardless of global policy, the utuser(1M) command can be run. Example output if kiosk mode is enabled for an individual smartcard:

$ /opt/SUNWut/sbin/utuser -L -s kiosk

Token ID Server Port User Name Session Type Other Info
------------ -------- -------- ------------ -----------
Payflex.500d9b5c00130200 0 User Name kiosk
1 token total

3. Exploiting this issue requires Sun Ray administration privileges. The shared 'admin' account is used by default for administering Sun Ray services.

If the PAM configuration for the utadmingui service has been modified to use UNIX accounts, the following command may be used to list authorized Sun Ray administrator accounts:

$ /opt/SUNWut/sbin/utadminuser

4. Access to the Sun Ray Web Administration GUI is necessary in order to exploit this issue. The following command may be run to check if the Sun Ray Web Administration GUI is enabled:

# /opt/SUNWut/lib/utwebadmin status
Sun Ray Web Administration is running (pid 1392)

To detect whether the Sun Ray Web Administration GUI permits remote access, the following command can be run:

$ grep remote.access /etc/opt/SUNWut/webadmin/webadmin.conf
# use ".*" to enable remote access from any host.
remote.access=.*

3. Symptoms


There are no predictable symptoms that would indicate the described issue has been exploited.

To detect an ongoing attempt to exploit the described issue, inspect the output of the following command for unexpected kiosk-related settings:

# /opt/SUNWut/sbin/utkiosk -e session

Presence of arbitrary code execution constructs in the output of this command may indicate that this issue is being exploited.
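
The checks in sections 2 and 3 (the -k option in the utpolicy output, the remote.access setting in webadmin.conf, and the utkiosk session export) can be combined into one triage script. The script below is an added example, not code from this Sun Alert or from Sun Ray Server Software; it parses the command output shown above, so it can be run on a live SRSS 4.0 host or on output captured from one. The KEY=VALUE layout assumed for the utkiosk -e session export, the set of shell metacharacters it treats as "code execution constructs", the --live switch and all sample inputs are this example's own choices; the samples are constructed, not captured from a real system.

```sh
#!/bin/sh
# Added example for Sun Alert 236944, not Sun's code: apply the advisory's
# exposure checks to utpolicy output, webadmin.conf and a utkiosk session
# export, either captured as text or taken live from the host.
#
# Assumptions (this example's own, not from the advisory):
#   - utkiosk -e session prints KEY=VALUE lines, as in the constructed
#     samples below (SAMPLE_SESSION is made up, not captured).
#   - The metacharacter list in kiosk_session_suspicious is our choice of
#     what counts as a "code execution construct".

# Print the type given after -k in a utpolicy dump (pseudo, card, both),
# or "none" when no -k option is present. Comment lines are skipped.
kiosk_policy_type() {
    printf '%s\n' "$1" | grep -v '^#' | awk '
        { for (i = 1; i < NF; i++) if ($i == "-k") { print $(i + 1); found = 1 } }
        END { if (!found) print "none" }'
}

# Print the remote.access value from webadmin.conf text, or "unset".
webadmin_remote_access() {
    v=$(printf '%s\n' "$1" \
        | sed -n 's/^[[:space:]]*remote\.access[[:space:]]*=[[:space:]]*//p' \
        | tail -n 1)
    printf '%s\n' "${v:-unset}"
}

# Classify remote.access: ".*" (any host) is the exposed setting the
# advisory describes; any other value is reported as restricted.
webadmin_exposure() {
    case "$(webadmin_remote_access "$1")" in
        '.*')  echo any-host ;;
        unset) echo unset ;;
        *)     echo restricted ;;
    esac
}

# Print session-export lines containing shell execution constructs
# (backtick, $, parentheses, ;, |, &, redirection, or a /tmp/ path).
# Exit status 0 if any line matched, 1 otherwise, so it works in "if".
kiosk_session_suspicious() {
    printf '%s\n' "$1" | grep -v '^[[:space:]]*#' \
        | grep -E '[`$();|&<>]|/tmp/'
}

# One-line verdict combining the three checks.
exposure_summary() {
    ktype=$(kiosk_policy_type "$1")
    access=$(webadmin_exposure "$2")
    if kiosk_session_suspicious "$3" >/dev/null; then susp=yes; else susp=no; fi
    printf 'kiosk=%s webadmin=%s suspicious_session=%s\n' "$ktype" "$access" "$susp"
}

# Constructed sample inputs mirroring the advisory's example output.
SAMPLE_POLICY='# Current Policy:
-a -z both -k pseudo -g'
SAMPLE_CONF='# use ".*" to enable remote access from any host.
remote.access=.*'
SAMPLE_SESSION='KIOSK_SESSION_EXEC=/opt/SUNWkio/sessions/sample/sample
KIOSK_SESSION_ARGS=; /bin/sh /tmp/.k'
SAMPLE_CLEAN_SESSION='KIOSK_SESSION_EXEC=/opt/SUNWkio/sessions/sample/sample
KIOSK_SESSION_ARGS=--session=default'

if [ "${1:-}" = --live ]; then
    # Live host: utkiosk needs root; paths are those named in the advisory.
    exposure_summary "$(/opt/SUNWut/sbin/utpolicy)" \
                     "$(cat /etc/opt/SUNWut/webadmin/webadmin.conf)" \
                     "$(/opt/SUNWut/sbin/utkiosk -e session)"
else
    exposure_summary "$SAMPLE_POLICY" "$SAMPLE_CONF" "$SAMPLE_SESSION"
    # prints: kiosk=pseudo webadmin=any-host suspicious_session=yes
fi
```

Run it with no arguments to see the verdict for the constructed samples, or with --live (as root, since utkiosk requires it) to evaluate the host it runs on. A "restricted" webadmin verdict only means remote.access is not ".*"; the actual value still deserves review, because the advisory only identifies ".*" as the any-host setting.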

4. Workaround


To work around the described issue, either temporarily disable the Sun Ray Web Administration GUI or temporarily disable Sun Ray Kiosk Mode. To reduce network exposure for this vulnerability, configure the Sun Ray Web Administration GUI to accept connections only from the local host.

To disable the Sun Ray Web Administration GUI, the following command can be run:

# /opt/SUNWut/sbin/utconfig -uw

To disable Sun Ray Kiosk Mode, use the following procedure in the Sun Ray Web Administration GUI:

1. Select the Advanced/System Policy tab.
2. Uncheck both 'Kiosk Mode' check boxes (if they are checked).
3. Click Save to save your changes.
4. Select the Servers tab.
5. Select all listed servers.
6. Click Cold Restart to restart Sun Ray services.
WARNING: This will terminate all current Sun Ray sessions

To reconfigure the Sun Ray Web Administration GUI so that it accepts connections only from the local host, run the following command and answer no when asked whether to enable remote administration; afterwards, confirm with the grep command shown in section 2 that remote.access is no longer set to ".*":

# /opt/SUNWut/sbin/utconfig -w

5. Resolution


This issue is addressed in the following releases:

SPARC Platform
  • Sun Ray Server Software 4.0 (for Solaris 10) with patch 128165-01 or later
x86 Platform
  • Sun Ray Server Software 4.0 (for Solaris 10) with patch 128166-01 or later
Linux
  • Sun Ray Server Software 4.0 (for RHEL AS 4, SLES 9) with patch 128167-01 or later
For more information on Security Sun Alerts, see 1009886.1.

This Sun Alert notification is being provided to you on an "AS IS" basis. This Sun Alert notification may contain information provided by third parties. The issues described in this Sun Alert notification may or may not impact your system(s). Sun makes no representations, warranties, or guarantees as to the information contained herein. ANY AND ALL WARRANTIES, EXPRESS OR IMPLIED, INCLUDING WITHOUT LIMITATION WARRANTIES OF MERCHANTABILITY, FITNESS FOR A PARTICULAR PURPOSE, OR NON-INFRINGEMENT, ARE HEREBY DISCLAIMED. BY ACCESSING THIS DOCUMENT YOU ACKNOWLEDGE THAT SUN SHALL IN NO EVENT BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, PUNITIVE, OR CONSEQUENTIAL DAMAGES THAT ARISE OUT OF YOUR USE OR FAILURE TO USE THE INFORMATION CONTAINED HEREIN. This Sun Alert notification contains Sun proprietary and confidential information. It is being provided to you pursuant to the provisions of your agreement to purchase services from Sun, or, if you do not have such an agreement, the Sun.com Terms of Use. This Sun Alert notification may only be used for the purposes contemplated by these agreements.

Copyright 2000-2008 Sun Microsystems, Inc., 4150 Network Circle, Santa Clara, CA 95054 U.S.A. All rights reserved.


References

128165-01
128166-01
128167-01