[6946] in bugtraq


Re: Solaris 2.5.1 patch not effective?

daemon@ATHENA.MIT.EDU (Steve Siirila)
Thu Jun 11 19:32:03 1998

Date: 	Thu, 11 Jun 1998 16:28:09 -0500
Reply-To: Steve Siirila <sfs@TC.UMN.EDU>
From: Steve Siirila <sfs@TC.UMN.EDU>
X-To:         tep@SDSC.EDU
To: BUGTRAQ@NETSPACE.ORG
In-Reply-To:  <199806100018.RAA24119@galt> from "Tom Perrine" at Jun 9,
              98 05:18:28 pm

I can confirm that the patch 104490-05 is indeed ineffective against at least
one root compromise bug.  We experienced such a compromise recently even with
the latest security patches (including 104490-05) installed.

We decided to simply make ufsdump/ufsrestore non-setuid, non-setgid as they
are never run by non-root users at our site anyways.

Tom Perrine wrote:
>
> I have two reports from other UC campuses that exploits of the Solaris
> ufsrestore bug are being used against *sparc* hosts.
>
> At least one of the sites reports that patch 104490-05 (Solaris 2.5.1,
> sparc arch) was applied on a system that was compromised (presumably
> via this method).
>
> Consider this an *inconclusive* warning that the Sun ufsrestore patch
> *may* not be effective.  I have a call into Sun on this one.  If we
> can get the binary of the exploit, it might be interesting.
>
> [The reporting sites are BCC'ed on this note.  If they want to go
> public, it's up to them.]
>
> --tep
>
> --
> Tom E. Perrine (tep@SDSC.EDU) | San Diego Supercomputer Center
> http://www.sdsc.edu/~tep/     | Voice: +1.619.534.5000
> Been there, done that, erased the evidence, blackmailed the witnesses...
>


--

Steven F. Siirila
Enterprise Internet Services                    Office: Lind Hall, Room 130B
Academic and Distributed Computing Services     E-mail: sfs@umn.edu
Office of Information Technology                Voice: (612) 626-0244
University of Minnesota                         Fax: (612) 626-7593
