[2139] in bugtraq
Re: BUGTRAQ ALERT: Solaris 2.x vulnerability
daemon@ATHENA.MIT.EDU (Mark Graff)
Fri Aug 18 13:38:25 1995
Date: Fri, 18 Aug 1995 10:07:27 -0700
Reply-To: Bugtraq List <BUGTRAQ@CRIMELAB.COM>
From: Mark Graff <Mark.Graff@Eng.Sun.COM>
X-To: BUGTRAQ@CRIMELAB.COM
To: Multiple recipients of list BUGTRAQ <BUGTRAQ@CRIMELAB.COM>
Scott Chasin said,

> Mark Graff relayed to me...

Yup. I also thought I sent a note out to this list, on August 14th.
I'll attach that message.

Our general policy is not to announce a problem until we have a fix.
Since Scott disclosed the hole here I responded (or tried to respond)
with the information that we knew about the problem and were testing
fixes. Sorry if it didn't get out for some reason!

On this bug the update is that I expect to release the patches and a
corresponding bulletin next week, perhaps as early as Wednesday.

BTW we have been working on a patch (for all affected platforms) since
July. (We got a second report on August 1, but it turns out the fix was
already in the works.) The traffic on this list, including Scott's
disclosure and followup exploitation script, has had no effect on our
schedule. We were already in the final stages of testing when he
acted.

So far as the "sticky bit" workaround goes, it looks good to me so
far. By the time I issue the bulletin I will be sure one way or the
other. Over the last couple of days, in parallel with the testing
effort, I have been looking into the conditions under which the bit is
not set by the startup scripts. (Don't send me all the traffic on this
list about that--I've been following it here too).

-mg-

p.s. Followup inquiries or other questions should generally be sent
to security-alert@sun.com, not to me directly. That address is
covered when I'm out of the office.
/\
\\ \ Mark G. Graff
\ \\ / Sun Security Coordinator
/ \/ / / MS MPK3
/ / \//\ 2550 Garcia Avenue
\//\ / / Mountain View, CA 94043-1100
/ / /\ / Phone: 415-688-9151
/ \\ \ Email: mark.graff@Sun.COM
\ \\ security-alert@sun.com
\/
From owner-bugtraq@CRIMELAB.COM Fri Aug 18 09:15:55 1995
Approved-By: Scott Chasin <chasin@CRIMELAB.COM>
Date: Fri, 18 Aug 1995 10:03:33 MDT
Subject: Re: BUGTRAQ ALERT: Solaris 2.x vulnerability
X-To: bugtraq@crimelab.com
To: Multiple recipients of list BUGTRAQ <BUGTRAQ@CRIMELAB.COM>
[casper@HOLLAND.SUN.COM wrote]:
> > Just to add my two cents to the discussion:
> > - this is a known problem
> So why wasn't it more publicly announced? Sun could easily have issued a
> new binary very publicly and without saying what they had fixed.
>
Mark Graff relayed to me that Sun has known about this for about 2 weeks
or so.
[casper@HOLLAND.SUN.COM wrote]:
> > - it is fixed in 2.5 (by using fchown, not chown, both versions of ps)
Apparently this is *NOT* fixed in the 2.5 release. At least not the copy I
have. And I believe someone else has contested to this fact as well.
> So why didn't you tell people instead of negligently leaving them exposed
This is the old full-disclosure debate. I don't think we should be getting
into this here.
> Otherwise known as the majority of people who are less technically clued up.
> Vendors need to improve their methods.
>
> Alan
--Scott
chasin@crimelab.com