Bugtraq mailing list archives

Re: [8lgm]-Advisory-22.UNIX.syslog.2-Aug-1995
From: sten () ergon CH (Sten Gunterberg)
Date: Thu, 21 Sep 1995 15:59:03 +0200

From goetz () open CH Wed Sep 20 00:18:14 1995
On Sep 19,  4:33pm, Sten Gunterberg wrote:

There's no patch yet, but Sun is apparently working on one. The Bug-IDs
are 1219835 for Solaris 1.x (SunOS 4.x) and 1220257 for Solaris 2.x.
Try to give those to local Sun support and see what happens :-)

Solaris 2.x ??? - I thought this is a BSD problem? Are you telling
me that *all* my Solaris boxes are vulnerable too?

I don't know if Solaris 2.x is vulnerable too and Sun does not know for sure
either. On the SunSolve gateway (sunsolve.sun.ch) the following info regarding
bug ID 1220257 can be found (the original included the 8lgm advisory, which I
deleted, we've seen it enough times):

--- begin quoted material ---

    Bug Id: 1220257
    Category: library
    Subcategory: libc
    State: fixed
    Release summary: 5.4, sol2.4_hw11_94, 2.3, s495_beta, 5.3, 2.4, s495
    Synopsis: Syslog(3) possibly can be abused to gain root access on
              Solaris 2.x systems
    Integrated in releases:
    Patch id:

    The following advisory has been issued from 8LGM. Only SunOS 4.1.x is known
    to be affected by this security hole, but the Solaris 2 code is very similar
    in this area, so we should plug the hole, hopefully before 2.5 FCS.

    This bug is intended for all Solaris 2.x reports of this problem. The
    problem will be addressed for SunOS 4.x through Bug ID 1219835.

        [ included 8lgm advisory deleted ]

    Although the security hole has not yet been replicated on a Solaris 2.x
    system, the syslog code is very similar between SunOS 4.1.x and Solaris
    2.x. Therefore, it may be possible to break security on a Solaris 2 system
    in the same way as has been done on SunOS 4.

    Copyright 1994 Sun Microsystems, Inc.
    2550 Garcia Ave., Mt. View, CA 94043-1100 USA
    All rights reserved

--- end of quoted material ---

Note that this claims the bug to be fixed, but not integrated in any release.
Therefore it's almost certainly not fixed in 4.1.4. Also, no patch has been
issued yet.

Also local Sun support told me that the patch for Bug 1219835 has been
integrated into SunOS 4.1.4 and there probably won't be a patch for
older versions! Here's the bug info they sent me:

 Bug Id:     1219835
 Product:  sunos
 Category:  utility
 Subcategory:  other
 Release summary: 4.1.3, 4.1.4, 4.1.3_U1, 4.1
 Bug/Rfe:  bug
 State:  integrated

Hmm. The SunSolve gateway mentioned above states the following for 1219835:

   Bug Id: 1219835
   Category: utility
   Subcategory: other
   State: fixed
   Release summary: 4.1.3_U1, 4.1.4, 4.1.3, no-v4, 4.1, 5.4, 5.3
   Synopsis: Syslog(3) can be abused to gain root access on 4.X systems
   Integrated in releases:
   Patch id:

---> Not integrated in any release and no patch.

So why would there be a test patch for SunOS 4.1.4 if it was fixed
in that release? I guess one of you guys is wrong.

Either Sun does not tell its left hand what the right is doing ;-)
or their SunSolve gateways don't get updated/fed with the
correct info.

-- Sten
