(Sun Issues Workaround) Re: Common Desktop Environment (CDE) DtSvc Library Buffer Overflow May Let Local Users Obtain Root Privileges
|
Date: Dec 6 2001
|
Impact: Execution of arbitrary code via local system, Root access via local system, User access via local system
|
Fix Available: Yes
Vendor Confirmed: Yes
|
Description: IBM reported a buffer overflow vulnerability in the CDE DtSvc library for IBM's AIX operating system. A local user can execute arbitrary code and gain elevated privileges on the host, potentially including root level privileges.
It is reported that a buffer overflow vulnerability has been found in the Common Desktop Environment (CDE) libDtSvc.a library. The vulnerability can be triggered when a local user passes a specially coded string to any of the "dt" commands (e.g., dtprintinfo, dtterm) using the "-session" option.
|
Impact: A local user can execute arbitrary code with root level privileges, gaining root level access on the host.
|
Solution: Sun has issued the following workaround:
1) Disable the "dtspc" service in the /etc/inetd.conf file by commenting out the following line by putting a "#" at the beginning of the line:
    dtspc stream tcp nowait root /usr/dt/bin/dtspcd /usr/dt/bin/dtspcd
Tell the inetd(1M) process to reread the newly modified /etc/inetd.conf file by sending it a hangup signal, SIGHUP:
    $ ps -ef | grep inetd
    $ kill -HUP <PID of "inetd" from above "ps" output>
By disabling "dtspcd", the system no longer executes remote CDE actions. To execute remote CDE actions on the system, log in to the remote system and execute the commands. If you want to remotely execute X/Motif-based applications, set the DISPLAY variable to the appropriate value.
2) Use tcp-wrappers to protect access to the "dtspcd" daemon if it is not convenient to disable it. This is available in the tcpd-7.6 package at:
http://www.sun.com/solaris/freeware.html
3) Block access to network port 6112/tcp (dtspc) at all appropriate network perimeters.
Sun notes that a final solution is pending completion.
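Workaround 1 above, as an added example that is not part of the SecurityTracker entry or Sun's alert: a shell script that reports whether the dtspc entry in an inetd.conf-style file is active and comments it out idempotently. The function names and the sample file are constructed, and POSIX grep and sed are assumed.

```shell
#!/bin/sh
# Added example: apply and verify workaround 1 on an inetd.conf-style file.
# Function names and the sample file are constructed for illustration.

# Print "active", "disabled" or "absent" for the dtspc entry in file $1.
dtspc_state() {
    if grep -Eq '^[[:space:]]*dtspc[[:space:]]' "$1"; then
        echo active
    elif grep -Eq '^[[:space:]]*#+[[:space:]]*dtspc[[:space:]]' "$1"; then
        echo disabled
    else
        echo absent
    fi
}

# Comment out every active dtspc entry in file $1, keeping a copy in $1.bak.
# The file is overwritten in place (not renamed) so its mode, owner and any
# symlink pointing at it are preserved. A second run changes nothing further.
disable_dtspc() {
    conf=$1
    [ "$(dtspc_state "$conf")" = active ] || return 0
    cp -p "$conf" "$conf.bak" || return 1
    sed 's/^\([[:space:]]*\)\(dtspc[[:space:]]\)/\1#\2/' "$conf.bak" \
        > "$conf.tmp" || return 1
    cat "$conf.tmp" > "$conf" && rm -f "$conf.tmp"
}

# Constructed sample: the dtspc line is the one quoted in the alert, the
# ftp entry is illustrative.
demo() {
    sample=$(mktemp) || return 1
    cat > "$sample" <<'EOF'
# constructed sample inetd.conf
ftp     stream  tcp     nowait  root    /usr/sbin/in.ftpd       in.ftpd
dtspc stream tcp nowait root /usr/dt/bin/dtspcd /usr/dt/bin/dtspcd
EOF
    before=$(dtspc_state "$sample")
    disable_dtspc "$sample" || return 1
    echo "$before -> $(dtspc_state "$sample")"
    grep -n 'dtspc' "$sample"
    rm -f "$sample" "$sample.bak"
}

demo
```

The edit only takes effect once inetd has reread the file, so the SIGHUP step in the workaround still applies after running `disable_dtspc` on the real configuration.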
|
Vendor URL: www.ibm.com/
|
Cause: Boundary error
|
Underlying OS: UNIX (AIX), UNIX (Any)
|
Underlying OS Comments: SPARC and Intel: CDE 1.0.1 on Solaris 2.4, 2.5; CDE 1.0.2 on Solaris 2.4, 2.5, 2.5.1; Solaris 2.6, 7, and 8
|
|
Message History:
This archive entry is a follow-up to the message listed below.
|
Source Message Contents
|
Date: Thu, 06 Dec 2001 10:02:37 -0500
Subject: Buffer Overflow in CDE Subprocess Control Service Daemon
|
Sun(sm) Alert Notification
Sun Alert ID: 41764
Synopsis: Buffer Overflow in CDE Subprocess Control Service Daemon
(dtspcd)
Category: Security
Product: Solaris
BugIDs: 4527363
Avoidance: Workaround
State: Engineering Completed
Date Released: 03-Dec-2001
Date Closed:
Date Modified:
1. Impact
A library that the CDE Subprocess Control Service (dtspcd) daemon uses
contains a buffer overflow vulnerability that could allow a remote user
to gain root access to the affected system.
This issue is described in the CERT Vulnerability VU#172583 (see
http://www.kb.cert.org/vuls/id/172583) which is referenced in CA-2000-31
(see http://www.cert.org/advisories/CA-2001-31.html).
2. Contributing Factors
This issue can occur in the following releases:
SPARC
CDE 1.0.1 on Solaris 2.4, 2.5
CDE 1.0.2 on Solaris 2.4, 2.5, 2.5.1
Solaris 2.6
Solaris 7
Solaris 8
Intel
CDE 1.0.1 on Solaris 2.4, 2.5
CDE 1.0.2 on Solaris 2.4, 2.5, 2.5.1
Solaris 2.6
Solaris 7
Solaris 8
3. Symptoms
There are no reliable symptoms that would show the described issue has
been exploited to gain unauthorized root access to a host.
Solution Summary
4. Relief/Workaround
1) Disable the "dtspc" service in the /etc/inetd.conf file by commenting
out the following line by putting a "#" at the beginning of the
line:
    dtspc stream tcp nowait root /usr/dt/bin/dtspcd /usr/dt/bin/dtspcd
Tell the inetd(1M) process to reread the newly modified /etc/inetd.conf
file by sending it a hangup signal, SIGHUP:
    $ ps -ef | grep inetd
    $ kill -HUP <PID of "inetd" from above "ps" output>
By disabling "dtspcd", the system no longer executes remote CDE actions.
To execute remote CDE actions on the system, login to the remote system
and execute the commands. If you want to remotely execute X/Motif-based
applications, set the DISPLAY variable to the appropriate value.
2) Use tcp-wrappers to protect access to the "dtspcd" daemon if it is
not convenient to disable it. This is available in the tcpd-7.6 package
at:
http://www.sun.com/solaris/freeware.html
3) Block access to network port 6112/tcp (dtspc) at all appropriate
network perimeters.
5. Resolution
A final solution is pending completion.
The issue described in this Sun(sm) Alert document may or may not be
experienced by your particular system(s). The information in this
Sun(sm) Alert document may be based upon information received from
third-parties. It is being provided to you "AS IS", for informational
purposes only. Sun does not make any representations, warranties, or
guaranties as to the quality, suitability, truth, accuracy or
completeness of any of the information. Sun shall not be liable for any
losses or damages suffered as a result of Customer's use or non-use of
the information.