(Sun Issues Fix) Solaris sadmind Weak Authentication May Let Remote Users Execute Arbitrary Commands With Root Privileges

SecurityTracker Alert ID: 1009484
SecurityTracker URL: http://securitytracker.com/id/1009484
CVE Reference: CAN-2003-0722
Updated: Mar 25 2004
Original Entry Date: Mar 18 2004
Impact: Execution of arbitrary code via network, Root access via network
Fix Available: Yes
Vendor Confirmed: Yes
Version(s): Solaris 7, 8, and 9
Description:
An authentication vulnerability was reported in the Sun Solaris sadmind daemon. A remote user may be able to execute arbitrary commands with root privileges in certain cases.
It is reported that if the sadmind(1M) daemon has been enabled in inetd.conf(4) and if the system is using the default security level of AUTH_SYS, a remote user may be able to forge AUTH_SYS credentials and execute arbitrary commands on the system. The commands will run with the privileges of sadmind, which is typically root level privileges, according to the report.
Sun reports that an exploit has been discovered in the wild.
CVE number CAN-2003-0722 has been assigned to this issue.
Sun credits iDefense with reporting this issue.
Impact:
A remote user may be able to execute commands on the target system with the privileges of the sadmind daemon (typically root privileges).
Solution:
The following patches are available:
SPARC Platform
Solaris 7 with patch 116456-01 or later
Solaris 8 with patch 116455-01 or later
Solaris 9 with patch 116453-01 or later
x86 Platform
Solaris 7 with patch 116457-02 or later
Solaris 8 with patch 116442-01 or later
Solaris 9 with patch 116454-01 or later
Sun reports that for the Trusted releases, users should follow the workaround described in the Sun Alert [see the Vendor URL].
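The two facts that decide exposure above are whether sadmind is enabled in inetd.conf(4) and whether the platform-specific patch is installed. The following POSIX sh audit helper is an added example, not code from Sun or SecurityTracker: it takes the text of /etc/inet/inetd.conf and the output of `showrev -p` (both assumed to have their usual Solaris layouts: an rpc entry whose server program is sadmind, and lines of the form `Patch: NNNNNN-RR ...`) and reports NOT_ENABLED, PATCHED or EXPOSED for a given architecture and release, using the patch numbers listed in this advisory. The sample inputs at the bottom are constructed for the demonstration; the script does not inspect the sadmind security level, so a host with sadmind enabled and the patch missing is reported as exposed regardless of that setting.

```shell
#!/bin/sh
# Added audit helper (not Sun's or SecurityTracker's code) for the sadmind
# issue in Sun Alert 56740. Patch numbers below are the ones the advisory lists.

# Minimum patch for an "<arch> <release>" pair; returns 1 for unknown pairs.
required_patch() {
    case "$1 $2" in
        "sparc 7") echo 116456-01 ;;
        "sparc 8") echo 116455-01 ;;
        "sparc 9") echo 116453-01 ;;
        "i386 7")  echo 116457-02 ;;
        "i386 8")  echo 116442-01 ;;
        "i386 9")  echo 116454-01 ;;
        *)         return 1 ;;
    esac
}

# Returns 0 if the inetd.conf text on stdin has an uncommented entry whose
# server program or name is sadmind (the precondition named in the advisory).
sadmind_enabled() {
    grep -v '^[[:space:]]*#' | grep -qE '(^|[[:space:]/])sadmind([[:space:]]|$)'
}

# Returns 0 if the "showrev -p" style list on stdin contains the base patch
# from $1 (NNNNNN-RR) at revision RR or higher.
patch_satisfied() {
    base=${1%-*}
    need_rev=${1#*-}
    best=$(sed -n "s/^Patch: $base-\([0-9][0-9]*\).*/\1/p" | sort -n | tail -1)
    [ -n "$best" ] && [ "$best" -ge "$need_rev" ]
}

# Verdict for one host: $1 arch, $2 release, $3 inetd.conf file, $4 showrev -p file.
# Prints NOT_ENABLED / PATCHED / EXPOSED and returns non-zero only when exposed.
assess() {
    need=$(required_patch "$1" "$2") || { echo UNKNOWN_PLATFORM; return 2; }
    if ! sadmind_enabled < "$3"; then
        echo NOT_ENABLED; return 0
    fi
    if patch_satisfied "$need" < "$4"; then
        echo PATCHED; return 0
    fi
    echo "EXPOSED (needs $need or later)"; return 1
}

# --- constructed sample inputs (not taken from any real host) ---
tmp=$(mktemp -d)
trap 'rm -rf "$tmp"' EXIT
cat > "$tmp/inetd.enabled" <<'EOF'
# constructed inetd.conf excerpt with sadmind active
ftp     stream  tcp     nowait  root    /usr/sbin/in.ftpd       in.ftpd
100232/10 tli rpc/udp wait root /usr/sbin/sadmind sadmind
EOF
cat > "$tmp/inetd.disabled" <<'EOF'
# constructed inetd.conf excerpt with the sadmind entry commented out
ftp     stream  tcp     nowait  root    /usr/sbin/in.ftpd       in.ftpd
#100232/10 tli rpc/udp wait root /usr/sbin/sadmind sadmind
EOF
cat > "$tmp/showrev.old" <<'EOF'
Patch: 111111-05 Obsoletes:  Requires:  Incompatibles:  Packages: SUNWcsu
EOF
cat > "$tmp/showrev.new" <<'EOF'
Patch: 111111-05 Obsoletes:  Requires:  Incompatibles:  Packages: SUNWcsu
Patch: 116455-01 Obsoletes:  Requires:  Incompatibles:  Packages: SUNWcsu
EOF

# Demonstration on a SPARC Solaris 8 host in three states.
assess sparc 8 "$tmp/inetd.enabled"  "$tmp/showrev.old" || true   # EXPOSED
assess sparc 8 "$tmp/inetd.enabled"  "$tmp/showrev.new"           # PATCHED
assess sparc 8 "$tmp/inetd.disabled" "$tmp/showrev.old"           # NOT_ENABLED
```

On a real host the inputs would be `/etc/inet/inetd.conf` and the captured output of `showrev -p`; the patch revision comparison accepts any later revision of the same base patch, matching the advisory's "or later" wording.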

Vendor URL: sunsolve.sun.com/pub-cgi/retrieve.pl?doc=fsalert%2F56740

Cause:
Authentication error

Underlying OS:

Message History:
This archive entry is a follow-up to the message listed below.

Source Message Contents

Date: Thu, 18 Mar 2004 04:56:55 -0500
Subject: http://sunsolve.sun.com/pub-cgi/retrieve.pl?doc=fsalert%2F56740
http://sunsolve.sun.com/pub-cgi/retrieve.pl?doc=fsalert%2F56740
Sun updated their Alert 56740 to include patches. In the previous version of the Alert,
Sun had reported that they would not be providing patches and instead described a workaround.
The following patches are available:
SPARC Platform
Solaris 7 with patch 116456-01 or later
Solaris 8 with patch 116455-01 or later
x86 Platform
Solaris 7 with patch 116457-02 or later
Solaris 8 with patch 116442-01 or later
Sun reports that additional patches are pending.
-----
Sun Alert ID: 56740
Synopsis: Security Issue Involving the Solaris sadmind(1M) Daemon
Category: Security
Product: Solaris
BugIDs: 4079984
Avoidance: Workaround
State: Resolved
Date Released: 15-Sep-2003, 17-Mar-2004
Date Closed: 15-Sep-2003
Date Modified: 17-Mar-2004