Slashdot is powered by your submissions, so send in your scoop

 



Forgot your password?
typodupeerror
×
Sun Microsystems Security

Local Root Vulnerability in passwd(1) on Solaris 8, 9 283

so-1997-and-1994 writes "There is a new vulnerability in the passwd command on solaris 8 and 9. Looks like a local user privilege escalation is possible. Patch your systems. This not the first nor the last time something like this has shown up."
This discussion has been archived. No new comments can be posted.

Local Root Vulnerability in passwd(1) on Solaris 8, 9

Comments Filter:
  • by Space cowboy ( 13680 ) * on Friday March 05, 2004 @05:41AM (#8473694) Journal
    So there's no workaround and no symptoms of it having been used. Ouch. Essentially if you want to be certain that a multi-user system has not been hacked, you need to reinstall the operating system from scratch, formatting all the disks...

    So, what are the chances of it happening on Linux ? Well, probably less (the many-eyes scenario), but certainly possible. This isn't a time to be smug about not running Solaris...

    Simon
    • by Avian visitor ( 257765 ) on Friday March 05, 2004 @05:54AM (#8473734) Homepage
      Essentially if you want to be certain that a multi-user system has not been hacked, you need to reinstall the operating system from scratch, formatting all the disks...

      Each time a new local/remote root vulnerability is found the only way to be certain you haven't been cracked is to reinstall from scratch.

      Even if this vulnerability would cause some log messages or other symptoms an attacker with root privileges could easily erase them.
      • by AKnightCowboy ( 608632 ) on Friday March 05, 2004 @06:57AM (#8473918)
        Each time a new local/remote root vulnerability is found the only way to be certain you haven't been cracked is to reinstall from scratch.

        Or just go back and run a filesystem scan against your known-good tripwire or AIDE database you keep on CD to see which files have been modified. Of course, you need to do it from single user mode after booting off a known-clean boot media like the install CD, but that's a helluva lot better than reinstalling everything. Sure, if you don't have a good tripwire database setup then you need to reinstall.

        • Of course, you need to do it from single user mode after booting off a known-clean boot media like the install CD, but that's a helluva lot better than reinstalling everything.

          Amen brother. Last time I installed Solaris 9 (4/03 SPARC), I moved my DVD-ROM drive from my Thunderbird to my Sun Ultra 10, just so that I could install from the Solaris 9 DVD (quicker transfer rate, much less disk juggling and thus less requirement to hang around waiting for prompting).

          It still took many hours to get Solaris inst
      • Bzzzt! Wrong! (Score:5, Insightful)

        by WIAKywbfatw ( 307557 ) on Friday March 05, 2004 @07:10AM (#8473954) Journal
        Each time a new local/remote root vulnerability is found the only way to be certain you haven't been cracked is to reinstall from scratch.

        No, the only time that a new vulnerability is found, the only way to be certain that you won't be cracked in the future is to reinstall, or patch. Reinstalling doesn't retroactively guarantee that you haven't already been the victim of an exploit, which is what your post suggests.
      • by Anonymous Coward

        Even if this vulnerability would cause some log messages or other symptoms an attacker with root privileges could easily erase them.

        That's why the security extensions put in place by the NSA's enhancements to Linux are so important. They make it so that even root has limited privileges - so, for example, root couldn't tamper with log files.

        Having said that, remote logging would be better anyway.

      • Each time a new local/remote root vulnerability is found the only way to be certain you haven't been cracked is to reinstall from scratch.

        hmmm I don't think it's real to expect reinstalling machines after every local (or remote) root vulnerability discovered... you will need bunch of admins just to keep on reinstalling systems, testing them, and, instead of going into production, reinstalling them again...
      • HowTo: remote logging in Linux [nodak.edu]

        Might be worth offering a web-application sometime, you could host lots of peoples' offsite logs, just like remote backup except without the bandwidth.

        Other than that, looks like you'll need a spare PC.
    • by kryps ( 321347 ) on Friday March 05, 2004 @06:04AM (#8473766)
      "So there's no workaround..."
      No, there are patches.

      "... and no symptoms of it having been used."
      As a previous poster pointed out, traces left by any root exploit can be removed once the attacker is root (unless you redirect syslog to a printer or another "secure" machine) and it is not really rare for a root exploit to leave not trace (I don't know if the recet Linux kernel mremap exploits left any).

      "So, what are the chances of it happening on Linux ? Well, probably less (the many-eyes scenario), but certainly possible. This isn't a time to be smug about not running Solaris..."
      What the f**k are you talking about? Most recently there was the mremap local root exploit which affected 2.4 and 2.6 Linux kernels. What is so different about that?

      -- kryps
      • by Anonymous Coward
        I didn't say there was no patch, I said there was no workaround. Sometimes when there is a vulnerability, the way in which you run *your* system means you were not affected.

        Also, I realise that when you *know* you've been infected, you always reinstall. This much is blindingly obvious. What I said was there were no symptoms! It's a local exploit with no symptoms. You don't *know*, and you can't *tell* whether it's been used. *EVERY* Solaris machine with multiple users ought to be reinstalled. I think this
        • You don't *know*, and you can't *tell* whether it's been used. *EVERY* Solaris machine with multiple users ought to be reinstalled. I think this is a bigger-than-average problem!

          And what he was saying is that this is no different than any root exploit in this respect, so it isn't a "bigger-than-average problem". Any time that there's a root exploit on any platform, Linux, Solaris, Windows, BSD, whatever, the cracker can always cover their tracks. So, by your logic, whenever an exploit is discovered in Li

    • by ziegast ( 168305 ) on Friday March 05, 2004 @08:19AM (#8474189) Homepage
      So there's no workaround ...

      How about "chmod ug-s /bin/passwd"? Someone running passwd wouldn't be able to escallate their uid/gid. To change passwords, run su(do) first. On systems wehre users arn't expected to change their passwords (web servers, etc.), this is usually a good preventative step for most setuid programs.

      And for the Love of Scott, if you're going to tell the world about a patch, please, oh please, make sure the hyperlinks work.

      Here's Sun's announcement [sun.com], and if I click on the links to get patches,....

      Sparc
      Solaris 8 with patch 108993-32 [sun.com] or later
      Solaris 9 with patch 113476-11 [sun.com] or later

      .... the links give me:

      Sorry! We couldn't find your document.

      The file that you requested could not be found on this server.


      G'dammit!

      -ez

      Karma: Whore (you look at your score after posting)
    • "So, what are the chances of it happening on Linux ? Well, probably less (the many-eyes scenario), but certainly possible.

      How quickly the mind of the Linux hacker forgets when the exploits happen. How about the mremap local root exploit which was in BOTH the 2.4 and 2.6 Linux kernels? In other words, despite the "many-eyes scenario", not a single person caught until it was used to attempt to fuck with the Debian CVS. How many MONTHS was it in there? How many more are out there, overlooked? Just 'caus
    • So there's no workaround and no symptoms of it having been used. Ouch. Essentially if you want to be certain that a multi-user system has not been hacked, you need to reinstall the operating system from scratch, formatting all the disks...

      My Ultra 10 with Solaris 8 is absolutely secure. I have every confidence it has not and will not be hacked. This is Sun we're talking about. They are the dot in dot com. The network is the computer. As a vote of confidence, I have placed my Ultra 10 in my closet, off.

    • It is still important for both Linux' and Solaris' sake that this is a local exploit. Multiuser systems are certainly at risk, but it is unlikely for this to spread around the globe causing billions of dollars of lost productivitiy like a Windows worm.

      Even though UNIX' model is thirty years old and actually very simple in concept, it provides enough containment (and maturity) that global disasters are not terribly likely among UNIX systems. Also, with at least a dozen kernels out there, heterogeneity wor
  • Not surprising (Score:5, Insightful)

    by NaCh0 ( 6124 ) on Friday March 05, 2004 @05:43AM (#8473701) Homepage
    These days with files, nis, nis+, ldap, and different encryption schemes, passwd is a complicated program.

    • Re:Not surprising (Score:5, Insightful)

      by larien ( 5608 ) * on Friday March 05, 2004 @06:00AM (#8473751) Homepage Journal
      Shouldn't need to be; most of that should be handed off to the PAM modules.
      • Re:Not surprising (Score:5, Informative)

        by mst76 ( 629405 ) on Friday March 05, 2004 @06:51AM (#8473907)
        > Shouldn't need to be; most of that should be handed off to the PAM modules.

        A quote from the changelogs of Slackware 9.1, just to offer a different perspective:
        openssh-3.7.1p2.

        This fixes security problems with PAM authentication. It also includes several code cleanups from Solar Designer. Slackware does not use PAM and is not vulnerable to any of the fixed problems. Please indulge me for this brief aside (as requests for PAM are on the rise):
        If you see a security problem reported which depends on PAM, you can be glad you run Slackware. I think a better name for PAM might be SCAM, for Swiss Cheese Authentication Modules, and have never felt that the small amount of convenience it provides is worth the great loss of system security. We miss out on half a dozen security problems a year by not using PAM, but you can always install it yourself if you feel that you're missing out on the fun. (No, don't do that)
        OK, I'm done ranting here. :-)
        • PAM (Score:5, Insightful)

          by dmiller ( 581 ) <djm.mindrot@org> on Friday March 05, 2004 @07:57AM (#8474088) Homepage
          Yes, PAM creates more problems through its complexity, poor specification and an absolutely shocking API than it solves. I wouldn't be at all surprised if this bug was in the PAM library or a module.

          Don't believe me? Try writing a program that doesn't block during authentication. Try writing something cross-platform (there are at least three subtly different PAM implementations). Still not convinced? Have a look at the hoops that OpenSSH has jump through to work around this and other issues. Don't get me started on the busted config file that doesn't separate mechanism from policy or the stupid idea of dynamically loading modules in a security context....

          I'm surprised that the major distributions haven't moved on to something more sane. It's good that that Slackware, at least, has demonstrated some critical thinking and has not just mindlessly followed the flock.

          (disclaimer: I am an OpenSSH developer, very jaded for working with PAM for too long. OTOH, I'm not the only one [stacken.kth.se])
          • Re:PAM (Score:5, Insightful)

            by R.Caley ( 126968 ) on Friday March 05, 2004 @08:07AM (#8474125)
            [...]the stupid idea of dynamically loading modules in a security context.

            Since I don't have any mod points today, ley me just add a hip-hooray to this.

            Being able to dynamically change the authentication behaviour with PAM was put forward as a reason why making /(s)bin/* dynamically linked in FreeBSD was a good thing. Seems to me that avoiding that is a great reason why such things should be statically linked.

            • Re:PAM (Score:5, Interesting)

              by dmiller ( 581 ) <djm.mindrot@org> on Friday March 05, 2004 @08:15AM (#8474171) Homepage
              It is possible to build a useful and generic authentication system without dynamic loading.

              OpenBSD and BSD/OS have one (bsd_auth) that exec()s small helper programs which implement the actual auth methods. These helpers speak a little protocol to the library via stdio.

              The use of dynamic linking here is just lazyness on the part of people who would rather throw hidden complexity at problems rather than solving them through careful design.
              • Re:PAM (Score:5, Interesting)

                by R.Caley ( 126968 ) on Friday March 05, 2004 @08:25AM (#8474229)
                It is possible to build a useful and generic authentication system without dynamic loading.[...]

                Actually, I'm not convinced that an easily changable/extensible authentication system is a plus. Changing how authentication happens should be hard, most of the people who want to change how your aithentication works are the bad guys:-).

                Compared to the amount of thought and planning that should go into a decision to allow an extra kind of authentication, the effort of, say, rebuilding the system is small.

                Maybe I'm just old and paranoid...

              • Re:PAM (Score:4, Informative)

                by Permission Denied ( 551645 ) on Friday March 05, 2004 @10:53AM (#8475593) Journal
                OpenBSD and BSD/OS have one (bsd_auth) that exec()s small helper programs which implement the actual auth methods.

                Indeed, I just wrote a module for this. I needed one OpenBSD system to be able to authenticate users via LDAP. I did not want it to authenticate arbitrary LDAP users but only those who had local accounts.

                I had never worked with login.conf modules before. In fact, I didn't know they existed until yesterday. However, it took me exactly one hour to write a login_-ldap module that did exactly what I needed. I already knew my way around the OpenLDAP APIs, so this one hour was exactly the amount of time needed to figure out how this works. I had written a similar PAM module in the past and it took significantly longer to do that.

                Someone noted that PAM has the advantage that you can change policy on the fly without restart. This is not exactly true: applications load PAM modules at startup so if you make a change, you have to restart the application.

                OpenBSD login.conf works better than this as the authenticators are separate programs: I did not need to restart sshd or anything else. Changes were picked up as I edited /etc/login.conf and copied my program into /usr/libexec/auth. When developing a PAM module, you usually write a separate small program to test it, but I didn't need to do this with login.conf.

                There are other advantages as well: since the authenticators are separate programs, they can't screw up actual daemons if the authenticator has a bug. I also encountered some problems with PAM: occasionally one of the pointers in the PAM structure ended up NULL. This would screw up a particular daemon that I wrote since it would run fine for days but then crash when passed this NULL pointer. I don't know if the problem was in PAM itself or in the modules I was using. Once I figured out that this can happen (not documented anywhere, likely a bug), I was able to consider that NULL pointer as a failed authentication. This wouldn't have happened with login.conf: NULL pointer problems are limited to the authenticator and will not screw with the daemon. Basically, daemons use a safer communicaion system with the authentication subsystem.

                So I can say that OpenBSD login.conf is more flexible, safer and easier to administer than PAM. There are, however a couple of disadvantages that would turn off some people:

                1. You have to edit a termcap-formatted file. This was not an issue for me, but if you don't, for instance, know what ":tc=" means, you will very easily get confused. Careful reading of man pages solves this. Termcap-formatted files are really the "BSD" way of doing things, so I don't mind this as it's rather consistent.
                2. The system is more flexible, but that's partly because it's easier to write custom authenticators. You can't "stack" modules like in PAM, so I needed to write code to enforce the policy mechanism I needed (users must have local accounts before authenticating via LDAP). With PAM, you would just edit a config file, not write a C program. I don't believe this is too big of a disadvantage as lots of very valid policies are difficult to express in PAM modules. For instance, what if instead of local accounts I required users on this machine to have a particular LDAP attribute? Is there a PAM module that checks for attributes rather than binding? I don't think so, so you'd end up writing one. With both systems, you end up writing a module when you have a policy that can't be expressed with current modules, but that's much easier with login.conf.
          • Re:PAM (Score:5, Informative)

            by six809 ( 1961 ) on Friday March 05, 2004 @08:34AM (#8474283) Homepage

            I wouldn't be at all surprised if this bug was in the PAM library or a module.

            Neither would I. From the patch details [sun.com]:

            Files included with this patch:

            /usr/lib/libpam.so.1
            /usr/lib/llib-lpas swdutil
            /usr/lib/llib-lpasswdutil.ln
            /usr/lib/pa sswdutil.so.1
            /usr/lib/security/pam_authtok_check .so.1
            /usr/lib/security/pam_authtok_get.so.1
            /us r/lib/security/pam_authtok_store.so.1
            /usr/lib/se curity/pam_dhkeys.so.1
            /usr/lib/security/pam_ldap .so.1
            /usr/lib/security/pam_passwd_auth.so.1
            /us r/lib/security/pam_unix_account.so.1
            /usr/lib/sec urity/pam_unix_auth.so.1
            /usr/lib/security/sparcv 9/pam_authtok_check.so.1
            /usr/lib/security/sparcv 9/pam_authtok_get.so.1
            /usr/lib/security/sparcv9/ pam_authtok_store.so.1
            /usr/lib/security/sparcv9/ pam_dhkeys.so.1
            /usr/lib/security/sparcv9/pam_lda p.so.1
            /usr/lib/security/sparcv9/pam_passwd_auth. so.1
            /usr/lib/security/sparcv9/pam_unix_account.s o.1
            /usr/lib/security/sparcv9/pam_unix_auth.so.1
            /usr/lib/sparcv9/libpam.so.1
            /usr/lib/sparcv9/ll ib-lpasswdutil.ln
            /usr/lib/sparcv9/passwdutil.so. 1
  • Risk assessment (Score:5, Interesting)

    by achurch ( 201270 ) on Friday March 05, 2004 @05:48AM (#8473710) Homepage

    The risk is MEDIUM. A local unprivileged user may be able to gain unauthorized root privileges. [...] There are no reliable symptoms that would show the described issue has been exploited to gain unauthorized elevated privileges to a host.

    . . . and this is "medium"?

    • Comment removed (Score:5, Insightful)

      by account_deleted ( 4530225 ) on Friday March 05, 2004 @05:52AM (#8473724)
      Comment removed based on user account deletion
      • the bad ones are the ones that have screwed all your backups before you realise.

        Please tell which vulnerability would screw all my properly made backups? By properly made backup I mean a backup that is made regulary to an external medium, like a tape or CDR, and is regulary verified to be readable.

        Backups that can be destroyed by a software flaw without an intervention of an operator aren't worth much.
        • Re:Risk assessment (Score:5, Insightful)

          by arr28 ( 739468 ) on Friday March 05, 2004 @07:19AM (#8473979)
          Please tell which vulnerability would screw all my properly made backups? By properly made backup I mean a backup that is made regulary to an external medium, like a tape or CDR, and is regulary verified to be readable.

          The issue here is that a virus may slowly corrupt your data over a long period of time. If, like a great many people, you recycle backup tapes - eventually all your backups will also contain the corrupt data.

          By the time you spot it, perhaps it's too late.
        • Re:Risk assessment (Score:5, Insightful)

          by LordKronos ( 470910 ) on Friday March 05, 2004 @07:23AM (#8473983)
          Please tell which vulnerability would screw all my properly made backups

          The type of vulnerability where, by the time you realize someone has exploited the vulnerability, all of your safe backups have been put back into rotation, and the only backups that exist anymore are the ones that were made after the system was compromised.
      • Re:Risk assessment (Score:3, Interesting)

        by anno1a ( 575426 )
        At my university we run large solaris servers where about 12000 users have access. I'd say the risk here is a little more than medium, if we aren't even able to determine who the culprit is. Of course if the Solaris box was used as a local install only for one user the risk would be medium, but aren't Solaris primarilly used for servers (lots of users, lots of risk)?
        • > but aren't Solaris primarilly used for servers (lots of users, lots of risk)?

          Yes, and no. Servers generally *don't* have lots of users with shell account logins; your university user systems are an exception. In our own university data center, we have many large database/web/other servers that provide access to administrative information. You can count the number of people who have access to a shell prompt on these systems on your fingers.

          Chris Mattern
        • Re:Risk assessment (Score:3, Informative)

          by forlornhope ( 688722 )
          At my university, we run a solaris box as our file server. We only allow logins from admins and only via dsa ssh_keys to the system. We do this with all our production servers(web, mail, zope, database, etc. all running debian), but we also run many desktop systems and two shell servers running debian as well. We assume that these machines will be comprimised, corrupted, and/or otherwise broken. As such we manage them all via a system call FAI that we can reinstall the system at any time via a floppy an
    • Re:Risk assessment (Score:5, Interesting)

      by gl4ss ( 559668 ) on Friday March 05, 2004 @05:52AM (#8473726) Homepage Journal
      yeah well..

      if you would consider a remote exploit to be HIGH, that leaves a local exploit at medium, no?

      hmm.. what would be a low risk then.. maybe some game giving access to the game users privilidges..
      • by achurch ( 201270 )

        if you would consider a remote exploit to be HIGH, that leaves a local exploit at medium, no?

        I dunno, personally I'd consider both of them high--many local exploits can be exploited remotely as well via buffer overflows and the like. I'd put non-root privilege elevation at medium, and things like denial of service that don't actually damage the system at low to medium, but it all depends on the particular circumstances.

      • No, just not stoned enough. /rimshot
    • . . . and this is "medium"?

      Yes, because prior authentication is required. Local security on *NIX is known to be rather weak, and only the clueless rely on it for critical applications.
      • Re:Risk assessment (Score:5, Interesting)

        by achurch ( 201270 ) on Friday March 05, 2004 @06:00AM (#8473752) Homepage

        Yes, because prior authentication is required.

        Where is this stated? All I see is that /usr/bin/passwd has a local root vulnerability; to me, that says that if I can exploit a buffer overflow in any arbitrary program, even an unprivileged one, I can get root on the box.

        • Re:Risk assessment (Score:5, Insightful)

          by Florian Weimer ( 88405 ) <fw@deneb.enyo.de> on Friday March 05, 2004 @06:13AM (#8473793) Homepage
          Where is this stated? All I see is that /usr/bin/passwd has a local root vulnerability; to me, that says that if I can exploit a buffer overflow in any arbitrary program, even an unprivileged one, I can get root on the box.

          You've conveniently removed what I wrote: This is true on any *NIX system, there are tons of vulnerabilities which allow attackers who can execute code under a non-root UID to obtain root access.

          It doesn't matter if you fix passwd(1). There are too many other issues, most of which still have to be discovered. You can't rely on local *NIX security, you have to use other means to stop attackers. For example, one widely-used approach is "one machine per service" or "one machine per trust domain".
          • You've conveniently removed what I wrote: This is true on any *NIX system, there are tons of vulnerabilities which allow attackers who can execute code under a non-root UID to obtain root access.

            I'm sorry, I misinterpreted your earlier post. I'll agree that the "root" concept has many problems, but nonetheless root privilege does allow an attacker to do anything (modulo securelevel--does Solaris have that?) to the system. Also keep in mind that for many people, it's not worth the expense to use a stron

        • Re:Risk assessment (Score:4, Insightful)

          by sql*kitten ( 1359 ) * on Friday March 05, 2004 @06:36AM (#8473860)
          Where is this stated?

          I can't think of a case in which one can run /bin/passwd without having already logged in. Perhaps you are thinking of /bin/login?
        • Yeah, and that point being, is you actually have to have a user account or access to one. You can't get in to the system using this exploit, just something to do while you're already in.
    • Re:Risk assessment (Score:4, Insightful)

      by Tony-A ( 29931 ) on Friday March 05, 2004 @05:57AM (#8473746)
      . . . and this is "medium"?
      Solaris isn't really the sort of system where you tend to have untrustworthy users.
      A lot also depends on the difficulty of doing the exploit.
      • Re:Risk assessment (Score:4, Interesting)

        by achurch ( 201270 ) on Friday March 05, 2004 @06:13AM (#8473792) Homepage

        Agreed; the advisory is feather-light on details so I can't tell how easy it is to exploit. My main concern (as I've mentioned in other replies) is that many "local" exploits can become remote exploits as well via otherwise-harmless buffer overflows in other programs. If the bug actually requires you to use a terminal to exploit it, it's not so bad as if it could be triggered by a simple execve(...), in which case any daemon not chroot'd becomes a potential avenue of attack.

      • Re:Risk assessment (Score:4, Insightful)

        by Loconut1389 ( 455297 ) on Friday March 05, 2004 @06:52AM (#8473909)
        True, and the desire to hack sun boxes decreases with the age of machines. Who wants to hack an ultra 10? Theyre not particularly fast. Unless you discover a nice Sun Fire V480 floating around on the network thats not tied down (ssh from specific hosts only, etc etc).. Most people just don't hack solaris. There's little gain. The types of script kiddies who do the hacking dont usually feel like porting whatever software they want to run over to solaris, or dont know how. Solaris is too much work for the unfamiliar. Theres much more advantage for a hacker to take over one of the abundant dual xeon machines running linux on the network.
        • Theres much more advantage for a hacker to take over one of the abundant dual xeon machines running linux on the network.

          True. You have to wonder why it's Microsoft Windows that seems to catch most all the malware. I would imagine that Linux would be a much more attractive target.
        • Re:Risk assessment (Score:5, Interesting)

          by Octorian ( 14086 ) on Friday March 05, 2004 @07:54AM (#8474073) Homepage
          Furthermore, the UltraSPARC has this nice feature you can enable where the stack space is non-executable memory. (a feature easily enabled in Solaris, and now OpenBSD as well) While it is still possible to exploit a buffer overflow with this feature, it us MUCH more difficult (google around, and you may find some writeups)
      • Solaris isn't really the sort of system where you tend to have untrustworthy users.

        Really? How about universities? Thousands of people with valid log-ins, generally poor information security, too many computers, not enough IT staff.

    • Seems fair enough: high would be "can the bad guys get in?" and medium would be: "once in, can the bad guys do any damage?" If someone unauthorised/untrusted has user privileges, a lot of damage could still be done, and is worrying in itself.
  • by utahjazz ( 177190 ) on Friday March 05, 2004 @05:49AM (#8473712)
    Sun acknowledges, with thanks, Tim Wort (Tim.Wort@InklingResearch.com) for contacting
    us regarding this issue.


    I'm glad Sun thanked him by publishing his email address on a page now linked directly from the front of Slashdot.
  • // This not the first nor the last time something like this has shown up.

    what? doesn't that mean that the next root vulnerability would have had to already have shown up? or is the author precognitive? the link given as "last" certainly isn't...
    can we please think about these little jabs before tossing them around?
  • Solution (Score:2, Funny)

    by acceptera ( 750990 )
    Solution: Stop using local user-accounts and distribute the rootpassword to the public. Simple!
    • Re:Solution (Score:3, Interesting)

      by prat393 ( 757559 )
      This is, in fact, pretty similar to Richard Stallman's philosophy, and is elaborated on in the su info page, about why su doesn't support the wheel group.
      • Re:Solution (Score:5, Funny)

        by ratsnapple tea ( 686697 ) on Friday March 05, 2004 @06:49AM (#8473897)

        I wasn't sure whether to believe you at first, so I looked it up and it turns out you weren't kidding! This is just too fucking funny. [gnu.org]

        Why GNU su does not support the `wheel' group
        (This section is by Richard Stallman.)

        Sometimes a few of the users try to hold total power over all the rest. For example, in 1984, a few users at the MIT AI lab decided to seize power by changing the operator password on the Twenex system and keeping it secret from everyone else. (I was able to thwart this coup and give power back to the users by patching the kernel, but I wouldn't know how to do that in Unix.)

        However, occasionally the rulers do tell someone. Under the usual su mechanism, once someone learns the root password who sympathizes with the ordinary users, he can tell the rest. The "wheel group" feature would make this impossible, and thus cement the power of the rulers.

        I'm on the side of the masses, not that of the rulers. If you are used to supporting the bosses and sysadmins in whatever they do, you might find this idea strange at first.

        Typical RMS.

        • by Stallmanite ( 752733 ) on Friday March 05, 2004 @07:52AM (#8474067) Homepage
          No passwords may seem strange to us, but try to try to keep in mind the context that created that attitude.

          The MIT AI lab was a tight knit community. It was very open, like a family for stallman. Passwords were just a way for the school to exercise control.

          http://www.oreilly.com/openbook/freedom/ch06.htm l
          http://catb.org/~esr/jargon/html/os-and-jedgar. htm l
          • Passwords were just a way for the school to exercise control.

            Is this "school" you speak of MIT? If so, it's worth pointing out that the root password for any public workstation at MIT is available to any user of the system. However, it's still not a carriage return, because that would be stupid. And users still have their own passwords, because in this day and age, having no password is dumb. Yet if they want root, all they have to is ask. (Well "ask" by means of typing a command - there's no approva

        • Re:Solution (Score:2, Interesting)

          by DashEvil ( 645963 )
          So let me get this straight....

          I buy a computer, I install Linux on it and give him local access to it.

          How does this, in his eyes, make me the equivilent of some horrible dictator, and why does he feel like he has the devine right to exercise complete control over the machine?
      • Re:Solution (Score:3, Informative)

        This is, in fact, pretty similar to Richard Stallman's philosophy, and is elaborated on in the su info page, about why su doesn't support the wheel group.

        Fortunately, with PAM support, you can implement a wheel group easily.

        (And yes, I'm guilty of discriminating against many users: "www-data", "nobody", "mail"...)
  • solaris bashing? (Score:4, Insightful)

    by Anonymous Coward on Friday March 05, 2004 @05:57AM (#8473745)
    So it's a local privilege escalation, already fixed, with no published exploit in the wild? I have a feeling if this were linux then it wouldn't make the front page. (Which is a moot point as everyone knows you don't get security holes in linux. Just Windows and now Solaris.)

    And those two links make it look like Sol is plagued by root exploits. One's from a 1994 release of SunOS 4, the other's from nearly seven years ago.
  • Finally... (Score:5, Funny)

    by EmagGeek ( 574360 ) on Friday March 05, 2004 @05:59AM (#8473748) Journal
    Some news for nerds that actually matters... :)
    • although i agree with you in one sense. give the relatively low number of *nix exploits found compared to windows exploits found if this was all slashdot reported it would be "news for nerds stuff that mattered" it would be "bug for windows stuff for hackers"
  • by Viol8 ( 599362 )
    "unprivileged user may be able to gain unauthorized root privileges "

    Great. So how do they go about doing it? A bit more info would be useful such as what type of activity to watch for etc....
  • by rixstep ( 611236 ) on Friday March 05, 2004 @06:07AM (#8473779) Homepage
    'This is but further proof of the superiority of Microsoft Windows. Microsoft Windows has never had a problem with its passwd commands or files. I personally recommend Microsoft Windows for serious enterprise computing precisely for this reason.'
    - J Allchin
  • by kd4evr ( 712384 ) on Friday March 05, 2004 @06:11AM (#8473788)
    Obviusly, security is the reason why the
    flaw isn't explanied in detail. Without
    more explanation, however, there is no
    way to tell how serious this really is.

    What's yellow and dangerous? A canary w/ root
    password.

    In my understanding of systems security,
    every security issue may be serious, but
    this one is definitely less than serious.

    A system that has no test:test accounts or
    guest logins, with all non-privileged users
    somehow known and/or affiliated with a systems
    administrator, chances of a major breach are
    slim.

    Incidental damage by a less skilled
    non-privileged user is another matter, though;
    likely and depending on the circumstances -
    reminds me of a poll once taken: would you trust
    your significant other with your root password?

    I hope this haiku style editing doesn't offend anyone.

  • Big deal? (Score:5, Insightful)

    by shin0r ( 208259 ) on Friday March 05, 2004 @06:16AM (#8473799) Homepage
    Let's not overreact here:

    a: vulnerability identified
    b: patches released to fix vulnerability

    all done *without* publishing a proof of concept / exploit for would-be skript0rs. There are no known exploits in the wild that abuse this vulnerability. Also bear in mind that user rights already need to be in place.

    • Re:Big deal? (Score:3, Interesting)

      by Mr_Silver ( 213637 )
      all done *without* publishing a proof of concept

      If the patch exposes the source code required to fix it, then you're three-quarters of the way towards an exploit.

    • Re:Big deal? (Score:2, Insightful)

      by Anonymous Coward
      Umm. "Patches released" does not mean "Vulnerability fixed". Sun has, on numerous occasions, published a patch to fix a specific published exploit tool without actually fixing the underlying vulnerability. Look at the old "8lgm" references on the Net for examples.

      The "8-legged-groove-machine" found that Sun only fixed vulnerabilities when exploits were published publicly, not when Sun was notified privately, and were repeatedly able to publish a new exploit tool within a week because Sun blocked the partic
  • by Anonymous Coward on Friday March 05, 2004 @06:21AM (#8473815)
    When I first ran into this post, an ad of Sun appeared at the top of Slashdot's page which mentioned:
    "SUN MICROSYSTEMS TECHNOLOGY HELPS TAKE YOU PLACES YOU'VE NEVER BEEN BEFORE."

    Places I've never been before... Rootland?
  • I've been using Solaris (and before that SunOS) for years on my company's servers and there's never once been a root exploit. As with any OS, you just have to keep it patched.

  • Concerned (Score:3, Funny)

    by Anonymous Coward on Friday March 05, 2004 @06:31AM (#8473844)
    While I'm glad its local only, I'm still worried. I have a Sun Blade 60 that I bought to learn Solaris on, and while I'm the only one using it, I don't know if I trust me cat. Should I be worried? I'll still patch as soon as possible...

    fingers crossed, suspiciously stares at kitten....
  • by TheLinuxWarrior ( 240496 ) <aaron,carr&aaroncarr,com> on Friday March 05, 2004 @06:34AM (#8473853)
    Ok, so we have a local root exploit.

    It's not as though Linux or the BSDs have never had one.

    At this point it becomes a matter of "how much do I trust the users on my systems?". Since none of my boxes are exposed to the public, and all my users are known/trusted employees, I can't say that this is really that big of a deal.

    Don't think I won't be patching it, all I'm saying is that the mere fact that the machine is powered on and connected to a network doesn't mean it's going to be 0wn3d.

    Save your energy/bashing for the next Windows worm that comes along that doesn't require having an account on the machine to break in.

  • by Anonymous Coward
    All your Solaris root password are belong to me.
  • phew (Score:2, Funny)

    by Anonymous Coward
    I'm glad I never updated from Solaris 7, I'll be perfectly secure now.

    I wuv you CDE.
  • The kernel may be great and uber-stable, but the user-space utilities shipped with the OS are ancient and full of bugs long ago resolved in *BSD or Linux offerings.

    I am talking about awk, grep, diff (still no unified diffs!) and the like. The default shells -- sh and csh -- do not even allow for command line editing. make is outdated. vi borks if you extend your xterm too wide.

    Sure, you change the login shell to bash or tcsh, you can install the GNU utilities. Or BSD, for that matter (I ported FreeBSD's make(1) myself to use the bsd.*.mk files). But then, hey. you can even customize Windows to be almost like Un*x...

    The "out of the box" installation should be -- and can be -- much better...

    To bring this back on topic, it seems to me, the major thrust of the Solaris development is on kernel. The user space side -- including the passwd(1) -- is neglected.

  • by Oestergaard ( 3005 ) on Friday March 05, 2004 @08:08AM (#8474129) Homepage
    Just curious.

    I used to download the patch clusters, but for single patches (or just few patches) that seems a little excessive.

    I'm trying out PatchPro now - you can get it from Sun for free. But it's some 100MB+ java monster process, requires WBEM, and god knows what. Not exactly light weight or minimal by any means.

    I was hoping for something roughly equivalent to "apt-get update; apt-get upgrade" - right now I'm at "smpatch update" which would be allright I guess if the WBEM services didn't take up half the memory in the box, all the CPU, and generally just took ages to run.

    Bigadmins (with enough time on your hands to read slashdot), what do you do?
  • by chrysalis ( 50680 ) on Friday March 05, 2004 @08:22AM (#8474207) Homepage
    It's nice to have Slashdot posts about important security flaws.
    But why is there nothing about the highly more critical and remotely exploitable tcp/ip denial of service discovered in all versions of FreeBSD ?

  • by lythander ( 21981 ) on Friday March 05, 2004 @08:47AM (#8474349)
    The patch for Solaris 8 is a giant PITA. Install in single user mode only, lots of patch incompatibilities, very sysadmin and uptime unfriendly. Many won't apply it because of the downtime it involves. At least not until there's an exploit. Then there will be hell to pay.
  • Patch links broken? (Score:4, Interesting)

    by doc_traig ( 453913 ) on Friday March 05, 2004 @09:08AM (#8474493) Homepage Journal

    The Sun links to 108993-32 and 113476-11 (SPARC Sol. 8 and 9) seem to be 404ing... anyone have valid links to grab the patches over HTTP?

One person's error is another person's data.

Working...