Copy Link
Add to Bookmark
Report

CERT Advisory 019

eZine's profile picture
Published in 
CERT Advisory
 · 4 years ago

  


-----BEGIN PGP SIGNED MESSAGE-----

CA-90:12 CERT Advisory
December 20, 1990
SunOS TIOCCONS Vulnerability

- -------------------------------------------------------------------------

The following information was sent to us from Sun Microsystems. It
contains availability information regarding a fix for a vulnerability
in SunOS 4.1 and SunOS 4.1.1. (A version for SunOS 4.0.3 is currently
in testing and should be available shortly.) For more information,
please contact Sun Microsystems at 1-800-USA-4SUN.

- -------------------------------------------------------------------------

SUN MICROSYSTEMS SECURITY BULLETIN:

This information is only to be used for the purpose of alerting
customers to problems. Any other use or re-broadcast of this
information without the express written consent of Sun Microsystems
shall be prohibited.

Sun expressly disclaims all liability for any misuse of this information
by any third party.
- -------------------------------------------------------------------------

These patches are available through your local Sun answer centers
worldwide. As well as through anonymous ftp to ftp.uu.net in the
~ftp/sun-dist directory.

Please refer to the BugID and PatchID when requesting patches from Sun
answer centers.

NO README information will be posted in the patch on UUNET. Please refer
the the information below for patch installation instructions.

- -------------------------------------------------------------------------

Sun Bug ID : 1008324
Synopsis : TIOCCONS redirection of console input/output is a security
violation.
Sun Patch ID : for SunOS 4.1, SunOS 4.1_PSR_A 100187-01
Sun Patch ID : for SunOS 4.1.1 100188-01
Available for: Sun3, Sun3x, Sun4 Sun4c
SunOS 4.1, SunOS 4.1_PSR_A, SunOS 4.1.1
Checksum of compressed tarfile on ftp.uu.net:~ftp/sun-dist

sum of SunOS 4.1 tarfile 100187-01.tar.Z : 14138 142
sum of SunOS 4.1.1 tarfile 100188-01.tar.Z: 24122 111

- --------------------------------------------------------------------------

README information follows:

Patch-ID# 100188-01
Keywords: TIOCCONS
Synopsis: SunOS 4.1.1: TIOCCONS redirection of console is a security violation.
Date: 17/Dec/90

SunOS release: 4.1.1

Unbundled Product:

Unbundled Release:

Topic:

BugId's fixed with this patch: 1008324

Architectures for which this patch is available: sun3 sun3x sun4 sun4c

Patches which may conflict with this patch:

Obsoleted by: Next major release of SunOS

Problem Description: TIOCCONS can be used to re-direct console output/input
away from "console"


Patch contains kernel object modules for:

/sys/sun?/OBJ/cons.o
/sys/sun?/OBJ/zs_async.o
/sys/sun?/OBJ/mcp_async.o
/sys/sun?/OBJ/mti.o

Where sun? is one of sun4, sun4c, sun3, sun3x, sun4/490-4.1_PSR_A

NOTE: The sun4c does not use mti.o nor mcp_async.o since this architecture
does not have VME slots and therefore cannot use the ALM-2 Asynchronous Line
Multiplexor or Systech MTI-800/1600. So those modules are not needed.

The fix consists of adding permission checking to setcons, the routine
that does the work of console redirection, and changing its callers to
supply additional information required for the check and to see whether
or not the check succeeded. Setcons now uses uid and gid information
supplied to it as new arguments to perform a VOP_ACCESS call for VREAD
permission on the console. If the caller doesn't have permission to
read from the console, setcons rejects the redirection attempt.


INSTALL:

AS ROOT:
save aside the object modules from the FCS tapes as a precaution:

# mv /sys/sun?/OBJ/cons.o /sys/sun?/OBJ/cons.o.orig
# mv /sys/sun?/OBJ/tty_pty.o /sys/sun?/OBJ/tty_pty.o.orig
# mv /sys/sun?/OBJ/zs_async.o /sys/sun?/OBJ/zs_async.o.orig
# mv /sys/sun?/OBJ/mcp_async.o /sys/sun?/OBJ/mcp_async.o.orig
# mv /sys/sun?/OBJ/mti.o /sys/sun?/OBJ/mti.o.orig

copy the new ".o" files to the OBJ directory:

# cp sun?/*.o /sys/sun?/OBJ/

build and install a new kernel:
rerun /etc/config <kernel-name> and do a "make" for the new kernel
Please refer to the System and Network Administration Manual for details
on how to configure and install a custom kernel.



- -------------------------------------------------------------------------
Patch-ID# 100187-01
Keywords: TIOCCONS
Synopsis: SunOS 4.1 4.1_PSR_A: TIOCCONS redirection of console is a security
violation.
Date: 17/Dec/90

SunOS release: 4.1 4.1_PSR_A

Unbundled Product:

Unbundled Release:

Topic:

BugId's fixed with this patch: 1008324

Architectures for which this patch is available: sun3 sun3x sun4 sun4c
sun4-490_4.1_PSR_A

Patches which may conflict with this patch:

Obsoleted by: Next major release of SunOS

Problem Description: TIOCCONS can be used to re-direct console output/input
away from "console"


Patch contains kernel object modules for:

/sys/sun?/OBJ/cons.o
/sys/sun?/OBJ/zs_async.o
/sys/sun?/OBJ/mcp_async.o
/sys/sun?/OBJ/mti.o

Where sun? is one of sun4, sun4c, sun3, sun3x, sun4/490-4.1_PSR_A

NOTE: The sun4c does not use mti.o nor mcp_async.o since this architecture
does not have VME slots and therefore cannot use the ALM-2 Asynchronous Line
Multiplexed or Systech MTI-800/1600. So those modules are not needed.


The fix consists of adding permission checking to setcons, the routine
that does the work of console redirection, and changing its callers to
supply additional information required for the check and to see whether
or not the check succeeded. Setcons now uses uid and gid information
supplied to it as new arguments to perform a VOP_ACCESS call for VREAD
permission on the console. If the caller doesn't have permission to
read from the console, setcons rejects the redirection attempt.


INSTALL:

AS ROOT:
save aside the object modules from the FCS tapes as a precaution:

# mv /sys/sun?/OBJ/cons.o /sys/sun?/OBJ/cons.o.orig
# mv /sys/sun?/OBJ/tty_pty.o /sys/sun?/OBJ/tty_pty.o.orig
# mv /sys/sun?/OBJ/zs_async.o /sys/sun?/OBJ/zs_async.o.orig
# mv /sys/sun?/OBJ/mcp_async.o /sys/sun?/OBJ/mcp_async.o.orig
# mv /sys/sun?/OBJ/mti.o /sys/sun?/OBJ/mti.o.orig

copy the new ".o" files to the OBJ directory:

# cp sun?/*.o /sys/sun?/OBJ/

build and install a new kernel:
rerun /etc/config <kernel-name> and do a "make" for the new kernel
Please refer to the System and Network Administration Manual for details
on how to configure and install a custom kernel.

- -------------------------------------------------------------------------
Computer Emergency Response Team/Coordination Center (CERT/CC)
Software Engineering Institute
Carnegie Mellon University
Pittsburgh, PA 15213-3890

Internet E-mail: cert@cert.org
Telephone: 412-268-7090 24-hour hotline:
CERT personnel answer 7:30a.m.-6:00p.m. EST, on call for
emergencies during other hours.

Past advisories and other information are available for anonymous ftp
from cert.org (192.88.209.5).


-----BEGIN PGP SIGNATURE-----
Version: 2.6.2

iQCVAwUBMaMwlnVP+x0t4w7BAQGHJAP/YwH65RfH9xpTMUFuozVZAaaaHRdZH12Q
kTNtwhoGvTmi0u7iR8Z2BYv1+JBNCCQZEwDAxtJRwhk/3guSa0RdF2T4QDznOInC
+A1jiPMLY25PAcE/FV1euVLRrGwjEGmPWa7ODpgZoqBGzlVNpAuqZAtOKrBOdHS3
Efm0EF9qsEg=
=DUGa
-----END PGP SIGNATURE-----

← previous
next →
loading
sending ...
New to Neperos ? Sign Up for free
download Neperos App from Google Play
install Neperos as PWA

Let's discover also

Recent Articles

Recent Comments

Neperos cookies
This website uses cookies to store your preferences and improve the service. Cookies authorization will allow me and / or my partners to process personal data such as browsing behaviour.

By pressing OK you agree to the Terms of Service and acknowledge the Privacy Policy

By pressing REJECT you will be able to continue to use Neperos (like read articles or write comments) but some important cookies will not be set. This may affect certain features and functions of the platform.
OK
REJECT