SecurityTracker.com
Keep Track of the Latest Vulnerabilities
with SecurityTracker!
    Home    |    View Topics    |    Search    |    Contact Us    |   

SecurityTracker
Archives


 
Sign Up
Sign Up for Your FREE Weekly SecurityTracker E-mail Alert Summary
Instant Alerts
Buy our Premium Vulnerability Notification Service to receive customized, instant alerts
Affiliates
Put SecurityTracker Vulnerability Alerts on Your Web Site -- It's Free!
Partners
Become a Partner and License Our Database or Notification Service
Report a Bug
Report a vulnerability that you have found to SecurityTracker
bugs
@
securitytracker.com





Category:   OS (UNIX)  >   wall (/usr/sbin/wall) Vendors:   Sun
(Sun Issues Fix) Re: 'wall' (/usr/sbin/wall) Bug Lets Local Users Spoof Broadcast Messages
SecurityTracker Alert ID:  1006682
SecurityTracker URL:  http://securitytracker.com/id/1006682
CVE Reference:   GENERIC-MAP-NOMATCH   (Links to External Site)
Date:  Apr 30 2003
Impact:   Modification of system information
Fix Available:  Yes  Vendor Confirmed:  Yes  
Version(s): Solaris 2.x, 7, 8, 9
Description:   A vulnerability was reported in the wall application on Sun Solaris and possibly other UNIX operating systems. A local user can send spoofed messages.

It is reported that a local user can broadcast spoofed messages to all users currently logged in on the system.

According to the report, the /usr/sbin/wall application determines if a message is sent by a local user or a remote user by checking to see if the file descriptor pointed to by stderr corresponds to a tty. If it does not, the application determines if the the first 5 bytes of the message are set to "From ", followed ultimately by a character string in the form of 'user@host'. So, a local user can spoof a 'rpc.walld' message by closing stderr before executing /usr/sbin/wall and then sending a bogus "From " header. A local user can exploit this to attempt to convey apparently official messages to users on the system.

A demonstration exploit transcript and code is provided in the Source Message.
Impact:   A local user can send a message to all logged in users on the system that appears to be a remotely generated broadcast message from an arbitrary source.
Solution:   Sun has issued the following patches:

SPARC Platform

Solaris 2.6 with patch 114889-01 or later
Solaris 7 with patch 114891-01 or later
Solaris 8 with patch 114673-01 or later
Solaris 9 with patch 114861-01 or later

x86 Platform

Solaris 2.6 with patch 114890-01 or later
Solaris 7 with patch 114892-01 or later
Solaris 8 with patch 114674-01 or later
Solaris 9 with patch 114862-01 or later
Vendor URL:  sunsolve.sun.com/pub-cgi/retrieve.pl?doc=fsalert%2F51980 (Links to External Site)
Cause:   State error
Underlying OS:  

Message History:   This archive entry is a follow-up to the message listed below.
Jan 3 2003 'wall' (/usr/sbin/wall) Bug Lets Local Users Spoof Broadcast Messages


 Source Message Contents
Date:  Tue, 29 Apr 2003 10:24:07 -0400
Subject:  51980 The wall(1M) Command May be Used to Send Messages Containing


http://sunsolve.sun.com/pub-cgi/retrieve.pl?doc=fsalert%2F51980

Sun updated Sun Alert 51980 regarding a vulnerability in the wall(1M) command.


Sun has issued the following patches:

SPARC Platform

Solaris 2.6 with patch 114889-01 or later
Solaris 7 with patch 114891-01 or later
Solaris 8 with patch 114673-01 or later
Solaris 9 with patch 114861-01 or later

x86 Platform

Solaris 2.6 with patch 114890-01 or later
Solaris 7 with patch 114892-01 or later
Solaris 8 with patch 114674-01 or later
Solaris 9 with patch 114862-01 or later


-----


Sun Alert ID: 51980
Synopsis: The wall(1M) Command May be Used to Send Messages Containing a Forged User ID
Category: Security
Product: Solaris
BugIDs: 4803267
Avoidance: Patch
State: Resolved
Date Released: 19-Mar-2003, 28-Apr-2003
Date Closed: 28-Apr-2003
Date Modified: 28-Apr-2003


Go to the Top of This SecurityTracker Archive Page



Home   |    View Topics   |    Search   |    Contact Us

Copyright 2013, SecurityGlobal.net LLC