SecurityTracker.com
    Home    |    View Topics    |    Search    |    Contact Us    |   

SecurityTracker
Archives


 


Category:   OS (UNIX)  >   Pt_chmod Vendors:   Sun
(Vendor Issues Fix) Re: Sun Solaris pt_chmod Access Control Vulnerability Lets Local Users Obtain Write Access to Another User's TTY
SecurityTracker Alert ID:  1004035
SecurityTracker URL:  http://securitytracker.com/id/1004035
CVE Reference:   CVE-2001-1555   (Links to External Site)
Updated:  Jun 3 2008
Original Entry Date:  Apr 15 2002
Impact:   Modification of user information
Fix Available:  Yes  Vendor Confirmed:  Yes  

Description:   The Dublin City University Networking Society (RedBrick) reported a vulnerability in pt_chmod. The utility does not recognize access control lists and allows local users to obtain write access on relinquished ttys as they are allocated to other users.

It is reported that a local user can obtain full write access on all tty's previously allocated to another user when they are reallocated. A local user can ammend the access control list (ACL) on a tty that they own such that when the tty is later allocated to another user, the original user retains write access. This allows a local user to send bogus output to another user's tty.

It is reported that read/execute permissions are not retained.

The author of the report notes that this issue has been previously discussed on the comp.unix.solaris and comp.unix.security newsgroups.

The vendor has reportedly been notified.

Impact:   A local user can obtain write access to another user's tty.
Solution:   The vendor has issued a fix in the following releases:

SPARC

Solaris 8 with patch 112459-01 or later

Intel

Solaris 8 with patch 112460-01 or later

Sun notes that Solaris 7 and earlier releases are not affected because ACL's cannot be set on a character device in Solaris 7 and earlier.

Vendor URL:  www.sun.com/ (Links to External Site)
Cause:   Access control error
Underlying OS:  UNIX (Solaris - SunOS)
Underlying OS Comments:  Solaris 8 (x86 and Sparc)

Message History:   This archive entry is a follow-up to the message listed below.
Nov 13 2001 Sun Solaris pt_chmod Access Control Vulnerability Lets Local Users Obtain Write Access to Another User's TTY



 Source Message Contents

Subject:  DOCUMENT ID: 43929


DOCUMENT ID: 43929 
SYNOPSIS: Security Issue When Setting ACLs on Character Terminals With
Solaris 
DETAIL DESCRIPTION: 

Sun(sm) Alert Notification 

     Sun Alert ID: 43929 

     Synopsis: Security Issue When Setting ACLs on Character Terminals
With Solaris 

     Category: Security 

     Product: Solaris 
     BugIDs: 4394991 
     Avoidance: Patch 

     State: Resolved 
     Date Released: 10-Apr-2002 
     Date Closed: 10-Apr-2002 
     Date Modified: 

1. Impact 

A local unprivileged user may be able to retain write permissions to
their allocated tty(1) via an Access Control List (ACL) after they have
logged out and the tty(1) has been allocated to another user. For more
information refer to the acl(2) manual page. 

This issue is discussed at: 

        http://online.securityfocus.com/bid/3522                  

2. Contributing Factors 

This issue can occur in the following releases: 

SPARC 

     Solaris 8 without patch 112459-01 

Intel 

     Solaris 8 without patch 112460-01 

Note: Solaris 7 and earlier releases are not affected by the described
issue because ACL's cannot be set on a character device in Solaris 7 and
earlier. 

3. Symptoms 

In order to determine if an ACL has been set on a tty(1) use the
getfacl(1) command against a tty(1). For example, for the current tty(1)
do the following: 

        $ getfacl `tty`                  

For all ttys on the system, the following command can be run: 

        $ getfacl /dev/pts/*                  

The default output of from the getfacl(1) command against a tty(1)
without an ACL set is similar to: 

        # file: /dev/pts/45
        # owner: root
        # group: sys
        user::rw-
        group::r--              #effective:r--
        mask:rwx
        other:r--                  

If an ACL is set, the above output would differ depending on the type of
ACL. 


SOLUTION SUMMARY: 

4. Relief/Workaround 

None. 

5. Resolution 

This issue is addressed in the following releases: 

SPARC 

     Solaris 8 with patch 112459-01 or later 

Intel 

     Solaris 8 with patch 112460-01 or later 

This Sun Alert notification is being provided to you on an "AS IS"
basis. Sun makes no representations, warranties, or guaranties as to the
quality, suitability, truth, accuracy or completeness of any of the
information contained herein. This Sun Alert notification may contain
information provided by third parties. ANY AND ALL WARRANTIES, EXPRESS
OR IMPLIED, INCLUDING WITHOUT LIMITATION WARRANTIES OF MERCHANTABILITY,
FITNESS FOR A PARTICULAR PURPOSE, OR NON-INFRINGEMENT, ARE HEREBY
DISCLAIMED. The issues described in this Sun Alert notification may or
may not impact your system(s). 

BY ACCESSING THIS DOCUMENT YOU ACKNOWLEDGE THAT SUN SHALL IN NO EVENT BE
LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, PUNITIVE, OR CONSEQUENTIAL
DAMAGES THAT ARISE OUT OF YOUR USE OR FAILURE TO USE THE INFORMATION
CONTAINED HEREIN. 

This Sun Alert notification contains Sun proprietary and confidential
information. It is being provided to you pursuant to the provisions of
your Confidential Disclosure Agreement or the confidentiality provisions
of your agreement to purchase services from Sun. In the event that you
do not have one of the above-referenced agreements with Sun, this
information is provided pursuant to the confidentiality provisions of
the Sun.com Terms of Use. This Sun Alert notification may only be used
for the purposes contemplated by these agreements. 

Copyright 2001, 2002 Sun Microsystems, Inc., 901 San Antonio Road, Palo
Alto, CA 94303 U.S.A. All rights reserved.


 
 


Go to the Top of This SecurityTracker Archive Page





Home   |    View Topics   |    Search   |    Contact Us

This web site uses cookies for web analytics. Learn More

Copyright 2021, SecurityGlobal.net LLC