※ 本文轉錄自 [Lan] 信箱 作者: [email protected] (TWCERT/CC Fellows) 標題: 【TWCERT/CC安全通報】TW-CA-2005-030-[Sun(sm) A 時間: Tue Mar 22 16:06:13 2005 -----BEGIN PGP SIGNED MESSAGE----- TW-CA-2005-030-[Sun(sm) Alert Notification #57710: Security Vulnerability in the newgrp(1) Command May Allow Unauthorized Root Privileges] ──────────────────────────────────────── TWCERT/CC發布日期：2005-03-22 原漏洞發布日期：2005-03-16 原漏洞最新更新日期：-- 通用安全漏洞編號： 分類：Gain Privilege 來源參考：Sun(sm) Alert Notification #57710 ──── 簡述 ───────────────────────────────── ──── 說明 ───────────────────────────────── newgrp(1)存在一個緩衝區溢位弱點，可能允許本地端未經授權的使用者取得root權限。 ──── 影響平台 ─────────────────────────────── 此議題可能影響下列發行版本： SPARC 平台 ‧未安裝 118737-01 或更新版本修正檔的 Solaris 7 ‧未安裝 116993-01 或更新版本修正檔的 Solaris 8 ‧未安裝 117445-01 或更新版本修正檔的 Solaris 9 x86 平台 ‧未安裝 118738-01 或更新版本修正檔的 Solaris 7 ‧未安裝 116994-01 或更新版本修正檔的 Solaris 8 ‧未安裝 117446-01 或更新版本修正檔的 Solaris 9 注意：Solaris 10 不受本議題影響。 ──── 修正方式 ─────────────────────────────── 暫時解決方法： 要暫時解決本議題的安全問題，在安裝修正檔之前，可先暫時移除newgrp(1)公用程式 的"setuid"權限，下列指令可完成上述工作： # chmod u-s /usr/bin/newgrp 注意：從newgrp(1)公用程式移除set-user-ID bit可預防利用來自newgrp(1)命令的未經 授權使用者。 解決方法： 此議題已於下列版本中解決： SPARC 平台 ‧安裝 118737-01 或更新版本修正檔的 Solaris 7 ‧安裝 116993-01 或更新版本修正檔的 Solaris 8 ‧安裝 117445-01 或更新版本修正檔的 Solaris 9 x86 平台 ‧安裝 118738-01 或更新版本修正檔的 Solaris 7 ‧安裝 116994-01 或更新版本修正檔的 Solaris 8 ‧安裝 117446-01 或更新版本修正檔的 Solaris 9 ──── 影響結果 ─────────────────────────────── 目前尚無可預期的徵兆顯示上述議題已遭受利用。 ──── 聯絡TWCERT/CC ───────────────────────────── Tel: 886-7-5250211 FAX: 886-7-5250212 886-2-23563303 886-2-23924082 Email: [email protected] URL: http://www.cert.org.tw/ PGP key: http://www.cert.org.tw/eng/pgp.htm ──────────────────────────────────────── 附件：[Security Vulnerability in the newgrp(1) Command May Allow Unauthorized Root Privileges] ──── 原文 ───────────────────────────────── Sun(sm) Alert Notification Sun Alert ID: 57710 Synopsis: Security Vulnerability in the newgrp(1) Command May Allow Unauthorized Root Privileges Category: Security Product: Solaris BugIDs: 4705393 Avoidance: Workaround, Patch State: Resolved Date Released: 16-Mar-2005 Date Closed: 16-Mar-2005 Date Modified: 1. Impact A buffer overflow in newgrp(1) may allow a local unprivileged user the ability to gain root privileges. 2. Contributing Factors This issue can occur in the following releases: SPARC Platform Solaris 7 without patch 118737-01 Solaris 8 without patch 116993-01 Solaris 9 without patch 117445-01 x86 Platform Solaris 7 without patch 118738-01 Solaris 8 without patch 116994-01 Solaris 9 without patch 117446-01 Note: Solaris 10 is not affected by this issue. 3. Symptoms There are no predictable symptoms that would indicate the described issue has been exploited. Solution Summary Top 4. Relief/Workaround To work around the described issue, sites may wish to remove the "setuid" permissions from the newgrp(1) utility until patches can be applied to the system. This can be done by issuing the following command: # chmod u-s /usr/bin/newgrp Note:Removing the set-user-ID bit from the newgrp(1) utility will prevent unprivileged users from using the newgrp(1) command. 5. Resolution This issue is addressed in the following releases: SPARC Platform Solaris 7 with patch 118737-01 or later Solaris 8 with patch 116993-01 or later Solaris 9 with patch 117445-01 or later x86 Platform Solaris 7 with patch 118738-01 or later Solaris 8 with patch 116994-01 or later Solaris 9 with patch 117446-01 or later This Sun Alert notification is being provided to you on an "AS IS" basis. This Sun Alert notification may contain information provided by third parties. The issues described in this Sun Alert notification may or may not impact your system(s). Sun makes no representations, warranties, or guarantees as to the information contained herein. ANY AND ALL WARRANTIES, EXPRESS OR IMPLIED, INCLUDING WITHOUT LIMITATION WARRANTIES OF MERCHANTABILITY, FITNESS FOR A PARTICULAR PURPOSE, OR NON-INFRINGEMENT, ARE HEREBY DISCLAIMED. BY ACCESSING THIS DOCUMENT YOU ACKNOWLEDGE THAT SUN SHALL IN NO EVENT BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, PUNITIVE, OR CONSEQUENTIAL DAMAGES THAT ARISE OUT OF YOUR USE OR FAILURE TO USE THE INFORMATION CONTAINED HEREIN. This Sun Alert notification contains Sun proprietary and confidential information. It is being provided to you pursuant to the provisions of your agreement to purchase services from Sun, or, if you do not have such an agreement, the Sun.com Terms of Use. This Sun Alert notification may only be used for the purposes contemplated by these agreements. Copyright 2000-2005 Sun Microsystems, Inc., 4150 Network Circle, Santa Clara, CA 95054 U.S.A. All rights reserved. ──────────────────────────────────────── -----BEGIN PGP SIGNATURE----- Version: PGP 7.0.4 iQEVAwUBQj/QK6cyQYefg2/NAQGA5wgAtee9mwzb4nIsnIqrKzAjap47dcVsQJu2 myZOkLO/lRUFTwK8jGLOeJyvrb4UZ5B1+wQylB81czVf3Hz7IOVpfiTWdQYEMZkM NhZZUVTNuzGFoPc6y/PakQf05JzwNHogB1qyvAUg5NeQhC/jMkXM6UzCNzS5eQgT jGgkEhSYw52C7pcGmvsH/oN3GYhCb0YycqdyeuBMcdOgr7gts7/gE7ZsZPqlviuZ 2ANce5MthXrRLay3Z+XMl6fdJl9EQHOuiuJzYA73Yy25D7XeJu3/DIGR2tmDR3Ey diaxKpgScE31aGwMUVYh9fMOOD51HCM1b0Em+EzYvqsaTrNpYmPeAQ== =0u5d -----END PGP SIGNATURE----- -- Taiwan Computer Emergency Response Team Security Advisory mailing list. Mail to : [email protected] and include a line "subscribe advisory". Please visit http://www.cert.org.tw/. PGP key : http://www.cert.org.tw/eng/pgp.htm