[Sun] Vulnerability in utempter - Sun Alert ID: 57658

win-sec-ssc at dfn-cert.de
Thu Oct 28 16:50:18 CEST 2004


-----BEGIN PGP SIGNED MESSAGE-----

Dear colleagues,

We have just received the following bulletin from the SUN Customer Warning
System. We are forwarding this information to you unchanged.

The utempter program allows the utmp and wtmp log files to be modified
without root privileges. The programs xterm and screen use utempter.

CAN-2004-0233 - Vulnerabilities in utempter

  Path names containing certain combinations of "/" and "." make utempter
  susceptible to a symlink attack through which attackers can gain root
  privileges. However, this additionally requires other programs that
  a) run with root privileges and b) do not check the path of the
  terminal.

  In addition, there are several errors in strncpy calls that can cause
  utempter to crash.


The following software packages and platforms are affected:

  Version utempter-0.5.2-342 and earlier versions.

in

  Sun Java Desktop System (JDS) 2003 without patch-8934
  Sun Java Desktop System (JDS) Release 2 without patch-8934

Revised packages are provided by the vendor.

(c) of the German summary by DFN-CERT Services GmbH; distribution,
including in part, is permitted only with reference to the author,
DFN-CERT Services GmbH, and only for non-commercial purposes.

Kind regards,


           Jan Kohlrausch, DFN-CERT

- --
Jan Kohlrausch (CSIRT), DFN-CERT Services GmbH
Web: https://www.dfn-cert.de/, Phone: +49-40-808077-555
PGP RSA/2048, A5DD03D1, A2 55 1C 51 0A 30 3E 78  5B 40 DA B7 14 F7 C9 E8


*Document ID:*	57658
*Title:*	Document ID 57658
*Synopsis:*	Security Vulnerabilities Involving the utempter(8) Utility
*Update Date:*	2004-10-26

- ------------------------------------------------------------------------
*Description*

* Sun(sm) Alert Notification *

    * Sun Alert ID: 57658
    * Synopsis: Security Vulnerabilities Involving the utempter(8) Utility
    * Category: Security
    * Product: Sun Java Desktop System (JDS)
    * BugIDs: 6179483
    * Avoidance: Patch
    * State: Resolved
    * Date Released: 26-Oct-2004
    * Date Closed: 26-Oct-2004
    * Date Modified: 

* 1. Impact * Unprivileged local users may be able to overwrite
arbitrary files on a system due to a security vulnerability in the
utempter(8) utility.

*Note:* utempter(8) is a privileged helper program that writes utmp/wtmp
entries for unprivileged programs.
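The two defects summarised above (path names built from "/" and "." that let a planted symlink redirect a privileged write, and strncpy calls that leave a field unterminated) are exactly what a privileged utmp/wtmp helper has to guard against before it touches anything. The following is an added example written for this page; it is not Sun's or utempter's own code. It assumes, for illustration only, that terminals live under /dev and that the line name is stored in a 32-byte field that must stay NUL-terminated; the function names and sample paths are constructed.

```c
/* Added example; not Sun's or utempter's own code. Shows the checks a
 * privileged utmp/wtmp helper (or a root-running program that calls one)
 * should apply to a terminal path before trusting it. Assumptions
 * (constructed for this example): terminals live under /dev, and the
 * line name is stored in a 32-byte field that must stay NUL-terminated. */
#include <stdio.h>
#include <string.h>
#include <sys/types.h>
#include <sys/stat.h>

#define DEV_PREFIX "/dev/"
#define LINE_FIELD_SIZE 32   /* constructed: size of the field the name is copied into */

/* Lexical check only. The path must begin with "/dev/", must not end
 * in "/", and no component may be empty, "." or "..", so no sequence of
 * "/" and "." can escape /dev. Returns 1 if the path passes, else 0. */
int tty_path_is_sane(const char *path)
{
    const char *p;

    if (path == NULL || strncmp(path, DEV_PREFIX, strlen(DEV_PREFIX)) != 0)
        return 0;
    p = path + strlen(DEV_PREFIX);
    if (*p == '\0')
        return 0;                       /* "/dev/" alone names no terminal */
    while (*p != '\0') {
        const char *seg = p;
        size_t len;

        while (*p != '\0' && *p != '/')
            p++;
        len = (size_t)(p - seg);
        if (len == 0)                   /* "//" */
            return 0;
        if (seg[0] == '.' && (len == 1 || (len == 2 && seg[1] == '.')))
            return 0;                   /* "." or ".." component */
        if (*p == '/') {
            p++;
            if (*p == '\0')             /* trailing "/" */
                return 0;
        }
    }
    return 1;
}

/* Filesystem check: lstat, not stat, so a symbolic link planted at the
 * path is seen as a link and rejected instead of being followed. Returns
 * 1 if the path is a character device, else 0 (including when it does
 * not exist). */
int tty_path_is_chardev(const char *path)
{
    struct stat st;

    if (lstat(path, &st) != 0)
        return 0;
    return S_ISCHR(st.st_mode) ? 1 : 0;
}

/* Copy the line name (path without "/dev/") into a fixed-size field.
 * Unlike a bare strncpy, this refuses a name that does not fit, so the
 * field is always NUL-terminated and nothing is silently truncated.
 * Returns 1 on success, else 0. */
int copy_tty_line(char *dst, size_t dstsize, const char *path)
{
    const char *line;
    size_t len;

    if (!tty_path_is_sane(path))
        return 0;
    line = path + strlen(DEV_PREFIX);
    len = strlen(line);
    if (len >= dstsize)                 /* no room for the terminating NUL */
        return 0;
    memcpy(dst, line, len + 1);         /* copies the NUL as well */
    return 1;
}

/* Full gate: all three checks must pass before the helper writes an entry. */
int tty_path_accept(const char *path, char *line, size_t linesize)
{
    return tty_path_is_sane(path) && tty_path_is_chardev(path) &&
           copy_tty_line(line, linesize, path);
}

int main(void)
{
    /* Constructed sample inputs; only the first two are well-formed. */
    const char *samples[] = {
        "/dev/pts/3",
        "/dev/ttyS0",
        "/dev/../tmp/fake-tty",
        "/dev/pts/./3",
        "/dev//pts/3",
        "/dev/pts/3/",
        "/tmp/pts/3",
    };
    char line[LINE_FIELD_SIZE];
    size_t i;

    for (i = 0; i < sizeof samples / sizeof samples[0]; i++) {
        int lexical = tty_path_is_sane(samples[i]);
        int fits = copy_tty_line(line, sizeof line, samples[i]);
        printf("%-22s lexical=%d fits=%d chardev=%d\n", samples[i],
               lexical, fits, lexical ? tty_path_is_chardev(samples[i]) : 0);
    }
    return 0;
}
```

The lexical check is deliberately separate from the lstat check: the first can be unit-tested on strings alone, while the second depends on the host's /dev and on using lstat rather than stat, which is the difference between seeing a planted symlink and following it. The copy helper returns failure instead of truncating, which is the behaviour a helper wants in place of an unterminated strncpy result.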

This issue is described in the following documents:

    * http://cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2004-0233
    * http://xforce.iss.net/xforce/xfdb/15904
    * http://www.ciac.org/ciac/bulletins/o-133.shtml 

* 2. Contributing Factors * This issue can occur in the following releases:

*Linux*

    * Sun Java Desktop System (JDS) 2003 without the updated RPMs
      (patch-8934)
    * Sun Java Desktop System (JDS) Release 2 without the updated RPMs
      (patch-8934) 

*Note:* JDS for Solaris is not impacted by this issue.

This issue only occurs with utempter versions utempter-0.5.2-342 or
earlier.

To determine the release of JDS for Linux installed on a system, the
following command can be run:

    % cat /etc/sun-release
    Sun Java Desktop System, Release 2 -build 10b (GA)
    Assembled 30 March 2004

To determine the version of utempter, the following command can be run:

    % rpm -qf /usr/sbin/utempter
    utempter-0.5.2-342

* 3. Symptoms * There are no predictable symptoms that would show the
described issue has been exploited.

*Solution Summary*

* 4. Relief/Workaround * There is no workaround. Please see the
"Resolution" section below.

* 5. Resolution * This issue is addressed in the following releases:

*Linux*

    * Sun Java Desktop System (JDS) 2003 with the updated RPMs (patch-8934)
    * Sun Java Desktop System (JDS) Release 2 with the updated RPMs
      (patch-8934) 

To download and install the updated RPMs from the update servers select
the following from the launch bar:

    Launch >> Applications >> System Tools >> Online Update

For additional information on obtaining updates see:

    * http://wwws.sun.com/software/javadesktopsystem/faq.html#5q5
    * http://wwws.sun.com/software/javadesktopsystem/faq.html#5q7

/This Sun Alert notification is being provided to you on an "AS IS"
basis. This Sun Alert notification may contain information provided by
third parties. The issues described in this Sun Alert notification may
or may not impact your system(s). Sun makes no representations,
warranties, or guarantees as to the information contained herein. ANY
AND ALL WARRANTIES, EXPRESS OR IMPLIED, INCLUDING WITHOUT LIMITATION
WARRANTIES OF MERCHANTABILITY, FITNESS FOR A PARTICULAR PURPOSE, OR
NON-INFRINGEMENT, ARE HEREBY DISCLAIMED. BY ACCESSING THIS DOCUMENT YOU
ACKNOWLEDGE THAT SUN SHALL IN NO EVENT BE LIABLE FOR ANY DIRECT,
INDIRECT, INCIDENTAL, PUNITIVE, OR CONSEQUENTIAL DAMAGES THAT ARISE OUT
OF YOUR USE OR FAILURE TO USE THE INFORMATION CONTAINED HEREIN. This Sun
Alert notification contains Sun proprietary and confidential
information. It is being provided to you pursuant to the provisions of
your agreement to purchase services from Sun, or, if you do not have
such an agreement, the Sun.com Terms of Use. This Sun Alert notification
may only be used for the purposes contemplated by these agreements./

/Copyright 2000-2004 Sun Microsystems, Inc., 4150 Network Circle, Santa
Clara, CA 95054 U.S.A. All rights reserved./

-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.2.2 (SunOS)
Comment: Processed by Mailcrypt 3.5.8 <http://mailcrypt.sourceforge.net/>

iQEVAwUBQYEGgOI9ttyl3QPRAQHzYQf/QbgUNDppZmkvzxiB25MHrDnxkJHMoSjf
+uM93/Uqzq/DyqeqsypUvbESrb8q+sY/NoqQc3Ql35qY9nslrzSymTORJC3/jLzm
iZ8gS+CjwPbLQ+z2b8EyCvEDrWuq1A/5U1oWGAbGJ8R6IvpDHeb8f7OYHzMXkYV7
F6TmmOn087VQ/y4IEu+N/9SXI7XtawWWUa30ESsAfAOZycWMwgXzpv8xhs9tsQ+X
Jsx8gMLfuaAV+y8sexocO9dZp2Iuzm7FXZO8yaIrRECY2m55DrzZqdwm+y0BYroW
EyLgavWWMQ2QxvJ1Lw32JmwBFJTNshSr+ecO6xVygEaCyYXT9syLSg==
=VkIT
-----END PGP SIGNATURE-----
