Bugtraq mailing list archives

Sun Security Bulletin #00140

From: secure () SUNSC ENG SUN COM (Sun Security Coordination Team)
Date: Wed, 14 May 1997 13:58:05 -0700


______________________________________________________________________________

                   Sun Microsystems, Inc. Security Bulletin

Bulletin Number:        #00140
Date:                   14 May 1997
Cross-Ref:              AUSCERT AA-97.06
Title:                  Vulnerability in ffbconfig
______________________________________________________________________________

Permission is granted for the redistribution of this Bulletin, so long as
the Bulletin is not edited and is attributed to Sun Microsystems. Portions
may also be excerpted for re-use in other security advisories so long as
proper attribution is included.

Any other use of this information without the express written consent of
Sun Microsystems is prohibited. Sun Microsystems expressly disclaims all
liability for any misuse of this information by any third party.
______________________________________________________________________________

1.  Bulletins Topics

    Sun announces the release of patches for Solaris 2.5.1 (SunOS 5.5.1) and
    Solaris 2.5 (SunOS 5.5) that relate to vulnerabilities in the ffbconfig
    program, which can result in root access if exploited.

    Sun strongly recommends that you install these patches immediately on
    every affected system. Exploitation information for ffbconfig is publicly
    available.

2.  Who is Affected

       Vulnerable:  SunOS versions 5.5.1 and 5.5 SPARC running the Creator
                    FFB Graphics Accelerator.
                    See section 4. Understanding the Vulnerability, for a way
                    to test if a system is affected.


       Not vulnerable:  All other supported versions of SunOS

       This vulnerability does not exist in the upcoming release of Solaris 2.6.

3.  What to Do

    Install the patches listed in 5.

4.  Understanding the Vulnerability

    The ffbconfig program configures the Creator Fast Frame Buffer (FFB)
    Graphics Accelerator, which is part of the FFB Configuration Software
    Package, SUNWffbcf. This software is used when the FFB Graphics accelerator
    card is installed. Due to insufficient bounds checking on arguments, it is
    possible to overwrite the internal stack space of the ffbconfig program.
    If exploited, this vulnerability can be used to gain root access on
    attacked systems.

    To test if a system is vulnerable, run the following command to check for
    the presence of SUNWffbcf package which is installed when the FFB Graphics
    accelerator card is present:

                /usr/bin/pkginfo -l SUNWffbcf

    If it is not present, you will get an error message stating that SUNWffbcf
    was not found. If it is present, ffbconfig is installed in /usr/sbin.

5.  List of Patches

    The vulnerability relating to ffbconfig is fixed by the following patches:

        OS version              Patch ID
        ----------              --------
        SunOS 5.5.1             103796-09
        SunOS 5.5               103076-09

    The above-mentioned patches are listed in the Graphics section under
    Unbundled Products at

        ftp://sunsolve1.sun.com/pub/patches/patches.html.

6.  Checksum Table

    The checksum table below shows the BSD checksums (SunOS 5.x: /usr/ucb/sum),
    SVR4 checksums (SunOS 5.x: /usr/bin/sum), and the MD5 digital signatures
    for the above-mentioned patches that are available from:

        ftp://sunsolve1.sun.com/pub/patches/patches.html

    These checksums may not apply if you obtain patches from your answer
    centers.

File Name         BSD          SVR4         MD5
---------------   ---------    ---------    --------------------------------
103796-09.tar.Z   37854 2479   55959 4957   4994176B4C03215BD2707B87921C5096
103076-09.tar.Z   33438 2435   42064 4869   0A8AA3C106C4F09448220C1B0B714CD1

______________________________________________________________________________

Sun acknowledges with thanks CERT/CC and AUSCERT for their assistance in the
preparation of this bulletin.

Sun, CERT/CC, and AUSCERT are members of FIRST, the Forum of Incident Response
and Security Teams. For more information about FIRST, visit the FIRST web site
at "http://www.first.org/";.
______________________________________________________________________________

APPENDICES

A.  Patches listed in this security bulletin are available to all Sun customers
    via World Wide Web at:

        ftp://sunsolve1.sun.com/pub/patches/patches.html

    Customers with Sun support contracts can also obtain patches from local
    Sun answer centers and SunSITEs worldwide.

B.  To report or inquire about a security problem with Sun software, contact
    one or more of the following:

        - Your local Sun answer centers
        - Your representative computer security response team, such as CERT
        - Sun Security Coordination Team. Send email to:

                security-alert () sun com

C.  To receive information or subscribe to our CWS (Customer Warning System)
    mailing list, send email to:

                security-alert () sun com

    with a subject line (not body) containing one of the following commands:

        Command         Information Returned/Action Taken
        -------         ---------------------------------

        HELP            An explanation of how to get information

        LIST            A list of current security topics

        QUERY [topic]   The mail containing the question is relayed to
                        the Security Coordination Team for response.

        REPORT [topic]  The mail containing the text is treated as a
                        security report and forwarded to the Security
                        Coordination Team. We do not recommend that detailed
                        problem descriptions be sent in plain text.

        SEND topic      A short status summary or bulletin. For example, to
                        retrieve a Security Bulletin #00138, supply the
                        following in the subject line (not body):

                                SEND #138

        SUBSCRIBE       Sender is added to our mailing list.  To subscribe,
                        supply the following in the subject line (not body):

                                SUBSCRIBE cws your-email-address

                        Note that your-email-address should be substituted
                        by your email address.

        UNSUBSCRIBE     Sender is removed from our mailing list.
______________________________________________________________________________

Current thread:

Re: Linux UID/GID 'Feature', (continued)
- - Re: Linux UID/GID 'Feature' Andrew G. Morgan (May 11)
  - sendmail 8.8.6 Beta release available Jason R Mastaler (May 11)
  - New Win95 OOB fix allows Netbios to be used Aaron Weintraub (May 12)
    - UPDATE TO OOB FIX Aaron Weintraub (May 12)
    - Re: New Win95 OOB fix allows Netbios to be used Ian MacPhedran (May 13)
    - UPDATE TO OOB FIX Wojciech Swieboda (May 13)
    - Re: ELM overflow security () home bti pl (May 14)
    - Re: ELM overflow Michel GAUDET (May 16)
    - potential root exploit with help from sam (HP-UX 10.x) David Hyams (May 14)
    - Re: potential root exploit with help from sam (HP-UX 10.x) Trevor Schroeder (May 14)
    - Sun Security Bulletin #00140 Sun Security Coordination Team (May 14)
    - Non-executable stack -- final Linux kernel patch Solar Designer (May 14)
    - NT4.0 SP3 Still vulnerable Aaron Spangler (May 15)
    - MicroSolved finds hole in Ascom Timeplex Router Security Brent Huston (May 15)
  - WinNT 4.0 OOB Hoxfix Aleph One (May 12)
- Re: Linux UID/GID 'Feature' Philippe Regnauld (May 13)