Bugtraq mailing list archives
Sun Security Bulletin #00140
From: secure () SUNSC ENG SUN COM (Sun Security Coordination Team)
Date: Wed, 14 May 1997 13:58:05 -0700
______________________________________________________________________________ Sun Microsystems, Inc. Security Bulletin Bulletin Number: #00140 Date: 14 May 1997 Cross-Ref: AUSCERT AA-97.06 Title: Vulnerability in ffbconfig ______________________________________________________________________________ Permission is granted for the redistribution of this Bulletin, so long as the Bulletin is not edited and is attributed to Sun Microsystems. Portions may also be excerpted for re-use in other security advisories so long as proper attribution is included. Any other use of this information without the express written consent of Sun Microsystems is prohibited. Sun Microsystems expressly disclaims all liability for any misuse of this information by any third party. ______________________________________________________________________________ 1. Bulletins Topics Sun announces the release of patches for Solaris 2.5.1 (SunOS 5.5.1) and Solaris 2.5 (SunOS 5.5) that relate to vulnerabilities in the ffbconfig program, which can result in root access if exploited. Sun strongly recommends that you install these patches immediately on every affected system. Exploitation information for ffbconfig is publicly available. 2. Who is Affected Vulnerable: SunOS versions 5.5.1 and 5.5 SPARC running the Creator FFB Graphics Accelerator. See section 4. Understanding the Vulnerability, for a way to test if a system is affected. Not vulnerable: All other supported versions of SunOS This vulnerability does not exist in the upcoming release of Solaris 2.6. 3. What to Do Install the patches listed in 5. 4. Understanding the Vulnerability The ffbconfig program configures the Creator Fast Frame Buffer (FFB) Graphics Accelerator, which is part of the FFB Configuration Software Package, SUNWffbcf. This software is used when the FFB Graphics accelerator card is installed. Due to insufficient bounds checking on arguments, it is possible to overwrite the internal stack space of the ffbconfig program. If exploited, this vulnerability can be used to gain root access on attacked systems. To test if a system is vulnerable, run the following command to check for the presence of SUNWffbcf package which is installed when the FFB Graphics accelerator card is present: /usr/bin/pkginfo -l SUNWffbcf If it is not present, you will get an error message stating that SUNWffbcf was not found. If it is present, ffbconfig is installed in /usr/sbin. 5. List of Patches The vulnerability relating to ffbconfig is fixed by the following patches: OS version Patch ID ---------- -------- SunOS 5.5.1 103796-09 SunOS 5.5 103076-09 The above-mentioned patches are listed in the Graphics section under Unbundled Products at ftp://sunsolve1.sun.com/pub/patches/patches.html. 6. Checksum Table The checksum table below shows the BSD checksums (SunOS 5.x: /usr/ucb/sum), SVR4 checksums (SunOS 5.x: /usr/bin/sum), and the MD5 digital signatures for the above-mentioned patches that are available from: ftp://sunsolve1.sun.com/pub/patches/patches.html These checksums may not apply if you obtain patches from your answer centers. File Name BSD SVR4 MD5 --------------- --------- --------- -------------------------------- 103796-09.tar.Z 37854 2479 55959 4957 4994176B4C03215BD2707B87921C5096 103076-09.tar.Z 33438 2435 42064 4869 0A8AA3C106C4F09448220C1B0B714CD1 ______________________________________________________________________________ Sun acknowledges with thanks CERT/CC and AUSCERT for their assistance in the preparation of this bulletin. Sun, CERT/CC, and AUSCERT are members of FIRST, the Forum of Incident Response and Security Teams. For more information about FIRST, visit the FIRST web site at "http://www.first.org/". ______________________________________________________________________________ APPENDICES A. Patches listed in this security bulletin are available to all Sun customers via World Wide Web at: ftp://sunsolve1.sun.com/pub/patches/patches.html Customers with Sun support contracts can also obtain patches from local Sun answer centers and SunSITEs worldwide. B. To report or inquire about a security problem with Sun software, contact one or more of the following: - Your local Sun answer centers - Your representative computer security response team, such as CERT - Sun Security Coordination Team. Send email to: security-alert () sun com C. To receive information or subscribe to our CWS (Customer Warning System) mailing list, send email to: security-alert () sun com with a subject line (not body) containing one of the following commands: Command Information Returned/Action Taken ------- --------------------------------- HELP An explanation of how to get information LIST A list of current security topics QUERY [topic] The mail containing the question is relayed to the Security Coordination Team for response. REPORT [topic] The mail containing the text is treated as a security report and forwarded to the Security Coordination Team. We do not recommend that detailed problem descriptions be sent in plain text. SEND topic A short status summary or bulletin. For example, to retrieve a Security Bulletin #00138, supply the following in the subject line (not body): SEND #138 SUBSCRIBE Sender is added to our mailing list. To subscribe, supply the following in the subject line (not body): SUBSCRIBE cws your-email-address Note that your-email-address should be substituted by your email address. UNSUBSCRIBE Sender is removed from our mailing list. ______________________________________________________________________________
Current thread:
- Re: Linux UID/GID 'Feature', (continued)
- Re: Linux UID/GID 'Feature' Andrew G. Morgan (May 11)
- sendmail 8.8.6 Beta release available Jason R Mastaler (May 11)
- New Win95 OOB fix allows Netbios to be used Aaron Weintraub (May 12)
- UPDATE TO OOB FIX Aaron Weintraub (May 12)
- Re: New Win95 OOB fix allows Netbios to be used Ian MacPhedran (May 13)
- UPDATE TO OOB FIX Wojciech Swieboda (May 13)
- Re: ELM overflow security () home bti pl (May 14)
- Re: ELM overflow Michel GAUDET (May 16)
- potential root exploit with help from sam (HP-UX 10.x) David Hyams (May 14)
- Re: potential root exploit with help from sam (HP-UX 10.x) Trevor Schroeder (May 14)
- Sun Security Bulletin #00140 Sun Security Coordination Team (May 14)
- Non-executable stack -- final Linux kernel patch Solar Designer (May 14)
- NT4.0 SP3 Still vulnerable Aaron Spangler (May 15)
- MicroSolved finds hole in Ascom Timeplex Router Security Brent Huston (May 15)