-----BEGIN PGP SIGNED MESSAGE-----

=============================================================================
AL-96.04                        AUSCERT Alert
                    Vulnerability in Solaris 2.x vold
                                                              2 August 1996
                                                   Last Revised: 1 May 1997

        Removed Sun security bulletin (incorrect patch information).
        Changed Section 3 to include correct vendor patch information.
        Updated acknowledgements.

A complete revision history is at the end of this file.
- -----------------------------------------------------------------------------

AUSCERT has received a report of a vulnerability in the Sun Microsystems
Solaris 2.x distribution involving the Volume Management daemon, vold(1M).
This program is used to help manage CDROM and floppy devices.

This vulnerability may allow a local user to gain root privileges.

Exploit details involving this vulnerability have been made publicly
available.

Vendor patches have been released addressing this vulnerability.  AUSCERT
recommends that sites take the steps outlined in Section 3 as soon as
possible.

This advisory will be updated as more information becomes available.
- ------------------------------------------------------------------------------

1.  Description

    The Volume Management daemon, vold(1M), manages the CDROM and floppy
    devices.  For example, it provides the ability to automatically detect,
    and then mount, removable media such as CDROMs and floppies.  vold is
    part of the Solaris 2.x Volume Management package (SUNWvolu).  It is
    executed as a background daemon on system startup and runs as root.

    When vold detects that a CDROM or floppy has been inserted into a drive,
    it is configured to automatically mount the media, making it available
    to users.  Part of this process includes the creation of temporary
    files, which are used to allow the OpenWindows File Manager, filemgr(1),
    to determine that new media has been mounted.  These files are created
    by the action_filemgr.so shared object, which is called indirectly by
    vold through rmmount(1M).
    The handling of these files is not performed in a secure manner.  As
    vold accesses these temporary files with root privileges, it may be
    possible to manipulate vold into creating or over-writing arbitrary
    files on the system.

    This vulnerability requires that vold be running and that media managed
    by vold, such as a CDROM or floppy, be physically loaded into a drive.
    Note that a local user need not have physical access to the media drive
    to exploit this vulnerability.  It is enough to wait until somebody else
    loads the drive and exploit the vulnerability at that time.

    This vulnerability is known to be present in Solaris 2.4 and Solaris
    2.5.  Solaris distributions prior to Solaris 2.4 are also expected to be
    vulnerable.  Sun has also released patches for Solaris 2.5.1 (see
    Section 3.1).

2.  Impact

    Local users may be able to create or over-write arbitrary files on the
    system.  This can be leveraged to gain root privileges.

3.  Workaround

    Official vendor patches have been released by Sun Microsystems which
    address this vulnerability (Section 3.1).

    If the patches recommended by Sun Microsystems cannot be applied,
    AUSCERT recommends that sites prevent exploitation of this
    vulnerability in vold by immediately applying the workaround given in
    Section 3.2 or 3.3.

3.1 Install vendor patches

    Sun Microsystems has released patches which address the vulnerability
    described in this advisory.  AUSCERT recommends that sites apply these
    patches as soon as possible.
    Operating System        Patch              MD5 Checksum
    ~~~~~~~~~~~~~~~~        ~~~~~              ~~~~~~~~~~~~
    Solaris 2.4   sparc:    101907-14.tar.Z    8156721f3667a0fd48a4ed845f3b007a
    Solaris 2.4   x86:      101908-14.tar.Z    33c766dab8adce77fe3eafa5ec4795df
    Solaris 2.5   sparc:    104015-01.tar.Z    e70fbafdc2a2defa8d0f12d91f5fda0d
    Solaris 2.5   x86:      104016-01.tar.Z    8baa449e0bf0de2ac5d12a2994ab44ef
    Solaris 2.5.1 sparc:    104010-01.tar.Z    e24bf103c84b21ac6c8833317d63c9f1
    Solaris 2.5.1 x86:      104011-01.tar.Z    e1c39d7bba0ff2d10d00316b11a11ac4
    Solaris 2.5.1 ppc:      104012-01.tar.Z    86bca895fdcf628edc35be2b43f9e017

    All of the patches, except 104012-01.tar.Z (for Solaris 2.5.1 ppc), can
    be retrieved from:

        ftp://sunsolve1.sun.com.au/pub/patches/
        ftp://ftp.auscert.org.au/pub/mirrors/sunsolve1.sun.com/

    Sites with Sunsolve contracts will be able to obtain 104012-01.tar.Z
    from the contract area at their local Sunsolve site.  For more
    information on this, please contact your local Sunsolve Solution Centre.

    Verify the MD5 checksum of each downloaded archive against the table
    above before installing it.

3.2 Edit /etc/rmmount.conf

    The temporary files which are susceptible to attack are created by the
    /usr/lib/rmmount/action_filemgr.so.1 shared object, which is called
    indirectly by vold through rmmount(1M).  rmmount(1M) can be configured
    so that it does not create the temporary files, thereby removing this
    vulnerability.

    To our knowledge, configuring rmmount(1M) in this fashion will not
    affect the functionality of vold.  It will, however, remove the ability
    of the OpenWindows File Manager, filemgr(1), to automatically detect
    newly mounted media.

    To prevent rmmount(1M) creating temporary files, sites must edit the
    /etc/rmmount.conf file and comment out (or remove) any entry which
    references action_filemgr.so.
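    The checksum step in Section 3.1 and the rmmount.conf edit in Section
    3.2 can both be checked mechanically.  The script below is an added
    example written for this page; it is not part of the AUSCERT advisory
    or of Sun's patches.  It assumes a POSIX sh with grep, sed, cp, cut,
    mktemp and md5sum (Solaris 2.x shipped no md5 tool, so substitute the
    MD5 binary your site trusts), and the rmmount.conf it operates on in the
    demonstration is a constructed copy of the stock file, not one read from
    a live system.

```shell
#!/bin/sh
# Added example, not from the AUSCERT advisory or from Sun.
# Assumes POSIX sh with grep, sed, cp, cut, mktemp and md5sum; on a
# Solaris 2.x host substitute the MD5 tool you trust for md5sum.

# Report rmmount.conf lines that still load action_filemgr.so (the shared
# object that creates the temporary files).  A leading "#" marks a
# commented-out entry and is ignored.  Returns 0 when no entry is active.
audit_rmmount_conf() {
    conf="${1:-/etc/rmmount.conf}"
    active=$(grep -n '^[[:space:]]*action[[:space:]].*action_filemgr\.so' "$conf")
    if [ -n "$active" ]; then
        echo "action_filemgr.so still active in $conf:" >&2
        echo "$active" >&2
        return 1
    fi
    return 0
}

# Apply the Section 3.2 workaround: comment out every active
# action_filemgr.so entry, keeping the original as $conf.orig.
# vold does not need to be restarted for the change to take effect.
disable_filemgr_action() {
    conf="${1:-/etc/rmmount.conf}"
    cp "$conf" "$conf.orig" || return 1
    sed 's/^\([[:space:]]*action[[:space:]].*action_filemgr\.so.*\)$/# \1/' \
        "$conf.orig" > "$conf"
}

# Compare a downloaded patch archive with the MD5 published in Section 3.1.
# Returns 0 on match, 1 on mismatch (do not install a mismatching archive).
verify_patch_md5() {
    file="$1"
    expected="$2"
    actual=$(md5sum "$file" | cut -d' ' -f1)
    if [ "$actual" != "$expected" ]; then
        echo "MD5 mismatch for $file: got $actual, expected $expected" >&2
        return 1
    fi
    return 0
}

# Constructed sample input: the stock rmmount.conf before the workaround.
make_sample_conf() {
    cat > "$1" <<'EOF'
# @(#)rmmount.conf 1.2 92/09/23 SMI
#
# Removable Media Mounter configuration file.
#
# File system identification
ident hsfs ident_hsfs.so cdrom
ident ufs ident_ufs.so cdrom floppy pcmem
ident pcfs ident_pcfs.so floppy pcmem

# Actions
action cdrom action_filemgr.so
action floppy action_filemgr.so
EOF
}

# Demonstration on the constructed sample (never touches /etc).
demo() {
    dir=$(mktemp -d) || return 1
    make_sample_conf "$dir/rmmount.conf"
    if audit_rmmount_conf "$dir/rmmount.conf"; then
        echo "unexpected: sample already has the workaround applied"
    fi
    disable_filemgr_action "$dir/rmmount.conf"
    audit_rmmount_conf "$dir/rmmount.conf" && echo "workaround applied"
    rm -rf "$dir"
}

demo
```

    On a real host, run audit_rmmount_conf with no argument to check
    /etc/rmmount.conf as root; the sed in disable_filemgr_action only
    prefixes the matching action lines with "# ", so the ident entries and
    any comments are left untouched and the backup copy can be restored
    once the vendor patch is installed.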
    The standard /etc/rmmount.conf contains the following entries, which
    must be commented out (or deleted) to remove this vulnerability:

        action cdrom action_filemgr.so
        action floppy action_filemgr.so

    After applying this workaround, /etc/rmmount.conf may look like:

        # @(#)rmmount.conf 1.2 92/09/23 SMI
        #
        # Removable Media Mounter configuration file.
        #
        # File system identification
        ident hsfs ident_hsfs.so cdrom
        ident ufs ident_ufs.so cdrom floppy pcmem
        ident pcfs ident_pcfs.so floppy pcmem

        # Actions
        #
        # Following two lines commented out to remove vold vulnerability
        #
        # action cdrom action_filemgr.so
        # action floppy action_filemgr.so

    Note that vold does not have to be restarted for these changes to take
    effect.

3.3 Remove the Volume Management system

    Sites that do not require the vold functionality should remove the
    complete set of Volume Management packages.  These are SUNWvolg,
    SUNWvolu and SUNWvolr.  These packages can be removed using pkgrm(1M).
- ------------------------------------------------------------------------------
AUSCERT wishes to thank Leif Hedstrom, Mark McPherson (QTAC), Marek Krawus
(UQ), DFN-CERT, CERT/CC, Marko Laakso (University of Oulu) and Sun
Microsystems for their assistance in this matter.
- ------------------------------------------------------------------------------
The AUSCERT team have made every effort to ensure that the information
contained in this document is accurate.  However, the decision to use the
information described is the responsibility of each user or organisation.
The appropriateness of this document for an organisation or individual
system should be considered before application in conjunction with local
policies and procedures.  AUSCERT takes no responsibility for the
consequences of applying the contents of this document.

If you believe that your system has been compromised, contact AUSCERT or
your representative in FIRST (Forum of Incident Response and Security
Teams).
AUSCERT is located at The University of Queensland within the Prentice
Centre.  AUSCERT is a full member of the Forum of Incident Response and
Security Teams (FIRST).

AUSCERT maintains an anonymous FTP service which is found on:
ftp://ftp.auscert.org.au/pub/.  This archive contains past SERT and AUSCERT
Advisories, and other computer security information.

AUSCERT also maintains a World Wide Web service which is found on:
http://www.auscert.org.au/.

Internet Email: auscert@auscert.org.au
Facsimile:      (07) 3365 4477
Telephone:      (07) 3365 4417 (International: +61 7 3365 4417)
                AUSCERT personnel answer during Queensland business hours
                which are GMT+10:00 (AEST).  On call after hours for
                emergencies.

Postal:         Australian Computer Emergency Response Team
                c/- Prentice Centre
                The University of Queensland
                Brisbane
                Qld.  4072.
                AUSTRALIA
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
Revision History

1 May 1997   Removed the Sun security bulletin as it referenced some
             incorrect patches for this vulnerability.  Included the
             correct patch information in Section 3.  Updated
             acknowledgements to include Sun Microsystems and Marko Laakso.

21 Apr 1997  Sun Microsystems has released a security bulletin addressing
             this vulnerability in the vold program.  This was appended as
             Appendix A.  Section 3 was modified to include this
             information.
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
-----BEGIN PGP SIGNATURE-----
Version: 2.6.3i
Charset: noconv
Comment: ftp://ftp.auscert.org.au/pub/auscert/AUSCERT_PGP.key

iQCVAwUBM2mfSih9+71yA2DNAQFljwP/du2mPnUcWyzNFexzYnQC9xRDge4WRuw2
gANMOdMqUZJCXcGy7OhfanXuXzazc0Osj3Kzx82pxlzCRIBaVNNoNr2tK29rtFu4
19zKSmjJzwnMdaM8hO+tYElhj1tGhJmkmAg45eHS1iDAKnBWy7hDOMDD+qSwwCfQ
I3rmJFjDKCk=
=TJVB
-----END PGP SIGNATURE-----