Re: [ISN] Solaris Flaw Leaves Machines Open to Attacks

From: InfoSec News (isn@private)
Date: Sun Sep 21 2003 - 23:57:51 PDT

  • Next message: InfoSec News: "[ISN] Military wants way to attack satellites"

    Forwarded from: matthew patton <pattonme@private>
    --- InfoSec News <isn@private> wrote:
    > By Dennis Fisher 
    > September 16, 2003   
    > There is a serious security flaw in several versions of both Solaris 
    > and Trusted Solaris that make it possible for virtually any remote or
    > local user to gain root privileges on a vulnerable machine.
    so all that NSA code-review and all that jaz to get the "trusted"
    certification didn't come across this bug eh? So, what's the cert
    worth then? IMO zilch.
    > The problem lies in the Solstice AdminSuite, a set of tools Sun
    > Microsystems Inc. includes with the operating system that allows
    > administrators to perform remote administration tasks.
    And a tool I hate with a passion. Actually any obligatory GUI tool is
    something I despise when the commandline is perfectly capable.
    > The sadmind daemon is installed by default on most default
    > installations of Solaris.
    and unfortunately I'd wager that 98% of installed systems are default.
    Pity despite the YEARS of security people trying to hammer home the
    concept, few admins bother to strip their boxes of EVERYTHING that is
    not specifically, absolutely necessary. Will it ever end?
    Do you Yahoo!?
    Yahoo! SiteBuilder - Free, easy-to-use web site design software
    ISN is currently hosted by
    To unsubscribe email majordomo@private with 'unsubscribe isn'
    in the BODY of the mail.

    This archive was generated by hypermail 2b30 : Mon Sep 22 2003 - 03:54:58 PDT