-----BEGIN PGP SIGNED MESSAGE-----

[Note: To prevent unnecessary and unprofessional flames, I will not mention the names of the employees at Sun that I have dealt with in the course of this matter.]

Today, a Sun engineer emailed me new test binaries of patched versions of ufsdump and ufsrestore for Solaris 2.6 SPARC that fix a buffer overflow vulnerability that can be exploited to obtain root access.

Note that I received test binaries of the above-mentioned software last month. Upon testing those (the week of May 15 of this year), I found that both binaries still produced a SIGSEGV in the tape device argument when it exceeds a certain fixed length, and were still exploitable. I reported this to Sun after my initial findings May 18.

I had a very interesting time in dealing with Sun concerning this particular vulnerability. In early May, I was informed by one Sun programmer that this vulnerability would be fixed in the next release of Solaris (2.7 -- due out this fall) and that all engineers "...were working to get [Solaris] 2.7 out the door." He also informed me that part of the reason for the delay was because I had a valid workaround, which was what I posted to BUGTRAQ back on April 23:

quackers# chmod ug-s /usr/lib/fs/ufs/ufsdump
quackers# chmod u-s /usr/lib/fs/ufs/ufsrestore

Needless to say, after my boss and I complained loudly to our Sun representative as well as security-alertat_private concerning the ufsdump & ufsrestore buffer overflow security vulnerability, things managed to start rolling again towards a *fully-working* patch.

I'm already aware of the fact that Sun released a similar ufsdump/ufsrestore patch for Solaris 2.5.1 (now at patch 104490-05 according to sunsolve.sun.com) that didn't fix the vulnerability.

I'll be testing the patched binaries on a Sun workstation at work over the weekend. Let me know if you want me to look for anything in particular besides the obvious SIGSEGV error(s).
The last thing I need is a repeat of the failed ufsdump/ufsrestore patch for Solaris 2.6.

Attached is a note I got from a Sun engineer today that explains most everything. This will include two bug numbers, of which only one of them is valid in the Sun bug database at sunsolve.sun.com. Note that I've modified the headers in the attachment to prevent unnecessary and unprofessional flames.

Last note: thanks to Sean McGann for discovering the original Solaris 2.6 ufsdump/ufsrestore vulnerability on the x86 platform.

-----BEGIN PGP SIGNATURE-----
Version: 2.6.3ia
Charset: cp850

iQCVAgUBNYhlP+NY3xV+5qZBAQGhHAP/XKGaVX9wztacfwn7Ca5S6Jno3gGyGNg9
DQC/Vpyvs9z5QV5B7Lq9ECUxuiU2ITzJD7tsTdIKLwzpy2kViuFAwmZq9ujfrgv6
Jioo7VT0Gf3qxhul1MOla6v5OAwhowQoMB4K7zmXU1Uq/wYw5tmGbYKGXGYpcQg0
i0dSO0QvGao=
=MePB
-----END PGP SIGNATURE-----

-- 
Eugene Bradley -- Just Another Random Solaris administrator
eugene.bradleyat_private (Personal ONLY!) -- PGP key ID 0x7EE6A641
PGP key available by sending me mail with "GET KEY" in the Subject: line
homepage is @ http://www.geocities.com/SiliconValley/Haven/9323/
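The check the post describes, feeding a test binary an oversized tape-device argument and watching whether it dies with SIGSEGV, as an added example written for this page (not code from the post, from Sun, or from the patch under discussion): a small C harness that execs a target with one extra argument of a chosen length, classifies how the child terminated, and bisects to the shortest length that crashes it. The `ufsdump 0f` argv prefix in the comments is only an illustrative invocation; the target path, its fixed arguments and the 65536-byte upper bound in `main` are assumptions for the demonstration, and the harness assumes a POSIX system with fork, execvp and waitpid.

```c
/* probe_long_arg.c: black-box check for an argument-length crash in a
 * command-line tool. Added example for this page; not Sun's code. */
#define _POSIX_C_SOURCE 200809L
#include <fcntl.h>
#include <signal.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <sys/wait.h>
#include <unistd.h>

enum probe_result {
    PROBE_ERROR = -1,   /* could not fork/exec/wait the target */
    PROBE_OK = 0,       /* target exited on its own (any exit code) */
    PROBE_SEGV = 1,     /* target died of SIGSEGV: the symptom from the post */
    PROBE_SIGNAL = 2    /* target died of another signal (SIGBUS, SIGABRT, ...) */
};

/* Run prefix ++ [ 'A' * len ] and report how the child terminated.
 * `prefix` is a NULL-terminated argv prefix, e.g. (illustrative only)
 * { "/usr/lib/fs/ufs/ufsdump", "0f", NULL }, so the oversized string
 * lands where the tape device name is expected. */
enum probe_result probe_long_arg(char *const prefix[], size_t len)
{
    size_t n = 0;
    while (prefix[n] != NULL)
        n++;

    char *big = malloc(len + 1);
    char **argv = calloc(n + 2, sizeof *argv);
    if (big == NULL || argv == NULL) {
        free(big);
        free(argv);
        return PROBE_ERROR;
    }
    memset(big, 'A', len);
    big[len] = '\0';
    memcpy(argv, prefix, n * sizeof *argv);
    argv[n] = big;
    argv[n + 1] = NULL;

    enum probe_result result = PROBE_ERROR;
    pid_t pid = fork();
    if (pid == 0) {
        /* Child: drop the target's own output (usage text etc.), then exec. */
        int devnull = open("/dev/null", O_WRONLY);
        if (devnull >= 0) {
            dup2(devnull, STDOUT_FILENO);
            dup2(devnull, STDERR_FILENO);
            close(devnull);
        }
        execvp(argv[0], argv);
        _exit(127);   /* exec failed (missing binary, E2BIG, ...) */
    }
    if (pid > 0) {
        int status;
        if (waitpid(pid, &status, 0) == pid) {
            if (WIFSIGNALED(status))
                result = WTERMSIG(status) == SIGSEGV ? PROBE_SEGV : PROBE_SIGNAL;
            else if (WIFEXITED(status) && WEXITSTATUS(status) == 127)
                result = PROBE_ERROR;   /* exec failed (or the target itself uses 127) */
            else
                result = PROBE_OK;
        }
    }
    free(argv);
    free(big);
    return result;
}

/* Smallest argument length in [lo, hi] at which the target no longer exits
 * cleanly, found by bisection; returns 0 if it survives even `hi` bytes.
 * Assumes crash-or-not is monotonic in the length, which holds for an
 * unchecked copy into a fixed-size buffer but not for every bug. */
size_t find_crash_threshold(char *const prefix[], size_t lo, size_t hi)
{
    if (probe_long_arg(prefix, hi) == PROBE_OK)
        return 0;
    while (lo < hi) {
        size_t mid = lo + (hi - lo) / 2;
        if (probe_long_arg(prefix, mid) == PROBE_OK)
            lo = mid + 1;
        else
            hi = mid;
    }
    return lo;
}

int main(int argc, char **argv)
{
    if (argc < 2) {
        fprintf(stderr, "usage: %s <program> [fixed args...]\n", argv[0]);
        return 2;
    }
    /* argv + 1 is already NULL-terminated by the C runtime. */
    size_t threshold = find_crash_threshold(argv + 1, 1, 65536);
    if (threshold == 0)
        printf("no crash up to a 65536-byte argument\n");
    else
        printf("first crash at a %zu-byte argument\n", threshold);
    return 0;
}
```

Run it as an unprivileged user against the test binary (for example `./probe /usr/lib/fs/ufs/ufsdump 0f`) so the set-uid code path is the one being exercised. A clean exit, including a usage error, is reported as `PROBE_OK`; that is necessary for the patch to be right but not sufficient, since a copy that is merely truncated rather than bounds-checked may stop faulting without being safe, so a `PROBE_OK` result should still be followed by reading what the patched binary does with the device name.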
This archive was generated by hypermail 2b30 : Fri Apr 13 2001 - 13:58:32 PDT