Patch-ID# 100630-02
Keywords: security, login international, su, LD_ environment variables
Synopsis: SunOS 4.1.1, 4.1.2, 4.1.3: SECURITY: methods to exploit login/su
Date: Sep/17/93

Solaris Release: 1.0, 1.0.1, 1.1, 1.1C
SunOS Release: 4.1.1, 4.1.2, 4.1.3, 4.1.3C
Unbundled Product:
Unbundled Release:
Topic: SECURITY ISSUE: login and su exploitable via LD_ environment variables.
       SECURITY ISSUE: /usr/5bin/su sets a path that begins with ".".
BugId's fixed with this patch: 1085851 1121935
Relevant Architecture: sparc
NOTE: sun3(all), sun4(all)
Patches accumulated and obsoleted by this patch: 101074-01
Patches which may conflict with this patch:
Obsoleted by:
NOTE: Obsoletes: This patch merges in the changes for, and obsoletes, patch 101074-01.
Files included with this patch: login, su, su.5bin

Problem Description:

1085851  A dynamically-linked program that is invoked by a setuid/setgid program has access to the caller's environment variables (including the LD_ variables that steer the run-time linker) if the setuid/setgid program sets the real and effective UIDs to be equal and the real and effective GIDs to be equal before the dynamically-linked program is executed. A vulnerability exists if those UIDs and GIDs are not equal to those of the user who invoked the setuid/setgid program.

1121935  /usr/5bin/su assigns a path of .:/bin:/usr/bin:/usr/ucb:/etc:/usr/etc, which starts with ".". The system is then vulnerable to trojan horse programs placed in the current directory.

Note that this patch contains the international version of /bin/login, which users who are not using the US Encryption Kit need to install. Patch 100631-01 contains the domestic version of /bin/login. /usr/bin/su and /usr/5bin/su from this international patch are suitable for sites that use the US Encryption Kit.

Note for users of the C2 security package under 4.1 and 4.1.1 only: use the login program from patch 100201-05 (or a later version).

Install Instructions:

Perform all commands as root.
It is strongly recommended that the install be performed in single-user mode if user logins are possible during the execution of these commands.

Make a copy of the old files:

    mv /bin/login /bin/login.FCS
    mv /usr/bin/su /usr/bin/su.FCS
    mv /usr/5bin/su /usr/5bin/su.FCS

Change permissions on the old files so they can't be executed:

    chmod 0400 /bin/login.FCS /usr/bin/su.FCS /usr/5bin/su.FCS

Install the patched files:

    cp `arch`/login /bin/login
    cp `arch`/su /usr/bin/su
    cp `arch`/su.5bin /usr/5bin/su

Change the owner and file permissions of the new files:

    chown root.staff /bin/login /usr/bin/su /usr/5bin/su
    chmod 4755 /bin/login /usr/bin/su /usr/5bin/su
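The following is an added example, not part of the original patch README or Sun's own tooling. It shows two things an administrator verifying this patch would want scripted: a check that a PATH string has no "." or empty (current-directory) component, the defect behind BugId 1121935, and the backup-then-replace sequence from the install instructions as a reusable function. The function names path_is_safe and install_patched_file are hypothetical; the ".FCS" backup suffix and the 0400/4755 modes come from the page. The owner is passed as an argument (the README's root.staff spelling is the old SunOS form of root:staff), so the function can be exercised on a test file without root.

```shell
#!/bin/sh
# Added example: audit a PATH value and replay the patch install sequence.

# path_is_safe PATH
# Returns 0 when every component is an absolute path, 1 otherwise.
# An empty component ("::", leading or trailing ":") means the current
# directory, exactly like ".", so both are rejected, as is any other
# relative component such as "./tools".
path_is_safe() {
    _rest="$1:"                      # trailing ":" so the last component is consumed
    while [ -n "$_rest" ]; do
        _c=${_rest%%:*}              # component before the first ":"
        _rest=${_rest#*:}            # drop it and the ":"
        case $_c in
            /*) ;;                   # absolute: fine
            *)  return 1 ;;          # "", ".", "..", "./x": current-directory search
        esac
    done
    return 0
}

# install_patched_file SRC DST OWNER
# Mirrors the README: keep the old binary as DST.FCS with mode 0400 so it can
# no longer be executed, copy the patched file into place, then set owner and
# the 4755 (setuid root, world-executable) mode the patch expects.
install_patched_file() {
    _src=$1; _dst=$2; _owner=$3
    if [ ! -f "$_src" ]; then
        echo "install_patched_file: missing $_src" >&2
        return 1
    fi
    if [ -e "$_dst" ]; then
        mv "$_dst" "$_dst.FCS"
        chmod 0400 "$_dst.FCS"
    fi
    cp "$_src" "$_dst"
    chown "$_owner" "$_dst"
    chmod 4755 "$_dst"
}

# Demonstration on the exact value /usr/5bin/su assigned before this patch
# (value taken from the problem description; the message is constructed here).
if path_is_safe ".:/bin:/usr/bin:/usr/ucb:/etc:/usr/etc"; then
    echo "unpatched su PATH judged safe (unexpected)"
else
    echo "unpatched su PATH contains a current-directory component"
fi
```

Typical use on a live system, as root, would be `install_patched_file "$(arch)/su.5bin" /usr/5bin/su root:staff` for each of the three files, after which `path_is_safe "$(su - someuser -c 'echo $PATH')"` confirms the new su no longer hands out a PATH starting with ".".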