CERT
 
Publications Catalog Historical Documents Authorized Users of "CERT" US-CERT Vulnerability Notes Database Vulnerability Disclosure Policy Courses Link to US-CERT cylab
 

CERT® Advisory CA-1995-12 Sun 4.1.X Loadmodule Vulnerability

Original issue date: October 18, 1995
Last revised: September 23, 1997
Attached copyright statement

A complete revision history is at the end of this file.

The CERT Coordination Center has received reports of problems with the loadmodule(8) program. An exploitation script is available and has been used by local users to gain root privileges.

The problem is present in SunOS 4.1.X only, and there is a patch available for sun4 architectures.

The CERT staff recommends that you install the appropriate patch as soon as possible and take the steps in Section III.B. to further protect your system.

We will update this advisory as we receive additional information. Please check advisory files regularly for updates that relate to your site.

I. Description

The loadmodule(8) program is used by the xnews(1) window system server to load two dynamically loadable kernel drivers into the currently running system and to create special devices in the /dev directory to use those modules. These modules and special files are used to provide a SunView binary compatibility mode while running the X11/NeWS windowing system. Because of the way the loadmodule(8) program sanitizes its environment, unauthorized users can gain root access on the local machine. A script is publicly available and has been used to exploit this vulnerability.

This problem is present in SunOS 4.1.X only.

II. Impact

Local users can gain root privileges.

III. Solution

The CERT staff recommends that you take the steps described in both A and B below.

A. Obtain and install the appropriate patches according to the instructions included with the patches.

Patches are available through your local Sun Answer Center and by FTP from

ftp://sunsolve1.sun.com/pub/patches/100448-03.tar.Z 

      Module           Patch ID        Filename
      ----------       ---------       ---------------
      loadmodule       100448-03       100448-03.tar.Z

      Checksum:
      MD5 (100448-03.tar.Z) = 183a22f0a2f6020f1389b6aeea5ca6c6

B. Because, in general, a set-user-id program can lead to security exposures, you should also do at least step 1 below. We recommend doing steps 2 and 3 as well.

The intent of these directions is make the loadmodule(8) program work only for the super-user (currently it works for all users because it is set-user-id) and to execute it each time the system boots. By following these directions, users who require SunView binary compatibility will have it available to them.

  1. If you do not need SunView binary compatibility, then as root, turn off setuid root on the loadmodule(8) program with 
        # /bin/chmod u-s /usr/openwin/bin/loadmodule
  2. If your users need SunView binary compatibility, you can enable it immediately--that is without having to reboot your system--with the following script. 

    ------------------------cut here--8<------------------------
ARCH=`/bin/arch -k`
OBJ=/sys/${ARCH}/OBJ
LM=/usr/openwin/bin/loadmodule
/bin/chmod u-s $LM
if [ -f $OBJ/evqmod-${ARCH}.o ]; then
  if /usr/etc/modstat | /bin/egrep -s evqmod ; then
    echo evq: already loaded
  elif $LM evqmod-${ARCH}.o evqload; then
    echo evq: loaded
  else
    echo evq: unable to load module
  fi
fi
if [ -f $OBJ/winlock-${ARCH}.o ]; then
  if /usr/etc/modstat | /bin/egrep -s winlock ; then
    echo winlock: already loaded
  elif $LM winlock-${ARCH}.o winlockload; then
    echo winlock: loaded
  else
    echo winlock: unable to load module
  fi
fi
------------------------cut here--8<------------------------
    As a suggestion, store this script in /tmp/esbc and then execute it as root with: 
       # sh /tmp/esbc
  3. If you've done step 2 above, the module loadings will disappear the next time you reboot your system. To make them permanent-- that is to make these module loadings occur each time your system is rebooted--add the script to the end of your /etc/rc.local file.

The CERT Coordination Center staff thanks Wolfgang Ley and Sun Microsystems for their support in the development of this advisory.
This document is available from: http://www.cert.org/advisories/CA-1995-12.html

CERT/CC Contact Information

Email: cert@cert.org
Phone: +1 412-268-7090 (24-hour hotline)
Fax: +1 412-268-6989
Postal address:
CERT Coordination Center
Software Engineering Institute
Carnegie Mellon University
Pittsburgh PA 15213-3890
U.S.A.

CERT/CC personnel answer the hotline 08:00-17:00 EST(GMT-5) / EDT(GMT-4) Monday through Friday; they are on call for emergencies during other hours, on U.S. holidays, and on weekends.

Using encryption

We strongly urge you to encrypt sensitive information sent by email. Our public PGP key is available from

If you prefer to use DES, please call the CERT hotline for more information.

Getting security information

CERT publications and other security information are available from our web site

* "CERT" and "CERT Coordination Center" are registered in the U.S. Patent and Trademark Office.

NO WARRANTY
Any material furnished by Carnegie Mellon University and the Software Engineering Institute is furnished on an "as is" basis. Carnegie Mellon University makes no warranties of any kind, either expressed or implied as to any matter including, but not limited to, warranty of fitness for a particular purpose or merchantability, exclusivity or results obtained from use of the material. Carnegie Mellon University does not make any warranty of any kind with respect to freedom from patent, trademark, or copyright infringement.

Conditions for use, disclaimers, and sponsorship information

Copyright 1995, 1996 Carnegie Mellon University.

Revision History 
Sep. 23, 1997  Updated copyright statement
Aug. 30, 1996  References to README files were removed because updates are
               added to the advisories themselves.