SunView selection_svc vulnerability

Original issue date: August 14, 1990
Last revised: September 17, 1997
Attached copyright statement

A complete revision history is at the end of this file.

Sun has recently released a patch for a security hole in SunView. This problem affects SunView running on all versions of SunOS (3.5 and before, 4.0, 4.0.1, 4.0.3, and 4.1) and all platforms (Sun3, Sun4, 386i).  This vulnerability allows any remote system to read selected files from the workstation running SunView.  As noted below in the IMPACT section, the files that can be read are limited.

This vulnerability is in the SunView (aka SunTools) selection_svc facility and can be exploited while SunView is in use; however, as noted below in the IMPACT section, this bug may be exploitable after the user quits using SunView.  This problem cannot be exploited while X11 is in use (unless the user runs X11 after running SunView; see the IMPACT section).  This problem is specific to Sun's SunView software; to our knowledge, this problem does NOT affect other vendor platforms or software.

Obtaining the Patch

To obtain the patch, please call your local Sun Answer Center (in the USA, it's 1-800-USA-4SUN), and ask for patch number 100085-01. You can also reference Sun Bug ID 1039576.

The patch is available for SunOS 4.0.1, 4.0.3 and SunOS 4.1, on Sun3, Sun4, and 386i architectures.  Contact Sun for further details.


Impact

On Sun3 and Sun4 systems, a remote system can read any file that is readable to the user running SunView.  On the 386i, a remote system can read any file on the workstation running SunView regardless of protections.  Note that if root runs SunView, all files are potentially accessible by a remote system.

If the password file with the encrypted passwords is world readable, an intruder can take the password file and attempt to guess passwords. In the CERT/CC's experience, most systems have at least one password that can be guessed.

SunView does not kill the selection_svc process when the user quits from SunView.  Thus, unless the process is killed, remote systems can still read files that were readable to the last user that ran SunView.  Under these circumstances, a user who has run SunView can start using another window system (such as X11), or even log off, and still have files accessible to remote systems.  However, even though selection_svc is not killed when SunView exits, the patch still solves the security problem and prevents remote access.
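
The lingering-process condition described above can be checked from a process listing. The shell function below is an added example, not part of the original advisory or of Sun's patch; it assumes a BSD-style `ps aux` column layout (command in field 11) and the window-system process names `sunview` and `suntools`, and the sample listing is constructed.

```shell
#!/bin/sh
# Added example: report selection_svc processes whose owner no longer has
# a SunView session in the same listing (the condition the advisory warns of).

# Reads `ps aux`-style text on stdin, prints "user pid" for each orphan.
# Assumption: 11-column layout with the command in field 11.
orphaned_selection_svc() {
    awk '
        NR == 1 && $1 == "USER" { next }        # skip the header line
        {
            user = $1; pid = $2
            cmd = $11; sub(/^.*\//, "", cmd)     # strip any leading path
            if (cmd == "sunview" || cmd == "suntools") {
                has_sv[user] = 1                 # owner still has a session
            } else if (cmd == "selection_svc") {
                n++; su[n] = user; sp[n] = pid   # candidate, judged in END
            }
        }
        END {
            for (i = 1; i <= n; i++)
                if (!(su[i] in has_sv)) print su[i], sp[i]
        }
    '
}

# Constructed sample listing (users, PIDs and times are invented):
#   alice - SunView still running, selection_svc is expected
#   bob   - quit SunView and moved to X11, selection_svc left behind
#   root  - no session at all, selection_svc left behind
sample_ps() {
    cat <<'EOF'
USER       PID %CPU %MEM   SZ  RSS TT STAT START  TIME COMMAND
alice      212  0.0  1.1  120  248 co S    09:01  0:02 sunview
alice      215  0.0  0.6   72  140 co S    09:01  0:00 selection_svc
bob        340  0.0  0.6   72  140 p1 I    08:12  0:00 selection_svc
bob        512  0.3  2.0  400  610 p1 S    10:40  0:05 /usr/bin/X11/xterm
root       101  0.0  0.6   72  140 ?  I    07:30  0:00 /usr/bin/selection_svc
EOF
}

sample_ps | orphaned_selection_svc
```

On an unpatched host, each reported process is one that, per the advisory, still exposes files readable to its owner until it is killed.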


For further questions, please contact your Sun answer center or send mail to .

Thanks to Peter Shipley for discovering, documenting, and helping resolve this problem.

This document is available from:

CERT/CC Contact Information

Phone: +1 412-268-7090 (24-hour hotline)
Fax: +1 412-268-6989
Postal address:
CERT Coordination Center
Software Engineering Institute
Carnegie Mellon University
Pittsburgh PA 15213-3890

CERT/CC personnel answer the hotline 08:00-17:00 EST(GMT-5) / EDT(GMT-4) Monday through Friday; they are on call for emergencies during other hours, on U.S. holidays, and on weekends.

Using encryption

We strongly urge you to encrypt sensitive information sent by email.  Our public PGP key is available from

If you prefer to use DES, please call the CERT hotline for more information.

Getting security information

CERT publications and other security information are available from our web site

* "CERT" and "CERT Coordination Center" are registered in the U.S. Patent and Trademark Office.

Any material furnished by Carnegie Mellon University and the Software Engineering Institute is furnished on an "as is" basis. Carnegie Mellon University makes no warranties of any kind, either expressed or implied as to any matter including, but not limited to, warranty of fitness for a particular purpose or merchantability, exclusivity or results obtained from use of the material. Carnegie Mellon University does not make any warranty of any kind with respect to freedom from patent, trademark, or copyright infringement.

Conditions for use, disclaimers, and sponsorship information

Copyright 1990 Carnegie Mellon University.

Revision History
September 17, 1997  Attached copyright statement