CERT-SEI

SunOS Source Tape Installation Vulnerability

Original issue date: May 20, 1991
Last revised: September 18, 1997
Attached copyright statement

A complete revision history is at the end of this file.

The Computer Emergency Response Team/Coordination Center (CERT/CC) has received the following information from Sun Microsystems, Inc. (Sun).  Sun has given the CERT/CC permission to distribute their Security Bulletin. It contains information regarding a fix for a vulnerability in SunOS 4.0.3, SunOS 4.1 and SunOS 4.1.1.

The following Sun Microsystems Security Bulletin only applies to systems that have installed the Sun Source tapes.

For more information, please contact Sun Microsystems at 1-800-USA-4SUN.


SUN MICROSYSTEMS SECURITY BULLETIN: #00107

This information is only to be used for the purpose of alerting customers to problems. Any other use or re-broadcast of this information without the express written consent of Sun Microsystems shall be prohibited.

Sun expressly disclaims all liability for any misuse of this information by any third party.


Sun Bug ID  : 1059621
Synopsis    : security hole created by installing sunsrc
Sun Patch ID: Not applicable see fix below.

This applies to sites that have installed Sun Source tapes only.

The Sun distribution of sources (sunsrc) has an installation procedure which creates the directory /usr/release/bin and installs two setuid root files in it: makeinstall and winstall.  These are both binary files which exec other programs: "make -k install" (makeinstall) or "install" (winstall).

This makes it possible for users on that system to become root.

The solution:

 
      chmod ug-s /usr/release/bin/{makeinstall, winstall}
        (if the sources have already been installed)

and/or

edit the makefile in sunsrc/release and change the SETUID definition (if the sources have been extracted from tape but not installed yet)

Special thanks to CERT and Tel-Aviv University for reporting this problem.

    Brad Powell
    Sun Microsystems
Software Security Coordinator.


The CERT/CC would like to thank Sun Microsystems, Inc. for their response to this vulnerability.  We would also like to thank Ariel Cohen from Tel-Aviv University, School of Mathematical Sciences for reporting the problem.



This document is available from: http://www.preview.cert.org/advisories/CA-1991-07.html

CERT/CC Contact Information

Email: cert@cert.org
Phone: +1 412-268-7090 (24-hour hotline)
Fax: +1 412-268-6989
Postal address:
CERT Coordination Center
Software Engineering Institute
Carnegie Mellon University
Pittsburgh PA 15213-3890
U.S.A.

CERT/CC personnel answer the hotline 08:00-17:00 EST(GMT-5) / EDT(GMT-4) Monday through Friday; they are on call for emergencies during other hours, on U.S. holidays, and on weekends.

Using encryption

We strongly urge you to encrypt sensitive information sent by email.  Our public PGP key is available from

If you prefer to use DES, please call the CERT hotline for more information.

Getting security information

CERT publications and other security information are available from our web site

* "CERT" and "CERT Coordination Center" are registered in the U.S. Patent and Trademark Office.


NO WARRANTY
Any material furnished by Carnegie Mellon University and the Software Engineering Institute is furnished on an "as is" basis. Carnegie Mellon University makes no warranties of any kind, either expressed or implied as to any matter including, but not limited to, warranty of fitness for a particular purpose or merchantability, exclusivity or results obtained from use of the material. Carnegie Mellon University does not make any warranty of any kind with respect to freedom from patent, trademark, or copyright infringement.


Conditions for use, disclaimers, and sponsorship information

Copyright 1991 Carnegie Mellon University.


Revision History
September 18,1997  Attached Copyright Statement