-----BEGIN PGP SIGNED MESSAGE-----

===========================================================================
AA-97.08                        AUSCERT Advisory
                Solaris 2.x CDE sdtcm_convert vulnerability
                               24 February 1997

Last Revised: --

- ---------------------------------------------------------------------------

AUSCERT has received information that a vulnerability exists in the
Solaris 2.x Common Desktop Environment (CDE) sdtcm_convert utility.

This vulnerability may allow local users to gain root privileges.

Exploit information involving this vulnerability has been made publicly
available.

AUSCERT recommends that sites take the steps outlined in section 3 as soon
as possible.

- ---------------------------------------------------------------------------

1.  Description

        sdtcm_convert(1) is a calendar data conversion utility which
        converts between version 3 and version 4 calendar data formats.

        During the execution of sdtcm_convert, files are modified with
        root privileges in an insecure manner.  By manipulating the files
        that sdtcm_convert is accessing, local users may change the
        ownership of arbitrary files on the system.  This may be leveraged
        to gain root privileges.

        sdtcm_convert is part of the Solaris 2.x Common Desktop
        Environment (CDE) Applications package, SUNWdtdst.  Sites can
        determine whether the SUNWdtdst package is installed with the
        command:

                % pkginfo -l SUNWdtdst

        The long listing (-l) from pkginfo will also give the version of
        the CDE package installed.

        The default location for sdtcm_convert is
        /usr/dt/bin/sdtcm_convert.

2.  Impact

        Local users may be able to change the ownership of arbitrary files
        on the system.  This may be leveraged to gain root privileges.

3.  Workarounds/Solution

        Official vendor patches have been released by Sun Microsystems
        which address this vulnerability (Section 3.1).
        Until the patches recommended by Sun Microsystems can be applied,
        AUSCERT recommends that sites limit the possible exploitation of
        this vulnerability by immediately removing the setuid permissions
        as stated in Section 3.2.

3.1  Install vendor patches

        Sun Microsystems has released security patches which address the
        vulnerability described in this advisory.  AUSCERT recommends that
        sites apply these patches as soon as possible.

        Patches have been released for:

        CDE version     Patch                   MD5
        ~~~~~~~~~~~     ~~~~~                   ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
        1.0.1 sparc     103671-02.tar.Z         abb42a75b89c16e085d0f8811eeede10
        1.0.2 sparc     103670-02.tar.Z         e9f8f34deaaf215ff5f5b632bf0d45ea
        1.0.1 x86       103718-02.tar.Z         cebb82a95592392359f5206fe2a63ed1
        1.0.2 x86       103717-02.tar.Z         18fe28c03abdf118b647fd347261089e

        Sites with SunService Contracts may obtain these patches through
        their local SunSolve Online server.

        For sites without a SunService Contract, the above security patches
        may be retrieved from:

                ftp://sunsolve1.sun.com.au/pub/outgoing/

        Note that this site is currently the only public area where these
        patches are available.

3.2  Remove setuid permissions

        To prevent the exploitation of the vulnerability described in this
        advisory, AUSCERT recommends that the setuid permissions be removed
        from sdtcm_convert immediately.  As the sdtcm_convert program will
        no longer work for non-root users, it is recommended that the
        execute permissions also be removed.

        For example:

                # ls -l /usr/dt/bin/sdtcm_convert
                -r-sr-sr-x   1 root  daemon   285700 Feb 24 12:20 /usr/dt/bin/sdtcm_convert
                # chmod 500 /usr/dt/bin/sdtcm_convert
                -r-x------   1 root  daemon   285700 Feb 24 12:20 /usr/dt/bin/sdtcm_convert

4.  Additional measures

        Most Unix systems ship numerous programs which have setuid or
        setgid privileges.  Often the functionality supplied by these
        privileged programs is not required by many sites.  The large
        number of privileged programs that are shipped by default is
        intended to cater for all possible uses of the system.
        AUSCERT encourages sites to examine all the setuid/setgid programs
        and determine the necessity of each program.  If a program does not
        absolutely require the setuid/setgid privileges to operate (for
        example, it is only run by the root user), the setuid/setgid
        privileges should be removed.  Furthermore, if a program is not
        required at your site, then all execute permissions should be
        removed.

        A sample command to find all setuid/setgid programs is (run as
        root):

                # find / \( -perm -4000 -o -perm -2000 \) -type f -exec ls -l {} \;

        It is AUSCERT's experience that many vulnerabilities are being
        discovered in setuid/setgid programs which are not necessary for
        the correct operation of most systems.  Sites can increase their
        security by removing unnecessary setuid/setgid programs.

        For example, the functionality provided by the sdtcm_convert
        program is not needed by many sites.  If sites had previously
        disabled sdtcm_convert, they would not have been vulnerable to this
        latest exploit.

- ---------------------------------------------------------------------------

AUSCERT thanks Marko Laakso (University of Oulu) for his initial report,
continued assistance, and technical expertise crucial in the production of
this advisory.  Thanks also to CERT/CC, DFN-CERT and Sun Microsystems for
their help in this matter.

- ---------------------------------------------------------------------------

The AUSCERT team have made every effort to ensure that the information
contained in this document is accurate.  However, the decision to use the
information described is the responsibility of each user or organisation.
The appropriateness of this document for an organisation or individual
system should be considered before application in conjunction with local
policies and procedures.  AUSCERT takes no responsibility for the
consequences of applying the contents of this document.
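The following script is an added illustration of the mitigation in Section 3.2 and the setuid/setgid audit in Section 4; it is example code written for this edited copy, not part of the AUSCERT advisory or of Sun's patches. The function names (has_setid, list_setid_programs, count_setid_programs, restrict_program) are assumptions made here, and the demo operates on a constructed temporary directory rather than on /usr/dt/bin, so it runs as an ordinary user on any POSIX system. The audit predicate is the same one the advisory's find command uses; restrict_program applies the advisory's chmod 500.

```shell
#!/bin/sh
# Added example (not from the AUSCERT advisory): audit and restrict
# setuid/setgid programs along the lines of Sections 3.2 and 4.
# All function names below are assumptions made for this example.

# has_setid FILE: exit 0 if FILE carries the setuid or setgid bit.
# POSIX test(1) provides -u (set-user-ID) and -g (set-group-ID).
has_setid() {
    [ -u "$1" ] || [ -g "$1" ]
}

# list_setid_programs DIR: print every regular file under DIR that is
# setuid or setgid, one path per line (the advisory's find predicate).
list_setid_programs() {
    find "$1" \( -perm -4000 -o -perm -2000 \) -type f -print
}

# count_setid_programs DIR: number of setuid/setgid files under DIR.
count_setid_programs() {
    list_setid_programs "$1" | wc -l | tr -d ' '
}

# restrict_program FILE: apply the Section 3.2 mitigation, mode 500
# (owner read/execute only, no setuid/setgid, nothing for group/other),
# then show the resulting mode.  On a real system run this as root
# against /usr/dt/bin/sdtcm_convert.
restrict_program() {
    chmod 500 "$1" && ls -l "$1"
}

# demo: constructed directory tree standing in for /usr/dt/bin, so the
# example touches no system files.  The stand-in binary starts out
# -r-sr-sr-x (mode 6555), exactly as in the advisory's ls output.
demo() {
    dir=$(mktemp -d)
    mkdir -p "$dir/bin"
    : > "$dir/bin/sdtcm_convert_copy"   # constructed stand-in, empty file
    : > "$dir/bin/plain_tool"           # constructed non-privileged file
    chmod 6555 "$dir/bin/sdtcm_convert_copy"
    chmod 755  "$dir/bin/plain_tool"

    echo "before: $(count_setid_programs "$dir") setuid/setgid program(s)"
    list_setid_programs "$dir"

    restrict_program "$dir/bin/sdtcm_convert_copy"

    echo "after:  $(count_setid_programs "$dir") setuid/setgid program(s)"
    rm -rf "$dir"
}

if [ "${1:-}" = "demo" ]; then
    demo
fi
```

Run it as `sh audit_setid.sh demo` to see the before/after listing on the constructed tree; to audit a real host, call list_setid_programs / as root and review each entry against the criteria in Section 4 before restricting it.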
If you believe that your system has been compromised, contact AUSCERT or
your representative in FIRST (Forum of Incident Response and Security
Teams).

AUSCERT is located at The University of Queensland within the Prentice
Centre.  AUSCERT is a full member of the Forum of Incident Response and
Security Teams (FIRST).

AUSCERT maintains an anonymous FTP service which is found on:
ftp://ftp.auscert.org.au/pub/.  This archive contains past SERT and AUSCERT
Advisories, and other computer security information.

AUSCERT also maintains a World Wide Web service which is found on:
http://www.auscert.org.au/.

Internet Email: auscert@auscert.org.au
Facsimile:      (07) 3365 4477
Telephone:      (07) 3365 4417 (International: +61 7 3365 4417)
                AUSCERT personnel answer during Queensland business hours
                which are GMT+10:00 (AEST).
                On call after hours for emergencies.

Postal:         Australian Computer Emergency Response Team
                Prentice Centre
                Brisbane Qld. 4072.
                AUSTRALIA

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
Revision History
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

-----BEGIN PGP SIGNATURE-----
Version: 2.6.3i
Charset: noconv
Comment: ftp://ftp.auscert.org.au/pub/auscert/AUSCERT_PGP.key

iQCVAwUBMxG+fyh9+71yA2DNAQEjSwP/WdzzIz1abitnf+DSwPTCjCBVQAVNlsiG
N9uim1D+beFSAOOnZ2fqaXxmMXOEDeXpqlVUAWZNbJL7LkfpJPAnMU/8sZdLzY+U
SGQt0tV1JFsn5tCeTz+mCD/dgejdSnOYa3L2/65Sg/XXVLPWFc1N4jMVd8iAvK9i
pM6V1v4fcoY=
=mbcK
-----END PGP SIGNATURE-----