NO RESTRICTIONS
_____________________________________________________
The Computer Incident Advisory Capability
_____________________________________________________
Information Bulletin
Vulnerability in SunOS SPARC Integer Division
September 17, 1991, 1200 PDT Number B-41
-------------------------------------------------------------------------------
PROBLEM: Integer division bug can be used to gain root
PLATFORM: sun4, sun4c: SunOS release: 4.1, 4.1.1
DAMAGE: Unauthorized root access and potential system crash
SOLUTIONS: Apply Sun Patch-ID# 100376-01 for SunOS 4.1 and 4.1.1; rebuild
and install the operating system kernel with patched object file
-------------------------------------------------------------------------------
Critical Facts About Sun Integer Division Bug
CIAC has learned of a security problem with the integer division
exception handling on SPARC-based computers (including the Sun 4 and
Sun 4c architectures) running SunOS 4.1 and 4.1.1. This vulnerability
can be used to gain unauthorized root access and can also result in
system crashes.
Sun is providing a patch (Sun Patch-ID# 100376-01) to correct this
problem. This patch is available from Sun (call 1-800-USA-4SUN), or
through anonymous ftp at uunet.uu.net (ip address 137.39.1.2) in the
directory ~ftp/sun-dist (see bulletin B-33 for details on obtaining
files from uunet.uu.net). The patch file is named 100376-01.tar.Z and
has a checksum (as reported by the command "sum 100376-01.tar.Z") of
"09989 11". Please note that Sun Microsystems sometimes updates
patch files, resulting in a changed checksum. If you find that the
checksum is different from the one given above, please contact Sun
Microsystems or CIAC for verification before installing the patch.
The patch file must be uncompressed and the tar file extracted. To
apply the patch, replace the file /sys/sun{4,4c}/OBJ/crt.o with the
crt.o file for your architecture that is contained in the patch.
You must then rebuild the kernel, replace your copy of /vmunix, and
reboot the system. Since the installation of this patch will vary
depending on your individual system configuration, please refer to the
System and Network Administration Manual on building and configuring a
custom kernel for details on this procedure.
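The checksum gate and the crt.o replacement described above, written as a small POSIX shell helper. This is an added example, not part of the CIAC bulletin or the Sun patch; the expected checksum is the one the bulletin publishes, while the object directory, the location of crt.o inside the extracted tarball, and the backup filename are assumptions.

```sh
#!/bin/sh
# Added example: refuse to touch the kernel object tree unless the patch
# archive matches the published checksum, and keep the original crt.o.
# Checksum below is the bulletin's value for 100376-01.tar.Z.
EXPECTED_SUM="09989 11"

# bsd_sum FILE -> "checksum blocks", whitespace normalised so the string
# can be compared directly with the value printed in the bulletin.
bsd_sum() {
    set -- $(sum "$1")
    printf '%s %s\n' "$1" "$2"
}

# verify_patch FILE EXPECTED -> 0 if the checksum matches, 1 otherwise.
verify_patch() {
    actual=$(bsd_sum "$1")
    if [ "$actual" = "$2" ]; then
        return 0
    fi
    echo "checksum mismatch for $1: got '$actual', expected '$2'" >&2
    echo "patch may have been updated; confirm with Sun or CIAC first" >&2
    return 1
}

# install_crt OBJ_DIR NEW_CRT -> back up OBJ_DIR/crt.o (assumed backup
# name crt.o.orig), then install the patched object file in its place.
install_crt() {
    objdir=$1
    newcrt=$2
    [ -f "$newcrt" ] || { echo "patched crt.o not found: $newcrt" >&2; return 1; }
    if [ -f "$objdir/crt.o" ]; then
        cp -p "$objdir/crt.o" "$objdir/crt.o.orig" || return 1
    fi
    cp -p "$newcrt" "$objdir/crt.o"
}

# apply_patch ARCHIVE ARCH -> full sequence; ARCH is sun4 or sun4c.
# Assumes crt.o sits at the top level of the extracted tarball.
apply_patch() {
    archive=$1
    arch=${2:-sun4}
    verify_patch "$archive" "$EXPECTED_SUM" || return 1
    uncompress "$archive" || return 1
    tar xf "${archive%.Z}" || return 1
    install_crt "/sys/$arch/OBJ" "./crt.o" || return 1
    echo "crt.o replaced; rebuild the kernel, install /vmunix, then reboot"
}
```

Run as root with `apply_patch 100376-01.tar.Z sun4c` after fetching the archive; the kernel rebuild itself still follows the System and Network Administration Manual.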
For additional information or assistance, please contact CIAC:
David Brown
(510) 423-9878** or (FTS) 543-9878
FAX: (510) 423-8002** or (FTS) 543-8002
**Note: On September 1, 1991, CIAC's area code changed
from 415 to 510
or send e-mail to:
ciac@llnl.gov
Previous CIAC bulletins are available via anonymous FTP from
irbis.llnl.gov (ip number 128.115.19.60)
CIAC gratefully acknowledges the timely response of Sun Microsystems
in responding to this problem. Thanks also to the Computer Emergency
Response Team at Carnegie-Mellon for some of the material used in this
bulletin. Neither the United States Government nor the University of
California nor any of their employees, makes any warranty, expressed
or implied, or assumes any legal liability or responsibility for the
accuracy, completeness, or usefulness of any information, product, or
process disclosed, or represents that its use would not infringe
privately owned rights. Reference herein to any specific commercial
products, process, or service by trade name, trademark manufacturer,
or otherwise, does not necessarily constitute or imply its
endorsement, recommendation, or favoring by the United States
Government or the University of California. The views and opinions of
authors expressed herein do not necessarily state or reflect those of
the United States Government nor the University of California, and
shall not be used for advertising or product endorsement purposes.