TUCoPS :: SunOS/Solaris :: ciace006.txt

Solaris Syst Startup Vulnerability 

               _____________________________________________________
                          The U.S. Department of Energy
                       Computer Incident Advisory Capability
                              ___  __ __    _     ___
                             /       |     / \   /   
                             \___  __|__  /___\  \___
               _____________________________________________________

                               INFORMATION BULLETIN

                        Solaris System Startup Vulnerability


December 17, 1993 1500 PST                                         Number E-06
______________________________________________________________________________
PROBLEM:   Solaris system startup vulnerability.
PLATFORM:  Solaris 2.x and Solaris x86 systems.
DAMAGE:    Anyone with physical access to a workstation with eeprom(1m)
           security enabled may gain root level privilege without supplying
           the eeprom or root password.
SOLUTION:  Change system scripts as described or restrict physical access.
______________________________________________________________________________

       Critical Information about the Solaris System Startup Vulnerability

CIAC has received information from Sun Microsystems regarding a security
vulnerability in the Solaris system 2.x and x86 startups.  This
vulnerability allows a person with physical access to a workstation with
eeprom(1m) security enabled to force a startup failure and subsequently
gain root privilege without supplying the eeprom or root password. 
Changing the system scripts as described below or restricting physical
access to the workstations will eliminate this vulnerability.  Note that
without eeprom security enabled, a workstation is vulnerable to any
unauthorized individual who has physical access.

Without the script changes, if fsck(8) fails during boot, the system will
run a privileged shell on the workstation.  Since an attacker can force the
failure, CIAC recommends application of the changes described below.  If
this is not possible, then restrict physical workstation access to only
those users allowed root privilege.

The changes will require the user to enter the root password before the
system runs the privileged shell.  To make the changes, edit both /sbin/rcS
and /sbin/mountall.  Change every occurrence of

          /sbin/sh < /dev/console
to
          /sbin/sulogin < /dev/console

The Sun distribution of /sbin/rcS contains an occurrence of the target
string at line 152; the distribution of /sbin/mountall contains one at line
66 and one at line 250.

An attacker with physical access to a workstation without eeprom security
enabled can easily compromise the system by booting it in single user mode.
CIAC thus recommends enabling eeprom security for all workstations without
strict physical access controls.
______________________________________________________________________________

CIAC wishes to thank Sun Microsystems for first bringing the vulnerability
to our attention, and both Sun Microsystems and the CERT Coordination
Center for portions of the information in this bulletin.
______________________________________________________________________________

For additional information or assistance, please contact CIAC:
    Voice:   (510) 422-8193
    FAX:     (510) 423-8002
    STU-III: (510) 423-2604
    E-mail:  ciac@llnl.gov

Previous CIAC Bulletins and other information are available via anonymous FTP
from irbis.llnl.gov (IP address 128.115.19.60).
______________________________________________________________________________

PLEASE NOTE: Many users outside of the DOE and ESnet computing communities
receive CIAC bulletins.  If you are not part of these communities, please
contact your agency's response team to report incidents.  Your agency's team
will coordinate with CIAC.  The Forum of Incident Response and Security Teams
(FIRST) is a world-wide organization.  A list of FIRST member organizations
and their constituencies can be obtained by sending email to
docserver@first.org with an empty subject line and a message body containing
the line: send first-contacts.

This document was prepared as an account of work sponsored by an agency of the
United States Government.  Neither the United States Government nor the
University of California nor any of their employees, makes any warranty,
expressed or implied, or assumes any legal liability or responsibility for the
accuracy, completeness, or usefulness of any information, product, or process
disclosed, or represents that its use would not infringe privately owned
rights.  Reference herein to any specific commercial products, process, or
service by trade name, trademark manufacturer, or otherwise, does not
necessarily constitute or imply its endorsement, recommendation, or favoring
by the United States Government or the University of California.  The views
and opinions of authors expressed herein do not necessarily state or reflect
those of the United States Government nor the University of California, and
shall not be used for advertising or product endorsement purposes.

TUCoPS is optimized to look best in Firefox® on a widescreen monitor (1440x900 or better).
Site design & layout copyright © 1986-2024 AOH