TUCoPS :: SunOS/Solaris :: o-012.txt

Sun Vulnerability in Solaris AnswerBook2 Documentation server daemon (CIAC O-012)


             __________________________________________________________

                       The U.S. Department of Energy
                   Computer Incident Advisory Capability
                           ___  __ __    _     ___
                          /       |     /_\   /
                          \___  __|__  /   \  \___
             __________________________________________________________

                             INFORMATION BULLETIN

     Sun Vulnerability in Solaris "AnswerBook2 Documentation" Server Daemon
                             [Sun Alert ID: 23412]

October 20, 2003 18:00 GMT                                        Number O-012
______________________________________________________________________________
PROBLEM:       An attacker can run arbitrary commands on the remote host as 
               the user the server runs as. 
               Note--The AnswerBook2 Documentation Server gives customers the 
               ability to view Sun documentation using their favorite browser. 
SOFTWARE:      AnswerBook2 Documentation Server Version 1.4.1 or earlier 
               AnswerBook2 Documentation Server Version 1.4.2 without patch 
DAMAGE:        An unprivileged local or remote user may be able to execute 
               arbitrary commands with the privileges of the AnswerBook2 
               server daemon, which is normally uid "daemon", on an 
               AnswerBook2 (AB2) server system. 
SOLUTION:      Upgrade to appropriate patch. 
______________________________________________________________________________
VULNERABILITY  The risk is LOW. The attacker can run arbitrary commands on the 
ASSESSMENT:    remote host. 
______________________________________________________________________________
LINKS: 
 CIAC BULLETIN:      http://www.ciac.org/ciac/bulletins/o-012.shtml 
 ORIGINAL BULLETIN:  Sun Alert ID: 23412                       
                     http://www.sunsolve.sun.com/pub-cgi/retrieve.pl?doc=fsalert
                     %2F23412&zone_32=category%3Asecurity 

______________________________________________________________________________
[***** Start Sun Alert ID: 23412 *****]

Sun(sm) Alert Notification 
Sun Alert ID: 23412 
Synopsis: Vulnerability in Solaris "AnswerBook2 Documentation" Server Daemon 
Category: Security 
Product: AnswerBook2 Documentation Server 
BugIDs: 4353727 
Avoidance: Upgrade, Patch 
State: Resolved 
Date Released: 10-Aug-2000, 16-Oct-2003 
Date Closed: 10-Aug-2000 
Date Modified: 10-Aug-2000, 16-Oct-2003 

1. Impact 

An unprivileged local or remote user may be able to execute arbitrary commands 
with the privileges of the AnswerBook2 server daemon, which is normally uid 
"daemon", on an AnswerBook2 (AB2) server system. 

This issue is one of two vulnerabilities discussed in S21sec advisory s21sec-004 
at: http://www.s21sec.com/en/avisos/s21sec-004-en.txt 

The other vulnerability discussed in the S21sec advisory is described in Sun Alert 
57400. 

This issue is also described in Sun Security Bulletin #00196 at: http://sunsolve.
sun.com/pub-cgi/secBulletin.pl 

2. Contributing Factors 

This issue can occur in the following releases: 

SPARC 
* AnswerBook2 Documentation Server Version 1.4.1 or earlier 
* AnswerBook2 Documentation Server Version 1.4.2 without patch 110011-02 

x86 Platform 
* AnswerBook2 Documentation Server Version 1.4.1 or earlier 
* AnswerBook2 Documentation Server Version 1.4.2 without patch 110012-02 

Notes: 
1.  AnswerBook2 is no longer supported as of Solaris 9, and thus Solaris 9 is not 
    affected. 
2.  AnswerBook2 Documentation Server version 1.4.2 first shipped with Solaris 8. 
3.  AnswerBook2 Documentation Server versions 1.4.3 and later are not affected by 
    this issue. 

To determine the version of the currently installed AnswerBook2 Server, run the 
following command: 

    $ grep SUNW_PRODVERS /var/sadm/pkg/SUNWab2[rsu]/pkginfo
    /var/sadm/pkg/SUNWab2r/pkginfo:SUNW_PRODVERS=1.4.2
    /var/sadm/pkg/SUNWab2s/pkginfo:SUNW_PRODVERS=1.4.2
    /var/sadm/pkg/SUNWab2u/pkginfo:SUNW_PRODVERS=1.4.2                              

3. Symptoms 

There are no predictable symptoms that would show the described issue has been 
exploited to execute arbitrary commands with the privileges of the AnswerBook2 
daemon on a system. 

Solution Summary Top 

4. Relief/Workaround 

Sites which have configured AnswerBook2 Documentation Servers may wish to disable 
AB2 and instead refer to Sun documentation at the Sun Product Documentation web 
site at: http://docs.sun.com or view the documentation on the Solaris Documentation 
CD. 

To disable the AnswerBook2 Documentation Server, the following commands can be run 
as the root user: 

    # /usr/lib/ab2/bin/ab2admin -o stop
    # /usr/lib/ab2/bin/ab2admin -o autostart_no      

5. Resolution 

This issue is addressed in the following releases: 

SPARC Platform 

* Upgrade to AnswerBook2 Documentation Server version 1.4.2 with patch 110011-02 

x86 Platform 

* Upgrade to AnswerBook2 Documentation Server version 1.4.2 with patch 110012-02 

Notes: 
1.  Sites with AnswerBook2 Documentation Server version 1.4.1 or earlier need to 
    first upgrade AnswerBook2 to version 1.4.2 before applying the above patches. 
2.  AnswerBook2 Documentation Server version 1.4.2 is available for download at: 
    http://www.sun.com/software/ab2 

Change History: 

15-Oct-2003: 

* Updated: Contributing Factors, Symptoms, Relief/Workaround, and Resolution sections 


[***** End Sun Alert ID: 23412 *****]
_______________________________________________________________________________

CIAC wishes to acknowledge the contributions of Sun Microsystems for the 
information contained in this bulletin.
_______________________________________________________________________________


CIAC, the Computer Incident Advisory Capability, is the computer
security incident response team for the U.S. Department of Energy
(DOE) and the emergency backup response team for the National
Institutes of Health (NIH). CIAC is located at the Lawrence Livermore
National Laboratory in Livermore, California. CIAC is also a founding
member of FIRST, the Forum of Incident Response and Security Teams, a
global organization established to foster cooperation and coordination
among computer security teams worldwide.

CIAC services are available to DOE, DOE contractors, and the NIH. CIAC
can be contacted at:
    Voice:    +1 925-422-8193 (7x24)
    FAX:      +1 925-423-8002
    STU-III:  +1 925-423-2604
    E-mail:   ciac@ciac.org

Previous CIAC notices, anti-virus software, and other information are
available from the CIAC Computer Security Archive.

   World Wide Web:      http://www.ciac.org/
   Anonymous FTP:       ftp.ciac.org

PLEASE NOTE: Many users outside of the DOE, ESnet, and NIH computing
communities receive CIAC bulletins.  If you are not part of these
communities, please contact your agency's response team to report
incidents. Your agency's team will coordinate with CIAC. The Forum of
Incident Response and Security Teams (FIRST) is a world-wide
organization. A list of FIRST member organizations and their
constituencies can be obtained via WWW at http://www.first.org/.

This document was prepared as an account of work sponsored by an
agency of the United States Government. Neither the United States
Government nor the University of California nor any of their
employees, makes any warranty, express or implied, or assumes any
legal liability or responsibility for the accuracy, completeness, or
usefulness of any information, apparatus, product, or process
disclosed, or represents that its use would not infringe privately
owned rights. Reference herein to any specific commercial products,
process, or service by trade name, trademark, manufacturer, or
otherwise, does not necessarily constitute or imply its endorsement,
recommendation or favoring by the United States Government or the
University of California. The views and opinions of authors expressed
herein do not necessarily state or reflect those of the United States
Government or the University of California, and shall not be used for
advertising or product endorsement purposes.

LAST 10 CIAC BULLETINS ISSUED (Previous bulletins available from CIAC)

O-002: Microsoft Internet Explorer Cumulative Patch
O-003: HP Potential Security Vulnerability in dtprintinfo
O-004: Microsoft Buffer Overrun in Messenger Service Could Allow Code Execution
O-005: Microsoft Exchange Server Vulnerabilities
O-006: Microsoft Authenticode Verification Vulnerability
O-007: Microsoft Windows Help and Support Center Buffer Overrun Vulnerability
O-008: Microsoft Troubleshooter ActiveX Control Buffer Overflow Vulnerability
O-009: Microsoft Listbox and ComboBox Control Buffer Overrun Vulnerabilities
O-010: Microsoft Exchange Server 5.5 Outlook Web Access Vulnerability
O-011: Sun Vulnerability in Solaris "AnswerBOok2 Documentation" Admin Script


TUCoPS is optimized to look best in Firefox® on a widescreen monitor (1440x900 or better).
Site design & layout copyright © 1986-2024 AOH