Solaris /usr/bin/solstice bug

Summary
Description:/usr/bin/solstice is setgid bin and gives this privilege away freely.
Author:Unknown (it was known before the attached post)
Compromise:group bin, which leads quickly to root (local)
Vulnerable Systems:Systems with vulnerable /usr/bin/solstice (Solaris 2.5, 2.5.1)
Date:18 October 1996 (known prior to this)
Notes:See addendum.
Details

Exploit:

From: Grant Kaufmann (gkaufman@cs.uct.ac.za)
Date: Fri, 18 Oct 1996 09:36:56 +0200 

/usr/bin/solstice is a program launcher under solaris 2.5
Unfortunately, for some reason, it is distributed set-gid bin,
and politely launches any programs without revoking this.
The exploit:

---
(ignore any warnings/errors along the way)
/usr/bin/solstice
click Launcher
click Add Applications
fill in any arbitary things for the fields, stick the program
        you want to run as setgid bin (or create a sgid shell)
click on the icon which appears with your app name.
---


As an aside, is there any reason why Solaris distributes
with so many important (like /etc and /bin) as writable by
group? This really converts a lot of not-so-dangerous
set-gid vulnerabilities to root vulnerabilities.


--
Grant
--
http://www.cs.uct.ac.za/~gkaufman/pgp.html

Addendum:
Here is patch information:

From: Casper Dik (casper@HOLLAND.SUN.COM)
Date: Sat, 19 Oct 1996 11:28:11 +0200 

>/usr/bin/solstice is a program launcher under solaris 2.5
>Unfortunately, for some reason, it is distributed set-gid bin,
>and politely launches any programs without revoking this.
>The exploit:


This is a well known bug which has already been discussed here at length.
/usr/bin/solstice was first shipped with SOlaris 2.5/SunOS 5.5 so older
versions are not at risk.

These patches fix the bug, alternatively you can just remove the set-gid bit.

103245-07: Solaris 2.5_x86: admintool patch
103247-07: SunOS 5.5: admintool patch
103558-05: SunOS 5.5.1: admintool fixes for security and missing swmtool options
103559-05: SunOS 5.5.1_x86: admintool fixes for security/missing swmtool options
103560-05: SunOS 5.5.1_ppc: admintool fixes for security/missing swmtool options

More Exploits!

The master index of all exploits is available here (Very large file)
Or you can pick your favorite operating system:
All OS's Linux Solaris/SunOS Micro$oft
*BSD Macintosh AIX IRIX
ULTRIX/Digital UNIX HP/UX SCO Remote exploits

This page is part of Fyodor's exploit world. For a free program to automate scanning your network for vulnerable hosts and services, check out my network mapping tool, nmap. Or try these Insecure.Org resouces:

[ Nmap | Sec Tools | Mailing Lists | Site News | About/Contact | Advertising | Privacy ]