CIAC Advisory Notice
THE COMPUTER INCIDENT ADVISORY CAPABILITY
Announcement of Vulnerability in the SunOS Restore Utility
The Computer Incident Advisory Capability (CIAC) has learned of a vulnerability
in SunOS. This vulnerability is in the restore utility. Because restore is
setuid to root, it allows an ordinary user to obtain unauthorized privileges.
This vulnerability is found in all SunOS 4.x systems (4.0, 4.0.1, and 4.0.3).
This vulnerability can, however, be exploited only by users who have an account
on a SunOS 4.x system.
Sun Microsystems is aware of this vulnerability (Sun Bug 1019265) and is
developing a permanent solution in a future SunOS release. However, until
this fix is available, you should install one of two temporary fixes:
Temporary Solution 1: Make restore non-setuid, using the following:
    chmod 750 /usr/etc/restore
This solution is appropriate for systems that do restore locally and use
the root account to do restores. It eliminates the vulnerability in restore.
However, in addition to making restore non-setuid, this solution makes restore
unreadable and non-executable by ordinary (non-root) users, and restricts the
use of remote restore by these users. For example, with SunOS, a user who is
not root cannot get a privileged port. If temporary solution 1 has been
implemented, an ordinary user who requests a remote tape drive to do restore
would discover that restore would be unable to obtain a privileged port.
Therefore, the remote tape drive would not work.
Temporary Solution 2: Use the following workaround:
    chgrp operator restore
    chmod 4550 restore
You should use this solution if you do remote restore outside of the root
account. You may substitute "operator" with any other group that contains
the users you want to use restore. The group "operator" is a default group
on SunOS 4.x. With this method, restore is still setuid and vulnerable,
but you will have an accountable group of users who can use restore. The
4550 makes restore readable and executable by root and the group you specified,
and unreadable by everyone else. Thus, this solution does not totally disable
the remote restore capability, but allows designated user groups to have
In addition, as a preventive security measure, we suggest that you restrict
the accessibility of dump. The "dump" utility, the partner of restore, is
frequently used to do backups on a system. Restore is used to extract the
files that dump has stored on tape. CIAC's recommendation is to make dump
unreadable, non-executable and unwritable to everyone by using the following:
    chmod 6750 /usr/etc/dump
This will restrict access of dump by allowing its use only by root and the
group to which dump belongs (e.g., operator, staff, or wheel).
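The following check is an added example, not part of the CIAC advisory: it reads the mode of restore and dump with ls and reports which of the states described above each file is in. The function names and the three state labels are assumptions made for this example.

```shell
#!/bin/sh
# Added example (not from the advisory): classify a file's mode against
# the states the advisory describes, using only ls and cut.

# Print the 10-character mode string, e.g. "-r-sr-x---" for mode 4550.
mode_string() {
    ls -ld "$1" | cut -c1-10
}

# Print one of (labels are constructed for this example):
#   not-setuid         setuid bit clear (state after Temporary Solution 1)
#   setuid-restricted  setuid set, no permissions for "other"
#                      (state after Temporary Solution 2, or dump at 6750)
#   setuid-open        setuid set and "other" still has some permission
# Returns 2 if the file does not exist.
classify_setuid() {
    [ -e "$1" ] || return 2
    m=$(mode_string "$1")
    owner_x=$(echo "$m" | cut -c4)    # 's' or 'S' here means setuid
    other=$(echo "$m" | cut -c8-10)   # permissions for everyone else
    case "$owner_x" in
        s|S) ;;
        *) echo not-setuid; return 0 ;;
    esac
    case "$other" in
        ---|--T) echo setuid-restricted ;;
        *)       echo setuid-open ;;
    esac
}

# Report on the two files named in the advisory, if they are present.
audit_advisory_files() {
    for f in /usr/etc/restore /usr/etc/dump; do
        [ -f "$f" ] && echo "$f $(mode_string "$f") $(classify_setuid "$f")"
    done
    return 0
}

audit_advisory_files
```

A result of setuid-open for restore means neither temporary fix has been applied.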
For further information, contact:
Ana Maria de Alvare'
Computer Incident Advisory Capability
Lawrence Livermore National Laboratory
P.O. Box 808, L-303
Livermore, CA 94550
(415) 422-7007 or (FTS) 532-7007