[ advisories | exploits | discussions | news | conventions | security tools | texts & papers ]
 main menu
- feedback
- advertising
- privacy
- FightAIDS
- newsletter
- news
- read forum
- new topic
- search

- meetings list
- recent additions
- add your info
 top 100 sites
- visit top sites
- sign up now
- members

- add your url
- add domain
- search box
- link to us

- our projects
- free email
 m4d network
- security software
- secureroot
- m4d.com
Home : Advisories : Sun 4.1.X Loadmodule Vulnerability

Title: Sun 4.1.X Loadmodule Vulnerability
Released by: CERT
Date: 18th October 1995
Printable version: Click here

Hash: SHA1


CERT(*) Advisory CA-95:12

Original issue date: October 18, 1995

Last revised:September 23, 1997

                Attached copyright statement

              A complete revision history is at the end of this file.

Topic: Sun 4.1.X Loadmodule Vulnerability

- -----------------------------------------------------------------------------

The CERT Coordination Center has received reports of problems with the

loadmodule(8) program. An exploitation script is available and has been used

by local users to gain root privileges.

The problem is present in SunOS 4.1.X only, and there is a patch available for

sun4 architectures.

The CERT staff recommends that you install the appropriate patch as soon as

possible and take the steps in Section III.B. to further protect your system.

We will update this advisory as we receive additional information.

Please check advisory files regularly for updates that relate to your site.

- -----------------------------------------------------------------------------

I.   Description

     The loadmodule(8) program is used by the xnews(1) window system server to

     load two dynamically loadable kernel drivers into the currently running

     system and to create special devices in the /dev directory to use those

     modules. These modules and special files are used to provide a SunView

     binary compatibility mode while running the X11/NeWS windowing system.

     Because of the way the loadmodule(8) program sanitizes its environment,

     unauthorized users can gain root access on the local machine. A script is

     publicly available and has been used to exploit this vulnerability.

     This problem is present in SunOS 4.1.X only.

II.  Impact

     Local users can gain root privileges.

III. Solution

     The CERT staff recommends that you take the steps described in both A and

     B below.

     A. Obtain and install the appropriate patches according to the

        instructions included with the patches. Patches are available through

        your local Sun Answer Center and by FTP from


        Module           Patch ID        Filename

        ----------       ---------       ---------------

        loadmodule       100448-03       100448-03.tar.Z


            MD5 (100448-03.tar.Z) = 183a22f0a2f6020f1389b6aeea5ca6c6

     B. Because, in general, a set-user-id program can lead to security

        exposures, you should also do at least step 1 below. We recommend

        doing steps 2 and 3 as well.

        The intent of these directions is make the loadmodule(8) program

        work only for the super-user (currently it works for all users because

        it is set-user-id) and to execute it each time the system boots. By

        following these directions, users who require SunView binary

        compatibility will have it available to them.

        1. If you do not need SunView binary compatibility, then as root,

           turn off setuid root on the loadmodule(8) program with

                # /bin/chmod u-s /usr/openwin/bin/loadmodule

        2. If your users need SunView binary compatibility, you can

           enable it immediately--that is without having to reboot

           your system--with the following script.

        ------------------------cut here--8<------------------------

        ARCH=`/bin/arch -k`



        /bin/chmod u-s $LM

        if [ -f $OBJ/evqmod-${ARCH}.o ]; then

          if /usr/etc/modstat | /bin/egrep -s evqmod ; then

            echo evq: already loaded

          elif $LM evqmod-${ARCH}.o evqload; then

            echo evq: loaded


            echo evq: unable to load module



        if [ -f $OBJ/winlock-${ARCH}.o ]; then

          if /usr/etc/modstat | /bin/egrep -s winlock ; then

            echo winlock: already loaded

          elif $LM winlock-${ARCH}.o winlockload; then

            echo winlock: loaded


            echo winlock: unable to load module



        ------------------------cut here--8<------------------------

        As a suggestion, store this script in /tmp/esbc and then

        execute it as root with:

                # sh /tmp/esbc

     3. If you've done step 2 above, the module loadings will disappear

        the next time you reboot your system. To make them permanent--

        that is to make these module loadings occur each time your system

        is rebooted--add the script to the end of your /etc/rc.local file.

- ---------------------------------------------------------------------------

The CERT Coordination Center staff thanks Wolfgang Ley and Sun Microsystems

for their support in the development of this advisory.

- ---------------------------------------------------------------------------

If you believe that your system has been compromised, contact the CERT

Coordination Center or your representative in the Forum of Incident

Response and Security Teams (FIRST).

If you wish to send sensitive incident or vulnerability information to

CERT staff by electronic mail, we strongly advise that the email be

encrypted.  The CERT Coordination Center can support a shared DES key, PGP

(public key available via anonymous FTP on info.cert.org), or PEM (contact

CERT staff for details).

Internet email: cert@cert.org

Telephone: +1 412-268-7090 (24-hour hotline)

           CERT personnel answer 8:30 a.m.-5:00 p.m. EST(GMT-5)/EDT(GMT-4),

           and are on call for emergencies during other hours.

Fax: +1 412-268-6989

Postal address:  CERT Coordination Center

                 Software Engineering Institute

                 Carnegie Mellon University

                 Pittsburgh, PA 15213-3890


CERT advisories and bulletins are posted on the USENET newsgroup

comp.security.announce. If you would like to have future advisories and

bulletins mailed to you or to a mail exploder at your site, please send mail

to cert-advisory-request@cert.org.

Past CERT publications, information about FIRST representatives, and

other information related to computer security are available for anonymous

FTP from info.cert.org.

- -----------------------------------------------------------------------------

Copyright 1995, 1996 Carnegie Mellon University. Conditions for use,

disclaimers, and sponsorship information can be found in

http://www.cert.org/legal_stuff.html and http://ftp.cert.org/pub/legal_stuff .

If you do not have FTP or web access, send mail to cert@cert.org with

"copyright" in the subject line.

CERT is registered in the U.S. Patent and Trademark Office.


Revision history

Sep. 23, 1997  Updated copyright statement

Aug. 30, 1996  References to README files were removed because updates are

               added to the advisories themselves.


Version: PGP for Personal Privacy 5.0

Charset: noconv





(C) 1999-2000 All rights reserved.