[ advisories | exploits | discussions | news | conventions | security tools | texts & papers ]
 main menu
- feedback
- advertising
- privacy
- FightAIDS
- newsletter
- news
- read forum
- new topic
- search

- meetings list
- recent additions
- add your info
 top 100 sites
- visit top sites
- sign up now
- members

- add your url
- add domain
- search box
- link to us

- our projects
- free email
 m4d network
- security software
- secureroot
- m4d.com
Home : Advisories : Vulnerability in Solaris admintool

Title: Vulnerability in Solaris admintool
Released by: CERT
Date: 5th August 1996
Printable version: Click here

Hash: SHA1


CERT(*) Advisory CA-96.16

Original issue date: August 5, 1996

Last Revised: October 20, 1997

              Vendor information for Sun has been added to the UPDATES


              A complete revision history is at the end of this file.

Topic: Vulnerability in Solaris admintool

- -----------------------------------------------------------------------------

   The text of this advisory was originally released on July 30, 1996, as

   AUSCERT Advisory AL-96.03, developed by the Australian Computer Emergency

   Response Team. Because of the seriousness of the problem, we are reprinting

   the AUSCERT advisory here with their permission. Only the contact

   information at the end has changed: AUSCERT contact information has been

   replaced with CERT/CC contact information.

   We will update this advisory as we receive additional information.

   Please check advisory files regularly for updates that relate to your site.


AUSCERT has received a report of a vulnerability in the Sun Microsystems

Solaris 2.x distribution involving the program admintool.  This program is

used to provide a graphical user interface to numerous system administration


This vulnerability may allow a local user to gain root privileges.

Exploit details involving this vulnerability have been made publicly


At this stage, AUSCERT is not aware of any official patches.  AUSCERT

recommends that sites take the actions suggested in Section 3 until official

patches are available.

- -----------------------------------------------------------------------------

1.  Description

    admintool is a graphical user interface that enables an administrator to

    perform several system administration tasks on a system.  These tasks

    include the ability to manage users, groups, hosts and other services.

    To help prevent different users updating system files simultaneously,

    admintool uses temporary files as a locking mechanism.  The handling of

    these temporary files is not performed in a secure manner, and hence it

    may be possible to manipulate admintool into creating or writing to

    arbitrary files on the system.  These files are accessed with the

    effective uid of the process executing admintool.

    In Solaris 2.5, admintool is set-user-id root by default.  That is, all

    file accesses are performed with the effective uid of root.  An effect

    of this is that the vulnerability will allow access to any file on the

    system.  If the vulnerability is exploited to try and create a file that

    already exists, the contents of that file will be deleted.  If the file

    does not exist, it will be created with root ownership and be world


    In earlier versions of Solaris 2.x, admintool is not set-user-id root

    by default.  In this case, admintool runs only with the privileges of

    the user executing it.  However, local users may wait for a specific user

    to execute admintool, exploiting the vulnerability to create or write

    files with that specific users' privileges.  Again, files created in this

    manner will be world writable.

2.  Impact

    A local user may be able to create or write to arbitrary files on the

    system.  This can be leveraged to gain root privileges.

3.  Workarounds/Solution

    Currently, AUSCERT is not aware of any official patches which address

    this vulnerability.  When official patches are made available, AUSCERT

    suggests that they be installed.

    Until official patches are available sites are encouraged to

    completely prevent execution of admintool by any user (including root).

        # chmod 400 /usr/bin/admintool

        # ls -l /usr/bin/admintool

        -r--------   1 root  sys  303516 Oct 27  1995 /usr/bin/admintool

    Note that if only the setuid permissions are removed, it is still possible

    for users to gain privileges when admintool is executed as root.

    AUSCERT recommends that, where possible, admintool should not be used at

    all until official patches are available.  In the interim, system

    administrators should perform administration tasks by using the command

    line equivalents.  More details on performing these tasks may be found

    in the Sun documentation set.

- -----------------------------------------------------------------------------

AUSCERT wishes to thank Brian Meilak (QUT), Marek Krawus (UQ), Leif

Hedstrom, Kim Holburn and Michael James for their assistance in this matter.

- -----------------------------------------------------------------------------

If you believe that your system has been compromised, contact the CERT

Coordination Center or your representative in the Forum of Incident

Response and Security Teams (FIRST).

We strongly urge you to encrypt any sensitive information you send by email.

The CERT Coordination Center can support a shared DES key and PGP. Contact

the CERT staff for more information.

Location of CERT PGP key


CERT Contact Information

- ------------------------

Email    cert@cert.org

Phone    +1 412-268-7090 (24-hour hotline)

                CERT personnel answer 8:30-5:00 p.m. EST

                (GMT-5)/EDT(GMT-4), and are on call for

                emergencies during other hours.

Fax      +1 412-268-6989

Postal address

        CERT Coordination Center

        Software Engineering Institute

        Carnegie Mellon University

        Pittsburgh PA 15213-3890


CERT publications, information about FIRST representatives, and other

security-related information are available for anonymous FTP from



CERT advisories and bulletins are also posted on the USENET newsgroup


To be added to our mailing list for CERT advisories and bulletins, send your

email address to


- ------------------------------------------------------------------------------

Copyright 1996 Carnegie Mellon University. Conditions for use, disclaimers,

and sponsorship information can be found in

http://www.cert.org/legal_stuff.html and http://ftp.cert.org/pub/legal_stuff .

If you do not have FTP or web access, send mail to cert@cert.org with

"copyright" in the subject line.

CERT is registered in the U.S. Patent and Trademark Office.

This file:



               click on "CERT Advisories"





Vendor Information


Below is information we have received from vendors. If you do not see your

vendor's name below, contact the vendor directly for information.


Sun Microsystems, Inc.

- ----------------------


Sun Microsystems has provided the following list of patches in response

to this advisory: 

        103558-10 5.5.1 

        103559-07 5.5.1_x86 

        103247-07 5.5    

        103245-08 5.5_x86


Revision history


Oct. 20, 1997  Vendor information for Sun has been added to the UPDATES


Sep. 24, 1997  Updated copyright statement

Aug. 30, 1996  Removed references to CA-96.16.README.

               Beginning of the advisory - removed AUSCERT advisory header

                 to avoid confusion.


Version: PGP for Personal Privacy 5.0

Charset: noconv





(C) 1999-2000 All rights reserved.