[ advisories | exploits | discussions | news | conventions | security tools | texts & papers ]
 main menu
- feedback
- advertising
- privacy
- FightAIDS
- newsletter
- news
- read forum
- new topic
- search

- meetings list
- recent additions
- add your info
 top 100 sites
- visit top sites
- sign up now
- members

- add your url
- add domain
- search box
- link to us

- our projects
- free email
 m4d network
- security software
- secureroot
- m4d.com
Home : Advisories : Vulnerabilities in libc and libnsl libraries

Title: Vulnerabilities in libc and libnsl libraries
Released by: SUN
Date: 21st November 1996
Printable version: Click here

         SUN MICROSYSTEMS SECURITY BULLETIN: #00137, 20 Nov 1996



In this bulletin Sun announces the release of security-related patches

for Solaris 2.5 (SunOS 5.5) and Solaris 2.5.1 (SunOS 5.5.1). The

patches relate to a single problem involving vulnerabilities in both

the libc and libnsl libraries.

Sun strongly recommends that you install these patches immediately on

every affected system. An exploitation script was publicly released

earlier this week for this vulnerability and the script is now widely

distributed. Many 2.5 and 2.5.1 systems are therefore currently

vulnerable to attack. Earlier versions of SunOS, including 4.1.x, do

not have the bug and are not vulnerable.

Since the current version (v1.0) of SISS, the Solaris Internet Server

Supplement, is based largely on 2.5.1 code, it too is vulnerable. The

vulnerability will be fixed in the next version of SISS.

As of this writing Sun is aware of no successful attacks based on this


I.   Who is Affected, and What to Do

II.  Understanding the Vulnerability

III. List of Patches

IV.  Checksum Table


A.   How to obtain Sun security patches

B.   How to report or inquire about Sun security problems

C.   How to obtain Sun security bulletins or short status updates

         Send Replies or Inquiries To:

         Mark Graff

         Sun Security Coordinator

         MS MPK17-103

         2550 Garcia Avenue Mountain

         View, CA 94043-1100

         Phone: 415-786-5274

         Fax:   415-786-7994

         E-mail: security-alert@Sun.COM

Sun acknowledges with thanks the CERT Coordination Center (Carnegie

Mellon University), AUSCERT, and Marko Laakso (University of Oulu) for

their assistance in the preparation of this bulletin.

Sun, CERT, and AUSCERT are all members of FIRST, the Forum of Incident

Response and Security Teams. For more information about FIRST, visit

the FIRST web site at "http://www.first.org/".

Keywords:       gethostbyname, root, libc, libnsl

Patchlist:      103187-09, 103188-09, 103612-06, 103613-06, 103614-06



Permission is granted for the redistribution of this Bulletin, so long

as the Bulletin is not edited and is attributed to Sun Microsystems.

Portions may also be excerpted for re-use in other security advisories

so long as proper attribution is included.

Any other use of this information without the express written consent

of Sun Microsystems is prohibited. Sun Microsystems expressly disclaims

all liability for any misuse of this information by any third party.


         SUN MICROSYSTEMS SECURITY BULLETIN: #00137, 20 Nov 1996


I.   Who is Affected, and What to Do

Sun has verified that this vulnerability affects all supported Solaris

2.5 (SunOS 5.5) and Solaris 2.5.1 (SunOS 5.5.1) systems. Earlier

versions of SunOS, including 4.1.x, do not have the bug and are not


Installing and running the software provided in these patches completely

closes the vulnerability. For information about how to obtain these and

other Sun patches, see Appendix A.

To see which version of SunOS your system is running, use a command such as:

        % uname -a

If your system is running SunOS 5.5 or 5.5.1, it is vulnerable.

II.  Understanding the Vulnerability

If exploited, this vulnerability can be used to gain root access on

attacked systems. The attack could be initiated from a remote system.

Even penetration through a firewall may be possible, depending upon

which services and applications (such as rlogin) are allowed to pass

through the firewall.

Because this vulnerability is located in two key system libraries, many

setuid/setgid system utilities are affected and possibly exploitable.

There has been a buffer over-run vulnerability discovered in both the

libc and the libnsl libraries under Solaris 2.5/2.5.1.  Many setuid and

setgid programs, as well as network programs running with root

privileges, are dynamically linked against these libraries.  This

vulnerability has the potential for any program using these libraries,

running with root privileges, to be exploited, giving root privileges.

III. List of Patches

The patches required to close this vulnerability are listed below.

    A. Solaris 2.x (SunOS 5.x) patches

    Patches which replace the affected libraries and executables are available

    for every supported version of SunOS 5.x.

        OS version      Patch ID

        ----------      ---------

        SunOS 5.5       103187-09

        SunOS 5.5_X86   103188-09

        SunOS 5.5.1     103612-06

        SunOS 5.5.1_x86 103613-06

        SunOS 5.5.1_ppc 103614-06

    B.  Solaris 1.x (SunOS 4.1.x) patches

    No patches are needed for SunOS 4.1.x, which is not vulnerable.

IV.  Checksum Table

In the checksum table we show the BSD and SVR4 checksums and MD5 digital

signatures for the compressed tar archives.

File            BSD             SVR4            MD5

Name            Checksum        Checksum        Digital Signature

- --------------- -----------    ---------       --------------------------------

103187-09.tar.Z 55543 2779     1318 5557       2AF86E9126BB8B0505743D0283C175A6

103188-09.tar.Z 21952 2523     13621 5046      E0455AAC6DF587E9F9EC88082B9613B2

103612-06.tar.Z 29415 2752     38423 5503      56DF3214D8C5CC58C9AC223C9C7ACEBC

103613-06.tar.Z 30698 2501     29921 5002      7E27DF259B595231188D2725E2B6AE59

103614-06.tar.Z 05172 2766     46856 5532      193E63B9C5E2B829D59B1FCBE2E2981F

The checksums shown above are from the BSD-based checksum (on 4.1.x,

/bin/sum; on SunOS 5.x, /usr/ucb/sum) and from the SVR4 version on

on SunOS 5.x (/usr/bin/sum).


A.   How to obtain Sun security patches

    1. If you have a support contract

    Customers with Sun support contracts can obtain any patches listed

    in this bulletin (and any other patches--and a list of patches) from:

       - SunSolve Online

       - Local Sun answer centers, worldwide

       - SunSITEs worldwide

    The patches are available via World Wide Web at http://sunsolve1.sun.com.

    You should also contact your answer center if you have a support

    contract and:

       - You need assistance in installing a patch

       - You need additional patches

       - You want an existing patch ported to another platform

       - You believe you have encountered a bug in a Sun patch

       - You want to know if a patch exists, or when one will be ready

    2. If you do not have a support contract

    Customers without support contracts may now obtain security patches,

    "recommended" patches, and patch lists via SunSolve Online.

    Sun does not furnish patches to any external distribution sites

    other than the ones mentioned here. The ftp.uu.net and ftp.eu.net

    sites are no longer supported.

    3. About the checksums

    So that you can quickly verify the integrity of the patch files

    themselves, we supply in each bulletin checksums for the tar archives.

    Occasionally, you may find that the listed checksums do not match

    the patches on the SunSolve or SunSite database. This does not

    necessarily mean that the patch has been tampered with. More likely,

    a non-substantive change (such as a revision to the README file)

    has altered the checksum of the tar file. The SunSolve patch database

    is refreshed nightly, and will sometimes contain versions of a patch

    newer than the one on which the checksums were based.

    In the future we may provide checksum information for the

    individual components of a patch as well as the compressed archive

    file. This would allow customers to determine, if need be, which

    file(s) have been changed since we issued the bulletin containing

    the checksums.

    In the meantime, if you would like assistance in verifying the

    integrity of a patch file please contact this office or your local

    answer center.

B.   How to report or inquire about Sun security problems

If you discover a security problem with Sun software or wish to

inquire about a possible problem, contact one or more of the


   - Your local Sun answer centers

   - Your representative computer security response team, such as CERT

   - This office. Address postal mail to:

         Sun Security Coordinator

         MS MPK17-103

         2550 Garcia Avenue 

         Mountain View, CA 94043-1100

         Phone: 415-786-5274

         Fax:   415-786-7994

         E-mail: security-alert@Sun.COM

We strongly recommend that you report problems to your local Answer

Center. In some cases they will accept a report of a security bug

even if you do not have a support contract. An additional notification

to the security-alert alias is suggested but should not be used as your

primary vehicle for reporting a bug.

C.   How to obtain Sun security bulletins or short status updates

    1. Subscription information

    Sun Security Bulletins are available free of charge as part of

    our Customer Warning System. It is not necessary to have a Sun

    support contract in order to receive them.

    To receive information or to subscribe or unsubscribe from our

    mailing list, send mail to security-alert@sun.com with a subject

    line containing one of the following commands.

        Subject         Information Returned/Action Taken

        -------         ---------------------------------

        HELP            An explanation of how to get information

        LIST            A list of current security topics

        QUERY [topic]   The mail containing the question is relayed to

                        a Security Coordinator for a response.

        REPORT [topic]  The mail containing the text is treated as a

                        security bug report and forwarded to a Security

                        Coordinator for handling. Please note that this

                        channel of communications does not supersede

                        the use of Sun Solution Centers for this

                        purpose.  Note also that we do not recommend

                        that detailed problem descriptions be sent in

                        plain text.

        SEND topic      Summary of the status of selected topic. (To

                        retrieve a Sun Security Bulletin, supply the

                        number of the bulletin, as in "SEND #103".)

        SUBSCRIBE       Sender is added to the CWS (Customer

                        Warning System) list.  The subscribe feature

                        requires that the sender include on the subject

                        line the word "cws" and the reply email

                        address.  So the subject line might look like

                        the following:

                                SUBSCRIBE cws graff@sun.com

        UNSUBSCRIBE     Sender is removed from the CWS list.

    Should your email not fit into one of the above subjects, a help

    message will be returned to you.

    Due to the volume of subscription requests we receive, we cannot

    guarantee to acknowledge requests. Please contact this office if

    you wish to verify that your subscription request was received, or

    if you would like your bulletin delivered via postal mail or fax.

    2. Obtaining old bulletins

    Sun Security Bulletins are available via the security-alert alias

    and on SunSolve. Please try these sources first before contacting

    this office for old bulletins.

(C) 1999-2000 All rights reserved.