PASS TO SITE/FACILITY/COMMAND INFORMATION SYSTEM SECURITY OFFICER {ISSO}, SPECIAL SECURITY OFFICER {SSO}, INFORMATION RESOURCE MANAGER {IRM} AND AUTOMATED DATA PROCESSOR {ADP} COORDINATORS

U-1,229/DS-SIM {DCPO}

SUBJ: SUNOS ENVIRONMENT VARIABLES AND SETUID/SETGID VULNERABILITY {AUTOMATED SYSTEMS SECURITY INCIDENT SUPPORT TEAM {ASSIST} 92-36}

1. DISCUSSION: THIS IS A PRIORITY ALERT THAT INTERRUPTS THE SEQUENCE OF THE BASELINE PACKAGE OF MESSAGES CURRENTLY BEING ISSUED BY ASSIST. ASSIST HAS RECEIVED INFORMATION CONCERNING A VULNERABILITY INVOLVING ENVIRONMENT VARIABLES AND SETUID/SETGID PROGRAMS UNDER SUN MICROSYSTEMS COMPUTER CORPORATION SUNOS. THIS VULNERABILITY EXISTS ON ALL SUN ARCHITECTURES RUNNING SUNOS 4.0 AND HIGHER.

IN-HOUSE AND THIRD-PARTY SOFTWARE CAN ALSO BE IMPACTED BY THIS VULNERABILITY. FOR EXAMPLE, THE CURRENT VERSIONS OF RNEWS, SUDO, SMOUNT, AND NPASSWD ARE KNOWN TO BE VULNERABLE UNDER SUNOS. SEE THE DESCRIPTION SECTION OF THIS ADVISORY FOR DETAILS OF HOW TO IDENTIFY SOFTWARE WHICH MAY BE VULNERABLE.

ALSO IN THIS ADVISORY IS INFORMATION FOR OBTAINING A WORKAROUND THAT CAN BE USED TO PROTECT VULNERABLE SOFTWARE ON SUNOS OPERATING SYSTEM VERSIONS FOR WHICH PATCHES ARE UNAVAILABLE, OR FOR LOCAL OR THIRD PARTY SOFTWARE WHICH MAY BE VULNERABLE.

2. SUN HAS PROVIDED PATCHES FOR SUNOS 4.1, 4.1.1, AND 4.1.2 PROGRAMS WHICH ARE KNOWN TO BE IMPACTED BY THIS VULNERABILITY. THEY ARE AVAILABLE THROUGH YOUR LOCAL SUN ANSWER CENTER AS WELL AS THROUGH ANONYMOUS FTP FROM THE FTP.UU.NET {137.39.1.9} SYSTEM IN THE /SYSTEMS/SUN/SUN-DIST DIRECTORY.

FIX            PATCHID    FILENAME         CHECKSUM
LOGIN AND SU   100630-01  100630-01.TAR.Z  36269 39
SENDMAIL       100377-04  100377-04.TAR.Z  14692 311

NOTE: PATCHID 100630-01 CONTAINS THE INTERNATIONAL VERSION OF /USR/BIN/LOGIN. PATCHID 100631-01 CONTAINS THE DOMESTIC VERSION OF /USR/BIN/LOGIN AND IS ONLY AVAILABLE FROM SUN ANSWER CENTERS FOR SITES THAT USE THE US ENCRYPTION KIT.

PLEASE NOTE THAT SUN WILL OCCASIONALLY UPDATE PATCH FILES. IF YOU FIND THAT THE CHECKSUM IS DIFFERENT PLEASE CONTACT SUN FOR VERIFICATION.

3. DESCRIPTION: A SECURITY VULNERABILITY EXISTS IF A SET-USER-ID PROGRAM CHANGES ITS REAL AND EFFECTIVE USER IDS TO BE THE SAME {BUT NOT TO THE INVOKER'S ID}, AND SUBSEQUENTLY CAUSES A DYNAMICALLY-LINKED PROGRAM TO BE EXEC'D. A SIMILAR VULNERABILITY EXISTS FOR SET-GROUP-ID PROGRAMS. IN PARTICULAR, SUNOS /USR/LIB/SENDMAIL, /USR/BIN/LOGIN, /USR/BIN/SU, AND /USR/5BIN/SU ARE VULNERABLE TO THIS PROBLEM.

IMPACT: LOCAL USERS CAN GAIN UNAUTHORIZED PRIVILEGED ACCESS TO THE SYSTEM.

SOLUTION: OBTAIN AND INSTALL THE PATCHES FROM SUN OR FROM FTP.UU.NET AND FOLLOW THE PROVIDED INSTRUCTIONS.

4. A WORKAROUND IS AVAILABLE THAT CAN BE USED TO PROTECT VULNERABLE BINARIES FOR WHICH PATCHES ARE UNAVAILABLE FOR YOUR SUNOS VERSION, OR FOR LOCAL OR THIRD PARTY SOFTWARE WHICH MAY BE VULNERABLE. THE WORKAROUND IS A WRAPPER PROGRAM WRITTEN IN THE C PROGRAMMING LANGUAGE. THE SOURCE CODE FOR THE WRAPPER PROGRAM CONTAINS NUMEROUS SPECIAL CHARACTERS AND SYMBOLS THAT CANNOT BE TRANSMITTED VIA THIS MEDIUM. CONTACT SUN MICROSYSTEMS OR ASSIST TO OBTAIN THE C SOURCE CODE FOR THE WRAPPER PROGRAM.

5. POINT OF CONTACT: ASSIST POINT OF CONTACT FOR THIS MATTER IS MIKE HIGGINS, COMM {202} 373-8852/55 OR DSN 243-8852/55. ASSIST CAN BE REACHED 24 HOURS PER DAY, COMMERCIAL PAGER {800} SKY-PAGE, PIN NUMBER 2133937 {FROM A TOUCH TONE PHONE ENTER THE CALL BACK NUMBER AFTER THE PROMPT} OR AUTOVON DIAL 243-8000 AND ASK TO HAVE THE ASSIST DUTY OFFICER PAGED. ASSIST CAN BE REACHED VIA E-MAIL AT "DOD-CERT{AT-SIGN}DDN-CONUS.DDN.MIL."
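
THE WRAPPER APPROACH DESCRIBED IN PARAGRAPH 4, SHOWN AS AN ADDED EXAMPLE. THIS IS NOT THE SUN OR ASSIST WRAPPER SOURCE, WHICH THIS MESSAGE DOES NOT CONTAIN. IT ASSUMES THE VARIABLES OF CONCERN ARE THE RUN-TIME LINKER'S LD_ VARIABLES; `REAL_PROGRAM` IS A PLACEHOLDER PATH AND `scrub_env` IS A HYPOTHETICAL NAME.

```c
#include <stdio.h>
#include <string.h>
#include <unistd.h>

/* Placeholder (hypothetical): full path of the original binary after it
 * has been moved aside; the wrapper is installed under the original name. */
#define REAL_PROGRAM "/path/to/protected-program.real"

extern char **environ;

/* Assumption: the variables to remove are the run-time linker's LD_*
 * family (LD_LIBRARY_PATH, LD_PRELOAD, ...). The prefix must match at
 * the start of the entry, so a name such as OLD_VAR is left alone. */
static int is_linker_var(const char *entry)
{
    return strncmp(entry, "LD_", 3) == 0;
}

/* Compact the environment vector in place, dropping every LD_* entry.
 * Duplicate entries are all removed. Returns the number removed. */
int scrub_env(char **envp)
{
    char **src = envp, **dst = envp;
    int removed = 0;

    for (; *src != NULL; src++) {
        if (is_linker_var(*src))
            removed++;
        else
            *dst++ = *src;
    }
    *dst = NULL;                /* keep the vector NULL-terminated */
    return removed;
}

int main(int argc, char **argv)
{
    (void)argc;
    scrub_env(environ);
    /* Pass the caller's arguments through unchanged with the cleaned
     * environment; execve returns only on failure. */
    execve(REAL_PROGRAM, argv, environ);
    perror(REAL_PROGRAM);
    return 127;
}
```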