__________________________________________________________

                       The U.S. Department of Energy
                   Computer Incident Advisory Capability
                           ___  __ __    _     ___
                          /       |     /_\   /
                          \___  __|__  /   \  \___
             __________________________________________________________

                             INFORMATION BULLETIN

                      Solaris Runtime Linker Vulnerability
                             [Sun Alert ID: 101794]

July 13, 2005 19:00 GMT                                           Number P-253
[REVISED 21 Jul 2005]
[REVISED 25 Jul 2005]
[REVISED 01 Nov 2005]
[REVISED 12 Jan 2006]
______________________________________________________________________________
PROBLEM:       A vulnerability was discovered in Solaris runtime linker 
               (Id.so.1(1)). The runtime linker ld.so.1(1) processes dynamic 
               executables and shared objects at runtime, binding them to 
               create a runnable process. 
PLATFORM:      SPARC Platform: 
                 Solaris 8 with patches 109147-31 through 109147-36 and without
                  patch 109147-37
                 Solaris 9 with patches 112963-16 through 112963-21 and without
                  patch 112963-22
                 Solaris 10 without patch 117461-04
               x86 Platform 
                 Solaris 8 with patches 109148-31 through 109148-36 and without
                  patch 109148-37
                 Solaris 9 with patches 113986-12 through 113986-17 and without
                  patch 113986-18
                 Solaris 10 without patch 118345-05
DAMAGE:        The vulnerability is caused due to a design error in the 
               runtime linker (ld.so.1) when executing setuid and setgid 
               programs. This can be exploited to execute arbitrary code from 
               a malicious library with escalated privileges. 
SOLUTION:      Apply the security updates. 
______________________________________________________________________________
VULNERABILITY  The risk is MEDIUM. Exploiting this vulnerability may allow a 
ASSESSMENT:    local user to gain root privileges. 
______________________________________________________________________________
LINKS: 
 CIAC BULLETIN:      http://www.ciac.org/ciac/bulletins/p-253.shtml 
 ORIGINAL BULLETIN:  http://sunsolve.sun.com/search/printfriendly.do?assetkey=
                     1-26-101794-1
 ADDITIONAL LINKS:    Secunia Advisory SA15841
                     http://secunia.com/advisories/15841/ 
                     Sun Alert ID: 101995
                     http://sunsolve.sun.com/search/document.do?assetkey=1-26-
                     101995-1&searchclause=security
______________________________________________________________________________
REVISION HISTORY:
07/21/2005 - revised to reflect the modifications Sun has made in Sun Alert 
             Document ID: 101794 where they have updated the Contributing
             Factors, the Relief/Workaround, and the Resolution sections.
07/25/2005 - revised to reflect the modifications Sun has made in Sun Alert 
             Document ID: 101794 where they have updated the Contributing
             Factors and the Resolution sections.
11/01/2005 - revised to reflect the modifications Sun has made in Sun Alert 
             Document ID: 101794 where they have updated the Contributing
             Factors and the Resolution sections.
01/12/2006 - added a link to Sun Alert Document ID: 101995 where they have 
             Updated Contributing Factors and Resolution sections, re-release 
             as Resolved
			 
			 
[***** Start Sun Alert ID: 101794 *****]

Document Audience: PUBLIC 
Document ID: 101794 
Title: Security Vulnerability in the Solaris Runtime Linker (ld.so.1(1)) 
Update Date: Mon Oct 31 00:00:00 MST 2005 

-------------------------------------------------------------------------------
Status Issued 


Description Top 

Sun(sm) Alert Notification
Sun Alert ID: 101794
Synopsis: Security Vulnerability in the Solaris Runtime Linker (ld.so.1(1))
Category: Security
Product: Solaris 9 Operating System, Solaris 10 Operating System, Solaris 8 
Operating System
BugIDs: 6291547
Avoidance: Patch, Workaround
State: Resolved
Date Released: 28-Jun-2005, 31-Oct-2005
Date Closed: 31-Oct-2005
Date Modified: 29-Jun-2005, 30-Jun-2005, 12-Jul-2005, 13-Jul-2005, 15-Jul-2005, 
20-Jul-2005, 25-Jul-2005, 31-Oct-2005

1. Impact
Local unprivileged users may be able to gain unauthorized root access due to a 
security vulnerability in the Solaris runtime linker (ld.so.1(1)).

2. Contributing Factors

This issue can occur in the following releases:

SPARC Platform:

Solaris 8 with patches 109147-31 through 109147-36 and without patch 109147-37
Solaris 9 with patches 112963-16 through 112963-21 and without patch 112963-22
Solaris 10 without patch 117461-04
x86 Platform

Solaris 8 with patches 109148-31 through 109148-36 and without patch 109148-37
Solaris 9 with patches 113986-12 through 113986-17 and without patch 113986-18
Solaris 10 without patch 118345-05
Note: Solaris 7 is not affected by this issue.

3. Symptoms

There are no reliable symptoms that would indicate the described issue has been 
exploited to gain elevated privileges.



Solution Summary Top 

4. Relief/Workaround

To work around the described issue, sites running Solaris 8 or Solaris 9 can 
back out the relevant linker patch to a revision which is not affected using 
the patchrm(1M) command. If the patch cannot be backed out, the ld.so.1(1M) 
file from an earlier patch can be replaced on the system using the following 
steps as the root user:

1. Copy the ld.so.1 file from the patch onto the system as shown in the 
following example:

    # cp ./SUNWcsu/reloc/usr/lib/ld.so.1 /usr/lib/ld.so.1-patch
2. Create a directory entry (link) for the existing runtime linker to a new 
file using ln(1):

    # cd /usr/lib ; ln ld.so.1 ld.so.1.original
3. Create a directory entry (link) for the patched runtime linker copied 
earlier to the current runtime linker, again using ln(1):

    # cd /usr/lib ; ln ld.so.1-patch ld.so.1
4. For SPARC systems running in 64-bit mode, the runtime linker located in the 
patch at:

    ./SUNWcsxu/reloc/usr/lib/sparcv9/ld.so.1
will need to be copied to "/usr/lib/sparcv9". The above steps can then be 
repeated using the "/usr/lib/sparcv9" path instead of "/usr/lib".



5. Resolution
This issue is addressed in the following releases:

SPARC Platform

Solaris 8 with patch 109147-37 or later
Solaris 9 with patch 112963-22 or later
Solaris 10 with patch 117461-04 or later
x86 Platform

Solaris 8 with patch 109148-37 or later
Solaris 9 with patch 113986-18 or later
Solaris 10 with patch 118345-05 or later


Change History
29-Jun-2005: 
Updated Relief/Workaround section
30-Jun-2005: 
Updated Relief/Workaround section
12-Jul-2005: 
Updated Relief/Workaround
13-Jul-2005: 
Updated Relief/Workaround section
15-Jul-2005: 
Updated Contributing Factors and Resolution sections
20-Jul-2005: 
Updated Contributing Factors, Relief/Workaround and Resolution sections
25-Jul-2005: 
Updated Contributing Factors and Resolution sections
31-Oct-2005: 
State: Resolved
Updated Contributing Factors and Resolution sections

This Sun Alert notification is being provided to you on an "AS IS" basis. This 
Sun Alert notification may contain information provided by third parties. The 
issues described in this Sun Alert notification may or may not impact your 
system(s). Sun makes no representations, warranties, or guarantees as to the 
information contained herein. ANY AND ALL WARRANTIES, EXPRESS OR IMPLIED, 
INCLUDING WITHOUT LIMITATION WARRANTIES OF MERCHANTABILITY, FITNESS FOR A 
PARTICULAR PURPOSE, OR NON-INFRINGEMENT, ARE HEREBY DISCLAIMED. BY ACCESSING 
THIS DOCUMENT YOU ACKNOWLEDGE THAT SUN SHALL IN NO EVENT BE LIABLE FOR ANY 
DIRECT, INDIRECT, INCIDENTAL, PUNITIVE, OR CONSEQUENTIAL DAMAGES THAT ARISE OUT 
OF YOUR USE OR FAILURE TO USE THE INFORMATION CONTAINED HEREIN. This Sun Alert 
notification contains Sun proprietary and confidential information. It is being 
provided to you pursuant to the provisions of your agreement to purchase 
services from Sun, or, if you do not have such an agreement, the Sun.com Terms 
of Use. This Sun Alert notification may only be used for the purposes 
contemplated by these agreements.


Copyright 2000-2005 Sun Microsystems, Inc., 4150 Network Circle, Santa Clara, 
CA 95054 U.S.A. All rights reserved.



[***** End Sun Alert ID: 101794 *****]
_______________________________________________________________________________

CIAC wishes to acknowledge the contributions of Sun Microsystems for the 
information contained in this bulletin.
_______________________________________________________________________________


CIAC, the Computer Incident Advisory Capability, is the computer
security incident response team for the U.S. Department of Energy
(DOE) and the emergency backup response team for the National
Institutes of Health (NIH). CIAC is located at the Lawrence Livermore
National Laboratory in Livermore, California. CIAC is also a founding
member of FIRST, the Forum of Incident Response and Security Teams, a
global organization established to foster cooperation and coordination
among computer security teams worldwide.

CIAC services are available to DOE, DOE contractors, and the NIH. CIAC
can be contacted at:
    Voice:    +1 925-422-8193 (7x24)
    FAX:      +1 925-423-8002
    STU-III:  +1 925-423-2604
    E-mail:   ciac@ciac.org

Previous CIAC notices, anti-virus software, and other information are
available from the CIAC Computer Security Archive.

   World Wide Web:      http://www.ciac.org/
   Anonymous FTP:       ftp.ciac.org

PLEASE NOTE: Many users outside of the DOE, ESnet, and NIH computing
communities receive CIAC bulletins.  If you are not part of these
communities, please contact your agency's response team to report
incidents. Your agency's team will coordinate with CIAC. The Forum of
Incident Response and Security Teams (FIRST) is a world-wide
organization. A list of FIRST member organizations and their
constituencies can be obtained via WWW at http://www.first.org/.

This document was prepared as an account of work sponsored by an
agency of the United States Government. Neither the United States
Government nor the University of California nor any of their
employees, makes any warranty, express or implied, or assumes any
legal liability or responsibility for the accuracy, completeness, or
usefulness of any information, apparatus, product, or process
disclosed, or represents that its use would not infringe privately
owned rights. Reference herein to any specific commercial products,
process, or service by trade name, trademark, manufacturer, or
otherwise, does not necessarily constitute or imply its endorsement,
recommendation or favoring by the United States Government or the
University of California. The views and opinions of authors expressed
herein do not necessarily state or reflect those of the United States
Government or the University of California, and shall not be used for
advertising or product endorsement purposes.

LAST 10 CIAC BULLETINS ISSUED (Previous bulletins available from CIAC)

P-243: 'ruby 1.8' Vulnerability
P-244: 'arshell' Vulnerability in 'arrayd'
P-245: Cisco CallManager Vulnerabilities
P-246: Microsoft Word Font Parsing Vulnerability
P-247: Microsoft Vulnerability in JView Profiler
P-248: Microsoft Color Management Module Vulnerability
P-249: krb5 Security Update
P-250: Critical Patch Update - July 2005
P-251: Mozilla Security Updates
P-252: Firefox Security Updates