NASIRC BULLETIN #93-04                              October 21, 1993
               SUNOS AND SOLARIS SECURITY VULNERABILITIES
              (/usr/lib/sendmail, /bin/tar, and /dev/audio)
===========================================================================
               __    __      __      ___   ___  ____     ____  
              /_/\  /_/|    /_/     / _/\ /_/| / __/ \  / __/\ 
              | |\ \| ||   /  \ \   | /\/ | || | /\ \/  | | \/ 
              | ||\ \ ||  / /\ \ \   \ \  | || |_\/ /\  | |    
              | || \ \|| / /--\ \ \ /\_\\ | || | |\ \ \ | \_/\ 
              |_|/  \_|//_/    \_\/ \/__/ |_|/ |_| \_\/ \___\/ 
             NASA Automated Systems Incident Response Capability
===========================================================================
NASIRC has learned about three security vulnerabilities associated with
SunOS versions 4.1.x and 5.x.  These three vulnerabilities are in sendmail
and microphone under SunOS 4.1.x and 5.x, and tar under SunOS 5.x. 

1.  SunOS 4.1.x and 5.x Sendmail.  This security vulnerability may allow
remote users to access system files using sendmail on SunOS 4.1.x and
SunOS 5.x (Solaris 2.x).  Successful exploitation of this vulnerability
could result in unauthorized access to system files. 

The /usr/lib/sendmail utility under SunOS 4.1.x and SunOS 5.x permits
unauthorized access to some system files by remote users.  This access may
allow compromise of the system.  Note that this vulnerability is being
actively exploited.  NASIRC strongly recommends that sites take immediate
corrective action. 

Sun Microsystems has released patched versions of the sendmail program for
all affected versions of SunOS: 

                                              BSD         SVR4
   System       Patch ID   Filename         Checksum    Checksum
   -----------  ---------  ---------------  ---------   ----------
   SunOS 4.1.x  100377-07  100377-07.tar.Z  36122 586   11735 1171
   SunOS 5.1    100840-03  100840-03.tar.Z  01153 194   39753  388 
   SunOS 5.2    101077-03  101077-03.tar.Z  49343 177   63311  353

The checksums shown above are from the BSD-based checksum (on SunOS 4.1.x,
/bin/sum; on SunOS 5.x, /usr/ucb/sum) and from the SVR4 version that Sun
has released on SunOS 5.x (/usr/bin/sum). 

Individuals with support contracts may obtain these patches from their
local Sun Answer Center or from SunSolve Online.  Security patches are
also available without a support contract via anonymous FTP from
ftp.uu.net (IP 192.48.96.9) in the directory /systems/sun/sun-dist. 

                         ------------------

2.  The security vulnerability in tar under SunOS 5.x pertains to archives
created with the tar utility containing extraneous user information.  This
could result in user and system information unintentionally disclosed. 

Archive files created with the /bin/tar utility under SunOS 5.x contain
extraneous user information from the /etc/passwd and /etc/group files.
Note that the extraneous data does not include user passwords; however,
system configuration and user information may be unintentionally disclosed
should the archive files be distributed. 

Sun Microsystems has released patched versions of the tar utility for all
affected versions of SunOS.  The patched tar utility produces archive
files in the same format as all other versions; but any extraneous data is
set to zero.  Restoring an existing archive file to disk, and then
creating a new file with the patched tar, will result in a clean archive
file with no extraneous data. 

                                            BSD        SVR4
   System     Patch ID   Filename         Checksum   Checksum
   ---------  ---------  ---------------  ---------  ---------
   SunOS 5.1  100975-02  100975-02.tar.Z  37034 374  13460 747
   SunOS 5.2  101301-01  101301-01.tar.Z  22089 390   4703 779

The checksums shown above are from the BSD-based checksum (on SunOS 4.1.x,
/bin/sum; on SunOS 5.x, /usr/ucb/sum) and from the SVR4 version that Sun
has released on SunOS 5.x (/usr/bin/sum).

Individuals with support contracts may obtain these patches from their
local Sun Answer Center or from SunSolve Online.  Security patches are
also available without a support contract via anonymous FTP from
ftp.uu.net (IP 192.48.96.9) in the directory /systems/sun/sun-dist.

                         ------------------

3.  The security vulnerability with Sun microphones pertains to the
potential use of these microphones for eavesdropping. 

Sun Microsystems has released information regarding the potential for
microphones attached to Sun workstations to be used to eavesdrop on
conversations near the computer.  Software solutions to reduce the risk
are described below.  Note, however, that NASIRC strongly recommends
microphones on systems in sensitive areas be either physically switched
off or disconnected from the system. 

The initial permissions for the audio data device, /dev/audio, allow any
user with an account on the system to listen with the microphone when it
is turned on.  Also, the permissions for the audio control device,
/dev/audioctl, allow anyone to vary playback and record settings such as
volume. 

Unauthorized use of the system's audio devices may be prevented by
changing the permissions and ownership of /dev/audio and /dev/audioctl. 

On SunOS 4.x systems, the /etc/fbtab file may be used to automatically
control access to the audio devices.  As root, add the following lines to
the end of the file: 

   /dev/console 0600 /dev/audio
   /dev/console 0600 /dev/audioctl

On SunOS 5.x (Solaris 2.x) systems, the file permissions must be manually
changed.  As root, execute the following commands, specifying the username
of the individual that should have access to the microphone:

   # chmod 600 /dev/audio*
   # chown <desired username> /dev/audio*

                         ------------------

NASIRC ACKNOWLEDGES: Sun Microsystems, CIAC, and CERT for their reporting,
   handling and coordination of the solution to this problem. 

   Security checklists, toolkits and guidance are available from the
   NASIRC online archives. Contact the NASIRC Helpdesk for more
   information and assistance with toolkits or security measures.

   ==================================================================
       For further assistance, please contact the NASIRC Helpdesk:
       Phone: 1-800-7-NASIRC                Fax: 1-301-306-1010
       Internet Email: nasirc@nasa.gov
       24 Hour/Emergency Pager: 1-800-759-7243/Pin:5460866
   ==================================================================
      This bulletin may be forwarded without restrictions to sites 
      and system administrators within the NASA community

                            -----------------

 PLEASE NOTE: Users outside of the NASA community may receive NASIRC
    bulletins.  If you are not part of the NASA community, please contact
    your agency's response team to report incidents.  Your agency's team
    will coordinate with NASIRC, who will ensure the proper internal 
    NASA team(s) are notified. NASIRC is a member of the Forum of Incident
    Response and Security Teams (FIRST), a world-wide organization which 
    provides for coordination between incident response teams in handling 
    computer-security-related issues. 

    A list of FIRST member organizations and their constituencies can be
    obtained by sending email to docserver@first.org with an empty subject
    line and a message body containing the line: send first-contacts.