===================================================================== CERT-Renater Note d'Information No. 2006/VULN114 _____________________________________________________________________ DATE : 29/03/2006 HARDWARE PLATFORM(S) : / OPERATING SYSTEM(S) : Solaris 8, Solaris 9. ====================================================================== Sun(sm) Alert Notification * Sun Alert ID: 102215 * Synopsis: Security Vulnerability With The "/usr/ucb/ps" Command * Category: Security * Product: Solaris 9 Operating System, Solaris 8 Operating System * BugIDs: 4798073 * Avoidance: Patch, Workaround * State: Resolved * Date Released: 27-Mar-2006 * Date Closed: 27-Mar-2006 * Date Modified: 1. Impact A security vulnerability in the "/usr/ucb/ps" (see ps(1B)) command may allow unprivileged local users the ability to see environment variables and their values for processes which belong to other users. 2. Contributing Factors This issue can occur in the following releases: SPARC Platform * Solaris 8 without patch 109023-05 * Solaris 9 without patch 120240-01 x86 Platform * Solaris 8 without patch 109024-05 * Solaris 9 without patch 120239-01 Note 1: Solaris 10 is not affected by this issue. Note 2: The ps(1m) command is used for reporting process status. The full path for this command is "/usr/bin/ps". In addition, there is "/usr/ucb/ps" which is documented in the ps(1b) manual page. Only the "/usr/ucb/ps" command is affected by the vulnerability described in this Sun Alert. In general users will use the "/usr/bin/ps" version as most will not have the directory "/usr/ucb" in their command search path (see the appropriate PATH section of relevant shell manual pages). 3. Symptoms As an unprivileged user, running the "/usr/ucb/ps axe" command shows all processes, and with the "e" flags, it also includes their environment. $ /usr/ucb/ps axe PID TT S TIME COMMAND ... 53 ? S 0:00 /usr/lib/devfsadm/devfseventd LD_LIBRARY_PATH= PATH=/sb in: /usr/sbin:/usr/bin TZ=GB-Eire _INIT_PREV_LEVEL=0 ... In the example above we can see a root owned daemon, along with its environment variables and their values. 4. Relief/Workaround To work around the described issue, remove the set-id bit from "/usr/ucb/ps". 5. Resolution This issue is addressed in the following releases: SPARC Platform * Solaris 8 with patch 109023-05 or later * Solaris 9 with patch 120240-01 or later x86 Platform * Solaris 8 with patch 109024-05 or later * Solaris 9 with patch 120239-01 or later This Sun Alert notification is being provided to you on an "AS IS" basis. This Sun Alert notification may contain information provided by third parties. The issues described in this Sun Alert notification may or may not impact your system(s). Sun makes no representations, warranties, or guarantees as to the information contained herein. ANY AND ALL WARRANTIES, EXPRESS OR IMPLIED, INCLUDING WITHOUT LIMITATION WARRANTIES OF MERCHANTABILITY, FITNESS FOR A PARTICULAR PURPOSE, OR NON-INFRINGEMENT, ARE HEREBY DISCLAIMED. BY ACCESSING THIS DOCUMENT YOU ACKNOWLEDGE THAT SUN SHALL IN NO EVENT BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, PUNITIVE, OR CONSEQUENTIAL DAMAGES THAT ARISE OUT OF YOUR USE OR FAILURE TO USE THE INFORMATION CONTAINED HEREIN. This Sun Alert notification contains Sun proprietary and confidential information. It is being provided to you pursuant to the provisions of your agreement to purchase services from Sun, or, if you do not have such an agreement, the Sun.com Terms of Use. This Sun Alert notification may only be used for the purposes contemplated by these agreements. Copyright 2000-2006 Sun Microsystems, Inc., 4150 Network Circle, Santa Clara, CA 95054 U.S.A. All rights reserved ====================================================================== ========================================================= Les serveurs de référence du CERT-Renater http://www.urec.fr/securite http://www.cru.fr/securite http://www.renater.fr ========================================================= + CERT-RENATER | tel : 01-53-94-20-44 + + 151 bd de l'Hopital | fax : 01-53-94-20-41 + + 75013 Paris | email: certsvp@renater.fr + =========================================================