a serious SunOS security problem (one more for the road)

Jyrki Kuoppala jkp at sauna.hut.fi
Tue Jun 13 06:06:40 AEST 1989


I reported this problem to hotline at sun.com on May 21, but as they haven't
responded I'm reporting this to Sun-Spots.  If somebody knows a better
address at Sun to report security bugs, please let me know.

There's a security problem associated with the 'rwall' command (actually
the /usr/etc/rpc.rwalld program) in SunOS (at least up till 4.0.1, later
ones I haven't seen).

By the combination of the following facts anyone in the same tcp/ip
network (meaning the whole Internet on most University computer
installations) can easily get root access on a Sun which is configured
like the distribution version:

- rpc.rwalld is run as root
- rwalld doesn't check if the terminal the user is on actually is a terminal
- /etc/utmp is world-writable
- tftp is enabled by default

If tftp is disabled or configured to do chroot, it isn't as easy to get to
the machine from outside.  This doesn't cure the real problem, though.
All of the above four things should be fixed to make the system
acceptable.

Repeat-by: [i took this section out - vrd]

On some systems (at least 386i SunOS 4.0.1) the method doesn't seem to
work if the file /.rhosts doesn't exist.  However, you can still write to
any existing file, so the existence of /.rhosts is not relevant; it's
possible to figure out some other file to write to.

Fix:

- run rwalld as the user nobody (edit /etc/inetd.conf) or disable it
if you don't think you need it.
- write protect /etc/utmp

At least one of these needs to be done.

//Jyrki

Jyrki Kuoppala    Helsinki University of Technology, Finland.
Internet :        jkp at cs.hut.fi           [128.214.3.119]
BITNET :          jkp at fingate.bitnet      Gravity is a myth, the Earth sucks!
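
The check the post says rwalld lacks (confirming that the thing a utmp entry names really is a terminal before writing to it), sketched as an added example in modern POSIX C. This is not SunOS source or code from the post; the function names `fd_is_terminal` and `open_utmp_line` are hypothetical, and the caller is assumed to pass a NUL-terminated copy of the utmp line field.

```c
/* Added example: hypothetical helpers, not taken from rpc.rwalld. */
#include <fcntl.h>
#include <stdio.h>
#include <string.h>
#include <sys/stat.h>
#include <unistd.h>

#ifndef O_NOFOLLOW
#define O_NOFOLLOW 0            /* absent on very old systems */
#endif

/* Return 1 only if fd is a character device that is also a terminal. */
int fd_is_terminal(int fd)
{
    struct stat st;

    if (fstat(fd, &st) != 0)
        return 0;
    return S_ISCHR(st.st_mode) && isatty(fd);
}

/* Open the terminal named by a utmp line field for writing.
 * With a world-writable utmp the name is untrusted input, so it must
 * stay under /dev and the opened object must be a real terminal.
 * Returns a file descriptor, or -1 if the entry must be skipped. */
int open_utmp_line(const char *line)
{
    char path[64];
    int fd, n;

    if (line == NULL || line[0] == '\0' || line[0] == '/' ||
        strstr(line, "..") != NULL)
        return -1;              /* name may not leave /dev */
    n = snprintf(path, sizeof path, "/dev/%s", line);
    if (n < 0 || (size_t)n >= sizeof path)
        return -1;
    fd = open(path, O_WRONLY | O_NOCTTY | O_NONBLOCK | O_NOFOLLOW);
    if (fd < 0)
        return -1;
    if (!fd_is_terminal(fd)) {  /* test the opened object, not the name */
        close(fd);
        return -1;
    }
    return fd;
}
```

Checking the descriptor after `open()` rather than calling `stat()` on the path first avoids a window in which the path could be swapped between the check and the write.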


