SunView selection_svc vulnerablity

Paul Holbrook ph at cert.sei.cmu.edu
Wed Aug 15 07:04:34 AEST 1990 

CA-90:05                       CERT Advisory
                              August 14, 1990
                    SunView selection_svc vulnerability 
-----------------------------------------------------------------------------

Sun has recently released a patch for a security hole in SunView.  This
problem affects SunView running on all versions of SunOS (3.5 and before,
4.0, 4.0.1, 4.0.3, and 4.1) and all platforms (Sun3, Sun4, 386i).  This
vulnerability allows any remote system to read selected files from the
workstation running SunView.  As noted below in the IMPACT section, the
files that can be read are limited.

This vulnerability is in the SunView (aka SunTools) selection_svc facility
and can be exploited while SunView is in use; however, as noted below in
the IMPACT section, this bug may be exploitable after the user quits using
Sunview.  This problem cannot be exploited while X11 is in use (unless the
user runs X11 after running Sunview; see the IMPACT section).  This
problem is specific to Sun's SunView software; to our knowledge, this
problem does NOT affect other vendor platforms or software.

OBTAINING THE PATCH

To obtain the patch, please call your local Sun Answer Center (in the USA,
it's 1-800-USA-4SUN), and ask for patch number 100085-01.  You can also
reference Sun Bug ID 1039576.

The patch is available for SunOS 4.0.1, 4.0.3 and SunOS 4.1, on Sun3,
Sun4, and 386i architectures.  Contact Sun for further details.

IMPACT

On Sun3 and Sun4 systems, a remote system can read any file that is
readable to the user running SunView.  On the 386i, a remote system can
read any file on the workstation running SunView regardless of
protections.  Note that if root runs Sunview, all files are potentially
accessible by a remote system.

If the password file with the encrypted passwords is world readable, an
intruder can take the password file and attempt to guess passwords.  In
the CERT/CC's experience, most systems have at least one password that can
be guessed.

Sunview does not kill the selection_svc process when the user quits from
Sunview.  Thus, unless the process is killed, remote systems can still
read files that were readable to the last user that ran Sunview.  Under
these circumstances, once a user has run Sunview, start using another
window system (such as X11), or even logoff, but still have files
accessible to remote systems.  However, even though selection_svc is not
killed when Sunview exits, the patch still solves the security problem and
prevents remote access.

CONTACT INFORMATION

For further questions, please contact your Sun answer center or send mail
to security-features at sun.com.

Thanks to Peter Shipley for discovering, documenting, and helping resolve
this problem.
-----------------------------------------------------------------------------

J. Paul Holbrook
Computer Emergency Response Team/Coordination Center (CERT/CC)
Software Engineering Institute
Carnegie Mellon University
Pittsburgh, PA 15213-3890

Internet: cert at cert.sei.cmu.edu
Telephone: 412-268-7090 24-hour hotline: CERT personnel answer
           7:30a.m.-6:00p.m. EST, on call for
           emergencies other hours.

Past advisories and other information are available for anonymous ftp
from cert.sei.cmu.edu (128.237.253.5).

More information about the Comp.sys.sun mailing list