SUN MICROSYSTEMS SECURITY BULLETIN: #00116, 26 May 92

This information is only to be used for the purpose of alerting
customers to problems. Any other use or re-broadcast of this
information without the express written consent of Sun Microsystems
shall be prohibited.

Sun expressly disclaims all liability for any misuse of this information
by any third party.
---------------------------------------------------------------------------

All patches listed are available through your local Sun answer centers
worldwide as well as through anonymous ftp: in the US, ftp to ftp.uu.net
and obtain the patch from the /systems/sun/sun-dist directory; in Europe,
ftp to mcsun.eu.net and obtain the patch from the ~ftp/sun/fixes directory.
Note that Sun does not have direct access to mcsun.eu.net and must request
that patches be copied from ftp.uu.net to mcsun.eu.net. Therefore, there
may be a time lag before patches appear on mcsun.eu.net.

Please refer to the BugId and PatchId when requesting patches from Sun
answer centers.
----------------------------------------------------------------------------

                        BULLETIN TOPICS

I.   New Patches

     A. 100482-02, SunOS 4.1.x: ypserv and ypxfrd will send maps to anyone
     B. 100630-01, SunOS 4.1.x: "LD_" environment variables can be used to
        exploit login/su, International version

II.  Upgraded Patches

     A. 100377-04, SunOS 4.1.x: "LD_" environment variables can be used to
        exploit sendmail

III. Program wrapper suggested if patches 100630-01, 100631-01, 100377-04
     are not immediately available.

==============================================================================

                        NEW PATCH INFORMATION

Sun Patch ID:   100482-02
Sun Bug IDs:    1036869, 1039839, 1082319, 1082320, 1080353
SunOS release:  4.1, 4.1.1, 4.1.2
Synopsis:       This patch fixes several problems with NIS:

  1. Bug 1036869 - ypserv will send maps to anyone who can guess the
     domainname
  2. Bug 1039839 - DNS used in conjunction with NIS may generate
     inaccurate syslog messages to the console.
  3. Bug 1082319 - ypserv will send maps to anyone via the portmapper
  4. Bug 1082320 - ypxfrd will send maps to anyone. Ypxfrd does not
     check whether the person transferring the map is root on his/her
     machine, when the map is ``secure''. As a consequence, any user
     can get the password map if the NIS master is running ypxfrd.
  5. Bug 1080353 - whenever a primary name server downloads an 'A'
     record to a secondary system and this 'A' record contains more
     than 36 IP addresses, ypserv on the secondary system will core
     dump.

Please note that the /var/yp/securenets configuration file that is
provided in this patch does not support blank lines.

Checksum of compressed tarfile 100482-02.tar.Z on ftp.uu.net = 53416 284

Sun Microsystems would like to acknowledge the following people for the
permission to use their source modifications in the above patch:

    Alain Brossard, Ecole Polytechnique Federale de Lausanne, Suisse
    Richard Watterson and Daniel Trinkle, Purdue University, IN
    Peter Lamb, Swiss Federal Institute of Technology

In addition, the following people provided valuable assistance:

    Casper H.S. Dik, University of Amsterdam, The Netherlands
    Dan Kegel, Jet Propulsion Laboratory, NASA


Sun Patch ID:   100630-01
Sun Bug IDs:    1085851
SunOS release:  4.1, 4.1.1, 4.1.2
Synopsis:       "LD_" environment variables can be used to exploit login/su

Problem Description: a dynamically-linked program that is invoked by a
setuid/setgid program has access to the caller's environment variables
if the setuid/setgid program sets the real and effective UIDs to be equal
and the real and effective GIDs to be equal before the dynamically-linked
program is executed. A vulnerability exists if the UIDs and GIDs are not
equal to those of the user that invoked the setuid/setgid program.

Note that this patch contains the international version of /bin/login
that users who are not using the US Encryption Kit need to install.
Patch 100631-01 contains the domestic version of /bin/login.
/usr/bin/su and /usr/5bin/su from this international patch are suitable
for sites that use the US Encryption Kit.

Export regulations prohibit putting 100631-01 on anonymous ftp sites.
Please contact your Answer Center for 100631-01.

Please refer to the section below entitled "PROGRAM WRAPPER" for
additional information.

Checksum of compressed tarfile 100630-01.tar.Z on ftp.uu.net = 36269 39

==============================================================================

                        UPGRADED PATCH INFORMATION

Sun Patch ID:   100377-04
Sun Bug IDs:    1030087, 1036159, 1041284, 1056203, 1068637, 1085853
SunOS release:  4.1, 4.1.1, 4.1.2
Synopsis:       This patch combines 6 fixes and obsoletes Patch 100099-01:

  1. Bug 1030087 - sendmail yp aliasing does not work with non-Sun YP
     masters
  2. Bug 1036159 - a user can exploit sendmail to run programs with
     root's group privileges
  3. Bug 1041284 - sendmail -t fails when /var/spool/mail is nfs mounted
     from mailhost
  4. Bug 1056203 - a system that runs sendmail.mx will connect back to
     itself when it connects to a site that has MX records
  5. Bug 1068637 - sendmail ignores the .forward file of users with uid
     values greater than 32767
  6. Bug 1085853 - security can be subverted by the use of "LD_"
     environment variables.

Problem Description: Bug 1085853 for sendmail is the same problem
discussed above for bug 1085851, Patch 100630-01 for login/su. Please
refer to the description for Patch 100630-01 for more information.

Checksum of compressed tarfile 100377-04.tar.Z on ftp.uu.net = 14692 311

==============================================================================

                        PROGRAM WRAPPER

Sun has been informed by several computer emergency response teams that
the vulnerabilities stated in BugIds 1085851 and 1085853 are known and
currently being exploited by computer crackers. If your site is concerned
about the security of your SunOS systems, it is important that you
install the applicable patches for BugIds 1085851 and 1085853 as soon as
possible.

The only applications that are known to have this problem in SunOS 4.1.x
are login, su, and sendmail. However, custom or third party setuid/setgid
applications may also be vulnerable. Please check with your software
supplier, a response team, or with me if you have doubts.

If you do not have ready access to the patches for these bugs, Sun
recommends that you wrap your login, su, and sendmail executables with
the following C program, provided by Wietse Venema, Eindhoven University
of Technology, The Netherlands:

/*----------------------------------------------------------------*/
/*
 * Remove "LD_" variables from user environment before calling an executable
 *
 * This code is specific to /bin/login, but can be easily modified
 * to wrap other programs by modifying "COMMAND".
 */

#define COMMAND "/bin/login+"

main(argc,argv)
int argc;
char **argv;
{
    fixenv();
    execv(COMMAND,argv);
    perror(COMMAND);
    exit(1);
}

fixenv()
{
    extern char **environ;
    char **cpp;
    char **xpp;
    char *cp;

    for (cpp = environ; cp = *cpp; cpp++) {
        /* "while", not "if": re-test the entry that slides into this slot */
        while (*cp++ == 'L' && *cp++ == 'D' && *cp == '_') {
            /* delete *cpp by shifting the rest of the list down one */
            for (xpp = cpp; xpp[0] = xpp[1]; xpp++)
                /* void */ ;
            if ((cp = *cpp) == 0)
                return;
        }
    }
}
/*----------------------------------------------------------------*/

The example code above is specific to /bin/login.

Install as root:

Move the old /bin/login to /bin/login+ and modify permissions:

    mv /bin/login /bin/login+
    chmod 0750 /bin/login+

Put the code above in a C program file and compile. For this example
assume the file is /tmp/login.c:

    cd /tmp
    make login

Move the wrapper program into /bin/login and modify permissions and
ownership:

    mv /tmp/login /bin/login
    chown root.staff /bin/login
    chmod 4711 /bin/login

The C code above can be easily modified for use with /usr/lib/sendmail,
/usr/bin/su, and /usr/5bin/su. Change the value of "COMMAND" to the new,
full path name of the command that you want to wrap after you have moved
it.
For example, if you moved /usr/lib/sendmail to /usr/lib/sendmail+ (using
the command "mv /usr/lib/sendmail /usr/lib/sendmail+"), change the macro
definition of "COMMAND" in the C program to:

    #define COMMAND "/usr/lib/sendmail+"

Then perform the analogous steps above to compile and install your
sendmail wrapper.

Note that "COMMAND" should always be an absolute pathname for security
purposes. The code should not be modified to accept "COMMAND" as an
argument using argv[].

Sun patches for these bugs are being tested for Sun SHIELD ARM. Please
contact your Answer Center or me for availability. It is highly
recommended that the wrapper program be installed around your applicable
ARM versions of the affected programs.

Sun Microsystems would like to acknowledge Wietse Venema and the CERT,
CIAC, and PCERT computer security emergency response teams for their
valuable assistance in dealing with this vulnerability.

===========================================================================

Sun Microsystems recommends that all customers concerned with the
security of their SunOS systems obtain and load the patches that are
applicable to their system(s).

Kenneth L. Pon
Software Security Coordinator
Sun Microsystems, Inc.
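
Added example, not part of the original bulletin or Wietse Venema's code: the wrapper's fixenv() re-tests a slot after deleting an entry from it, and the C below shows why by running a scrubber that always advances next to one that advances only past kept entries. The function names and the sample environment are constructed for illustration.

```c
#include <stdio.h>
#include <string.h>
static int is_ld(const char *s) { return strncmp(s, "LD_", 3) == 0; }

/* Delete env[i]: shift the tail, NULL terminator included, down one slot. */
static void drop(char **env, int i)
{
    for (; (env[i] = env[i + 1]) != NULL; i++)
        ;
}

/* Flawed: always advances, so an entry that slides into slot i is skipped. */
void strip_naive(char **env)
{
    int i;
    for (i = 0; env[i] != NULL; i++)
        if (is_ld(env[i]))
            drop(env, i);
}

/* Correct: re-test slot i after a deletion; advance only past kept entries. */
void strip_ld(char **env)
{
    int i = 0;
    while (env[i] != NULL) {
        if (is_ld(env[i]))
            drop(env, i);
        else
            i++;
    }
}

/* Scrub a constructed environment; count surviving LD_ entries (or all). */
int survivors(void (*strip)(char **), int only_ld)
{
    char *env[] = { "PATH=/usr/bin", "LD_LIBRARY_PATH=/constructed/a", "LD_SECOND=x",
                    "TERM=vt100", "LD_THIRD=x", NULL };
    int i, n = 0;
    strip(env);
    for (i = 0; env[i] != NULL; i++)
        n += (!only_ld || is_ld(env[i]));
    return n;
}

int main(void)
{
    printf("naive=%d fixed=%d\n", survivors(strip_naive, 1), survivors(strip_ld, 1));
    return 0;
}
```

With two adjacent "LD_" entries the always-advancing loop leaves the second one in place, which is the case a setuid wrapper cannot afford to miss.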