______________________________________________________________________________ Sun Microsystems, Inc. Security Bulletin Bulletin Number: #00140 Date: 14 May 1997 Cross-Ref: AUSCERT AA-97.06 Title: Vulnerability in ffbconfig ______________________________________________________________________________ Permission is granted for the redistribution of this Bulletin, so long as the Bulletin is not edited and is attributed to Sun Microsystems. Portions may also be excerpted for re-use in other security advisories so long as proper attribution is included. Any other use of this information without the express written consent of Sun Microsystems is prohibited. Sun Microsystems expressly disclaims all liability for any misuse of this information by any third party. ______________________________________________________________________________ 1. Bulletins Topics Sun announces the release of patches for Solaris 2.5.1 (SunOS 5.5.1) and Solaris 2.5 (SunOS 5.5) that relate to vulnerabilities in the ffbconfig program, which can result in root access if exploited. Sun strongly recommends that you install these patches immediately on every affected system. Exploitation information for ffbconfig is publicly available. 2. Who is Affected Vulnerable: SunOS versions 5.5.1 and 5.5 SPARC running the Creator FFB Graphics Accelerator. See section 4. Understanding the Vulnerability, for a way to test if a system is affected. Not vulnerable: All other supported versions of SunOS This vulnerability does not exist in the upcoming release of Solaris 2.6. 3. What to Do Install the patches listed in 5. 4. Understanding the Vulnerability The ffbconfig program configures the Creator Fast Frame Buffer (FFB) Graphics Accelerator, which is part of the FFB Configuration Software Package, SUNWffbcf. This software is used when the FFB Graphics accelerator card is installed. Due to insufficient bounds checking on arguments, it is possible to overwrite the internal stack space of the ffbconfig program. If exploited, this vulnerability can be used to gain root access on attacked systems. To test if a system is vulnerable, run the following command to check for the presence of SUNWffbcf package which is installed when the FFB Graphics accelerator card is present: /usr/bin/pkginfo -l SUNWffbcf If it is not present, you will get an error message stating that SUNWffbcf was not found. If it is present, ffbconfig is installed in /usr/sbin. 5. List of Patches The vulnerability relating to ffbconfig is fixed by the following patches: OS version Patch ID ---------- -------- SunOS 5.5.1 103796-09 SunOS 5.5 103076-09 The above-mentioned patches are listed in the Graphics section under Unbundled Products at ftp://sunsolve1.sun.com/pub/patches/patches.html. 6. Checksum Table The checksum table below shows the BSD checksums (SunOS 5.x: /usr/ucb/sum), SVR4 checksums (SunOS 5.x: /usr/bin/sum), and the MD5 digital signatures for the above-mentioned patches that are available from: ftp://sunsolve1.sun.com/pub/patches/patches.html These checksums may not apply if you obtain patches from your answer centers. File Name BSD SVR4 MD5 --------------- --------- --------- -------------------------------- 103796-09.tar.Z 37854 2479 55959 4957 4994176B4C03215BD2707B87921C5096 103076-09.tar.Z 33438 2435 42064 4869 0A8AA3C106C4F09448220C1B0B714CD1 ______________________________________________________________________________ Sun acknowledges with thanks CERT/CC and AUSCERT for their assistance in the preparation of this bulletin. Sun, CERT/CC, and AUSCERT are members of FIRST, the Forum of Incident Response and Security Teams. For more information about FIRST, visit the FIRST web site at "http://www.first.org/". ______________________________________________________________________________ APPENDICES A. Patches listed in this security bulletin are available to all Sun customers via World Wide Web at: ftp://sunsolve1.sun.com/pub/patches/patches.html Customers with Sun support contracts can also obtain patches from local Sun answer centers and SunSITEs worldwide. B. To report or inquire about a security problem with Sun software, contact one or more of the following: - Your local Sun answer centers - Your representative computer security response team, such as CERT - Sun Security Coordination Team. Send email to: security-alert@sun.com C. To receive information or subscribe to our CWS (Customer Warning System) mailing list, send email to: security-alert@sun.com with a subject line (not body) containing one of the following commands: Command Information Returned/Action Taken ------- --------------------------------- HELP An explanation of how to get information LIST A list of current security topics QUERY [topic] The mail containing the question is relayed to the Security Coordination Team for response. REPORT [topic] The mail containing the text is treated as a security report and forwarded to the Security Coordination Team. We do not recommend that detailed problem descriptions be sent in plain text. SEND topic A short status summary or bulletin. For example, to retrieve a Security Bulletin #00138, supply the following in the subject line (not body): SEND #138 SUBSCRIBE Sender is added to our mailing list. To subscribe, supply the following in the subject line (not body): SUBSCRIBE cws your-email-address Note that your-email-address should be substituted by your email address. UNSUBSCRIBE Sender is removed from our mailing list. ______________________________________________________________________________ ------------- End Forwarded Message -------------