COMMAND

    loadmodule

SYSTEMS AFFECTED

    SunOS 4.1.x and OpenWindows on all sun4 and Solbourne Computer,
    Inc. architectures. The problem does not exist in Solaris 2.x,
    Solaris x86, and sun3 architectures. (OpenWindows was not
    released for the sun3 architecture).

PROBLEM

    There exists a vulnerability in /usr/etc/modload and
    $OPENWIN/bin/loadmodule. These programs can be exploited to
    execute a user's program using the effective UID of root. In
    SunOS, the LD_* variables are ignored if the program is setuid.
    The problem occurs when a setuid program calls a non-setuid
    program, and passes the LD_* variables down. The non-setuid
    program then interprets the LD_* variables, and faithfully loads
    your trojan shared library or module. This is the case with the
    'login', 'su' and 'sendmail' LD_* bugs.
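
    The defensive counterpart of the problem described above, as an
    added example (not Sun's patch and not code from this advisory):
    a setuid wrapper strips every LD_* entry from its environment
    before exec'ing a non-setuid helper. The function names and the
    sample environment are constructed for illustration.

```c
#include <stdio.h>
#include <string.h>

/* Remove every "LD_*" entry from a NULL-terminated environment vector,
 * compacting it in place. Returns the number of entries removed. */
int scrub_ld_env(char **envp)
{
    char **src, **dst;
    int removed = 0;

    for (src = dst = envp; *src != NULL; src++) {
        if (strncmp(*src, "LD_", 3) == 0)
            removed++;          /* drop: dynamic-linker control variable */
        else
            *dst++ = *src;      /* keep everything else, in order */
    }
    *dst = NULL;                /* re-terminate the shortened vector */
    return removed;
}

/* Look up NAME in an environment vector; returns its value or NULL. */
const char *env_lookup(char **envp, const char *name)
{
    size_t n = strlen(name);

    for (; *envp != NULL; envp++)
        if (strncmp(*envp, name, n) == 0 && (*envp)[n] == '=')
            return *envp + n + 1;
    return NULL;
}

int main(void)
{
    /* Constructed sample: what a setuid wrapper might inherit. */
    char *env[] = {
        "PATH=/usr/bin:/bin",
        "LD_LIBRARY_PATH=/tmp/untrusted",
        "HOME=/home/user",
        "LD_PRELOAD=/tmp/untrusted/lib.so",
        NULL
    };
    int n = scrub_ld_env(env);

    printf("removed %d LD_* entries\n", n);
    /* A real wrapper would now call execve(helper, argv, env), so the
     * non-setuid helper never sees caller-supplied LD_* values. */
    return 0;
}
```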

SOLUTION

    Apply the appropriate Sun patch. For loadmodule the patch is
    100448-02, and for modload it is 101200-02. Solbourne systems do
    not support the "loadmodule" functionality. This vulnerability
    can be fixed on Solbourne systems by removing the setuid bit. The
    modload program does not need to be replaced or changed.