COMMAND

    admintool

SYSTEMS AFFECTED

    Solaris 2.x

PROBLEM

    admintool  is  a   graphical  user  interface   that  enables   an
    administrator to perform several system administration tasks on  a
    system.  These tasks include the ability to manage users,  groups,
    hosts and other services.

    To   help   prevent   different   users   updating   system  files
    simultaneously,  admintool  uses  temporary  files  as  a  locking
    mechanism.   The  handling  of   these  temporary  files  is   not
    performed in  a secure  manner, and  hence it  may be  possible to
    manipulate admintool into creating  or writing to arbitrary  files
    on the system.   These files are  accessed with the  effective uid
    of the process executing admintool.

    In Solaris 2.5,  admintool is set-user-id  root by default.   That
    is, all  file accesses  are performed  with the  effective uid  of
    root.   An effect  of this  is that  the vulnerability  will allow
    access  to  any  file  on  the  system.   If  the vulnerability is
    exploited  to  try  and  create  a  file  that already exists, the
    contents of  that file  will be  deleted.   If the  file does  not
    exist,  it  will  be  created  with  root  ownership  and be world
    writable.

    In earlier versions of  Solaris 2.x, admintool is  not set-user-id
    root  by  default.   In  this  case,  admintool runs only with the
    privileges of  the user  executing it.   However, local  users may
    wait  for  a  specific  user  to execute admintool, exploiting the
    vulnerability to create or  write files with that  specific user's
    privileges.   Again, files  created in  this manner  will be world
    writable.

    A local user  may be able  to create or  write to arbitrary  files
    on the system.  This can be leveraged to gain root privileges.
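
    The lock-file handling described above, done safely, as  an  added
    example (not code from admintool or from this advisory).  It assumes
    a lock file at a fixed path in a shared directory;  the  advisory
    does not give admintool's actual lock path, so the paths and  the
    names acquire_lock and lock_scenario_is_safe are hypothetical.

```c
#define _XOPEN_SOURCE 700
#include <fcntl.h>
#include <stdio.h>
#include <stdlib.h>
#include <sys/stat.h>
#include <unistd.h>

/* Create a lock file at `path`; return an open fd, or -1 if it cannot be
 * created fresh. O_EXCL refuses any existing entry (a symlink included), so
 * nothing is followed or truncated; fchmod pins the mode to 0600. */
int acquire_lock(const char *path)
{
    struct stat st;
    int fd = open(path, O_WRONLY | O_CREAT | O_EXCL | O_NOFOLLOW, 0600);
    if (fd < 0)
        return -1;
    if (fstat(fd, &st) != 0 || !S_ISREG(st.st_mode) ||
        st.st_uid != geteuid() || fchmod(fd, 0600) != 0) {
        close(fd);
        return -1;
    }
    return fd;
}

/* Constructed scenario in a private scratch directory: a symlink sits at
 * the lock path and points at a 10-byte "victim" file. Returns 1 when the
 * lock is refused, the victim is untouched, and a lock created afterwards
 * has mode 0600; 0 otherwise; -1 if the scenario could not be set up. */
int lock_scenario_is_safe(void)
{
    char dir[] = "/tmp/lockdemoXXXXXX", victim[64], lock[64];
    struct stat st;
    if (!mkdtemp(dir)) return -1;
    snprintf(victim, sizeof victim, "%s/victim", dir);
    snprintf(lock, sizeof lock, "%s/app.lock", dir);
    FILE *f = fopen(victim, "w");
    if (!f || fputs("important\n", f) < 0 || fclose(f) != 0) return -1;
    if (symlink(victim, lock) != 0) return -1;
    int refused = acquire_lock(lock) < 0;
    int intact = stat(victim, &st) == 0 && st.st_size == 10;
    unlink(lock);                          /* removes the symlink itself */
    umask(0);                              /* worst-case caller umask */
    int fd = acquire_lock(lock);
    int mode_ok = fd >= 0 && fstat(fd, &st) == 0 && (st.st_mode & 0777) == 0600;
    if (fd >= 0) close(fd);
    unlink(lock); unlink(victim); rmdir(dir);
    return refused && intact && mode_ok;
}

int main(void) { printf("safe=%d\n", lock_scenario_is_safe()); return 0; }
```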

    On Solaris 2.6, on the other hand, according to Paul  B.  Henson,
    after installing Solaris 2.6 HW3/98, /usr/bin/admintool  has  been
    installed mode 0777, world writable.  Under the  original  release
    of 2.6, the mode was 04555.

SOLUTION

    Until  official  patches  are  available,  sites are encouraged to
    completely prevent execution of  admintool by any user  (including
    root).

        # chmod 400 /usr/bin/admintool
        # ls -l /usr/bin/admintool
        -r--------   1 root  sys  303516 Oct 27  1995 /usr/bin/admintool

    Note  that  if  only  the  setuid  permissions  are removed, it is
    still  possible  for  users  to  gain privileges when admintool is
    executed as root.   If you're running  2.6 HW3/98, you  might want
    to verify that your admintool hasn't been tampered with and fix the
    permissions.