COMMAND

    mkcookie

SYSTEMS AFFECTED

    Solaris 2.5 x86, 2.5.1 x86, 2.6 x86, 2.7 x86 (2.3, 2.4???)

PROBLEM

    The following is based on an RSI advisory. The bug was found by
    Nick Dubee. The mkcookie program is a Solaris utility used to
    generate fresh 'Magic Cookies' each time the X server is run. This
    program is installed SUID root as /usr/openwin/lib/mkcookie. A
    programming fault has been discovered in the way mkcookie copies
    the contents of the $HOME environment variable into a buffer that
    has a predefined limit, with no bounds checking. Local users on the
    system can set their $HOME environment variable to machine code
    that will execute commands as root when mkcookie is run. This
    particular problem is not exploitable on the Sparc architecture due
    to the way the register values are saved.
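
    The unchecked copy described above, next to a bounded version, as
    an added C example. It is not mkcookie's source and not part of the
    RSI advisory; the function names and the 256-byte buffer size are
    assumptions made for illustration.

```c
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

#define PATH_BUF 256  /* assumed size; the advisory does not give the real limit */

/* Pattern the advisory describes: $HOME copied with no length check.
 * Any value longer than the destination overruns it. Shown for contrast
 * only; it is never called in this example. */
void copy_home_unchecked(char *dst, const char *home)
{
    strcpy(dst, home);        /* the size of dst is never consulted */
}

/* Bounded form: validate first, fail closed, never truncate silently.
 * Returns 0 on success, -1 if HOME is unset or does not fit in dst. */
int copy_home_checked(char *dst, size_t dstlen, const char *home)
{
    size_t n;

    if (dst == NULL || dstlen == 0)
        return -1;
    dst[0] = '\0';            /* leave dst empty on every failure path */
    if (home == NULL)
        return -1;
    n = strlen(home);
    if (n >= dstlen)          /* need room for the terminating NUL */
        return -1;
    memcpy(dst, home, n + 1);
    return 0;
}

int main(void)
{
    char buf[PATH_BUF];
    /* In a SUID program the environment is supplied by the caller. */
    const char *home = getenv("HOME");

    if (copy_home_checked(buf, sizeof buf, home) != 0) {
        fprintf(stderr, "refusing HOME: unset or >= %d bytes\n", PATH_BUF);
        return 1;
    }
    printf("HOME accepted: %s\n", buf);
    return 0;
}
```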

SOLUTION

    Solaris versions 2.3 x86 and 2.4 x86 were NOT tested; however, they
    could be subject to the same vulnerability. Sun is working on
    patches which relate to this mkcookie vulnerability. In the
    meantime, take the SUID bit off mkcookie until a patch is released
    for the version of Solaris you are using:

        chmod 711 /usr/openwin/lib/mkcookie