[unisog] missed a Solaris T-patch and got burned by priocntl bug...
foster at dim.ucsd.edu
Mon Apr 7 20:45:27 GMT 2003
Managers at UCSD that I've spoken with have all complained that
Sun's alert email list and the "notify me when this page is updated"
function on SunSolve's Alert Bulletin page are both not working.
I can't remember when I last received a security bulletin from Sun; I've
been checking SunSolve's site regularly to try to stay current.
I've been told that management of SunSolve was given to a group
in India; that might explain the new "features"... :(
> I had 3 Solaris 7 systems up to date as far as "Security and Recommended"
> patches were concerned, but I missed a T-Patch, and seemingly
> missed a security advisory about it, and I got burned...
> "Solaris priocntl() System Call Lets Local Users Grab Root"
> identified Nov 2002, T-Patch released Mar 14
> requires local access, which was gained through use of a
> userid/password grabbed from a local unpatched Solaris machine,
> which was hacked a few weeks back.
> This rootkit was installed:
> /var/adm/messages extract:
> Mar 29 06:54:41 xxxx unix: NOTICE: Get Su: search pid=163
> Mar 29 06:54:41 xxxx unix: NOTICE: Get Su: search pid=13224
> Mar 29 06:54:41 xxxx unix: NOTICE: Get Su: search pid=13234
> Mar 29 06:54:41 xxxx unix: NOTICE: Get Su: search pid=14619
> Mar 29 06:54:41 xxxx unix: NOTICE: Get Su: 14619
> Mar 29 06:54:41 xxxx unix: NOTICE: Get Su: 0
> Mar 29 06:54:41 xxxx unix: NOTICE: Get Su: not found
> Attack came from
> and after each breakin, a short e-mail was sent to:
> betatester1 at virgilio.it
> I've reported the incident to CERT.
> Bruce Campbell
> Engineering Computing
> University of Waterloo
> (519)888-4567 ext 5889
> This mail sent through www.mywaterloo.ca
David Foster National Center for Microscopy and Imaging Research
Programmer/Analyst University of California, San Diego
dfoster[at]ucsd[dot]edu Department of Neuroscience, Mail 0608
(858) 534-7968 http://ncmir.ucsd.edu/
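The quoted /var/adm/messages extract is the one host-side indicator the report gives: a burst of kernel NOTICE lines reading "Get Su: ..." within a single second. The following is an added example, not code from either poster, that parses syslog lines of that shape, flags kernel ("unix:") NOTICEs matching the "Get Su" text, pulls out any pid, and groups hits by host and timestamp so a burst stands out. The sample log is constructed from the quoted lines plus two invented benign entries; the regexes and function names are this example's own.

```python
import re
from collections import Counter

# Solaris syslog line as in the quoted extract:
#   "Mar 29 06:54:41 xxxx unix: NOTICE: Get Su: search pid=163"
# Fields: month day time host source: message
SYSLOG_RE = re.compile(
    r"^(?P<month>[A-Z][a-z]{2}) +(?P<day>\d{1,2}) (?P<time>\d{2}:\d{2}:\d{2}) "
    r"(?P<host>\S+) (?P<source>[^:]+): (?P<msg>.*)$"
)

# Kernel NOTICE text the report attributes to the installed rootkit.
SUSPICIOUS_NOTICE = re.compile(r"^NOTICE: Get Su: (?P<detail>.*)$")
PID_RE = re.compile(r"pid=(\d+)")

# Constructed sample: the seven quoted lines plus two benign entries (invented).
SAMPLE_LOG = [
    "Mar 29 03:10:00 xxxx unix: WARNING: /tmp: File system full, swap space limit exceeded",
    "Mar 29 06:50:12 xxxx sendmail[212]: daemon started",
    "Mar 29 06:54:41 xxxx unix: NOTICE: Get Su: search pid=163",
    "Mar 29 06:54:41 xxxx unix: NOTICE: Get Su: search pid=13224",
    "Mar 29 06:54:41 xxxx unix: NOTICE: Get Su: search pid=13234",
    "Mar 29 06:54:41 xxxx unix: NOTICE: Get Su: search pid=14619",
    "Mar 29 06:54:41 xxxx unix: NOTICE: Get Su: 14619",
    "Mar 29 06:54:41 xxxx unix: NOTICE: Get Su: 0",
    "Mar 29 06:54:41 xxxx unix: NOTICE: Get Su: not found",
]


def parse_line(line):
    """Split one syslog line into its fields; return None for lines that do not match."""
    m = SYSLOG_RE.match(line.rstrip("\n"))
    return m.groupdict() if m else None


def scan_messages(lines):
    """Return one finding per kernel NOTICE that matches the 'Get Su' pattern.

    Only messages whose source is the kernel ("unix") are considered, so a
    userland program logging the same words would not trigger a hit.
    """
    findings = []
    for lineno, line in enumerate(lines, 1):
        rec = parse_line(line)
        if rec is None or rec["source"] != "unix":
            continue
        n = SUSPICIOUS_NOTICE.match(rec["msg"])
        if not n:
            continue
        detail = n.group("detail")
        pid_m = PID_RE.search(detail)
        findings.append({
            "line": lineno,
            "host": rec["host"],
            "timestamp": f'{rec["month"]} {rec["day"]} {rec["time"]}',
            "detail": detail,
            "pid": int(pid_m.group(1)) if pid_m else None,
        })
    return findings


def summarize(findings):
    """Count hits per (host, timestamp): several in one second is the burst seen in the report."""
    return dict(Counter((f["host"], f["timestamp"]) for f in findings))


if __name__ == "__main__":
    hits = scan_messages(SAMPLE_LOG)
    for h in hits:
        print(f'line {h["line"]}: {h["host"]} {h["timestamp"]} pid={h["pid"]} ({h["detail"]})')
    for (host, ts), count in summarize(hits).items():
        print(f"{host} {ts}: {count} suspicious kernel NOTICEs")
```

Run against a real /var/adm/messages with `scan_messages(open(path))`; the per-second grouping is what separates this pattern from an isolated kernel NOTICE.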