Sun Security Blog
Product: Solaris 9 Operating System, Solaris 10 Operating System, Sun Enterprise Authentication Mechanism Software, Solaris 7 Operating System, Solaris 8 Operating System

An unprivileged (either authenticated or unauthenticated) remote user may be able to execute arbitrary code with elevated privileges on Kerberos systems due to a double-free error in the krb5_recvauth() library routine. The privileges attained would depend on the affected program that utilizes the krb5_recvauth() routine; some affected applications such as kpropd() run with root privileges on slave Key Distribution Center (KDC) hosts, which means it is potentially possible to compromise an entire Kerberos realm.

This issue is described in MIT krb5 Security Advisory 2005-003, available at http://web.mit.edu/kerberos/advisories/MITKRB5-SA-2005-003-recvauth.txt

This issue is also referenced in the following documents:
CAN-2005-1689 at http://cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2005-1689
CERT VU#623332 at http://www.kb.cert.org/vuls/id/623332

Avoidance: Patch
State: Resolved
First released: 12-Jul-2005
Product: Solaris 10 Operating System

A security vulnerability in the "/lib/svc/method/net-svc" script may allow a remote privileged user to execute arbitrary code with "root" privileges on a "DHCP" client system if the remote user has access to a system within the network or subnet which is used by the host for "DHCP" requests.

Avoidance: Patch, Workaround
State: Resolved
First released: 23-Aug-2005
12 Aug 2005
Sun Alert 101444 Security Vulnerability in the Apache Web Server "mod_alias" and "mod_rewrite" Modules
Product: Solaris 9 Operating System, Solaris 8 Operating System

A local or remote unprivileged user may be able to execute arbitrary code with the privileges of the Apache HTTP process on Solaris 8 and Solaris 9 systems when running the bundled version of Apache. This is due to a buffer overflow in the Apache modules "mod_alias" and "mod_rewrite".

This issue is described at the following sites:
The Apache 1.3.29 and the 2.0.48 release announcements:
CAN-2003-0542:

Avoidance: Patch
State: Resolved
First released: 10-Feb-2004
Product: Solaris 9 Operating System, Solaris 8 Operating System

A local or remote unprivileged user may be able to execute arbitrary code on Solaris 8 or Solaris 9 systems running Apache with the privileges of the Apache HTTP process, due to several security vulnerabilities in the Apache Web Server and Apache Web Server modules. The Apache HTTP process normally runs as the unprivileged uid "nobody" (uid 60001). The ability to execute arbitrary code as the unprivileged uid "nobody" may lead to modified web content, denial of service, or further compromise.

These issues are described at the following sites:
The Change Log for Apache 1.3, at http://www.apache.org/dist/httpd/CHANGES_1.3
CAN-2003-0987: "mod_digest issue" at http://cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2003-0987
CAN-2003-0020: "filtering of data sent to errorlog" at http://cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2003-0020
CAN-2004-0174: "possible denial of service" at http://cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2004-0174
CAN-2003-0993: "mod_access on 64-bit platforms" at http://cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2003-0993
CAN-2004-0492: "buffer overflow in mod_proxy" at http://cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2004-0492

Note that Apache 1.3.31 addresses the first four of these five security vulnerabilities. Additional changes were made to address CAN-2004-0492 in Sun's version of Apache 1.3.31.

Avoidance: Patch
State: Resolved
First released: 24-Aug-2004
Product: Solaris 10 Operating System

Multiple security vulnerabilities in the "MySQL" package, an open source database package bundled with Solaris 10 (see mysqld(1)), may result in one or more of the following issues:

1. An unprivileged "MySQL" user may be able to access and potentially modify sensitive information in database tables. This issue is referenced in the following document:

2. An unprivileged "MySQL" user may be able to disable a "MySQL" server, causing a Denial of Service (DoS). This issue is referenced in the following document:

3. A local unprivileged UNIX user may be able to overwrite or create arbitrary files on the system with the privileges of a user who invokes the mysqlaccess(1) script. This issue is referenced in the following document:

4. A "MySQL" user with "INSERT" and "DELETE" privileges may be able to execute arbitrary commands with the privileges of the "MySQL" server due to a security vulnerability in the "CREATE FUNCTION" command. This issue is referenced in the following document:

5. A "MySQL" user with "INSERT" and "DELETE" privileges may be able to execute arbitrary commands with the privileges of the "MySQL" server due to a security vulnerability in the "udf_init" function. This issue is referenced in the following document:

6. A "MySQL" user with the "CREATE TEMPORARY TABLES" privilege may be able to overwrite or create files on the system with the privileges of the "MySQL" server. This issue is referenced in the following document:

Note: The "MySQL" server, mysqld(1), runs as an unprivileged user by default.

Avoidance: Patch
State: Resolved
First released: 11-Aug-2005
Product: Solaris 8 Operating System

Sun Alerts 57628 and 57496 describe several security vulnerabilities in the Apache web server and modules. The Solaris 8 patches listed in these Sun Alerts did not include some of the Apache module files, so several of the vulnerabilities affecting the Apache modules were not completely addressed. As a result, a local or remote unprivileged user may be able to execute arbitrary code on systems running Apache with the privileges of the Apache HTTP process. The Apache HTTP process normally runs as the unprivileged uid "nobody" (uid 60001). The ability to execute arbitrary code as the unprivileged uid "nobody" may lead to modified web content, denial of service, or further compromise.

The Apache module vulnerabilities affected are as follows:
CAN-2003-0987: "mod_digest issue" at http://cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2003-0987
CAN-2003-0993: "mod_access on 64-bit platforms" at http://cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2003-0993
CAN-2004-0492: "buffer overflow in mod_proxy" at http://cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2004-0492
CAN-2003-0542: "buffer overflows in mod_alias and mod_rewrite" at http://cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2003-0542

Solaris 8 sites running Apache should install the patches below to obtain the complete resolution for the Apache module security issues described in Sun Alerts 57628 and 57496. The Solaris 9 patches listed in Sun Alerts 57628 and 57496 are the complete resolution for these issues.

Avoidance: Patch
State: Resolved
First released: 10-Aug-2005
10 Aug 2005
Sun Alert 101799 Security Vulnerability in JRE Plug-in affects the Sun Java Desktop System for Linux
Product: Sun Java Desktop System 2003

Certain releases of the Sun Java Desktop System (JDS) for Linux include versions of the Java Runtime Environment (JRE) which contain a vulnerability in the Java Plug-in which may allow an untrusted applet to escalate privileges, through JavaScript calling into Java code, including reading and writing files with the privileges of the user running the applet.

This issue is also described in Sun Alert 101749 at: http://sunsolve.sun.com/search/document.do?assetkey=1-26-101749-1

Avoidance: Patch
State: Resolved
First released: 01-Jul-2005
Product: Solaris 2.5, Solaris 2.5.1, Solaris 2.6 Operating System, Solaris 7 Operating System, Solaris 8 Operating System

An unprivileged local user might set up a scenario so that, under certain circumstances, an XView application corrupts a system or user file on exit. Only files for which the exiting XView application has modify permission (based only on the application's current user/group ID and file permissions) are at risk. Therefore, XView applications running with root access rights under certain circumstances pose a risk to system files if no countermeasures are taken (please see the "Workaround" section below).

Avoidance: Patch, Upgrade, Workaround
State: Resolved
First released: 09-Jul-2001
Product: Solaris 9 Operating System, Solaris 10 Operating System, Solaris 7 Operating System, Solaris 8 Operating System

A local or remote unprivileged user may be able to remove any file on the system due to a security vulnerability in the "printd" daemon.

Sun acknowledges, with thanks, H.D. Moore of Metasploit.com, for bringing this issue to our attention.

Avoidance: Patch
State: Resolved
First released: 08-Aug-2005