Patch-ID# 101679-01
Keywords: security modload ld, 101200-01 ported to 4.1.3_U1
Synopsis: SunOS 4.1.3_U1: Breach of security using modload
Date: May/13/94

Solaris Release: 1.1.1A

SunOS Release: 4.1.3_U1A

Topic: kernel security can be breached by setuid programs using modload

BugId's fixed with this patch: 1137491

Relevant Architecture: sparc
NOTE: sun4(all)

Patches which may conflict with this patch:

Obsoleted by:

Problem Description:

There is a bug in the program /usr/etc/modload in SunOS 4.1.3 and
4.1.3_U1. It is brought to light by using the program
/usr/openwin/bin/loadmodule. loadmodule is a setuid root program that
calls modload as part of its operation. modload calls ld, but does not
call it using a full pathname, so if a program called ld appears earlier
in your path when you call loadmodule, that ld program is run with an
effective UID of 0.

INSTALL:

As root:

Make a backup copy of the files to be installed:

    mv /usr/kvm/modload /usr/kvm/modload.orig

Now install the patched file:

    cp sun4/modload /usr/kvm/modload
    chmod 755 /usr/kvm/modload
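
The class of bug in the Problem Description, seen from the fix side: a privileged program that starts a helper should name it by absolute path and hand it a fixed environment. The following is an added example, not Sun's patched modload source; run_helper, run_sh, the /usr/bin:/bin PATH value and the sample directory names are assumptions made for illustration.

```c
#define _POSIX_C_SOURCE 200809L
#include <errno.h>
#include <stdio.h>
#include <stdlib.h>
#include <sys/types.h>
#include <sys/wait.h>
#include <unistd.h>

/* Fixed environment for the helper; nothing is inherited from the caller. */
static char *const clean_env[] = { "PATH=/usr/bin:/bin", NULL };

/* run_helper (hypothetical name): returns the helper's exit status, or -1
 * if path is not absolute, fork fails, or the helper dies on a signal. */
int run_helper(const char *path, char *const argv[])
{
    pid_t pid;
    int status;

    /* Refuse any name that would need a PATH search. */
    if (path == NULL || path[0] != '/')
        return -1;
    pid = fork();
    if (pid < 0)
        return -1;
    if (pid == 0) {
        /* execve, unlike execvp/execlp, does no PATH lookup. */
        execve(path, argv, clean_env);
        _exit(127); /* exec failed */
    }
    while (waitpid(pid, &status, 0) < 0)
        if (errno != EINTR)
            return -1;
    return WIFEXITED(status) ? WEXITSTATUS(status) : -1;
}

/* Convenience wrapper used to observe what the helper sees. */
int run_sh(const char *script)
{
    char *const argv[] = { "sh", "-c", (char *)script, NULL };
    return run_helper("/bin/sh", argv);
}

int main(void)
{
    char *const ld_argv[] = { "ld", NULL };
    setenv("PATH", "/tmp/constructed-dir:/usr/bin", 1); /* constructed caller PATH */
    printf("relative \"ld\" -> %d\n", run_helper("ld", ld_argv));
    printf("helper PATH clean -> %d\n", run_sh("[ \"$PATH\" = /usr/bin:/bin ]"));
    return 0;
}
```

The helper's PATH is the fixed one even though the caller's PATH was changed first, so any further lookups the helper performs are also unaffected by the invoking user's environment.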