AUSCERT External Security Bulletin Redistribution

                  ESB-97.066 -- Sun Security Bulletin #00140
                          Vulnerability in ffbconfig

                                 21 May 1997


Sun Microsystems has released the following security bulletin providing
patch information for a vulnerabiltiy in the ffbconfig program under
Solaris 2.5/2.5.1.  This vulnerability may allow local users to gain root

This bulletin addresses the problems previously described in AUSCERT
Advisory AA-97.06 -- Solaris ffbconfig Buffer Overrun Vulnerability.

AUSCERT advises that all sites apply the appropriate patches described in
this bulletin as soon as possible.

The following security bulletin is provided as a service to AUSCERT's
members.  As AUSCERT did not write this document, AUSCERT has had no
control over its content.  As such, the decision to use any or all of this
information is the responsibility of each user or organisation, and should
be done so in accordance with site policies and procedures.

Contact information for Sun Microsystems is included in the Security
Bulletin below.  If you have any questions or need further information,
please contact them directly.

Previous advisories and external security bulletins can be retrieved from:


If you believe that your system has been compromised, contact AUSCERT or your
representative in FIRST (Forum of Incident Response and Security Teams).

Internet Email: auscert@auscert.org.au
Facsimile:      (07) 3365 4477
Telephone:      (07) 3365 4417 (International: +61 7 3365 4417)
	AUSCERT personnel answer during Queensland business hours
	which are GMT+10:00 (AEST).
	On call after hours for emergencies.

- --------------------------BEGIN INCLUDED TEXT--------------------


 		   Sun Microsystems, Inc. Security Bulletin
Bulletin Number:	#00140
Date: 			14 May 1997
Cross-Ref:		AUSCERT AA-97.06
Title:			Vulnerability in ffbconfig

Permission is granted for the redistribution of this Bulletin, so long as 
the Bulletin is not edited and is attributed to Sun Microsystems. Portions 
may also be excerpted for re-use in other security advisories so long as 
proper attribution is included.

Any other use of this information without the express written consent of 
Sun Microsystems is prohibited. Sun Microsystems expressly disclaims all 
liability for any misuse of this information by any third party.

1.  Bulletins Topics

    Sun announces the release of patches for Solaris 2.5.1 (SunOS 5.5.1) and 
    Solaris 2.5 (SunOS 5.5) that relate to vulnerabilities in the ffbconfig 
    program, which can result in root access if exploited. 

    Sun strongly recommends that you install these patches immediately on
    every affected system. Exploitation information for ffbconfig is publicly

2.  Who is Affected
       Vulnerable:  SunOS versions 5.5.1 and 5.5 SPARC running the Creator 
                    FFB Graphics Accelerator.
                    See section 4. Understanding the Vulnerability, for a way 
                    to test if a system is affected.

       Not vulnerable:	All other supported versions of SunOS
       This vulnerability does not exist in the upcoming release of Solaris 2.6.
3.  What to Do

    Install the patches listed in 5.
4.  Understanding the Vulnerability

    The ffbconfig program configures the Creator Fast Frame Buffer (FFB) 
    Graphics Accelerator, which is part of the FFB Configuration Software 
    Package, SUNWffbcf. This software is used when the FFB Graphics accelerator 
    card is installed. Due to insufficient bounds checking on arguments, it is 
    possible to overwrite the internal stack space of the ffbconfig program. 
    If exploited, this vulnerability can be used to gain root access on 
    attacked systems.
    To test if a system is vulnerable, run the following command to check for 
    the presence of SUNWffbcf package which is installed when the FFB Graphics 
    accelerator card is present:

		/usr/bin/pkginfo -l SUNWffbcf

    If it is not present, you will get an error message stating that SUNWffbcf 
    was not found. If it is present, ffbconfig is installed in /usr/sbin.
5.  List of Patches

    The vulnerability relating to ffbconfig is fixed by the following patches:

	OS version		Patch ID
	----------		--------
	SunOS 5.5.1		103796-09
     	SunOS 5.5		103076-09
    The above-mentioned patches are listed in the Graphics section under 
    Unbundled Products at 
6.  Checksum Table

    The checksum table below shows the BSD checksums (SunOS 5.x: /usr/ucb/sum), 
    SVR4 checksums (SunOS 5.x: /usr/bin/sum), and the MD5 digital signatures 
    for the above-mentioned patches that are available from:
    These checksums may not apply if you obtain patches from your answer

File Name	  BSD	       SVR4	    MD5
- ---------------   ---------    ---------    --------------------------------
103796-09.tar.Z   37854 2479   55959 4957   4994176B4C03215BD2707B87921C5096
103076-09.tar.Z   33438 2435   42064 4869   0A8AA3C106C4F09448220C1B0B714CD1


Sun acknowledges with thanks CERT/CC and AUSCERT for their assistance in the 
preparation of this bulletin.

Sun, CERT/CC, and AUSCERT are members of FIRST, the Forum of Incident Response 
and Security Teams. For more information about FIRST, visit the FIRST web site 
at "http://www.first.org/".


A.  Patches listed in this security bulletin are available to all Sun customers 
    via World Wide Web at:
    Customers with Sun support contracts can also obtain patches from local 
    Sun answer centers and SunSITEs worldwide.
B.  To report or inquire about a security problem with Sun software, contact 
    one or more of the following:
        - Your local Sun answer centers
        - Your representative computer security response team, such as CERT 
        - Sun Security Coordination Team. Send email to:

C.  To receive information or subscribe to our CWS (Customer Warning System) 
    mailing list, send email to:
    with a subject line (not body) containing one of the following commands:

        Command         Information Returned/Action Taken
        -------         ---------------------------------

        HELP            An explanation of how to get information

        LIST            A list of current security topics

        QUERY [topic]   The mail containing the question is relayed to
                        the Security Coordination Team for response.

        REPORT [topic]  The mail containing the text is treated as a
                        security report and forwarded to the Security
                        Coordination Team. We do not recommend that detailed 
                        problem descriptions be sent in plain text.

        SEND topic      A short status summary or bulletin. For example, to 
        		retrieve a Security Bulletin #00138, supply the 
        		following in the subject line (not body):
        			SEND #138

        SUBSCRIBE       Sender is added to our mailing list.  To subscribe, 
                        supply the following in the subject line (not body):

                            	SUBSCRIBE cws your-email-address
			Note that your-email-address should be substituted
			by your email address.
        UNSUBSCRIBE     Sender is removed from our mailing list.

- --------------------------END INCLUDED TEXT--------------------

Version: 2.6.3i
Charset: noconv
Comment: ftp://ftp.auscert.org.au/pub/auscert/AUSCERT_PGP.key