A security vulnerability in the "/usr/ucb/ps" (see ps(1B)) command may allow unprivileged local users the ability to see environment variables and their values for processes which belong to other users.

This issue can occur in the following releases:

SPARC Platform

• Solaris 8 without patch 109023-05
• Solaris 9 without patch 120240-01

x86 Platform

• Solaris 8 without patch 109024-05
• Solaris 9 without patch 120239-01

Note 1: Solaris 10 is not affected by this issue.

Note 2: The ps(1m) command is used for reporting process status. The full path for this command is "/usr/bin/ps". In addition, there is "/usr/ucb/ps" which is documented in the ps(1b) manual page. Only the "/usr/ucb/ps" command is affected by the vulnerability described in this Sun Alert.

In general users will use the "/usr/bin/ps" version as most will not have the directory "/usr/ucb" in their command search path (see the appropriate PATH section of relevant shell manual pages).

As an unprivileged user, running the "/usr/ucb/ps axe" command shows all processes, and with the "e" flags, it also includes their environment.

    $ /usr/ucb/ps axe
    PID TT       S  TIME COMMAND
    ...
    53 ?        S  0:00 /usr/lib/devfsadm/devfseventd LD_LIBRARY_PATH= PATH=/sbin:
    /usr/sbin:/usr/bin TZ=GB-Eire _INIT_PREV_LEVEL=0
    ...

In the example above we can see a root owned daemon, along with its environment variables and their values.

To work around the described issue, remove the set-id bit from "/usr/ucb/ps".

This issue is addressed in the following releases:

SPARC Platform

• Solaris 8 with patch 109023-05 or later
• Solaris 9 with patch 120240-01 or later

x86 Platform

• Solaris 8 with patch 109024-05 or later
• Solaris 9 with patch 120239-01 or later

This solution has no attachment