<><><><><><><><><><><><><><><><><><><><><><><><><><><><><><><><><><><><><><><> /* *\ / * * \ / * * \ / * * \ / * System Vulnerabilities * \ | * * | | * * | | * * | | * Another Modernz Presentation * | | * * | \ * by * / \ * Multiphage * / \ * * / \ * written 11-05-92 * / */ ******************************************************************************* <><><><><><><><><><><><><><><><><><><><><><><><><><><><><><><><><><><><><><><> ******************************************************************************* The Modernz can be contacted at: MATRIX BBS WOK-NOW! World of Kaos NOW! World of Knowledge NOW! St. Dismis Institute - Sysops: Wintermute Digital-demon (908) 905-6691 (908) WOK-NOW! (908) 458-xxxx 1200/2400/4800/9600 14400/19200/38400 Home of Modernz Text Philez <><><><><><><><><><><><><><><><><><><><><><><><><><><><><><><><><><><><><><>< <*><*><*><*><*><*><*><*><*><*><*><*><*><*><*><*><*><*><*><*><*><*><*><*><*><*> <><><><><><><><><><><><><><><><><><><><><><><><><><><><><><><><><><><><><><><> TANSTAAFL Pheonix Modernz The Church of Rodney - Sysop: Tal Meta (908) 830-TANJ (908) 830-8265 Home of TANJ Text Philez <*><*><*><*><*><*><*><*><*><*><*><*><*><*><*><*><*><*><*><*><*><*><*><*><*><*> CyberChat Sysop: Hegz (908)506-6651 (908)506-7637 300/1200/2400/4800/9600 14400/19200/38400 Modernz Site TLS HQ <><><><><><><><><><><><><><<><<><><><><><><><><><><><><><><><><><><><><><><><>< The Lost Realm Western PA UASI site! Western PA. SANfranchise (412) 588-5056 300/1200/2400 SysOp: Orion Buster <><><><><><><><><><><><><><><><><><><><><><><><><><><><><><><><><><><><><><><>< The Last Outpost PowerBBS Support Board UASI ALPHA Division NorthWestern PA UASI site! (412) 662-0769 300/1200/2400 24 hours! SysOp: The Almighty Kilroy <><><><><><><><><><><><><><><><><><><><><><><><><><><><><><><><><><><><><><><>< BlitzKreig BBS Home of TAP (502)499-8933 <*><*><*><*><*><*><*><*><*><*><*><*><*><*><*><*><*><*><*><*><*><*><*><*><*><*> =========================================================================== AIX crontab Vulnerability --------------------------------------------------------------------------- Information concerning a vulnerability in crontab(1) in version 3.2 of IBM's AIX operating system. IBM is aware of this problem and a fix is available as apar number "ix26997" for AIX version 3.2. The version information for the patched /usr/bin/crontab is shown in the following what(1) output: % what /usr/bin/crontab 04 1.23 com/cmd/cntl/cron/crontab.c, cmdcntl, bos320, 9218320f 4/8/92 11:50:42 07 1.8 com/cmd/cntl/cron/permit.c, bos, bos320 4/25/91 17:16:59 11 1.15 com/cmd/cntl/cron/cronsub.c, bos, bos320 8/18/91 20:42:32 06 1.9 com/cmd/cntl/cron/funcs.c, bos, bos320 6/8/91 21:22:40 If your crontab contains older modules than the above output indicates, we suggest that you install the fix. --------------------------------------------------------------------------- I. Description The distributed version of /usr/bin/crontab contains a security vulnerability. II. Impact Local users can gain unauthorized root access to the system. III. Solution The CERT/CC suggests that sites install the fix that IBM has made available. As an interim step, we suggests that sites prevent all non-root users from running /usr/bin/crontab by removing (or renaming) the /var/adm/cron/cron.allow and /var/adm/cron/cron.deny files. - Obtain the fix from IBM Support. 1. To order from IBM call 1-800-237-5511 and ask that the fix be shipped. Patches may be obtained outside the U.S. by contacting your local IBM representative. 2. If you are on the Internet, use anonymous ftp to obtain the fix from software.watson.ibm.com (129.34.139.5). Patch Filename Checksum AIX 3.2 pub/aix3/cronta.tar.Z 02324 154 The patch must be retrieved using binary mode. - Install the fix following the instructions in the README file. =========================================================================== SunOS Environment Variables and setuid/setgid Vulnerability --------------------------------------------------------------------------- Information concerning a vulnerability involving environment variables and setuid/setgid programs under Sun Microsystems Computer Corporation SunOS. This vulnerability exists on all Sun architectures running SunOS 4.0 and higher. In-house and third-party software can also be impacted by this vulnerability. For example, the current versions of rnews, sudo, smount, and npasswd are known to be vulnerable under SunOS. See the Description section of this advisory for details of how to identify software which may be vulnerable. The workaround detailed in this advisory can be used to protect vulnerable software on SunOS operating system versions for which patches are unavailable, or for local or third party software which may be vulnerable. Sun has provided patches for SunOS 4.1, 4.1.1, and 4.1.2 programs which are known to be impacted by this vulnerability. They are available through your local Sun Answer Center as well as through anonymous ftp from the ftp.uu.net (137.39.1.9) system in the /systems/sun/sun-dist directory. Fix PatchID Filename Checksum login and su 100630-01 100630-01.tar.Z 36269 39 sendmail 100377-04 100377-04.tar.Z 14692 311 Note: PatchID 100630-01 contains the international version of /usr/bin/login. PatchID 100631-01 contains the domestic version of /usr/bin/login and is only available from Sun Answer Centers for sites that use the US Encryption Kit. Please note that Sun will occasionally update patch files. If you find that the checksum is different please contact Sun or the CERT/CC for verification. --------------------------------------------------------------------------- I. Description A security vulnerability exists if a set-user-id program changes its real and effective user ids to be the same (but not to the invoker's id), and subsequently causes a dynamically-linked program to be exec'd. A similar vulnerability exists for set-group-id programs. In particular, SunOS /usr/lib/sendmail, /usr/bin/login, /usr/bin/su, and /usr/5bin/su are vulnerable to this problem. II. Impact Local users can gain unauthorized privileged access to the system. III. Solution A. Obtain and install the patches from Sun or from ftp.uu.net following the provided instructions. B. The following workaround can be used to protect vulnerable binaries for which patches are unavailable for your SunOS version, or for local or third party software which may be vulnerable. The example given is a workaround for /usr/lib/sendmail. 1. As root, rename the existing version of /usr/lib/sendmail and modify the permissions to prevent misuse. # mv /usr/lib/sendmail /usr/lib/sendmail.dist # chmod 755 /usr/lib/sendmail.dist 2. In an empty temporary directory, create a file wrapper.c containing the following C program source (remember to strip any leading white-space characters from the #define lines). /* Start of C program source */ /* Change the next line to reflect the full pathname of the file to be protected by the wrapper code */ #define COMMAND "/usr/lib/sendmail.dist" #define VAR_NAME "LD_" main(argc,argv,envp) int argc; char **argv; char **envp; { register char **cpp; register char **xpp; register char *cp; for (cpp = envp; cp = *cpp;) { if (strncmp(cp, VAR_NAME, strlen(VAR_NAME))==0) { for (xpp = cpp; xpp[0] = xpp[1]; xpp++); /* void */ ; } else { cpp++; } } execv(COMMAND, argv); perror(COMMAND); exit(1); } /* End of C program source */ 3. As root, compile the C program source for the wrapper and install the resulting binary. # make wrapper # mv ./wrapper /usr/lib/sendmail # chown root /usr/lib/sendmail # chmod 4711 /usr/lib/sendmail 4. Steps 1 through 3 should be repeated for other vulnerable programs with the appropriate substitution of pathnames and file names. The "COMMAND" C preprocessor variable within the C program source should also be changed to reflect the appropriate renamed system binary. ---------------------------------------------------------------------------