<><><><><><><><><><><><><><><><><><><><><><><><><><><><><><><><><><><><><><><> /* *\ / * * \ / * * \ / * * \ / * System Vulnerabilities * \ | * * | | * * | | * * | | * Another Modernz Presentation * | | * * | \ * by * / \ * Multiphage * / \ * * / \ * written 12-29-92 * / \ * */ ******************************************************************************* <><><><><><><><><><><><><><><><><><><><><><><><><><><><><><><><><><><><><><><> ******************************************************************************* The Modernz can be contacted at: MATRIX BBS WOK-NOW! World of Kaos NOW! World of Knowledge NOW! St. Dismis Institute - Sysops: Wintermute Digital-demon (908) 905-6691 (908) WOK-NOW! (908) 458-xxxx 1200/2400/4800/9600 14400/19200/38400 Home of Modernz Text Philez <><><><><><><><><><><><><><><><><><><><><><><><><><><><><><><><><><><><><><>< <*><*><*><*><*><*><*><*><*><*><*><*><*><*><*><*><*><*><*><*><*><*><*><*><*><*> <><><><><><><><><><><><><><><><><><><><><><><><><><><><><><><><><><><><><><><> TANSTAAFL Pheonix Modernz The Church of Rodney - Sysop: Tal Meta (908) 830-TANJ (908) 830-8265 Home of TANJ Text Philez <*><*><*><*><*><*><*><*><*><*><*><*><*><*><*><*><*><*><*><*><*><*><*><*><*><*> CyberChat Sysop: Hegz (908)506-6651 (908)506-7637 300/1200/2400/4800/9600 14400/19200/38400 Modernz Site TLS HQ <><><><><><><><><><><><><><<><<><><><><><><><><><><><><><><><><><><><><><><><>< BlitzKreig BBS Home of TAP (502)499-8933 <*><*><*><*><*><*><*><*><*><*><*><*><*><*><*><*><*><*><*><*><*><*><*><*><*><*> =========================================================================== Altered System Binaries Incident --------------------------------------------------------------------------- Information regarding a series of significant intrusion incidents on the Internet. Systems administrators should be aware that many systems on the Internet have been compromised due to this activity. To identify whether your systems have been affected by the activity we recommend that all system administrators check for the signs of intrusion detailed in this advisory. This advisory describes the activities that have been identified as part of this particular incident. This does not address the possibility that systems may have been compromised due to other, unrelated intrusion activity. --------------------------------------------------------------------------- I. Description The intruders gain initial access to a host by discovering a password for a user account on the system, exploiting a "+" in the "/etc/hosts.equiv" file, or any ".rhosts" files on the system. The intruder then connects to the system using rsh and attempts to become root on the compromised system. An alias of "decode" may used to gain root privileges. II. Impact Having gained root access on a system, the intruders may make unauthorized changes to system binaries that can capture account information for both local and remote systems. In addition, the intruder adds "+ +" to any ".rhosts" files to which the intruder has access. III. Solution A. Check your systems for signs of intrusion due to this incident. 1. Check the login, telnet, and uucpd binaries (for example, "/bin/login", "/usr/ucb/telnet", and "/usr/etc/in.uucpd" on Sun systems) against copies from distribution media. Note that a check for creation or modification times and sizes is not sufficient to assure that the files have not been modified. The CERT/CC suggests that you compare the output of the "sum(1)" or "cmp(1)" command on both the distribution and installed versions of the binaries. 2. If the check from (A.1) indicates that your binaries have been modified, check for the presence of a password log file. Since the name of the logfile is often changed, the name of the file should be obtained using the "strings(1)" command on the Trojan login, uucpd, or telnet binary. Examples of filenames used on other systems are: "/usr/spool/. " (dot space) "/var/spool/secretmail/.l" "/var/spool/secretmail/.log" "/var/spool/secretmail/.tty" "/var/spool/secretmail/.lock" "/usr/tmp/.log" "/usr/spool/uucp/.sys" "/usr/spool/uucppublic/.hushlogin" "/usr/uucp/.sys" "/mnt2/lost+found/.tmp/.log" "/usr/spool/mqueue/.AFG001" Verify that the contents of files found using the "strings(1)" command do not contain valid username/password combinations. 3. Check for the presence of "+" in the "/etc/hosts.equiv" file. NOTE that Sun Microsystems installs the SunOS operating system with a default "+" in the /etc/hosts.equiv file for easy network access. This should be removed unless required in your operating environment and protected by a firewall network configuration. Leaving the "+" intact will allow any non-root user on the Internet to login to the system without a password. 4. Check the home directory for each entry in the "/etc/passwd" file for the presence of a ".rhosts" file containing "+ +" (plus space plus). 5. Assure that your "/etc/fstab", "/etc/inetd.conf", and "/etc/exports" files have not been modified. B. Take the following steps to secure your systems. 1. Save copies of the identified files to removable media and remove any password log files as found in (A.2) above. 2. Replace any modified binaries with copies from distribution media. 3. Remove the "+" entry from the "/etc/hosts.equiv" file and the "+ +" (plus space plus) entry from any ".rhosts" files. 4. Change ownership of the "/etc" directory to userid "root" if it is owned by "bin" (as distributed by Sun). 5. Change every password on the system and assure that the new passwords are robust using a package such as Crack or Cops (available via anonymous ftp from cert.org). 6. Inspect and restore any changes made to your "/etc/fstab", "/etc/exports", or "/etc/inetd.conf" files. If any modifications are found in these files, you will need to unmount file systems and restart daemons once the files have been restored. Alternatively the system could be rebooted. 7. Remove the "decode" alias from your global mail aliases file ("/etc/aliases" on Sun systems, "/usr/lib/aliases" on other UNIX systems). --------------------------------------------------------------------------- =========================================================================== Multiple SunOS Vulnerabilities Patched --------------------------------------------------------------------------- Information concerning several vulnerabilities in the Sun Microsystems, Inc. (Sun) operating system (SunOS). These vulnerabilities affect all architectures and supported versions of SunOS including 4.1, 4.1.1, and 4.1.2 on sun3, sun3x, sun4, sun4c, and sun4m. The patches have been released as upgrades to three existing patch files. Since application of these patches involves rebuilding your system kernel file (/vmunix), it is recommended that you apply all patches simultaneously. Use the procedure described below to apply the patches and rebuild the kernel. Sun has provided patches for these vulnerabilities as updates to Patch IDs 100173, 100376, and 100567. They are available through your local Sun Answer Centers worldwide as well as through anonymous ftp from the ftp.uu.net (137.39.1.9) system (in the /systems/sun/sun-dist directory). Fix Patch ID Filename Checksum NFS Jumbo 100173-08 100173-08.tar.Z 32716 562 Integer mul/div 100376-04 100376-04.tar.Z 12884 100 ICMP redirects 100567-02 100567-02.tar.Z 23118 13 Please note that Sun Microsystems sometimes updates patch files. If you find that the checksum is different please contact Sun Microsystems or CERT for verification. --------------------------------------------------------------------------- NFS jumbo patch upgrade, SunOS 4.1, 4.1.1, 4.1.2, all architectures I. Description The upgrade to the NFS Jumbo patch addresses a vulnerability that allows an intruder to become root using NFS. This vulnerability affects all architectures and supported versions of SunOS. II. Impact A remote user may exploit this vulnerability to gain root access. III. Solution Extract the new files to be installed in the kernel. Install the patch files in /sys/`arch -k`/OBJ as described in the README file included in the patch file. Be sure to make a backup of each of the files you are replacing before moving the patched file to the /sys/`arch -k`/OBJ directory. Config, make, and install the new kernel to include all patches described in this advisory appropriate to your system. Reboot each host using the appropriate kernel. Refer to the Systems and Network Administration manual for instructions on building and configuring a new custom kernel. Integer mul/div patch upgrade, SunOS 4.1, 4.1.1, 4.1.2, SPARC architectures I. Description The integer mul/div patch upgrade addresses an additional problem with the integer multiplication emulation code on SPARC architectures that allows an intruder to become root. This vulnerability affects SPARC architectures (sun4, sun4c, and sun4m) for all supported versions of SunOS (4.1, 4.1.1, and 4.1.2). II. Impact A local user may exploit a bug in the emulation routines to gain root access or crash the system. III. Solution Extract the new files to be installed in the kernel. Note that this patch applies only to SPARC architectures. Install the patch files in /sys/`arch -k`/OBJ as described in the README file included in the patch file. Be sure to make a backup of each of the files you are replacing before moving the patched file to the /sys/`arch -k`/OBJ directory. Config, make, and install the new kernel to include all patches described in this advisory appropriate to your system. Reboot each host using the appropriate kernel. Refer to the Systems and Network Administration manual for instructions on building and configuring a new custom kernel. ICMP redirects patch upgrade, SunOS 4.1, 4.1.1, 4.1.2, all architectures I. Description The ICMP redirects patch addresses a denial of service vulnerability with SunOS that allows an intruder to close existing network connections to and from a Sun system. This vulnerability affects all Sun architectures and supported versions of SunOS. II. Impact A remote user may deny network services on a Sun system. III. Solution Extract the new file to be installed in the kernel (the patch is the same for all supported versions of SunOS). Install the patch files in /sys/`arch -k`/OBJ as described in the README file included in the patch file. Be sure to make a backup of each of the files you are replacing before moving the patched file to the /sys/`arch -k`/OBJ directory. Config, make, and install the new kernel to include all patches described in this advisory appropriate to your system. Reboot each host using the appropriate kernel. Refer to the Systems and Network Administration manual for instructions on building and configuring a new custom kernel. --------------------------------------------------------------------------- =========================================================================== VMS Monitor Vulnerability --------------------------------------------------------------------------- Information concerning a potential vulnerability with Digital Equipment Corporation's VMS Monitor. This vulnerability is present in V5.0 through V5.4-2 but has been corrected in V5.4-3 through V5.5-1. The Software Security Response Team at Digital has provided the following information concerning this vulnerability. NOTE: Digital suggests that customers who are unable to upgrade their systems implement the workaround described below. For additional information, please contact your local Digital Equipment Corporation customer service representative. Beginning of Text provided by Digital Equipment Corporation ============================================================================== SSRT-0200 PROBLEM: Potential Security Vulnerability Identified in Monitor SOURCE: Digital Equipment Corporation AUTHOR: Software Security Response Team - U.S. Colorado Springs USA PRODUCT: VMS Symptoms Identified On: VMS, Versions 5.0, 5.0-1, 5.0-2, 5.1, 5.1-B, 5.1-1, 5.1-2, 5.2, 5.2-1, 5.3, 5.3-1, 5.3-2, 5.4, 5.4-1, 5.4-2 ******************************************************* SOLUTION: This problem is not present in VMS V5.4-3 (released in October 1991) through V5.5-1 (released in July, 1992.) ******************************************************* Copyright (c) Digital Equipment Corporation, 1992 All Rights Reserved. Published Rights Reserved Under The Copyright Laws Of The United States. ------------------------------------------------------------------------------- PROBLEM/IMPACT: ------------------------------------------------------------------------------- Unauthorized privileges may be expanded to authorized users of a system under certain conditions, via the Monitor utility. Should a system be compromised through unauthorized access, there is a risk of potential damage to a system environment. This problem will not permit unauthorized access entry, as individuals attempting to gain unauthorized access will continue to be denied through the standard VMS security mechanisms. ------------------------------------------------------------------------------- SOLUTION: ------------------------------------------------------------------------------- This potential vulnerability does not exist in VMS V5.4-3 (released in October 1991) and later versions of VMS through V5.5-1. Digital strongly recommends that you upgrade to a minimum of VMS V5.4-3, and further, to the latest release of VMS V5.5-1. (released in July, 1992) ------------------------------------------------------------------------------ INFORMATION: ------------------------------------------------------------------------------- If you cannot upgrade at this time Digital recommends that you implement a workaround (examples attached below) to avoid any potential vulnerability. As always, Digital recommends that you periodically review your system management and security procedures. Digital will continue to review and enhance the security features of its products and work with customers to maintain and improve the security and integrity of their systems. ------------------------------------------------------------------------------- WORKAROUND ------------------------------------------------------------------------------- A suggested workaround would be to remove the installed image SYS$SHARE:SPISHR.EXE via VMS INSTALL and/or restrict the use of the MONITOR utility to "privileged" system administrators. Below are the examples of doing both; [1] To disable the MONITOR utility the image SYS$SHARE:SPISHR.EXE should be deinstalled. From a privileged account; For cluster configurations; --------------------------- $ MC SYSMAN SYSMAN> SET ENVIRONMENT/CLUSTER SYSMAN> DO INSTALL REMOVE SYS$SHARE:SPISHR.EXE SYSMAN> DO RENAME SYS$SHARE:SPISHR.EXE SPISHR.HOLD SYSMAN> EXIT For non-VAXcluster configurations; --------------------------------- $INSTALL INSTALL>REMOVE SYS$SHARE:SPISHR.EXE INSTALL>EXIT $RENAME SYS$SHARE:SPISHR.EXE SPISHR.HOLD [2] If you wish to restrict access to the MONITOR command so that only a limited number of authorized (or privileged) persons are granted access to the utility, one method might be to issue the following example commands; From a privileged account; For cluster configurations; --------------------------- $ MC SYSMAN SYSMAN> SET ENVIRONMENT/CLUSTER SYSMAN> DO INSTALL REMOVE SYS$SHARE:SPISHR.EXE SYSMAN> DO SET FILE/ACL=(ID=*,ACCESS=NONE) SYS$SHARE:SPISHR.EXE SYSMAN> DO SET FILE/ACL=(ID=SYSTEM,ACCESS=READ+EXECUTE) SYS$SHARE:SPISHR.EXE SYSMAN> DO INSTALL ADD SYS$SHARE:SPISHR.EXE/OPEN/HEADER/SHARE/PROTECT SYSMAN> EXIT $ THIS WILL IMPACT the MONITOR UTILITY FOR REMOTE MONITORING. LOCAL MONITORING WILL CONTINUE TO WORK FOR PERSONS HOLDING THE ID's GRANTED ACL ACCESS. see additional note(s) below For non-VAXcluster configurations; ---------------------------------- $ INSTALL INSTALL>REMOVE SYS$SHARE:SPISHR.EXE INSTALL>EXIT $ SET FILE /ACL=(ID=*,ACCESS=NONE) SYS$SHARE:SPISHR.EXE $ SET FILE /ACL=(ID=SYSTEM,ACCESS=READ+EXECUTE) SYS$SHARE:SPISHR.EXE $ INSTALL INSTALL>ADD SYS$SHARE:SPISHR.EXE/OPEN/HEADER/SHARE/PROTECT INSTALL>EXIT $ IN THE ABOVE EXAMPLES, THE "SET FILE /ACL" LINE SHOULD BE REPEATED FOR ALL ACCOUNTS THAT ARE REQUIRED/ALLOWED TO USE THE DCL MONITOR COMMAND. NOTE: The ID -SYSTEM- is an example, and should be substituted as necessary with valid user ID's that are associated with accounts you wish to grant access to. =========================================================================== End of Text provided by Digital Equipment Corporation ---------------------------------------------------------------------------