Copy Link
Add to Bookmark
Report
Modernz 64
<><><><><><><><><><><><><><><><><><><><><><><><><><><><><><><><><><><><><><><>
/* *\
/ * * \
/ * * \
/ * * \
/ * System Vulnerabilities * \
| * * |
| * * |
| * * |
| * Another Modernz Presentation * |
| * * |
\ * by * /
\ * Multiphage * /
\ * * /
\ * written 11-05-92 * / */
*******************************************************************************
<><><><><><><><><><><><><><><><><><><><><><><><><><><><><><><><><><><><><><><>
*******************************************************************************
The Modernz can be contacted at:
MATRIX BBS
WOK-NOW!
World of Kaos NOW!
World of Knowledge NOW!
St. Dismis Institute
- Sysops: Wintermute
Digital-demon
(908) 905-6691
(908) WOK-NOW!
(908) 458-xxxx
1200/2400/4800/9600
14400/19200/38400
Home of Modernz Text Philez
<><><><><><><><><><><><><><><><><><><><><><><><><><><><><><><><><><><><><><><
<*><*><*><*><*><*><*><*><*><*><*><*><*><*><*><*><*><*><*><*><*><*><*><*><*><*>
<><><><><><><><><><><><><><><><><><><><><><><><><><><><><><><><><><><><><><><>
TANSTAAFL
Pheonix Modernz
The Church of Rodney
- Sysop: Tal Meta
(908) 830-TANJ
(908) 830-8265
Home of TANJ Text Philez
<*><*><*><*><*><*><*><*><*><*><*><*><*><*><*><*><*><*><*><*><*><*><*><*><*><*>
CyberChat
Sysop: Hegz
(908)506-6651
(908)506-7637
300/1200/2400/4800/9600
14400/19200/38400
Modernz Site
TLS HQ
<><><><><><><><><><><><><><<><<><><><><><><><><><><><><><><><><><><><><><><><><
The Lost Realm
Western PA UASI site!
Western PA. SANfranchise
(412) 588-5056 300/1200/2400
SysOp: Orion Buster
<><><><><><><><><><><><><><><><><><><><><><><><><><><><><><><><><><><><><><><><
The Last Outpost
PowerBBS Support Board
UASI ALPHA Division
NorthWestern PA UASI site!
(412) 662-0769 300/1200/2400
24 hours! SysOp: The Almighty Kilroy
<><><><><><><><><><><><><><><><><><><><><><><><><><><><><><><><><><><><><><><><
BlitzKreig BBS
Home of TAP
(502)499-8933
<*><*><*><*><*><*><*><*><*><*><*><*><*><*><*><*><*><*><*><*><*><*><*><*><*><*>
===========================================================================
AIX crontab Vulnerability
---------------------------------------------------------------------------
Information concerning a vulnerability in crontab(1) in version 3.2
of IBM's AIX operating system.
IBM is aware of this problem and a fix is available as apar number "ix26997"
for AIX version 3.2. The version information for the patched /usr/bin/crontab
is shown in the following what(1) output:
% what /usr/bin/crontab
04 1.23 com/cmd/cntl/cron/crontab.c, cmdcntl, bos320, 9218320f 4/8/92 11:50:42
07 1.8 com/cmd/cntl/cron/permit.c, bos, bos320 4/25/91 17:16:59
11 1.15 com/cmd/cntl/cron/cronsub.c, bos, bos320 8/18/91 20:42:32
06 1.9 com/cmd/cntl/cron/funcs.c, bos, bos320 6/8/91 21:22:40
If your crontab contains older modules than the above output indicates, we
suggest that you install the fix.
---------------------------------------------------------------------------
I. Description
The distributed version of /usr/bin/crontab contains a security
vulnerability.
II. Impact
Local users can gain unauthorized root access to the system.
III. Solution
The CERT/CC suggests that sites install the fix that IBM has made
available. As an interim step, we suggests that sites prevent all
non-root users from running /usr/bin/crontab by removing (or renaming)
the /var/adm/cron/cron.allow and /var/adm/cron/cron.deny files.
- Obtain the fix from IBM Support.
1. To order from IBM call 1-800-237-5511 and ask
that the fix be shipped. Patches may be obtained
outside the U.S. by contacting your local IBM
representative.
2. If you are on the Internet, use anonymous ftp to obtain
the fix from software.watson.ibm.com (129.34.139.5).
Patch Filename Checksum
AIX 3.2 pub/aix3/cronta.tar.Z 02324 154
The patch must be retrieved using binary mode.
- Install the fix following the instructions in the README file.
===========================================================================
SunOS Environment Variables and setuid/setgid Vulnerability
---------------------------------------------------------------------------
Information concerning a vulnerability involving environment variables
and setuid/setgid programs under Sun Microsystems Computer Corporation
SunOS. This vulnerability exists on all Sun architectures running
SunOS 4.0 and higher.
In-house and third-party software can also be impacted by this
vulnerability. For example, the current versions of rnews, sudo,
smount, and npasswd are known to be vulnerable under SunOS. See the
Description section of this advisory for details of how to identify
software which may be vulnerable.
The workaround detailed in this advisory can be used to protect
vulnerable software on SunOS operating system versions for which
patches are unavailable, or for local or third party software which
may be vulnerable.
Sun has provided patches for SunOS 4.1, 4.1.1, and 4.1.2 programs
which are known to be impacted by this vulnerability. They are
available through your local Sun Answer Center as well as through
anonymous ftp from the ftp.uu.net (137.39.1.9) system in the
/systems/sun/sun-dist directory.
Fix PatchID Filename Checksum
login and su 100630-01 100630-01.tar.Z 36269 39
sendmail 100377-04 100377-04.tar.Z 14692 311
Note: PatchID 100630-01 contains the international version of
/usr/bin/login. PatchID 100631-01 contains the domestic version
of /usr/bin/login and is only available from Sun Answer Centers for
sites that use the US Encryption Kit.
Please note that Sun will occasionally update patch files. If you
find that the checksum is different please contact Sun or the CERT/CC
for verification.
---------------------------------------------------------------------------
I. Description
A security vulnerability exists if a set-user-id program changes
its real and effective user ids to be the same (but not to the
invoker's id), and subsequently causes a dynamically-linked program
to be exec'd. A similar vulnerability exists for set-group-id programs.
In particular, SunOS /usr/lib/sendmail, /usr/bin/login,
/usr/bin/su, and /usr/5bin/su are vulnerable to this problem.
II. Impact
Local users can gain unauthorized privileged access to the system.
III. Solution
A. Obtain and install the patches from Sun or from ftp.uu.net following
the provided instructions.
B. The following workaround can be used to protect vulnerable binaries
for which patches are unavailable for your SunOS version,
or for local or third party software which may be vulnerable.
The example given is a workaround for /usr/lib/sendmail.
1. As root, rename the existing version of /usr/lib/sendmail
and modify the permissions to prevent misuse.
# mv /usr/lib/sendmail /usr/lib/sendmail.dist
# chmod 755 /usr/lib/sendmail.dist
2. In an empty temporary directory, create a file wrapper.c
containing the following C program source (remember to
strip any leading white-space characters from the #define lines).
/* Start of C program source */
/* Change the next line to reflect the full pathname
of the file to be protected by the wrapper code */
#define COMMAND "/usr/lib/sendmail.dist"
#define VAR_NAME "LD_"
main(argc,argv,envp)
int argc;
char **argv;
char **envp;
{
register char **cpp;
register char **xpp;
register char *cp;
for (cpp = envp; cp = *cpp;) {
if (strncmp(cp, VAR_NAME, strlen(VAR_NAME))==0) {
for (xpp = cpp; xpp[0] = xpp[1]; xpp++);
/* void */ ;
}
else {
cpp++;
}
}
execv(COMMAND, argv);
perror(COMMAND);
exit(1);
}
/* End of C program source */
3. As root, compile the C program source for the wrapper and
install the resulting binary.
# make wrapper
# mv ./wrapper /usr/lib/sendmail
# chown root /usr/lib/sendmail
# chmod 4711 /usr/lib/sendmail
4. Steps 1 through 3 should be repeated for other vulnerable
programs with the appropriate substitution of pathnames and file
names. The "COMMAND" C preprocessor variable within the C program
source should also be changed to reflect the appropriate renamed
system binary.
---------------------------------------------------------------------------