CERT Advisory 058

eZine lover (@eZine)

Published in 

CERT Advisory

 · 4 years ago

  

 
-----BEGIN PGP SIGNED MESSAGE----- 

=========================================================================== 
CA-93:04a                     CERT Advisory 
                            February 18, 1993 
      REVISION NOTICE: Commodore Amiga UNIX finger Vulnerability 
				    
- --------------------------------------------------------------------------- 

	       *** THIS IS A REVISED CERT ADVISORY *** 
	       *** IT CONTAINS UPDATED INFORMATION *** 

The CERT Coordination Center has received information concerning a 
vulnerability in the "finger" program of Commodore Business Machine's 
Amiga UNIX product.  The vulnerability affects Commodore Amiga UNIX 
versions 1.1, 2.03, 2.1, 2.1p1, 2.1p2, and 2.1p2a.  Commodore is aware 
of the vulnerability, and both a workaround and a patch are available. 
Affected sites should apply either the workaround or the patch, and 
directions are provided below.  

The Commodore contact e-mail address given in CERT Advisory CA-93:04 
was incorrect.  This revised advisory provides the correct e-mail 
address.  If you have any further questions, contact David Miller of 
Commodore via e-mail at davidm@commodore.com. 

- --------------------------------------------------------------------------- 

I.    Description 

      The "finger" command in Amiga UNIX contains a security 
      vulnerability. 

 
II.   Impact 

      Non-privileged users can gain unauthorized access to files. 

 
III.  Solution 

      Commodore has suggested a workaround and a patch, as follows: 

      A. Workaround 

         As root, modify the permission of the existing /usr/bin/finger 
         to prevent misuse. 

                # /bin/chmod 0755 /usr/bin/finger 

      B. Patch 

         As root, install the "pubsrc" package from the distribution tape.  

         In the file, "/usr/src/pub/cmd/finger/src/finger.c", add the line: 

                setuid(getuid()); 

         immediately before the line reading: 

                display_finger(finger_list); 

         (Optionally) save a copy of the existing /usr/bin/finger and modify 
         its permission to prevent misuse. 

                # /bin/mv /usr/bin/finger /usr/bin/finger.orig 
                # /bin/chmod 0755 /usr/bin/finger.orig 

         In the directory, "/usr/src/pub/cmd/finger", issue the command: 

                # cd /usr/src/pub/cmd/finger 
                # make install 

- ------------------------------------------------------------------------------  
The CERT Coordination Center wishes to thank Commodore Business 
Machines for their response to this problem. 
- ------------------------------------------------------------------------------  

If you believe that your system has been compromised, contact the CERT 
Coordination Center or your representative in FIRST (Forum of Incident 
Response and Security Teams). 

Internet E-mail: cert@cert.org 
Telephone: 412-268-7090 (24-hour hotline) 
           CERT personnel answer 7:30 a.m.-6:00 p.m. EST(GMT-5)/EDT(GMT-4), 
           on call for emergencies during other hours. 

CERT Coordination Center 
Software Engineering Institute 
Carnegie Mellon University 
Pittsburgh, PA 15213-3890 

Past advisories, information about FIRST representatives, and other 
information related to computer security are available for anonymous FTP 
from cert.org (192.88.209.5). 

 
-----BEGIN PGP SIGNATURE----- 
Version: 2.6.2 

iQCVAwUBMaMxI3VP+x0t4w7BAQFhUAP/VUG9htXQq0Odl6pAheUVfNFtAOT6ywdb 
mV88uhz3olhWRRIw7fiUgtWKRphs66SajufMyekHEJc3hydopdffwEH0f7HBU0JY 
QDg1wB/2J7LkrHXON4Qbv08MjTsvoorsOOzd/H0a4HPgmG1C+IfL0I/kW9IkjYFv 
l9snJaWOvWQ= 
=HKdP 
-----END PGP SIGNATURE-----