CIAC B-23

Published in

· 4 years ago

  

        _____________________________________________________ 
             The Computer Incident Advisory Capability 
                         ___  __ __    _     ___ 
                        /       |     / \   / 
                        \___  __|__  /___\  \___ 
        _____________________________________________________ 
                         Information Bulletin 

May 1, 1991, 1200 PDT                                     Number B-23 

                   Ultrix V4.0 and V4.1 Vulnerability 
________________________________________________________________________ 
PROBLEM:  /usr/bin/chroot is installed with the setuid bit set. 
PLATFORM: DEC Ultrix V4.0 and V4.1, all architectures. 
DAMAGE:  Allows authorized users to gain unauthorized privileges. 
SOLUTIONS: Fixed in Ultrix V4.2. Manually change file mode of 
        /usr/bin/chroot to 700 for Ultrix V4.0 and V4.1 
IMPACT OF WORKAROUND:  Non-privileged users no longer have access to 
        the chroot command. 
_______________________________________________________________________ 
              Critical /usr/bin/chroot Vulnerability Facts 

CIAC has been advised of a vulnerability in DEC's Ultrix V4.0 and V4.1 
operating systems running on all architectures. DEC is aware of this 
problem, and has corrected it in Ultrix V4.2. The DEC provided fix for 
Ultrix V4.0 and V4.1 is: 

        (login as root) 
        # chmod 700 /usr/bin/chroot 
        # ls -l /usr/bin/chroot 
        (verify the file protections are "-rwx------") 

 
For additional information or assistance, please contact CIAC:    
  
        Hal Brand 
        (415) 422-6312 or (FTS) 532-6312, or 

        Call CIAC at (415) 422-8193 or (FTS) 532-8193 or  
        send e-mail to ciac@cheetah.llnl.gov.   
     
        Send FAX messages to:  (415) 423-0913 or (FTS) 543-0913 
_____ 
The CERT/CC and Digital Equipment Corporation provided information 
contained in this bulletin.  This document was prepared as an account 
of work sponsored by an agency of the United States Government. Neither 
the United States Government nor the University of California nor any 
of their employees, makes any warranty, express or implied, or assumes 
any legal liability or responsibility for the accuracy, completeness, 
or usefulness of any information, apparatus, product, or process 
disclosed, or represents that its use would not infringe privately 
owned rights.  Reference herein to any specific commercial products, 
process, or service by trade name, trademark, manufacturer, or 
otherwise, does not necessarily constitute or imply its endorsement, 
recommendation or favoring by the United States Government or the 
University of California. The views and opinions of authors expressed 
herein do not necessarily state or reflect those of the United States 
Government or the University of California, and shall not be used for 
advertising or product endorsement purposes.