-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

===============================================================================
>>                                                      CERT-NL, 01-Mar-2000 <<
>> All CERT-NL information has been moved to http://cert.surfnet.nl.  Links  <<
>> to CERT-NL information contained in this advisory are therefore outdated. <<
>>                                                                           <<
>> CERT-NL also has stopped the CERT-CC-Mirror service.  Due to this the     <<
>> links to the CERT-CC mirror are obsolete. Visit the CERT-CC site for the  <<
>> complete CERT-CC advisory texts:                     http://www.cert.org  <<
===============================================================================
===============================================================================
Security Advisory                                                       CERT-NL
===============================================================================
Author/Source : CERT-NL (Erik-Jan Bos)                      Index  :    S-93-13
Distribution  : World                                       Page   :          1
Classification: External                                    Version:      Final
Subject       : SunOS/Solaris "expreserve" Vulnerability    Date   :  02-Jul-93
===============================================================================


CERT-NL has received updated patch information concerning a
vulnerability in /usr/lib/expreserve in Sun Microsystems, Inc. (Sun)
operating system (SunOS). This vulnerability affects all sun3 and sun4
architectures and supported versions of SunOS including 4.1, 4.1.1,
4.1.2, 4.1.3, Solaris 2.0 (SunOS 5.0), Solaris 2.1 (SunOS 5.1), and
Solaris 2.2 (SunOS 5.2). This problem has become widely known, and
CERT-NL recommends that sites take action to address this vulnerability
as soon as possible.

Sun has produced a patch for SunOS 4.1, 4.1.1, 4.1.2, and 4.1.3
addressing this vulnerability for sun3 and sun4 architectures.  Sun has
also developed a patch for SunOS 5.x/Solaris 2.x systems. This revised
advisory provides the information for obtaining the patch for SunOS
5.x/Solaris 2.x systems.

A workaround is provided below that can be used on all systems,
including Solaris, until a patch is installed.

The patch can be obtained from local Sun Answer Centers worldwide as
well as through anonymous FTP from the ftp.uu.net (192.48.96.9) system
in the /systems/sun/sun-dist directory.  In Europe, this patch is
available from mcsun.eu.net (192.16.202.1) in the /sun/fixes directory.
SURFnet connected sites are strongly advised to obtain patches from the
SURFnet InfoServer ftp.nic.surfnet.nl [192.87.46.3] in the directory
surfnet/net-security/cert-nl/patches/sun-fixes.

System        Patch ID     Filename           BSD Checksum  Solaris Checksum
- ------        --------     ---------------    -----------   ----------------
SunOS         101080-01    101080-01.tar.Z    45221    13   Not applicable
Solaris 2.0   101119-01    101119-01.tar.Z    47944    27   61863   54 
Solaris 2.1   101089-01    101089-01.tar.Z    07227    27    4501   54 
Solaris 2.2   101090-01    101090-01.tar.Z    02491    27   44985   54 

The checksums shown above are from the BSD-based checksum (on Solaris,
/usr/ucb/sum; on 4.x, /bin/sum) and from the SysV version that Sun
released on Solaris (/usr/bin/sum). Please note that Sun sometimes
updates patch files.  If you find that the checksum is different please
contact Sun or CERT-NL for verification.

- -----------------------------------------------------------------------------

I.   Description

     Expreserve is a utility that preserves the state of a file being
     edited by vi(1) or ex(1) when an edit session terminates abnormally
     or when the system crashes.  A vulnerability exists that allows 
     users to overwrite any file on the system.

II.  Impact

     It is possible to gain root privileges using this vulnerability.

III. Solution

     A.  Obtain and install the appropriate patch according to the 
         instructions included with the patch.

     B.  Until you are able to install the appropriate patch, CERT-NL
         recommends the following workaround be used on all systems.
         This workaround will disable expreserve functionality.
         The result of this workaround is that if vi(1) or ex(1) is running,
         and the sessions are interrupted, the files being edited will not
         be preserved and all edits not explicitly saved by the user will
         be lost.  Users should be encouraged to save their files often.

         As root, remove the execute permissions on the existing
         /usr/lib/expreserve program:

         # /usr/bin/chmod  a-x  /usr/lib/expreserve 
         
- ---------------------------------------------------------------------------
The CERT Coordination Center wishes to thank Christopher Lott of
Universitaet Kaiserslautern for reporting this vulnerability,
and Sun Microsystems, Inc. for their response to this problem.
- ---------------------------------------------------------------------------

CERT-NL wishes to thank CERT Coordination Center for bringing this
information to our attention.


==============================================================================
CERT-NL is the Computer Emergency Response Team for SURFnet customers. SURFnet
is the Dutch network for educational, research and related institutes. CERT-NL
is a member of the Forum of Incident Response and Security Teams (FIRST).

All CERT-NL material is available under:
  http://cert.surfnet.nl/

In case of computer or network security problems please contact your local
CERT/security-team or CERT-NL  (if your institute is NOT a SURFnet customer
please address the appropriate (local) CERT/security-team).

CERT-NL is one/two hour(s) ahead of UTC (GMT) in winter/summer,
i.e. UTC+0100 in winter and UTC+0200 in summer (DST).

   Email:     cert-nl@surfnet.nl     ATTENDED REGULARLY ALL DAYS
   Phone:     +31 302 305 305        BUSINESS HOURS ONLY
   Fax:       +31 302 305 329        BUSINESS HOURS ONLY
   Snailmail: SURFnet bv
              Attn. CERT-NL
              P.O. Box 19035
              NL - 3501 DA  UTRECHT
              The Netherlands

NOODGEVALLEN:    06 22 92 35 64      ALTIJD BEREIKBAAR
EMERGENCIES : +31 6 22 92 35 64      ATTENDED AT ALL TIMES
CERT-NL'S EMERGENCY PHONENUMBER IS ONLY TO BE USED IN CASE OF EMERGENCIES:
THE SURFNET HELPDESK OPERATING THE EMERGENCY NUMBER HAS A *FIXED*
PROCEDURE FOR DEALING WITH YOUR ALERT AND WILL IN REGULAR CASES RELAY IT
TO CERT-NL IN AN APPROPRIATE MANNER. CERT-NL WILL THEN CONTACT YOU.
===============================================================================

-----BEGIN PGP SIGNATURE-----
Version: PGP 6.5.1i

iQA/AwUBOL6WBTSYjBqwfc9jEQKj1wCbBUx424JA+vplgmMb3QCNJsZ9vJkAnjWf
1JXYSIYEJB3Ag+qRywcubkXs
=WRuK
-----END PGP SIGNATURE-----