
S-93-15.asc

Posted Jan 10, 2000

Subject SCO /bin/passwd Vulnerability Date 05-Aug-93

SHA-256 | 23ce39dbf5da0cc9384885fa594500bda49928f68186d99ee4e411a52171404d

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

===============================================================================
>> CERT-NL, 01-Mar-2000 <<
>> All CERT-NL information has been moved to http://cert.surfnet.nl. Links <<
>> to CERT-NL information contained in this advisory are therefore outdated. <<
>> <<
>> CERT-NL also has stopped the CERT-CC-Mirror service. Due to this the <<
>> links to the CERT-CC mirror are obsolete. Visit the CERT-CC site for the <<
>> complete CERT-CC advisory texts: http://www.cert.org <<
===============================================================================
===============================================================================
Security Advisory CERT-NL
===============================================================================
Author/Source : CERT-NL (Don Stikvoort)           Index  : S-93-15
Distribution  : World                             Page   : 1
Classification: External                          Version: Final
Subject       : SCO /bin/passwd Vulnerability     Date   : 05-Aug-93
===============================================================================

CERT-NL has received the following information from CERT Coordination
Center:


- - --- Start of original information

The CERT Coordination Center and the Santa Cruz Operation, Inc., (SCO) have
recently identified a potential for compromising system integrity on several
releases of SCO's Operating Systems. This potential will not allow
unauthorized access to a system, but it may deny legitimate users the ability
to log onto the system.

The releases of SCO product that are affected are as follows:

SCO UNIX System V/386 Release 3.2 Operating System Version 2.0
SCO UNIX System V/386 Release 3.2 Operating System Version 4.0
SCO UNIX System V/386 Release 3.2 Operating System Version 4.0 with
Maintenance Supplement Version 4.1
SCO Open Desktop Release 1.1.x
SCO Open Desktop Release 2.0

Santa Cruz Operation and CERT recommend that sites using these SCO products
take action to eliminate this vulnerability from their systems. This problem
will be corrected in upcoming releases of SCO operating systems.

The Santa Cruz Operation has provided a Support Level Supplement (SLS), as
described below. They have also provided an interim workaround until sites
can obtain and install the Supplement.

If you have any questions about obtaining or installing the security
supplement, contact SCO Support during normal business hours or send
electronic mail to support@sco.com.

USA/Canada: 6am-5pm Pacific Daylight Time (PDT)
-----------
1-800-347-4381 (voice)
1-408-427-5443 (fax)

Pacific Rim, Asia, and Latin American customers: 6am-5pm Pacific Daylight Time (PDT)
------------------------------------------------
1-408-425-4726 (voice)
1-408-427-5443 (fax)

Europe, Middle East, Africa: 9am-5:30pm British Standard Time (BST)
----------------------------
+44 (0)923 816344 (voice)
+44 (0)923 817781 (fax)

- - -----------------------------------------------------------------------------

I. Description

A problem exists in /bin/passwd in the SCO operating system versions
detailed above.

II. Impact

This vulnerability can deny legitimate users the ability to log onto
the system.

III. Solution

The Santa Cruz Operation and CERT recommend that all affected sites
obtain and install the Support Level Supplement. Instructions are
provided below.

The Santa Cruz Operation and CERT also recommend that sites consider
applying the following workaround until they are able to obtain
and install the Support Level Supplement.

A. Workaround

This workaround will prevent users from changing their passwords
until the Support Level Supplement is installed.

As root, modify the permission on the existing /bin/passwd
to prevent misuse.

# /bin/chmod 2110 /bin/passwd

Before installing the update, the permissions should again be reset.
As root, modify the permission on the existing /bin/passwd.

# /bin/chmod 2111 /bin/passwd

B. Supplement

SCO has prepared a Support Level Supplement (SLS) to address this
issue. This is free to all customers, regardless of Support status.
Sites can obtain this update via anonymous FTP from ftp.sco.COM
(132.147.106.6). The files are located in:

Filename           File Contents                 Size      Checksum
/SLS/uod368.Z      Update                        105857    62288
/SLS/uod368.ltr    ASCII Cover letter and        5514      29520
                   installation instructions

The update may also be obtained from SCO via:

-- anonymous UUCP in the /usr/spool/uucppublic/SLS directory
on the SOS bulletin board
-- CompuServe in the SCO Unix Library Section of the SCO Forum
-- hardcopy format (on diskette) from the media department at
SCO Support.
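
Whichever route the files arrive by, the Size and Checksum columns in the table above allow a transfer-integrity check before installation. The following is an added example, not part of the CERT or SCO text. It assumes that "Checksum" is the 16-bit value printed by the Unix sum command; the advisory does not name the algorithm, so both historic variants (BSD and System V) are tried.

```python
# Added example: check a retrieved SLS file against the advisory's table.
# Assumption: "Checksum" is the 16-bit output of sum; the advisory does not
# say which variant, so the BSD and System V algorithms are both computed.

EXPECTED = {  # filename: (size in bytes, checksum), copied from the advisory
    "uod368.Z": (105857, 62288),
    "uod368.ltr": (5514, 29520),
}

def bsd_sum(data: bytes) -> int:
    """16-bit rotate-right-and-add checksum (BSD sum)."""
    c = 0
    for b in data:
        c = (c >> 1) | ((c & 1) << 15)   # rotate right by one bit
        c = (c + b) & 0xFFFF
    return c

def sysv_sum(data: bytes) -> int:
    """16-bit folded byte sum (System V sum)."""
    s = sum(data) & 0xFFFFFFFF
    r = (s & 0xFFFF) + (s >> 16)
    return (r & 0xFFFF) + (r >> 16)

def verify(name: str, data: bytes, expected=EXPECTED):
    """Return (ok, reason) for the named file's contents."""
    if name not in expected:
        return False, "no expected values for " + name
    want_size, want_sum = expected[name]
    # A size mismatch usually means an ASCII-mode or truncated transfer.
    if len(data) != want_size:
        return False, f"size {len(data)} != {want_size}"
    got = {"bsd": bsd_sum(data), "sysv": sysv_sum(data)}
    for algo, value in got.items():
        if value == want_sum:
            return True, f"size and {algo} checksum match"
    return False, f"checksum mismatch: computed {got}, expected {want_sum}"

if __name__ == "__main__":
    import sys
    for path in sys.argv[1:]:
        with open(path, "rb") as fh:
            ok, reason = verify(path.rsplit("/", 1)[-1], fh.read())
        print(("OK   " if ok else "FAIL ") + path + ": " + reason)
```

A 16-bit checksum detects transfer corruption, such as a download made without "binary" set, but it is not a cryptographic integrity check.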

To retrieve and install the SCO Support Level Supplement, you must follow
the instructions below. The detailed instructions described below will
not be included in future advisories.

============================================================================
Beginning of Text provided by SCO
============================================================================

FTP download information:
=========================

You must have a connection to the Internet to use this service, and
should be familiar with the FTP command.

The command to use is:

ftp ftp.sco.COM

or

ftp 132.147.106.6

You will be prompted for a login and password. Log in as "anonymous" and
use your E-MAIL address as the password.

On ftp.sco.COM the fix and the cover letter files are in the ./SLS directory.
You will want to "cd" to this directory, set "binary", and "get" the files
uod368.Z and uod368.ltr.

Note that these files are also available from UUNET via anonymous FTP at
ftp.uu.net in the /sco-archive/SLS directory.

UUCP download information:
==========================

for the USA, Canadian, Pacific Rim, Asia, and Latin American customers:
- - -----------------------------------------------------------------------
Machine name: sosco
UUCP user: uusls (no password)
Modem Phone numbers:
Telebit Trailblazer Plus      408-429-1786    9600 baud
Telebit 1500 V.32, 2@         408-425-3502    2400, 9600 baud
Hayes V Series 9600, 2@       408-427-4470    9600 baud

for Europe, the Middle East, and Africa:
- - ----------------------------------------
Machine name: scolon
UUCP user: uusls
Password: bbsuucp
Modem Phone numbers:
Dowty Trailblazer +44 (0)923 210911

The following information explains how to transfer the SLS from the
machine sosco using UUCP. A similar procedure can be used for scolon,
by changing the Systems file entry appropriately. This information assumes
that you are using an SCO Operating System to download the files. Other
systems may or may not be similar in their UUCP setup.

Before attempting to transfer, you must have a modem configured to dial out
from your computer. For more information on configuring a modem, see the
chapter on "Adding Terminals and Modems" in the System Administrator's
Guide.

Once you have your modem configured for dialing out, you must set up
your UUCP configuration to recognize the SCO system which contains the
files. If you have a 2400 baud or lower speed modem, add the following
line to the end of the "Systems" configuration file in the directory
/usr/lib/uucp:

sosco Any ACU Any 14084253502 ogin:-@-ogin:-@-ogin: uusls

or

sosco Any ACU Any 14084274470 ogin:-@-ogin:-@-ogin: uusls


If you have a Telebit brand modem, use the following line:

sosco Any ACU Any 14084291786 ogin:-@-ogin:-@-ogin: uusls

Once your system is configured, you can use the uucp(C) command to
request files from the remote system. All files for Support Level
Supplements reside in /usr/spool/uucppublic/SLS.

The first file that should be downloaded is "uod368.Z" (the actual fix).
The uucp(C) command to transfer this file into the local directory
/usr/spool/uucppublic on your system would be:

uucp sosco!/usr/spool/uucppublic/SLS/uod368.Z /usr/spool/uucppublic/uod368.Z

(If you are using the C shell command interpreter, you must enter a
backslash character "\" before the exclamation mark "!" to prevent
the C shell history mechanism from intercepting the rest of the
command line.)

Next you would repeat the above procedure for "uod368.ltr" (the
cover letter for the fix).

Obtaining a hard copy of the SLS:
=================================

This SLS is available in hard copy form. Customers should order it from their
Support provider or by calling SCO Support during normal business hours.
Please be sure to ask for "Support Level Supplement UOD368, the Security
Supplement". This is free to all customers, regardless of Support status.

USA/Canada:
-----------
1-800-347-4381 (voice)
1-408-427-5443 (fax)

Pacific Rim, Asia, and Latin American customers:
------------------------------------------------
1-408-425-4726 (voice)
1-408-427-5443 (fax)

Europe, Middle East, Africa:
----------------------------
+44 (0)923 816344 (voice)
+44 (0)923 817781 (fax)


Installation Preparation:
=========================

1. Uncompress the file:

uncompress uod368.Z

2. Format a diskette that is large enough to contain the file
using the format(C) command.

3. Use the dd(C) command to transfer the file to diskette.

dd if=uod368 of=/dev/fd0135ds18        for 3.5" diskettes or

dd if=uod368 of=/dev/fd096ds15         for 5.25" diskettes

Follow the directions in the uod368.ltr file to install the Supplement.

============================================================================
End of Text provided by SCO
============================================================================
- - ---------------------------------------------------------------------------
The CERT Coordination Center wishes to thank Peter Wemm of DIALix Services
for reporting this problem and Chris Durham, Technical Support, The Santa
Cruz Operation, for responding to this problem.
- - ---------------------------------------------------------------------------


- - --- End of original information

CERT-NL gratefully acknowledges CERT Coordination Center for bringing
this information to our attention.

==============================================================================
CERT-NL is the Computer Emergency Response Team for SURFnet customers. SURFnet
is the Dutch network for educational, research and related institutes. CERT-NL
is a member of the Forum of Incident Response and Security Teams (FIRST).

All CERT-NL material is available under:
http://cert.surfnet.nl/

In case of computer or network security problems please contact your local
CERT/security-team or CERT-NL (if your institute is NOT a SURFnet customer
please address the appropriate (local) CERT/security-team).

CERT-NL is one/two hour(s) ahead of UTC (GMT) in winter/summer,
i.e. UTC+0100 in winter and UTC+0200 in summer (DST).

Email: cert-nl@surfnet.nl ATTENDED REGULARLY ALL DAYS
Phone: +31 302 305 305 BUSINESS HOURS ONLY
Fax: +31 302 305 329 BUSINESS HOURS ONLY
Snailmail: SURFnet bv
Attn. CERT-NL
P.O. Box 19035
NL - 3501 DA UTRECHT
The Netherlands

EMERGENCIES: 06 22 92 35 64 ALWAYS REACHABLE
EMERGENCIES : +31 6 22 92 35 64 ATTENDED AT ALL TIMES
CERT-NL'S EMERGENCY PHONENUMBER IS ONLY TO BE USED IN CASE OF EMERGENCIES:
THE SURFNET HELPDESK OPERATING THE EMERGENCY NUMBER HAS A *FIXED*
PROCEDURE FOR DEALING WITH YOUR ALERT AND WILL IN REGULAR CASES RELAY IT
TO CERT-NL IN AN APPROPRIATE MANNER. CERT-NL WILL THEN CONTACT YOU.
===============================================================================

-----BEGIN PGP SIGNATURE-----
Version: PGP 6.5.1i

iQA/AwUBOL6WBjSYjBqwfc9jEQI5/ACdHTq4Q71I3SMrHLnLINWogBOCNZMAnRCy
CEbYGyVAnHoI0KjaH0+ph7Kk
=Hq00
-----END PGP SIGNATURE-----