-----BEGIN PGP SIGNED MESSAGE-----

Subject: Caldera Security Advisory SA-1997.19: Vulnerabilities in NetKit-B

Caldera Security Advisory SA-1997.19
RPM build date:        26-Jul-1997 (for netkit-base)
Advisory issue date:   22-Sep-1997

Topic: Vulnerabilities in NetKit-B

I. Problem Description

  There are several vulnerabilities in the network tools from
  the NetKit-B package.

  rshd, rlogind, and rexecd wouldn't close all file descriptors,
  including that of /etc/shadow. With the right setup, any user
  coming in via rsh or rlogin could thereby read /etc/shadow.

  rshd/rlogind would print different messages for non-existent
  users or wrong password.

  rusersd had some buffer overflows.

  fingerd wouldn't drop privileges if it failed to open /etc/passwd.
  Mostly a theoretical problem because it's quite difficult to
  create a file handle starvation, and there aren't currently any
  known other problems that could be exploited.

  bsd-finger-0.10 fixes a denial of service situation where
  users' .plan or .project files are named pipes.

  netkit-inetd-0.10 fixes an issue with group list handling that
  could cause trouble if inetd were restarted from the command
  line. This is presently believed to be a non-issue but it never
  hurts to be careful.
    
  netkit-inetd-0.10 fixes a denial of service problem with the
  daytime port.

  This release fixes a mistake in rlogind that could have
  security implications (the previous version honored
  hosts.equiv for root, which is contrary to the specification.)
    
  This release also fixes a problem with the PAM support wherein
  it was possible for a remote user to distinguish between
  wrong passwords and nonexistent usernames.

  This release fixes a problem in tftpd that tftp clients could
  exploit to read any file on the system readable by the user
  tftpd ran under.


II. Impact

  NetKit-B was present on the following OpenLinux releases:
    CND 1.0
    Base 1.0
    Lite 1.1
    Base 1.1
    Standard 1.1
  To determine if you are effected and need this update you may do
  the following:
    rpm -q NetKit-B
  If the results show that any version of NetKit-B is installed,
  then you will need to update.

III. Solution

  Replace NetKit-B with the netkit-0.10 packages.
  They can be found on Caldera's ftp site at:

  ftp://www.caldera.com/pub/openlinux/updates/1.1/current/RPMS/
    and
  ftp://www.caldera.com/pub/openlinux/updates/1.1/current/SRPMS/
    for the sources.

  The MD5 checksums (from the "md5sum" command) for these 
  packages are:

1137a1e04fa16170b5a56c2a4ecb965e  RPMS/bsd-finger-0.10-2.i386.rpm
a7cab9168896e683cc942b8bf14d1983  RPMS/netkit-base-0.10-1.i386.rpm
499f0a5fd72c17967271a763812524f4  RPMS/netkit-bootparamd-0.10-1.i386.rpm
d14993032bf1298e6604aaacb34587f3  RPMS/netkit-ftp-0.10-2.i386.rpm
68509512b790106edb4f0331d71c1ac4  RPMS/netkit-ntalk-0.10-1.i386.rpm
a3f6d5f8172c616f623e8e86147f756a  RPMS/netkit-routed-0.10-1.i386.rpm
732ac460d808877e37a10e7b56c744c6  RPMS/netkit-rsh-0.10-3.i386.rpm
e42a6d77ed1ddbc8380b6b4ecdd61613  RPMS/netkit-rusers-0.10-2.i386.rpm
9502e684e8f476dd21e05e37ecc0b1dd  RPMS/netkit-rwall-0.10-3.i386.rpm
441a5b897578f7b9f46ee44f8d5df49e  RPMS/netkit-rwho-0.10-1.i386.rpm
30fb248281c733309ff9a973fcd33c20  RPMS/netkit-telnet-0.10-1.i386.rpm
bb982ac6c87a745717f248e14e7f62f2  RPMS/netkit-tftp-0.10-1.i386.rpm
51bf07055ce92d7a38832289f9cf8e74  RPMS/netkit-timed-0.10-1.i386.rpm
eb0acd95225a4aa27644d9b859ea9931  SRPMS/bsd-finger-0.10-2.src.rpm
94a0d9c6f9c70b2b5ee2a0980903d772  SRPMS/netkit-base-0.10-1.src.rpm
b22471b45e999b64eeef72035ac6d69e  SRPMS/netkit-bootparamd-0.10-1.src.rpm
5712584af2fb1a795a80b200789a9176  SRPMS/netkit-ftp-0.10-2.src.rpm
115f9b638058c761bb5e688c997c275b  SRPMS/netkit-ntalk-0.10-1.src.rpm
85037fba6e8e8e61cae09777ac2c4ba5  SRPMS/netkit-routed-0.10-1.src.rpm
04bb9835a99840a71b2670f39a4addf5  SRPMS/netkit-rsh-0.10-3.src.rpm
d3d4cdf93934f0e0fb4476394ea69737  SRPMS/netkit-rusers-0.10-2.src.rpm
fcadb7fd9c47fd421f80f17a22750370  SRPMS/netkit-rwall-0.10-3.src.rpm
013c01c54398aa693a3319c2dadd26bb  SRPMS/netkit-rwho-0.10-1.src.rpm
377726693dafd2fe03345f94b1b160e8  SRPMS/netkit-telnet-0.10-1.src.rpm
35909f6d4f96c7242c3e5297d9beec35  SRPMS/netkit-tftp-0.10-1.src.rpm
bdc9fff6f6aa2df64c2936acbc9aab29  SRPMS/netkit-timed-0.10-1.src.rpm

  Since these are network applications, it is recommended that
  you bring the system down to single user mode to make
  the changes.  Do the following:

    1)  Login as root from the console of the system when no other users
  are logged on

    2)  Type 'telinit 1' (This will bring the system down to single user
    mode.  You will be prompted to enter the root
    password for maintanance.)

    3)  Enter the root password and change to the directory containing 
        the binary RPMs.

    4)  Type the following:
      rpm -e NetKit-B
        rpm -i netkit-base-0.10-1.i386.rpm
        rpm -i netkit-bootparamd-0.10-1.i386.rpm
        rpm -i netkit-ftp-0.10-2.i386.rpm
        rpm -i netkit-ntalk-0.10-1.i386.rpm
        rpm -i netkit-routed-0.10-1.i386.rpm
        rpm -i netkit-rsh-0.10-3.i386.rpm
        rpm -i netkit-rusers-0.10-2.i386.rpm
        rpm -i netkit-rwall-0.10-3.i386.rpm
        rpm -i netkit-rwho-0.10-1.i386.rpm
        rpm -i netkit-telnet-0.10-1.i386.rpm
        rpm -i netkit-tftp-0.10-1.i386.rpm
        rpm -i netkit-timed-0.10-1.i386.rpm
        rpm -i bsd-finger-0.10-2.i386.rpm

    5)  Logout from the maintenance shell.  (The system will
        return to the default runlevel.)

  Note: after netkit-base-0.10-1 is installed, you will
  see the message, "Please kill and restart inetd manually."
  This message is generated by the RPM.
  Since you are in single user mode, inetd has already been 
  killed.  When you logout, the system will be brought back
  to the default runlevel, and inetd will start again 
  automatically.  Hence, if you upgrade in the manner
  described above, you can ignore this message.

IV. References
                         
  This and other Caldera security resources are located at:

                http://www.caldera.com/tech-ref/security/

  This closes Caldera's internal problem reports #552 and #803.

V. PGP Signature

  This message was signed with the PGP key for <security@caldera.com>.

  This key can be obtained from:
    ftp://ftp.caldera.com/pub/pgp-keys/

  Or on an OpenLinux CDROM under:
    /OpenLinux/pgp-keys/

  $Id: SA-1997.19,v 1.1 1997/09/22 22:08:16 ron Exp $

-----BEGIN PGP SIGNATURE-----
Version: 2.6.2

iQCVAwUBNCbsjen+9R4958LpAQHSjgP/YESA5Hu6SQwiwqcVfe8KPhb73sYrp7VH
uUiRu5uVSa8zJJ3zuVRLRHX6XmcLaxmky9Olk1t02lKE4VQ6HTcFGkUdxR+U7Muh
qVJp5ZJOj7iBZi3w8Td+hEVNBOQ3X53DWVl1g+mfNDYHZTiaESkJIKlNAZHNvTR9
QrnMExID1Ik=
=sQzW
-----END PGP SIGNATURE-----