CS-96.06
f925dca73a4760d925c80dd185235247e2e963dce4570cf2fea5a089a519b0e1
-----BEGIN PGP SIGNED MESSAGE-----
- ----------------------------------------------------------------------------
CERT(*) Summary CS-96.6
November 26, 1996
Last Revised: October 2, 1997
Updated copyright statement
The CERT Coordination Center periodically issues the CERT Summary to
draw attention to the types of attacks currently being reported to our
Incident Response Team. The summary includes pointers to sources of
information for dealing with the problems. We also list new or updated
files that are available for anonymous FTP from
ftp://info.cert.org/pub/
Past CERT Summaries are available from
ftp://info.cert.org/pub/cert_summaries/
- ----------------------------------------------------------------------------
Recent Activity
- ---------------
Since the September CERT Summary, we have noticed these continuing trends
in incidents reported to us.
1. cgi-bin/phf Exploits
We continue to see frequent reports of attempts to exploit the vulnerability
in the CGI example program "phf". The phf program, which is installed by
default with several implementations of httpd servers, contains a weakness
that can allow intruders to execute arbitrary commands on the server. The
most common attack involves an attempt to retrieve the httpd server's
/etc/passwd file, and sample scripts for exploiting this vulnerability in phf
have been widely posted on the Internet.
While we are encouraged to see that the majority of the recently reported
attacks have failed (because the attacked sites had already removed the phf
program), the steady reports of continuing attacks indicate that these phf
exploits are still being widely attempted.
For more information about this vulnerability, see
ftp://info.cert.org/pub/cert_advisories/CA-96.06.cgi_example_code
For related information about protecting your password files, please see
ftp://info.cert.org/pub/tech_tips/passwd_file_protection
2. Continuing Linux Exploits
We continue to see incidents in which Linux machines have been the victims
of root compromises. In many of these incidents, the compromised systems
were unpatched or misconfigured, and the intruders exploited well-known
vulnerabilities for which CERT advisories have been published.
If you are running Linux, we strongly urge you to keep current with all
security patches and workarounds. If your system has been root compromised,
we also recommend that you review
ftp://info.cert.org/pub/tech_tips/root_compromise
Further, you may want to monitor the Linux newsgroups and mailing lists for
security patches and workarounds. More information can be found at
http://bach.cis.temple.edu/linux/linux-security/
- ----------------------------------
What's New in the CERT FTP Archive
- ----------------------------------
We have made the following changes since the last CERT Summary (September 24,
1996).
* New Additions
ftp://info.cert.org/pub/cert_advisories/
CA-96.22.bash_vuls Addresses two problems with the GNU
Project's Bourne Again SHell (bash):
one in yy_string_get() and one in
yy_readline_get().
CA-96.23.workman_vul Describes a vulnerability in the
WorkMan compact disc-playing program
that affects UNIX System V Release 4.0
and derivatives and Linux systems.
CA-96.24.sendmail.daemon.mode Addresses a vulnerability that allows
intruders to gain root
privileges. Includes patch and upgrade
information.
ftp://info.cert.org/pub/cert_bulletins/
VB-96.17.linux Linux Security FAQ Update from
Alexander Yuriev. Includes information
about a mount/umount vulnerability.
VB-96.18.sun Addresses vulnerabilities in the libc
and libnsl libraries of Solaris 2.5
(SunOS 5.5) and Solaris 2.5.1
(SunOS 5.5.1) from Sun Microsystems,
Inc. Includes patch information.
ftp://info.cert.org/pub/latest_sw_versions/
bash Added information on bash 1.14.7.
sendmail Added information on sendmail 8.8.3.
* Updated Files
ftp://info.cert.org/pub/
Sysadmin_Tutorial.announcement Added date of next course offering.
ftp://info.cert.org/pub/cert_advisories/
CA-94:01.ongoing.network.monitoring.attacks
Clarified introductory
information. Added a pointer to the
CERT tech tip on root compromises.
CA-95:02.binmail.vulnerabilities Removed Appendices B & C, which
contained outdated information. In
section B, added information that
mail.local is now part of
sendmail. Added a pointer to sendmail.
CA-96.09.rpc.statd Updated information from Silicon
Graphics Inc.
CA-96.20.sendmail_vul Added a pointer to CA-96.24.
CA-96.21.tcp_syn_flooding Revised second paragraph of
introduction for clarity. Added new
information for Silicon Graphics
Inc. (SGI), Berkeley Software Design,
Inc. (BSDI), Sun Microsystems, Inc.
Revised appendix information on
reserved private network
numbers. Added pointer to information
in ftp://info.cert.org/pub/vendors.
CA-96.22.bash_vuls Added Appendix A containing
information from IBM Corporation,
LINUX, and Silicon Graphics,
Inc. (SGI). Removed patch for problem
in yy_readline_get, as the problem
described for yy_string_get is not
exploitable for yy_readline_get.
ftp://info.cert.org/pub/tools/mail.local/
README Added information that mail.local is
now a part of sendmail. Added a
pointer to sendmail.
ftp://info.cert.org/pub/tools/sendmail/
sendmail.8.8.3.patch
sendmail.8.8.3.tar.Z
sendmail.8.8.3.tar.gz
sendmail.8.8.3.tar.sig
ftp://info.cert.org/pub/vendors/hp/
HP.contact_info Replaced instructions for subscribing
by email with the new URLs people must
use.
- ---------------------------------------------------------------------------
How to Contact the CERT Coordination Center
Email cert@cert.org
Phone +1 412-268-7090 (24-hour hotline)
CERT personnel answer 8:30-5:00 p.m. EST
(GMT-5)/EDT(GMT-4), and are on call for
emergencies during other hours.
Fax +1 412-268-6989
Postal address
CERT Coordination Center
Software Engineering Institute
Carnegie Mellon University
Pittsburgh PA 15213-3890
USA
To be added to our mailing list for CERT advisories and bulletins, send your
email address to
cert-advisory-request@cert.org
CERT advisories and bulletins are posted on the USENET news group
comp.security.announce
CERT publications, information about FIRST representatives, and other
security-related information are available for anonymous FTP from
http://www.cert.org/
ftp://info.cert.org/pub/
If you wish to send sensitive incident or vulnerability information to CERT
staff by electronic mail, we strongly advise you to encrypt your message.
We can support a shared DES key or PGP. Contact the CERT staff for more
information.
Location of CERT PGP key
ftp://info.cert.org/pub/CERT_PGP.key
- ------------------------------------------------------------------------------
Copyright 1996 Carnegie Mellon University. Conditions for use, disclaimers,
and sponsorship information can be found in
http://www.cert.org/legal_stuff.html and ftp://ftp.cert.org/pub/legal_stuff .
If you do not have FTP or web access, send mail to cert@cert.org with
"copyright" in the subject line.
CERT is registered in the U.S. Patent and Trademark Office.
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
Revision History:
Oct 02, 1997 Updated copyright history
-----BEGIN PGP SIGNATURE-----
Version: 2.6.2
iQCVAwUBNDgCFXVP+x0t4w7BAQH4kAP+MpxqZxWSPOsdIbNNnq+gCri7vzzFbyMq
spt1s0B1/3nOLXW9chKrjEVa+/ovCLR32ajiqX3or8jtoqZF7S7TwbGByg3//wyc
ICqoSNMoiny4A6KgSfxQ4H2UBF0nlDDRJwOTlC+w7WelnmWWlqrzSvqclOKB8llF
NDmVncj1oJs=
=Shb0
-----END PGP SIGNATURE-----