
a-32.ciac-sunview-suntools
Posted Sep 23, 1999

SHA-256 | 129a85dab13128cfdaa7927556dd1bffb72980609893e56c90c44992cb6386e1

________________________________________________________________________
THE COMPUTER INCIDENT ADVISORY CAPABILITY

CIAC

INFORMATION BULLETIN
________________________________________________________________________

SunView/SunTools selection_svc Vulnerability

August 23, 1990, 1600 PST Number A-32

CIAC has been advised that there is a vulnerability (Sun Bug ID
1039576) in systems running SunView under SunOS 4.x (or SunTools under
SunOS 3.x). The SunView/SunTools selection_svc facility may allow a
remote user unauthorized access to selected files from a computer
running SunView. The problem exists in Sun3 and Sun4 platforms
running SunOS 3.x, 4.0, 4.0.1, 4.0.3, and 4.1 as well as 386i platforms
running SunOS 4.0, 4.01, and 4.0.2. Because the selection_svc process
continues to run until terminated, this vulnerability can be exploited
even after a user changes to another window system after running
SunView/SunTools or logs off the system. (The problem is in
SunView/SunTools, however, and not with other window systems such as
X11.) CERT/CC provides additional details:

On Sun3 and Sun4 systems, a remote system can read any file that is
readable to the user running SunView. On the 386i, a remote system
can read any file on the workstation running SunView regardless of
protections. Note that if root runs SunView, all files are
potentially accessible by a remote system. If the password file with
the encrypted passwords is world readable, an intruder can take the
password file and attempt to guess passwords.
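
Added example, not part of the CIAC bulletin or Sun's patch: because selection_svc keeps running after the user leaves SunView or logs off, this check lists every selection_svc process and reports whether its owner still has a login session. It assumes BSD-style `ps aux` columns and `who` output with the user name first; the sample listings are constructed.

```shell
#!/bin/sh
# Added example: report selection_svc processes and whether the owner is logged in.
# Assumption: BSD-style `ps aux` layout (USER PID ... START TIME COMMAND).

# Constructed sample listings, not captured from a real host.
SAMPLE_PS='USER PID %CPU %MEM SZ RSS TT STAT START TIME COMMAND
root 1 0.0 0.0 52 0 ? IW Aug 20 0:00 /sbin/init -
alice 214 0.0 0.4 104 168 co S 09:12 0:01 selection_svc
alice 220 0.0 1.1 312 480 co S 09:12 0:04 sunview
bob 377 0.0 0.4 104 160 ? I Aug 22 0:00 selection_svc
root 502 0.0 0.4 104 164 ? I Aug 21 0:00 /usr/bin/selection_svc
root 401 0.0 0.3 88 120 p0 S 10:02 0:00 grep selection_svc'

SAMPLE_WHO='alice    console Aug 23 09:11
carol    ttyp0   Aug 23 10:01'

# $1 = ps listing, $2 = who listing; prints "user pid state [root-owned]".
find_selection_svc() {
    printf '%s\n' "$1" | WHO_TEXT="$2" awk '
        BEGIN {
            # Build the set of users that currently have a session.
            n = split(ENVIRON["WHO_TEXT"], lines, "\n")
            for (i = 1; i <= n; i++) {
                if (split(lines[i], f, " ") > 0) logged[f[1]] = 1
            }
        }
        NR == 1 { next }                      # skip the header row
        {
            # START is "09:12" (one field) or "Aug 22" (two fields),
            # so the command name is field 11 or field 12.
            c = ($9 ~ /^[A-Z][a-z][a-z]$/) ? 12 : 11
            cmd = $c
            sub(/^.*\//, "", cmd)             # basename of argv[0]
            if (cmd != "selection_svc") next  # ignores "grep selection_svc"
            state = ($1 in logged) ? "owner-logged-in" : "owner-logged-out"
            flag = ($1 == "root") ? " root-owned" : ""
            printf "%s %s %s%s\n", $1, $2, state, flag
        }'
}

# On a live host: find_selection_svc "$(ps aux)" "$(who)"
find_selection_svc "$SAMPLE_PS" "$SAMPLE_WHO"
```

Any process reported as owner-logged-out is a leftover from an earlier SunView session and can be terminated; a root-owned one corresponds to the case the bulletin describes where all files are potentially accessible.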

A patch for this vulnerability is available for Sun 4.x systems. Call
your local Sun answer center, phone (800) USA-4SUN, anonymous ftp into
sun-fixes on uunet.uu.net, or send e-mail to:

security-features@sun.com

Sun Microsystems has recently established a customer warning system for
reporting new vulnerabilities and disseminating relevant information.
Send e-mail to:

security-alert@sun.com

or leave a message on the voice mail system at (415) 336-7205. Please
also advise CIAC of any new vulnerabilities you may discover.

For additional information or assistance, please contact CIAC:

David Brown
(415) 423-9878 or (FTS) 543-9878
FAX: (415) 423-0913, (FTS) 543-0913 or (415) 422-4294

CIAC's 24-hour emergency hot-line number is (415) 971-9384. If you
call the emergency number and there is no answer, please let the number
ring until voice mail comes on. Please leave a voice mail message;
someone will return your call promptly. You may send e-mail to:

ciac@tiger.llnl.gov

CERT/CC and Brad Powell of Sun Microsystems provided information
included in this bulletin. Neither the United States Government nor
the University of California nor any of their employees, makes any
warranty, expressed or implied, or assumes any legal liability or
responsibility for the accuracy, completeness, or usefulness of any
information, product, or process disclosed, or represents that its use
would not infringe privately owned rights. Reference herein to any
specific commercial products, process, or service by trade name,
trademark, manufacturer, or otherwise, does not necessarily constitute
or imply its endorsement, recommendation, or favoring by the United
States Government or the University of California. The views and
opinions of authors expressed herein do not necessarily state or
reflect those of the United States Government nor the University of
California, and shall not be used for advertising or product
endorsement purposes.
