
b-11.ciac-openwindows-selection_svc

Posted Sep 23, 1999


SHA-256 | e8a900870b152940e339e54f57505e588df4ae140d1180ce96eff63698055571


_____________________________________________________
The Computer Incident Advisory Capability
_____________________________________________________
Information Bulletin

OpenWindows 2.0 selection_svc Vulnerability

January 16, 1991, 1700 PST Number B-11

________________________________________________________________________
PROBLEM: Security vulnerability on Sun computers running OpenWindows
2.0 allows theft of critical files.
PLATFORM: SunOS release 4.0.3, 4.1, Sun386i 4.0.1/4.0.2
DAMAGE: Theft of critical system files.
PATCH: Available through anonymous ftp from ftp.uu.net or from Sun
(contact Sun at 1-800-USA4SUN for details). A patch for SunOS
4.0.3 will be available soon.
_______________________________________________________________________
Critical Facts about the OpenWindows 2.0 selection_svc Vulnerability

CIAC has been advised that there is a vulnerability (Sun Bugid 1040747)
in systems running OpenWindows 2.0 in compatibility mode. This problem
is similar in scope to the SunView/SunTools selection_svc vulnerability
described in CIAC Information Bulletin Number A-32, (Sun Bugid 1039576
and Sun Patchid 100085-03), excerpted here:

The SunView/SunTools selection_svc facility may allow a remote user
unauthorized access to selected files from a computer running SunView.
[...] Because the selection_svc process continues to run until
terminated, this vulnerability can be exploited even after a user
changes to another window system after running SunView/SunTools or logs
off the system. (The problem is in SunView/SunTools, however, and not
with other window systems such as X11.)

In essence, the SunView/SunTools bug allows an unauthorized user on a
remote system to read any file that is readable to the user running
SunView. In addition, an unauthorized user on a remote 386i system can
read any file on a workstation running SunView regardless of
protections. Please note that if root runs SunView, all files are
potentially accessible by a remote system.

The threat to OpenWindows is similar to the above. Sun gives more
details:

One of the OpenWindows 2.0 tools uses the same mechanism for displaying
SunView windows in OpenWindows 2.0 in compatibility mode [as the
unfixed SunView/SunTools selection_svc]. This tool "sv_xv_sel_svc"
should be replaced with the new version.

If the password file is world readable, an intruder can copy this file
and attempt to guess passwords. This threat can be eliminated if you
obtain and install a new version of sv_xv_sel_svc from the Sun Answer
Centers or uunet. Binaries for both a Sun3 and Sun4 are available.
The Bugid for this is 1040747 and Patchid is 100184-02. If you obtain
your patch from uunet, please note that the checksum of this
compressed tarfile is 100184-02.tar.Z: 33786 35

The following installation instructions are provided by Sun
Microsystems. (No additional README information will be available from
uunet.)

Patch-ID# 100184-02
Keywords:bugid 1040747
Synopsis: sv_xv_sel_svc and rpc can be used to gain access to system files
Date: 14/Dec/90

SunOS release: 4.0.3 or later
Unbundled Product: Open Windows
Unbundled Release: Version 2

Topic:
BugId's fixed with this patch: 1040747
Architectures for which this patch is available: sun4 sun3
Patches which may conflict with this patch:
Obsoleted by: Open Windows Version 3

Problem Description:
sv_xv_sel_svc and rpc can be used to gain access to system files.

INSTALL:
mv $OPENWINHOME/bin/xview/sv_xv_sel_svc $OPENWINHOME/bin/xview/sv_xv_sel_svc.orig
cp `arch`/sv_xv_sel_svc $OPENWINHOME/bin/xview/sv_xv_sel_svc
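
As an added example (not part of the CIAC bulletin or Sun's README), the checksum comparison and the INSTALL steps above can be scripted so that nothing is replaced unless the tarfile matches. It assumes the quoted "33786 35" is `sum` output (16-bit checksum, then block count), which the bulletin does not state; the function names and argument layout are hypothetical.

```shell
#!/bin/sh
# Added example, not from the bulletin or Sun's README.
# Assumption: "33786 35" is `sum` output: 16-bit checksum, then block count.

# verify_sum FILE CHECKSUM BLOCKS: return 0 only if both values match.
verify_sum() {
    vs_file=$1; vs_sum=$2; vs_blocks=$3
    if [ ! -r "$vs_file" ]; then
        echo "cannot read $vs_file" >&2; return 1
    fi
    # Reading from stdin keeps the file name out of the output.
    set -- $(sum < "$vs_file")
    if [ $# -lt 2 ]; then
        echo "sum produced no output" >&2; return 1
    fi
    if [ "$1" -eq "$vs_sum" ] && [ "$2" -eq "$vs_blocks" ]; then
        return 0
    fi
    echo "checksum mismatch: got $1 $2, want $vs_sum $vs_blocks" >&2
    return 1
}

# install_patch PATCHDIR ARCH OPENWINHOME: the README's mv/cp steps, with
# checks so a re-run cannot overwrite the saved original binary.
install_patch() {
    ip_src=$1/$2/sv_xv_sel_svc
    ip_dst=$3/bin/xview/sv_xv_sel_svc
    if [ ! -f "$ip_src" ]; then
        echo "no patched binary at $ip_src" >&2; return 1
    fi
    if [ ! -f "$ip_dst" ]; then
        echo "nothing to replace at $ip_dst" >&2; return 1
    fi
    if [ -e "$ip_dst.orig" ]; then
        echo "$ip_dst.orig exists; refusing to overwrite it" >&2; return 1
    fi
    mv "$ip_dst" "$ip_dst.orig" || return 1
    # Put the original back if the copy fails, so the tool is never missing.
    cp "$ip_src" "$ip_dst" || { mv "$ip_dst.orig" "$ip_dst"; return 1; }
}

# Usage, after unpacking 100184-02.tar.Z into ./100184-02 (hypothetical path):
#   verify_sum 100184-02.tar.Z 33786 35 &&
#       install_patch ./100184-02 "$(arch)" "$OPENWINHOME"
```

A 16-bit `sum` value only catches transfer corruption; it gives no assurance about who produced the file.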

To obtain this patch from the Sun Answer Center, call your local Sun
answer center, phone (800) USA-4SUN, or send e-mail to:

security-features@sun.com

To reach Sun Microsystems' customer warning system, send e-mail to:

security-alert@sun.com

or leave a message on the voice mail system at (415) 336-7205. Please
also advise CIAC of any new vulnerabilities you may discover.

David S. Brown (415) 423-9878 or (FTS) 543-9878

Send e-mail to ciac@tiger.llnl.gov

Call CIAC at (415) 422-8193 or (FTS) 532-8193, or send FAX messages to
(415) 423-0913 or (FTS) 543-0913. FELIX, the CIAC Bulletin Board, can
be accessed at 1200 or 2400 baud at (415) 423-4753 or (FTS) 543-4753.
(9600 baud access can be obtained from Lawrence Berkeley and Lawrence
Livermore Laboratories at 423-9885.)

This announcement bulletin was prepared with assistance from Dave
Liebreich, Sterling Software @ NASA Ames Research Center. CERT/CC and
Brad Powell of Sun Microsystems provided information included in this
bulletin. Neither the United States Government nor the University of
California nor any of their employees, makes any warranty, expressed
or implied, or assumes any legal liability or responsibility for the
accuracy, completeness, or usefulness of any information, product, or
process disclosed, or represents that its use would not infringe
privately owned rights. Reference herein to any specific commercial
products, process, or service by trade name, trademark, manufacturer, or
otherwise, does not necessarily constitute or imply its endorsement,
recommendation, or favoring by the United States Government or the
University of California. The views and opinions of authors expressed
herein do not necessarily state or reflect those of the United States
Government nor the University of California, and shall not be used for
advertising or product endorsement purposes.
