c-04.ciac-rdist-vulnerability-on-unix
Posted Sep 23, 1999
systems | unix
SHA-256 | ae03910b95ffd6c96892e3b1c14467a9492b3a48df983f2b050222b6647cb5df
_____________________________________________________
The Computer Incident Advisory Capability (CIAC)
_____________________________________________________
INFORMATION BULLETIN

Vulnerability in the rdist utility on UNIX platforms

October 23, 1991, 1000 PDT Number C-4

-----------------------------------------------------------------------------
PROBLEM: Bug in /usr/ucb/rdist may allow unauthorized file changes
PLATFORM: All UNIX platforms supporting the rdist utility (See Below)
DAMAGE: Could be exploited to create setuid files
SOLUTIONS: Apply the patch supplied by the vendor (see list below) or disallow
access by non-privileged users until a patch is available
-----------------------------------------------------------------------------
Critical Facts about the rdist vulnerability

CIAC has learned of a vulnerability associated with the Berkeley
Software Distribution (BSD) rdist utility. This program can commonly
be found at /usr/ucb/rdist; however, the location may vary depending
on the vendor and system configuration. This vulnerability may allow
unauthorized system modification by non-privileged users. This
vulnerability appears to be in all versions of rdist shipped by
vendors supporting this utility to date.

VENDORS THAT DO NOT SHIP /usr/ucb/rdist
(Note: Even though these vendors do not ship rdist, it may have been
added later (for example, by the system administrator). It is
also possible that vendors porting one of these operating systems
may have added rdist. In both cases corrective action must be taken.)

Amdahl
AT&T System V
Data General

The following list of vendors will supply a patched version of rdist
to replace the vulnerable version.

Cray Research, Inc. UNICOS 6.0/6.E/6.1 Field Alert #132 SPR 47600

For further information contact the Support Center at 1-800-950-CRAY or
612-683-5600 or e-mail support@crayamid.cray.com.

NeXT Computer, Inc. NeXTstep Release 2.x

A new version of rdist may be obtained from your
authorized NeXT Support Center. If you are an authorized
support center, please contact NeXT through your normal
channels. NeXT also plans to make this new version of
rdist available on the public NeXT FTP archives.

Silicon Graphics IRIX 3.3/4.0/4.0.1

Patches may be obtained via anonymous ftp from sgi.com in the
sgi/rdist directory.

Sun Microsystems, Inc. SunOS 4.0.3/4.1/4.1.1 Patch ID 100383-02

Patches may be obtained via anonymous ftp from ftp.uu.net or from local
Sun Answer Centers worldwide.

If there is no patch available yet for your system, CIAC recommends
that you modify the execute permission of the rdist utility so that
unprivileged users cannot execute it with privilege. To do this, locate the
rdist file (usually located in /usr/ucb/rdist) and execute the following as
root:

chmod 711 /usr/ucb/rdist

Mode 711 clears the setuid bit on the binary, so the impact of this
workaround is that non-privileged users and programs will not be able to
execute the rdist utility as root.
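The workaround above, written up as an added POSIX shell helper (not part of the CIAC bulletin): it locates rdist, checks whether the setuid bit is set, applies the bulletin's chmod 711, and verifies the result. It also goes one step beyond the bulletin with a setuid-file listing, since the stated damage is creation of setuid files and a baseline of such files is what a defender would compare against. Function names (find_rdist, is_setuid, apply_rdist_workaround, list_setuid) and the candidate paths are assumptions.

```shell
#!/bin/sh
# Added example; helper names are hypothetical, not from the bulletin.

# Locate rdist. The bulletin says the location varies by vendor, so try
# the usual BSD path first, then a few others, then the shell's PATH.
find_rdist() {
  for p in /usr/ucb/rdist /usr/bin/rdist /bin/rdist; do
    [ -f "$p" ] && { printf '%s\n' "$p"; return 0; }
  done
  command -v rdist 2>/dev/null
}

# True (exit 0) if the file carries the set-user-ID bit (POSIX test -u).
is_setuid() { [ -u "$1" ]; }

# Apply the bulletin's workaround to one rdist path. Mode 711 keeps rwx for
# the owner (root) and execute-only for everyone else, and drops the setuid
# bit, so rdist still runs but no longer runs as root for ordinary users.
# Returns 0 when the file is not setuid afterwards, 2 if it does not exist.
apply_rdist_workaround() {
  f=$1
  [ -f "$f" ] || { echo "no such file: $f" >&2; return 2; }
  if is_setuid "$f"; then
    chmod 711 "$f" || return 1
    echo "cleared setuid on $f"
  else
    echo "$f is not setuid; nothing to do"
  fi
  ! is_setuid "$f"
}

# Detection aid: list setuid regular files under a tree (same filesystem
# only). Save the output as a baseline and diff it periodically; a new
# entry is exactly the kind of unauthorized change the bulletin describes.
list_setuid() { find "$1" -xdev -type f -perm -4000 2>/dev/null | sort; }

# Stand-alone use: apply the workaround to whatever rdist is found.
if [ "${RDIST_AUDIT_MAIN:-0}" = 1 ]; then
  r=$(find_rdist) && apply_rdist_workaround "$r"
fi
```

Run with RDIST_AUDIT_MAIN=1 as root to apply the workaround; without it the file only defines the functions so it can be sourced.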

Please contact CIAC for assistance.

David Brown
(510) 423-9878**/(FTS) 543-9878
dsbrown@llnl.gov

Send e-mail to ciac@llnl.gov or call CIAC at (510) 422-8193**/(FTS)
532-8193. FAX messages to: (510) 423-8002**/(FTS) 543-8002.

Previous CIAC bulletins and other information are available via
anonymous ftp from irbis.llnl.gov (IP address 128.115.19.60).

**Note area code has changed from 415, although the 415 area code will
work until Jan. 1992.

CIAC would like to thank Barbara Fraser of the Computer Emergency
Response Team/Coordination Center for some of the information provided
in this bulletin. Neither the United States Government nor the
University of California nor any of their employees, makes any
warranty, expressed or implied, or assumes any legal liability or
responsibility for the accuracy, completeness, or usefulness of any
information, product, or process disclosed, or represents that its use
would not infringe privately owned rights. Reference herein to any
specific commercial products, process, or service by trade name,
trademark manufacturer, or otherwise, does not necessarily constitute
or imply its endorsement, recommendation, or favoring by the United
States Government or the University of California. The views and
opinions of authors expressed herein do not necessarily state or
reflect those of the United States Government nor the University of
California, and shall not be used for advertising or product
endorsement purposes.