_____________________________________________________
The Computer Incident Advisory Capability
CIAC
_____________________________________________________
INFORMATION BULLETIN
Vulnerability in the rdist utility on UNIX platforms
October 23, 1991, 1000 PDT Number C-4
-----------------------------------------------------------------------------
PROBLEM:   Bug in /usr/ucb/rdist may allow unauthorized file changes
PLATFORM:  All UNIX platforms supporting the rdist utility (see below)
DAMAGE:    Could be exploited to create setuid files
SOLUTIONS: Apply the patch supplied by the vendor (see list below), or disallow
           access by non-privileged users until a patch is available
-----------------------------------------------------------------------------
Critical Facts about the rdist vulnerability
CIAC has learned of a vulnerability associated with the Berkeley
Software Distribution (BSD) rdist utility. This program can commonly
be found at /usr/ucb/rdist; however, the location may vary depending
on the vendor and system configuration. This vulnerability may allow
unauthorized system modification by non-privileged users. This
vulnerability appears to be in all versions of rdist shipped by
vendors supporting this utility to date.
VENDORS THAT DO NOT SHIP /usr/ucb/rdist
(Note: Even though these vendors do not ship rdist, it may have been
added later (for example, by the system administrator). It is
also possible that vendors porting one of these operating systems
may have added rdist. In both cases corrective action must be taken.)
Amdahl
AT&T System V
Data General
The following list of vendors will supply a patched version of rdist
to replace the vulnerable version.

Cray Research, Inc.      UNICOS 6.0/6.E/6.1    Field Alert #132 SPR 47600
For further information contact the Support Center at 1-800-950-CRAY or
612-683-5600 or e-mail support@crayamid.cray.com.

NeXT Computer, Inc.      NeXTstep Release 2.x
A new version of rdist may be obtained from your authorized NeXT Support
Center. If you are an authorized support center, please contact NeXT
through your normal channels. NeXT also plans to make this new version of
rdist available on the public NeXT FTP archives.

Silicon Graphics         IRIX 3.3/4.0/4.0.1
Patches may be obtained via anonymous ftp from sgi.com in the
sgi/rdist directory.

Sun Microsystems, Inc.   SunOS 4.0.3/4.1/4.1.1  Patch ID 100383-02
Patches may be obtained via anonymous ftp from ftp.uu.net or from local
Sun Answer Centers worldwide.
If there is no patch available yet for your system, CIAC recommends
that you modify the execute permission of the rdist utility so that
unprivileged users cannot execute it. To do this, locate the rdist
file (usually located in /usr/ucb/rdist) and execute the following as
root:

    chmod 711 /usr/ucb/rdist

The impact of this workaround is that non-privileged users and
programs will not be able to execute the rdist utility as root.
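A small shell check for the workaround above, added here as an example and not part of the CIAC bulletin: it reports whether a candidate rdist binary still carries the setuid bit and applies the bulletin's chmod 711. The /usr/bin/rdist path is an assumed alternative location; the bulletin itself names only /usr/ucb/rdist.

```shell
#!/bin/sh
# Added example, not from the CIAC bulletin. Audits candidate rdist paths
# for the setuid bit and applies the bulletin's mitigation (chmod 711).
# Candidate paths: /usr/ucb/rdist (from the bulletin) and /usr/bin/rdist
# (assumed alternative); adjust for your system.

# setuid_file PATH: exit 0 when PATH is a regular file with the setuid bit
# set, 1 otherwise. `test -u` is POSIX, so this works on BSD and SysV sh.
setuid_file() {
    [ -f "$1" ] && [ -u "$1" ]
}

# owner_is_root PATH: exit 0 when PATH is owned by root (a setuid rdist is
# only dangerous as root). Uses POSIX find -user; no descent because PATH
# is a regular file.
owner_is_root() {
    [ -f "$1" ] && [ -n "$(find "$1" -user root -print 2>/dev/null)" ]
}

# apply_workaround PATH: the bulletin's mitigation. chmod 711 replaces the
# whole mode, so the setuid (4000) bit is dropped. Run as root on the real
# binary.
apply_workaround() {
    chmod 711 "$1"
}

# audit_rdist PATH...: one status line per path. Exit 0 when no setuid
# rdist was found, 1 when at least one path still needs attention.
audit_rdist() {
    found=0
    for p in "$@"; do
        if [ ! -f "$p" ]; then
            printf '%s: not present\n' "$p"
        elif setuid_file "$p"; then
            if owner_is_root "$p"; then
                printf '%s: SETUID ROOT - apply vendor patch or chmod 711\n' "$p"
            else
                printf '%s: setuid (not root-owned) - review\n' "$p"
            fi
            found=1
        else
            printf '%s: not setuid\n' "$p"
        fi
    done
    return $found
}

# Interactive use, as root:
#   audit_rdist /usr/ucb/rdist /usr/bin/rdist
#   apply_workaround /usr/ucb/rdist
```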
Please contact CIAC for assistance.
David Brown
(510) 423-9878**/(FTS) 543-9878
dsbrown@llnl.gov
Send e-mail to ciac@llnl.gov or call CIAC at (510) 422-8193**/(FTS)
532-8193. FAX messages to: (510) 423-8002**/(FTS) 543-8002.
Previous CIAC bulletins and other information are available via
anonymous ftp from irbis.llnl.gov (ip address 128.115.19.60).
**Note area code has changed from 415, although the 415 area code will
work until Jan. 1992.
CIAC would like to thank Barbara Fraser of the Computer Emergency
Response Team/Coordination Center for some of the information provided
in this bulletin. Neither the United States Government nor the
University of California nor any of their employees, makes any
warranty, expressed or implied, or assumes any legal liability or
responsibility for the accuracy, completeness, or usefulness of any
information, product, or process disclosed, or represents that its use
would not infringe privately owned rights. Reference herein to any
specific commercial products, process, or service by trade name,
trademark manufacturer, or otherwise, does not necessarily constitute
or imply its endorsement, recommendation, or favoring by the United
States Government or the University of California. The views and
opinions of authors expressed herein do not necessarily state or
reflect those of the United States Government nor the University of
California, and shall not be used for advertising or product
endorsement purposes.