NO RESTRICTIONS
        _____________________________________________________
             The Computer Incident Advisory Capability
                         ___  __ __    _     ___
                        /       |     / \   /
                        \___  __|__  /___\  \___
        _____________________________________________________
                           INFORMATION BULLETIN 

    Vulnerability In AT&T /usr/etc/rexecd

February 25, 1992, 1100 PDT                               Number C-18

________________________________________________________________________
PROBLEM: A vulnerability exists in AT&T /usr/etc/rexecd
PLATFORM: AT&T TCP/IP Release 4.0 running on SVR4 systems for both the
  386/486 and 3B2 RISC platforms.
DAMAGE: misuse of /usr/etc/rexecd may allow a user on a remote machine
  to run commands as root on the target host (the host running
  the affected /usr/etc/rexecd).
SOLUTIONS: Disable the vulnerable program until a replacement or patch
  is obtained.
________________________________________________________________________
      Critical Information About ATT /usr/etc/rexecd

CIAC has learned of a new vulnerability in AT&T TCP/IP Release
4.0 running on SVR4 systems for both the 386/486 and 3B2 RISC platforms.

The existing error, in the remote execution server /usr/etc/rexecd,
has been corrected, and a new executable for rexecd is available from
AT&T by calling 800-543-9935.  Patches may be obtained outside the
U.S. by calling your local technical support.  The numbers associated
with the fix are 5127 (3.5" media) and 5128 (5.25" media).

Administrators of affected systems should execute, as root, the
following command to immediately turn off access to rexecd until the
new binary can be obtained.

        # chmod 400 /usr/etc/rexecd

You may then obtain and install the new patch.  The fix will be
supplied as one diskette, and it comes with one page of instructions
documenting the procedure for replacing the existing /usr/etc/rexecd
binary.

The problem does not exist in TCP/IP release 3.2 for SVR3, or any
earlier versions of the TCP/IP product running on either the 3B2 or
386 platforms.  In addition, the version of TCP/IP distributed with
SVR4 by UNIX(r) System Laboratories, Inc. (a subsidiary of AT&T) does
not contain this vulnerability.

UNIX(r) is a registered trademark of UNIX System Laboratories, Inc.

For additional information or assistance, please contact CIAC:

  David Brown
  (510) 423-9878/(FTS) 543-9878
  dsbrown@llnl.gov

Call CIAC at (510) 422-8193/(FTS) 532-8193 or send e-mail to
ciac@llnl.gov.  FAX messages to: (510) 423-8002/(FTS) 543-8002.

Previous CIAC bulletins and other information is available via
anonymous ftp from irbis.llnl.gov (ip address 128.115.19.60).  

CIAC would like to thank Bradley E. Smith, Network & Technical
Services, Bradley University, AT&T, and the CERT/CC for assistance
with this bulletin.

PLEASE NOTE: Many users outside of the DOE and ESnet computing
communities receive CIAC bulletins.  If you are not part of these
communities, please contact your agency's response team to report
incidents.  Some of the other teams include the NASA NSI response
team, DARPA's CERT/CC, NAVCIRT, and the Air Force response team.  Your
agency's team will coordinate with CIAC.

Neither the United States Government nor the University of California
nor any of their employees, makes any warranty, expressed or implied,
or assumes any legal liability or responsibility for the accuracy,
completeness, or usefulness of any information, product, or process
disclosed, or represents that its use would not infringe privately
owned rights.  Reference herein to any specific commercial products,
process, or service by trade name, trademark manufacturer, or
otherwise, does not necessarily constitute or imply its endorsement,
recommendation, or favoring by the United States Government or the
University of California.  The views and opinions of authors expressed
herein do not necessarily state or reflect those of the United States
Government nor the University of California, and shall not be used for
advertising or product endorsement purposes.