c-18.ciac-att-rexecd
6dd38ac645d0214043c8badbd3b2875e2a68f33c8b6d1d5e3eb25f681e8573bb
NO RESTRICTIONS
_____________________________________________________
The Computer Incident Advisory Capability
___ __ __ _ ___
/ | / \ /
\___ __|__ /___\ \___
_____________________________________________________
INFORMATION BULLETIN
Vulnerability In AT&T /usr/etc/rexecd
February 25, 1992, 1100 PDT Number C-18
________________________________________________________________________
PROBLEM: A vulnerability exists in AT&T /usr/etc/rexecd
PLATFORM: AT&T TCP/IP Release 4.0 running on SVR4 systems for both the
386/486 and 3B2 RISC platforms.
DAMAGE: misuse of /usr/etc/rexecd may allow a user on a remote machine
to run commands as root on the target host (the host running
the affected /usr/etc/rexecd).
SOLUTIONS: Disable the vulnerable program until a replacement or patch
is obtained.
________________________________________________________________________
Critical Information About ATT /usr/etc/rexecd
CIAC has learned of a new vulnerability in AT&T TCP/IP Release
4.0 running on SVR4 systems for both the 386/486 and 3B2 RISC platforms.
The existing error, in the remote execution server /usr/etc/rexecd,
has been corrected, and a new executable for rexecd is available from
AT&T by calling 800-543-9935. Patches may be obtained outside the
U.S. by calling your local technical support. The numbers associated
with the fix are 5127 (3.5" media) and 5128 (5.25" media).
Administrators of affected systems should execute, as root, the
following command to immediately turn off access to rexecd until the
new binary can be obtained.
# chmod 400 /usr/etc/rexecd
You may then obtain and install the new patch. The fix will be
supplied as one diskette, and it comes with one page of instructions
documenting the procedure for replacing the existing /usr/etc/rexecd
binary.
The problem does not exist in TCP/IP release 3.2 for SVR3, or any
earlier versions of the TCP/IP product running on either the 3B2 or
386 platforms. In addition, the version of TCP/IP distributed with
SVR4 by UNIX(r) System Laboratories, Inc. (a subsidiary of AT&T) does
not contain this vulnerability.
UNIX(r) is a registered trademark of UNIX System Laboratories, Inc.
For additional information or assistance, please contact CIAC:
David Brown
(510) 423-9878/(FTS) 543-9878
dsbrown@llnl.gov
Call CIAC at (510) 422-8193/(FTS) 532-8193 or send e-mail to
ciac@llnl.gov. FAX messages to: (510) 423-8002/(FTS) 543-8002.
Previous CIAC bulletins and other information is available via
anonymous ftp from irbis.llnl.gov (ip address 128.115.19.60).
CIAC would like to thank Bradley E. Smith, Network & Technical
Services, Bradley University, AT&T, and the CERT/CC for assistance
with this bulletin.
PLEASE NOTE: Many users outside of the DOE and ESnet computing
communities receive CIAC bulletins. If you are not part of these
communities, please contact your agency's response team to report
incidents. Some of the other teams include the NASA NSI response
team, DARPA's CERT/CC, NAVCIRT, and the Air Force response team. Your
agency's team will coordinate with CIAC.
Neither the United States Government nor the University of California
nor any of their employees, makes any warranty, expressed or implied,
or assumes any legal liability or responsibility for the accuracy,
completeness, or usefulness of any information, product, or process
disclosed, or represents that its use would not infringe privately
owned rights. Reference herein to any specific commercial products,
process, or service by trade name, trademark manufacturer, or
otherwise, does not necessarily constitute or imply its endorsement,
recommendation, or favoring by the United States Government or the
University of California. The views and opinions of authors expressed
herein do not necessarily state or reflect those of the United States
Government nor the University of California, and shall not be used for
advertising or product endorsement purposes.