_____________________________________________________
                 The Computer Incident Advisory Capability
                            ___  __ __    _     ___
                           /       |     / \   /
                           \___  __|__  /___\  \___
      _____________________________________________________

                               ADVISORY NOTICE

                   Vulnerability in SunOS expreserve Utility
 
June 11, 1993 0001 PDT                                         Number D-16
__________________________________________________________________________
PROBLEM:   The expreserve utility allows unauthorized access to system
           files.
PLATFORM:  Sun workstations running SunOS versions 4.1, 4.1.1, 4.1.2, 
           4.1.3, 5.0, 5.1, and 5.2.
DAMAGE:    Local users can gain root access.
SOLUTION:  Disable expreserve immediately, then install patch from Sun.
__________________________________________________________________________
  
         Critical Information about the expreserve Vulnerability

CIAC has learned that the expreserve utility in SunOS versions 4.1,
4.1.1, 4.1.2, 4.1.3, 5.0, 5.1, and 5.2 contains a serious
vulnerability that allows any file on the system to be overwritten.
This vulnerability can be used to obtain root access to the system.
CIAC strongly recommends that the expreserve utility be disabled
immediately, and that patched versions be installed as they become
available.  Sun Microsystems has released patch 101080-01 which
corrects the vulnerability in SunOS 4.x systems.  CIAC will announce
future patches as they become available.

Disabling expreserve
--------------------
To prevent use of the expreserve utility, execute the following command
as root:

                  /bin/chmod a-x /usr/lib/expreserve

The expreserve command normally is used to recover vi editor files
when vi terminates unexpectedly.  Disabling expreserve will disable
this recovery feature.  Users of vi should be advised of this
temporary change and encouraged to save their work frequently.

Patching SunOS version 4.x
--------------------------
Sun Microsystems has made available a patched version of expreserve
for SunOS Versions 4.1, 4.1.1, 4.1.2, and 4.1.3 that corrects this
vulnerability.  It is available both through your local Sun Answer
Center and anonymous ftp.  In the U.S., ftp to ftp.uu.net and retrieve
the file /systems/sun/sun-dist/101080-01.tar.Z.  In Europe, ftp to
mcsun.eu.net and retrieve the file /sun/fixes/101080-01.tar.Z.  After
retrieving the patch, its checksum may be verified using the following
command:

                     /bin/sum 101080-01.tar.Z

The sum command should return a checksum of 45221 13.  Note that Sun
Microsystems occasionally updates patch files, resulting in a changed
checksum.  Should you find that your checksum differs, please contact
CIAC or Sun Microsystems for verification before installing the
patch.

The patch may be extracted using the following commands:

                  /usr/ucb/uncompress 101080-01.tar.Z
                  /bin/tar xvf 101080-01.tar

To install the patch on your system, follow the instructions contained
in the README file that accompanies the patch.

For additional information or assistance, please contact CIAC at
(510)422-8193/FTS or send E-mail to ciac@llnl.gov.  FAX messages to
(510)423-8002/FTS.

CIAC wishes to acknowledge the contributions of the CERT Coordination
Center and Sun Microsystems in the preparation of this bulletin.

Previous CIAC bulletins and other information are available via
anonymous ftp from irbis.llnl.gov (IP 128.115.19.60).

PLEASE NOTE: Many users outside of the DOE and ESnet computing
communities receive CIAC bulletins.  If you are not part of these
communities, please contact your agency's response team to report
incidents.  Your agency's team will coordinate with CIAC.  The Forum
of Incident Response and Security Teams (FIRST) is a world-wide
organization.  A list of FIRST member organizations and their
constituencies can be obtained by sending email to docserver@first.org
with an empty subject line and a message body containing the line:
send first-contacts.

This document was prepared as an account of work sponsored by an
agency of the United States Government.  Neither the United States
Government nor the University of California nor any of their
employees, makes any warranty, expressed or implied, or assumes any
legal liability or responsibility for the accuracy, completeness, or
usefulness of any information, product, or process disclosed, or
represents that its use would not infringe privately owned rights.
Reference herein to any specific commercial products, process, or
service by trade name, trademark manufacturer, or otherwise, does not
necessarily constitute or imply its endorsement, recommendation, or
favoring by the United States Government or the University of
California.  The views and opinions of authors expressed herein do not
necessarily state or reflect those of the United States Government nor
the University of California, and shall not be used for advertising or
product endorsement purposes.