ciacfy94.txt
Posted Sep 23, 1999

SHA-256 | 65fba83cf19424304261b63bf8d07c9edd9e9cd61ef6bd854824e34d5ada682e
CIAC documents FY 1994
Series E

intro.txt ciac-introduction-to
cdb.txt CIAC-Virus-Database-11-93
ciacreq.txt ciac-doe requirements
HPACCESS.TXT how-to-download-HP-patches
xtermpat.txt xterm-patch-status

e-01.txt ciac-sun-sendmail-tar-audio-vulnerabilities
e-03.txt ciac-unix-sendmail-vulnerabilities
e-04.txt ciac-xterm-logfile-vulnerability
e-05.txt ciac-sunos-solbourne-loadmodule-modload-vulnerability
e-06.txt ciac-solaris-system-startup-vulnerability
e-07.txt ciac-unix-sendmail-update
e-08.txt ciac-restricted-distribution
e-09.txt ciac-network-monitoring-attacks
e-11.txt ciac-lotus-ccmail-security-upgrade
e-12.txt ciac-network-monitoring-attacks-update
e-13.txt ciac-patches-for-etc-utmp-vulnerability
e-14.txt ciac-wuarchive-ftpd-trojan-horse
e-15.txt ciac-restricted-distribution
e-16.txt ciac-restricted-distribution
e-17.txt ciac-ftp-daemon-vulnerabilities
e-18.txt ciac-sun-automountd-patch
e-19.txt ciac-nvir-a-virus-on-CD-ROM
e-20.txt ciac-chinon-cd-it.zip-trojan
e-21.txt ciac-restricted-distribution
e-22.txt ciac-restricted-distribution
e-23.txt ciac-HP-Vue-3.0
e-24.txt ciac-patches-for-ULTRIX-DECnet_ULTRIX-OSF_1
e-25.txt ciac-BSD-lpr-vulnerability-in-SGI-IRIX
e-26.txt ciac-UNIX-bin-login-vulnerability
e-27.txt ciac-restricted-distribution
e-28.txt ciac-restricted-distribution
e-29.txt ciac-IBM-AIX-bsh-queue-vulnerability
e-30.txt ciac-Majordomo-vulnerabilities
e-31.txt ciac-sendmail-d-oE-vulnerabilities
e-32.txt ciac-KAOS4-virus
e-33.txt
e-34.txt ciac One_half virus (MS-DOS)

_____________________________________________________
The Computer Incident Advisory Capability
___ __ __ _ ___
/ | / \ /
\___ __|__ /___\ \___
_____________________________________________________

ADVISORY NOTICE

(1) Security vulnerability in sendmail under SunOS 4.1.x and 5.x
(2) Security vulnerability in tar under SunOS 5.x
(3) Potential misuse of Sun microphones

October 21, 1993 1130 PDT Number E-01

__________________________________________________________________________
(1) Security vulnerability in sendmail under SunOS 4.1.x and 5.x

PROBLEM: Remote users may access system files using sendmail.
PLATFORM: SunOS 4.1.x and SunOS 5.x (Solaris 2.x).
DAMAGE: Unauthorized access to system files.
SOLUTION: Apply appropriate patch from Sun.
__________________________________________________________________________

Critical Information about Security Vulnerability in sendmail

The /usr/lib/sendmail utility under SunOS 4.1.x and SunOS 5.x permits
unauthorized access to some system files by remote users. This access may
allow compromise of the system. Note that this vulnerability is being
actively exploited. CIAC strongly recommends that sites take immediate
corrective action.

Sun Microsystems has released patched versions of the sendmail program
for all affected versions of SunOS:

                                              BSD          SVR4
System       Patch ID   Filename          Checksum     Checksum
-----------  ---------  ---------------   ---------    ----------
SunOS 4.1.x  100377-07  100377-07.tar.Z   36122 586    11735 1171
SunOS 5.1    100840-03  100840-03.tar.Z   01153 194    39753 388
SunOS 5.2    101077-03  101077-03.tar.Z   49343 177    63311 353

The checksums shown above are from the BSD-based checksum (on SunOS 4.1.x,
/bin/sum; on SunOS 5.x, /usr/ucb/sum) and from the SVR4 version that Sun
has released on SunOS 5.x (/usr/bin/sum).

Individuals with support contracts may obtain these patches from their
local Sun Answer Center or from SunSolve Online. Security patches are
also available without a support contract via anonymous FTP from
ftp.uu.net (IP 192.48.96.9) in the directory /systems/sun/sun-dist.


__________________________________________________________________________
(2) Security vulnerability in tar under SunOS 5.x

PROBLEM: Archives created with the tar utility contain extraneous
user information.
PLATFORM: SunOS 5.x (Solaris 2.x).
DAMAGE: User and system information may be unintentionally disclosed.
SOLUTION: Apply appropriate patch from Sun.
__________________________________________________________________________

Critical Information about Security Vulnerability in tar

Archive files created with the /bin/tar utility under SunOS 5.x contain
extraneous user information from the /etc/passwd and /etc/group files.
Note that the extraneous data does not include user passwords; however,
system configuration and user information may be unintentionally disclosed
should the archive files be distributed.

Sun Microsystems has released patched versions of the tar utility for all
affected versions of SunOS. The patched tar utility produces archive
files in the same format as all other versions; but any extraneous data is
set to zero. Restoring an existing archive file to disk, and then creating
a new file with the patched tar, will result in a clean archive file with
no extraneous data.

                                              BSD          SVR4
System       Patch ID   Filename          Checksum     Checksum
-----------  ---------  ---------------   ---------    ----------
SunOS 5.1    100975-02  100975-02.tar.Z   37034 374    13460 747
SunOS 5.2    101301-01  101301-01.tar.Z   22089 390    4703 779

The checksums shown above are from the BSD-based checksum (on SunOS 4.1.x,
/bin/sum; on SunOS 5.x, /usr/ucb/sum) and from the SVR4 version that Sun
has released on SunOS 5.x (/usr/bin/sum).

Individuals with support contracts may obtain these patches from their
local Sun Answer Center or from SunSolve Online. Security patches are
also available without a support contract via anonymous FTP from
ftp.uu.net (IP 192.48.96.9) in the directory /systems/sun/sun-dist.


__________________________________________________________________________
(3) Potential misuse of Sun microphones

PROBLEM: Microphones on Sun workstations may be used for eavesdropping.
PLATFORM: SunOS 4.1.x and SunOS 5.x (Solaris 2.x).
DAMAGE: Access to conversations held near the computer.
SOLUTION: Disconnect microphone or apply software solution described
below.
__________________________________________________________________________

Critical Information about Misuse of Sun Microphones

Sun Microsystems has released information regarding the potential for
microphones attached to Sun workstations to be used to eavesdrop on
conversations near the computer. Software solutions to reduce the risk
are described below. Note, however, that CIAC strongly recommends
microphones on systems in sensitive areas be either physically switched
off or disconnected from the system.

The initial permissions for the audio data device, /dev/audio, allow any
user with an account on the system to listen with the microphone when it
is turned on. Also, the permissions for the audio control device,
/dev/audioctl, allow anyone to vary playback and record settings such as
volume.

Unauthorized use of the system's audio devices may be prevented by
changing the permissions and ownership of /dev/audio and /dev/audioctl.

On SunOS 4.x systems, the /etc/fbtab file may be used to automatically
control access to the audio devices. As root, add the following lines
to the end of the fbtab file:

/dev/console 0600 /dev/audio
/dev/console 0600 /dev/audioctl

On SunOS 5.x (Solaris 2.x) systems, the file permissions must be manually
changed. As root, execute the following commands, specifying the username
of the individual that should have access to the microphone:

# chmod 600 /dev/audio*
# chown <desired username> /dev/audio*
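
A check to go with the commands above, added here as an example and not
part of the CIAC bulletin: it reports audio devices whose group or "other"
permission bits still let any local user open them, using only ls(1) and
cut(1) so it runs on both SunOS 4.1.x and 5.x. The device list defaults to
the two devices the bulletin names; lock_audio_devices is the bulletin's
SunOS 5.x fix wrapped as a function and must be run as root.

```shell
#!/bin/sh
# Added example, not from the CIAC bulletin: find audio devices that other
# local users can still open. ls -L is used because on SunOS 5.x /dev/audio
# is a symbolic link and the permissions that matter are the target's.

# open_to_others PATH: 0 if the group or "other" bits grant read or write
# (chars 5-10 of the ls -l mode string), 1 if not, 2 if PATH is missing.
open_to_others() {
    mode=$(ls -ldL "$1" 2>/dev/null | cut -c5-10)
    [ -n "$mode" ] || return 2
    case "$mode" in
        *r*|*w*) return 0 ;;
        *)       return 1 ;;
    esac
}

# audit_audio_devices [PATH ...]: print every open device; exit 1 if any.
# Defaults to the two devices the bulletin names.
audit_audio_devices() {
    [ $# -gt 0 ] || set -- /dev/audio /dev/audioctl
    rc=0
    for dev in "$@"; do
        if open_to_others "$dev"; then
            printf 'OPEN %s %s\n' "$(ls -ldL "$dev" | cut -c1-10)" "$dev"
            rc=1
        fi
    done
    return $rc
}

# lock_audio_devices USER: the bulletin's SunOS 5.x fix as a function.
# Must run as root; USER is the one login allowed to use the microphone.
lock_audio_devices() {
    chmod 600 /dev/audio* && chown "$1" /dev/audio*
}

# Typical use on a Solaris 2.x host (prints nothing once both are 0600):
#   audit_audio_devices || lock_audio_devices alice
```

On SunOS 4.x the same audit applies, but the fix belongs in /etc/fbtab as
shown above rather than in a one-off chmod, so that the permissions follow
whoever is logged in on the console.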


______________________________________________________________________
CIAC would like to thank Mark Graff and Sun Microsystems, Inc. for the
information used in this bulletin.
______________________________________________________________________

For additional information or assistance, please contact CIAC at
(510) 422-8193 or send E-mail to ciac@llnl.gov. FAX messages to
(510) 423-8002.

Previous CIAC Bulletins and other information are available via anonymous
FTP from irbis.llnl.gov (IP address 128.115.19.60).

PLEASE NOTE: Many users outside of the DOE and ESnet computing communities
receive CIAC bulletins. If you are not part of these communities, please
contact your agency's response team to report incidents. Your agency's team
will coordinate with CIAC. The Forum of Incident Response and Security Teams
(FIRST) is a world-wide organization. A list of FIRST member organizations
and their constituencies can be obtained by sending email to
docserver@first.org with an empty subject line and a message body containing
the line: send first-contacts.

This document was prepared as an account of work sponsored by an agency of
the United States Government. Neither the United States Government nor the
University of California nor any of their employees, makes any warranty,
expressed or implied, or assumes any legal liability or responsibility for
the accuracy, completeness, or usefulness of any information, product, or
process disclosed, or represents that its use would not infringe privately
owned rights. Reference herein to any specific commercial products, process,
or service by trade name, trademark manufacturer, or otherwise, does not
necessarily constitute or imply its endorsement, recommendation, or favoring
by the United States Government or the University of California. The views
and opinions of authors expressed herein do not necessarily state or reflect
those of the United States Government nor the University of California, and
shall not be used for advertising or product endorsement purposes.


_____________________________________________________
US Department of Energy
Computer Incident Advisory Capability
_____________________________________________________

INFORMATION BULLETIN

Vulnerabilities in SGI IRIX Default Configuration

October 25, 1993 1330 PDT Number E-02
__________________________________________________________________________
PROBLEM: The default configuration of SGI IRIX software introduces
vulnerabilities.
PLATFORM: SGI IRIX, all versions including 4.x and 5.x.
DAMAGE: Accounts without passwords and default xhost configuration
can lead to system compromise.
SOLUTION: Add passwords, lock accounts, change xhost configuration
per this bulletin.
__________________________________________________________________________

Critical Information about SGI IRIX Default Configuration

CIAC has learned that SGI IRIX systems configured with operating
system defaults are vulnerable to attack. The auto-installation
procedure leaves some default accounts vulnerable to compromise, some
files are left world readable, and the default configuration for xhost
is vulnerable. CIAC recommends that IRIX system administrators check
the configuration of their systems as outlined below.


OPEN ACCOUNTS

Eight accounts are left open, without a password, at the end of the
installation procedure. Three of these accounts--root, lp, and
nuucp--are administrative accounts with system privileges. The other
five accounts are demos, tutor, guest, 4Dgifts, and tour.

CIAC recommends that these accounts be assigned valid passwords,
deleted, or disabled to ensure account security. Give an account a
password by executing the following command as root:

# passwd account_name

To disable ("lock") an account, use the passwd command with the -l
option, as below:

# passwd -l account_name

To delete an account, edit the /etc/passwd file directly, as SGI's
utility "sysadm" will not edit these specific accounts. SGI
recommends that account deletion be done with care, since the
execution of some system functions requires an account to be present.


LOGIN.OPTIONS VULNERABILITY

The file /etc/config/login.options (renamed /etc/default/login on 5.x)
contains some parameters for the system's login process. By default,
this file is world readable. CIAC recommends that if a system is
logging rsh and ftp activity, these permissions be removed by
executing the following command as root:

# chmod 640 /etc/config/login.options

Note: the options "SYSLOG=ALL" or "SYSLOG=FAIL", set within
login.options will not log any login attempts made through the
SGI-supplied graphical login process Pandora. In addition, the file
where login attempts are kept, /usr/adm/SYSLOG, should also not be
world readable.


NIS ALTERNATE PASSWORD FILE

If using NIS, an alternate password file can be created with any name
and placed anywhere. This password file should be set up to contain
only accounts of users that log in remotely. No administrative
accounts should be contained in this alternative password file since
all NIS users can easily see this file. Use of this file will make
the information in /etc/passwd useless to anyone who might break into
the system and try to crack passwords.

To define the password file, open or create the file
/etc/config/ypmaster.options, and create a line with the text:

PWFILE=/path/newpasswdfile.name

NOTE: this feature is available because shadow password files are
incompatible with NIS.


XHOST DEFAULTS

The system default configuration for xhost is "xhost +", which allows
any host on the same network to use X protocols to access the machine.
X has well known vulnerabilities and there are automated programs that
can remotely gain unauthorized access using X. CIAC recommends that
you either deny all access to all hosts through X or authorize only
specific known, trustworthy machines.

To deny or restrict X access to selected hosts follow these three
steps:

a. Create or edit the file "/etc/Xn.hosts" where 'n' is the display
number of the server on the local host, normally 0, as in
"/etc/X0.hosts".

To deny all X access to your system, the file /etc/X0.hosts will
contain a single character, "-".

To grant access to hosts "newhost.gov" and "secondhost.gov" and no
other hosts the file /etc/X0.hosts will consist of:

-
+newhost.gov
+secondhost.gov

b. Search through all files in the directory /usr/lib/X11/xdm for
occurrences of the command "xhost +" or "/usr/bin/X11/xhost +".
Remove or comment out all such lines. For SGI IRIS these files are
by default:

/usr/lib/X11/xdm/xsession
/usr/lib/X11/xdm/xsession-remote
/usr/lib/X11/xdm/xsession.0

c. Inform users that any xhost commands should be removed or commented
out of user startup scripts, such as .cshrc, .login, .profile, etc.

To add an additional level of security to the X environment, CIAC
recommends the use of xauthority for host access control. To set up
xauthority, edit the file /usr/lib/X11/xdm/xdm-config and replace the
"off" with "on" in the following line:

DisplayManager*authorize:off

After all changes are made, SGI recommends that the system be rebooted
to ensure that all changes take effect and all passwords be modified
for all users' accounts that may have been compromised.

To ensure that X has been turned off for non-registered hosts, perform
the following test commands (C shell syntax) from a host that is not
listed in /etc/X0.hosts:

setenv DISPLAY yourhostname:0
/usr/bin/X11/xterm

If a message appears which refuses the connection, then the system has
been configured correctly.
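
The checklist above as one script, added here as an example and not part
of the CIAC bulletin or of SGI's documentation. Each check takes the file
it inspects as an argument, so it can be pointed at the live files or at
copies taken from a host under review. The default paths named in the
comments are the bulletin's; /etc/X0.hosts assumes the server is display
:0, and the awk, grep and sed calls use only POSIX features.

```shell
#!/bin/sh
# Added example, not from the CIAC bulletin: the bulletin's IRIX
# default-configuration checklist as functions plus a driver.

# Accounts whose password field (field 2 of /etc/passwd) is empty.
empty_password_accounts() {            # $1 = passwd file
    awk -F: '$2 == "" { print $1 }' "$1"
}

# 0 if "other" can read FILE (char 8 of the ls -l mode string).
world_readable() {                     # $1 = file
    [ "$(ls -ldL "$1" 2>/dev/null | cut -c8)" = r ]
}

# "xhost +" lines that are not commented out, as file:line:text.
# /dev/null is passed so grep always prefixes the file name.
xhost_plus_lines() {                   # $@ = xdm session scripts
    grep -n 'xhost[[:space:]]*+' /dev/null "$@" 2>/dev/null |
        grep -v '^[^:]*:[0-9]*:[[:space:]]*#'
}

# 0 if the Xn.hosts file denies every host first ("-" on line 1);
# "+host" lines after it then admit only the named machines.
x0_hosts_denies_by_default() {         # $1 = Xn.hosts file
    [ "$(sed -n 1p "$1" 2>/dev/null)" = "-" ]
}

# Run every check; print one line per finding; exit status = count.
irix_default_audit() {   # $1 passwd  $2 login.options  $3 X0.hosts  $4.. xdm scripts
    n=0
    for a in $(empty_password_accounts "$1"); do
        echo "open account $a: run 'passwd $a' or 'passwd -l $a'"; n=$((n+1))
    done
    if world_readable "$2"; then
        echo "world readable $2: run 'chmod 640 $2'"; n=$((n+1))
    fi
    if ! x0_hosts_denies_by_default "$3"; then
        echo "$3 does not deny by default: first line should be '-'"; n=$((n+1))
    fi
    shift 3
    for hit in $(xhost_plus_lines "$@" | cut -d: -f1,2); do
        echo "xhost + still run from $hit: remove or comment it out"; n=$((n+1))
    done
    return $n
}

# Live run on an IRIX 4.x host (on 5.x use /etc/default/login):
#   irix_default_audit /etc/passwd /etc/config/login.options /etc/X0.hosts \
#       /usr/lib/X11/xdm/xsession /usr/lib/X11/xdm/xsession-remote \
#       /usr/lib/X11/xdm/xsession.0
```

A missing /etc/X0.hosts is reported as a finding on purpose: without the
file the server falls back to the "xhost +" default the bulletin warns
about.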


Much of the information in this bulletin has been extracted from the
chapter on system security in the SGI IRIX administrator's guide,
Chapter 8 for version 4.x and Chapter 9 for version 5.x. CIAC would
like to thank Donna Yobs of SGI and Fred W. Allen of LLNL for their
technical contributions to this bulletin, and to the ASSIST team for
alerting us to this vulnerability.



_____________________________________________________
The U.S. Department of Energy
Computer Incident Advisory Capability
_____________________________________________________

ADVISORY NOTICE

UNIX sendmail Vulnerabilities

November 4, 1993 2300 PST Number E-03
__________________________________________________________________________
PROBLEM: Vulnerabilities have been discovered in the UNIX sendmail
utility.
PLATFORM: All implementations of UNIX sendmail.
DAMAGE: Local and remote users may execute commands and/or gain access
to system files.
SOLUTION: Apply workarounds or install new version of sendmail on ALL
systems running sendmail.
__________________________________________________________________________

Critical Information about UNIX sendmail Vulnerabilities


This advisory supersedes the sendmail information contained in CIAC
Advisory E-01.

CIAC has learned of a set of serious vulnerabilities affecting the UNIX
utility sendmail. These vulnerabilities affect a significant number of
sendmail implementations, permitting unauthorized access to system
commands and files by both local and remote users. In the absence of
specific vendor information, CIAC recommends that all implementations of
sendmail be considered vulnerable to attack.

CIAC is working with the CERT Coordination Center and the vendor community
to address this issue. At this time, there are no known patches available
for any vendor implementation that fully address all known sendmail
vulnerabilities. CIAC will publish information regarding vendor patches as
they become available.

Details of these vulnerabilities have been openly discussed in several
electronic forums, including the Firewalls mailing list and the USENET
newsgroup comp.security.unix. In addition, at least one automated tool
designed to exploit these vulnerabilities has been widely
distributed. Until vendor patches become available, CIAC strongly
recommends that sites apply one of the three possible solutions described
below to all systems running sendmail, including those systems behind
firewalls and mail hubs.

Restrict shell commands

This workaround involves modifying the sendmail configuration file to
restrict the sendmail program mailer facility using the sendmail
restricted shell, smrsh, by Eric Allman (the original author of
sendmail).

The sendmail restricted shell screens all attempts to execute programs
from sendmail, allowing only those specifically authorized by the system
administrator. Attempts to invoke programs not in the allowed set will
fail and log the attempt.

Programs in the allowed set should be selected carefully. Mail utilities
found in /etc/aliases and ~/.forward files should be considered for
inclusion to prevent mail delivery failures (e.g. vacation, procmail,
and slocal). Note that it is important that sites not include
interpreters (e.g. /bin/sh, /bin/csh, /bin/perl, /bin/uudecode, and
/bin/sed) in the set of allowed programs, as they may allow system
compromise.

The sendmail restricted shell may be obtained via anonymous FTP from
ftp.uu.net in the directory /pub/security/smrsh. Consult the program
documentation for installation instructions.

Checksum Information
Filename BSD sum System V sum
-------- ------- ------------
README 30114 5 56478 10
smrsh.8 25757 2 42281 4
smrsh.c 46786 5 65517 9


Disable shell commands

This approach also involves modifying the sendmail configuration.
However, this approach completely disables the sendmail program mailer
facility. Attempts to invoke programs through sendmail will fail. While
this is a drastic solution, it may be quickly implemented to protect a
site while a more long term approach is installed.

To implement this approach, edit the sendmail.cf
file, replacing the program mailer specification:

Mprog, P=/bin/sh, F=slFDM, S=10, R=20, A=sh -c $u

with:

Mprog, P=/bin/false, F=, S=10, R=20, A=

The configuration file should then be frozen, if
necessary, and the sendmail process restarted. See
the end of this advisory for more details.


Install sendmail 8.6.4

The most recent version of Eric Allman's public domain sendmail has been
updated to eliminate all known vulnerabilities. Sites may choose to
replace their current implementation of sendmail with version 8.6.4 or
later to secure their systems.

Note that depending on the currently installed sendmail software,
switching to sendmail 8.6.4 may potentially require significant effort
for the system administrator to become familiar with the new program.
Considerable modification of the sendmail configuration may also be
required.

The latest version of sendmail may be obtained via
anonymous FTP from ftp.cs.berkeley.edu in the directory
/ucb/sendmail.

Checksum Information
Filename BSD sum System V sum
------------------------- --------- ------------
sendmail.8.6.4.base.tar.Z 07718 428 64609 856
sendmail.8.6.4.cf.tar.Z 28004 179 42112 357
sendmail.8.6.4.misc.tar.Z 57299 102 8101 203
sendmail.8.6.4.xdoc.tar.Z 33954 251 50037 502
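
The two configuration workarounds above, scripted so they can be applied
and verified on many hosts; this is an added example, not code from CIAC,
CERT or the sendmail distribution. It assumes the Mprog line has the
shape the advisory shows, and the smrsh path passed to
restrict_prog_mailer is an assumption that must match where smrsh was
actually installed (smrsh is installed by substituting it for /bin/sh in
the P= field of the program mailer).

```shell
#!/bin/sh
# Added example, not from the CIAC advisory: apply either program-mailer
# workaround to a sendmail.cf in place (keeping a .orig copy) and check
# the result. Restarting sendmail afterwards is still required.

# Show the current program mailer definition (the "Mprog" line).
prog_mailer() {                        # $1 = sendmail.cf
    grep '^Mprog' "$1"
}

# Workaround 1: route program deliveries through smrsh. Only the P=
# field changes; the mailer flags and rewriting rulesets stay as they are.
restrict_prog_mailer() {               # $1 = sendmail.cf  $2 = smrsh path
    cp "$1" "$1.orig" &&
    sed "s#^\(Mprog,[[:space:]]*P=\)/bin/sh,#\1$2,#" "$1.orig" > "$1"
}

# Workaround 2: disable the program mailer entirely, as the advisory shows.
disable_prog_mailer() {                # $1 = sendmail.cf
    cp "$1" "$1.orig" &&
    sed 's#^Mprog,.*#Mprog, P=/bin/false, F=, S=10, R=20, A=#' "$1.orig" > "$1"
}

# Check: 0 if no program mailer still hands deliveries to /bin/sh.
prog_mailer_safe() {                   # $1 = sendmail.cf
    ! prog_mailer "$1" | grep -q 'P=/bin/sh'
}

# Typical use (smrsh path is an assumption):
#   restrict_prog_mailer /etc/sendmail.cf /usr/local/etc/smrsh && prog_mailer_safe /etc/sendmail.cf
```

prog_mailer_safe only catches the /bin/sh case the advisory describes; a
site whose Mprog line names another shell should extend the pattern before
relying on it.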


CIAC strongly recommends that sites monitor their systems for signs of
sendmail attacks. System administrators should regularly examine the
following:

- All bounced mail, looking for unusual messages.

- Mail log files (e.g. /var/log/syslog), looking for unusual occurrences
of "|" characters.

To provide this information, sendmail must be configured to bounce mail to
the local postmaster and generate adequate logs. Receipt of bounced mail
is enabled by placing the following line in sendmail.cf:

OPpostmaster

A logging level of 9 or higher should also be specified in the
configuration file with a line similar to the following:

OL9
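
The log review above, scripted; this is an added example and not part of
the CIAC advisory. It reads sendmail's syslog "to=..., mailer=..., stat="
lines on stdin, keeps those whose recipient is a program (logged as
to="|command"), and reports any whose program is outside an allow-list.
The allow-list paths and the three sample log lines are constructed for
the example; keep the real allow-list identical to what smrsh permits.

```shell
#!/bin/sh
# Added example, not from the CIAC advisory: flag program deliveries in
# sendmail logs whose target is not an approved mail utility.

# Programs the program mailer may legitimately run. Paths are assumptions.
ALLOWED='/usr/ucb/vacation /usr/local/bin/procmail'

# Constructed sample syslog lines (not from a real incident).
SAMPLE_LOG='Nov  4 22:10:01 mailhub sendmail[412]: WAA00412: to=<alice@lab.gov>, delay=00:00:01, mailer=local, stat=Sent
Nov  4 22:10:05 mailhub sendmail[415]: WAA00415: to="|/usr/ucb/vacation alice", delay=00:00:00, mailer=prog, stat=Sent
Nov  4 22:11:40 mailhub sendmail[420]: WAA00420: to="|/bin/sh", delay=00:00:00, mailer=prog, stat=Sent'

# Keep only lines whose recipient is a program: the "|" the advisory says
# to look for. Older sendmails log the address without the quotes.
pipe_deliveries() {
    grep 'to="*|'
}

# The program sendmail executed: the first word after the pipe.
pipe_program() {                       # $1 = one log line
    printf '%s\n' "$1" | sed 's/.*to="*|[[:space:]]*\([^ ",]*\).*/\1/'
}

# 0 if PROGRAM is on the allow-list.
allowed_program() {
    for p in $ALLOWED; do
        [ "$p" = "$1" ] && return 0
    done
    return 1
}

# Read syslog on stdin; print "ALERT <program> :: <line>" for every pipe
# delivery to a program outside the allow-list; exit 1 if there were any.
suspicious_pipes() {
    alerts=$(pipe_deliveries | while IFS= read -r line; do
        prog=$(pipe_program "$line")
        allowed_program "$prog" || printf 'ALERT %s :: %s\n' "$prog" "$line"
    done)
    [ -n "$alerts" ] || return 0
    printf '%s\n' "$alerts"
    return 1
}

# Demo on the constructed sample. On a real host, e.g.:
#   grep 'sendmail\[' /var/log/syslog | suspicious_pipes
printf '%s\n' "$SAMPLE_LOG" | suspicious_pipes || echo 'unexpected program delivery found'
```

Run from cron against the day's log, a non-zero exit from suspicious_pipes
is the signal to pull the bounced-mail folder the advisory also asks you to
read.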

Whenever any changes are made to the sendmail configuration file, it is
necessary to kill all existing sendmail processes, refreeze the
configuration file (on some systems), and restart the sendmail daemon.
For example, under SunOS 4.1.2:

# /usr/bin/ps -aux | /usr/bin/grep sendmail
root 130 0.0 0.0 168 0 ? IW Oct 2 0:10 /usr/lib/sendmail -bd -q
# /bin/kill -9 130 (Kill the current sendmail process)
# /usr/lib/sendmail -bz (Refreeze the sendmail configuration file)
# /usr/lib/sendmail -bd -q30m (Restart the sendmail daemon)

Note that some sites do not use frozen configuration files. If the file
sendmail.fc does not exist in the same directory as sendmail.cf, frozen
configurations are not being used.

__________________________________________________________________________
CIAC wishes to thank the CERT Coordination Center and members of the FIRST
community for their contributions to this advisory. In addition, CIAC
would like to acknowledge the technical contributions of Eric Allman, Matt
Blaze, Andy Sherman, Gene Spafford, and Tim Seaver.
__________________________________________________________________________


_____________________________________________________
The U.S. Department of Energy
Computer Incident Advisory Capability
_____________________________________________________

INFORMATION BULLETIN

xterm Logfile Vulnerability

November 11, 1993 2130 PST Number E-04
______________________________________________________________________________
PROBLEM: The logfile facility of the xterm program contains a security
vulnerability.
PLATFORM: UNIX systems with X11 software and xterm installed with setuid or
setgid privileges.
DAMAGE: Local users may gain root access to the system.
SOLUTION: Install a patched version of xterm.
______________________________________________________________________________

Critical Information about the xterm Logfile Vulnerability


CIAC has learned of a vulnerability in many versions of the X11 program xterm.
Local users may use the xterm logfile facility to create or modify files on
the system, enabling unauthorized access including root access. This
vulnerability has been shown to exist in X11 (Version 5 and earlier) in both
vendor supplied binaries and those compiled from the public X11 sources.

The vulnerability exists only on systems with xterm installed with setuid or
setgid privileges. For example, the "s" permission bit in the following
directory listing indicates the xterm binary is installed with the setuid bit
set:

% ls -l /opt/X11R5/bin/xterm
-rwsr-xr-x 1 root staff 183152 Nov 10 13:10 /opt/X11R5/bin/xterm*

Additionally, the vulnerability only exists in xterm binaries that permit
logging. To determine if this feature is enabled, execute the following
command:

% xterm -l

If a file of the form "XtermLog.axxxx" is created, logging is enabled.
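
The two tests above as functions, added here as an example and not part of
the CIAC bulletin or of the X Consortium's distribution. An xterm is exposed
only if it carries the setuid or setgid bit and was built with logging
enabled, so the script checks both and also offers the bulletin's
requirement for superseded copies, clearing those bits. The candidate
path list is an assumption; add whatever paths your vendor uses.

```shell
#!/bin/sh
# Added example, not from the CIAC bulletin: locate setuid/setgid xterm
# binaries and test whether they still create a logfile with -l.

# Where xterm is commonly installed. Assumed paths; extend as needed.
XTERM_CANDIDATES='/usr/bin/X11/xterm /usr/openwin/bin/xterm /opt/X11R5/bin/xterm /usr/local/bin/X11/xterm'

# 0 if FILE carries the setuid or setgid bit.
is_privileged() {
    [ -u "$1" ] || [ -g "$1" ]
}

# 0 if this xterm writes a logfile when started with -l. Runs in a scratch
# directory so the XtermLog.a* file is caught; needs a working DISPLAY.
logging_enabled() {                    # $1 = xterm binary
    d=$(mktemp -d) || return 2
    ( cd "$d" && "$1" -l -e true >/dev/null 2>&1 )
    ls "$d"/XtermLog.* >/dev/null 2>&1; rc=$?
    rm -rf "$d"
    return $rc
}

# Report each existing candidate that is privileged; exit 1 if any is.
find_privileged_xterms() {             # $@ = paths (default: list above)
    [ $# -gt 0 ] || set -- $XTERM_CANDIDATES
    rc=0
    for x in "$@"; do
        [ -f "$x" ] || continue
        if is_privileged "$x"; then
            printf 'PRIVILEGED %s %s\n' "$(ls -l "$x" | cut -c1-10)" "$x"
            rc=1
        fi
    done
    return $rc
}

# The bulletin's requirement for any old copy left on the system.
drop_xterm_privileges() {              # $1 = superseded xterm binary
    chmod u-s,g-s "$1"
}

# Typical use: list privileged copies, then test each one for logging.
#   find_privileged_xterms
#   logging_enabled /usr/bin/X11/xterm && echo 'vulnerable build'
```

Note that some vendor builds need the setuid bit for pseudo-terminal or
utmp handling, so drop_xterm_privileges is for copies replaced by a patched
one, not a substitute for installing the patch.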

CIAC recommends that affected sites implement one of the solutions described
below. All solutions require that a new version of xterm be installed. It is
important that old versions either be removed from the system or have the
setuid and setgid bits cleared.


Vendor Patch Vendor patches, if available, should be installed. The CERT
Coordination Center is coordinating the vendor response to this
issue and will maintain a list of currently available vendor
patches for xterm. The information will be available via
anonymous FTP from info.cert.org (IP 192.88.209.5) in the file
/pub/cert_advisories/xterm-patch-status. A current version of
this file is appended at the end of this bulletin.

For up-to-date patch information, please contact your vendor
or CIAC.


X11R5 Public Systems using the public X11 distribution and systems lacking
Patch #26 vendor patches may upgrade to the X Consortium's X11R5 Patch
Level 26. The X11 sources and patches are available via
anonymous FTP from ftp.x.org (IP 198.112.44.100). All patches,
up to and including fix-26, should be installed.

By default, fix-26 disables the logfile facility in xterm.
Similar functionality may be obtained through the use of
utilities such as the UNIX script(1) command.

______________________________________________________________________________
CIAC wishes to thank the CERT Coordination Center and Stephen Gildea of the
X Consortium for their contributions to this bulletin.
______________________________________________________________________________

CERT Coordination Center
xterm Vendor Status
November 11, 1993


This file is a supplement to the CERT Advisory CA-93:17 of November 11, 1993,
and will be updated as additional information becomes available.

The following is vendor-supplied information. The CERT Coordination Center
will not formally review, evaluate, or endorse this information. For more
up-to-date information, contact your vendor.

It is important to note that the vendor of your xterm may not be the same
as the vendor of your platform. You should take care to correctly identify
the vendor whose xterm you are using, so you can take the appropriate action.



Convex Fixed in CXwindows V3.1. Fixed in CXwindows V3.0
with TAC patch V3.0.131 applied. The Convex Technical
Assistance Center is available for additional information
at 800-952-0379.

Cray Fixed. Contact Cray for version/patch numbers.

DEC/OSF Attached is the information on the remedial images to
address the xterm issue for ULTRIX V4.3 (VAX & RISC)
and OSF/1 V1.2. The solutions have been included in
ULTRIX V4.4 (VAX & RISC) and OSF/1 V1.3.

Customers may call their normal Digital Multivendor
Customer Services Support Channel to obtain this kit.

----------------------------------------------------------
[ULTRIX,OSF/1] CSCPAT_4034 xterm Security Fix ECO Summary


COPYRIGHT (c) 1988, 1993 by Digital Equipment Corporation.
ALL RIGHTS RESERVED.

COMPONENT: xterm

OP/SYS: ULTRIX VAX and RISC, OSF/1

SOURCE: Digital Customer Support Center

ECO INFORMATION:

CSCPAT Kit: CSCPAT_4034 V1.1
CSCPAT Kit Size: 2152 blocks
Engineering Cross Reference: SSRT93-E-0230, SSRT93-E-0231,
SSRT93-E-232
Kit Applies To: ULTRIX V4.3, OSF/1 V1.2
System Reboot Required: NO
----------------------------------------------------------

SCO The current releases listed below are not vulnerable to
this problem. No xterm logging or scoterm logging is
provided:

SCO Open Desktop Lite, Release 3.0
SCO Open Desktop, Release 3.0
SCO Open Server Network System, Release 3.0
SCO Open Server Enterprise System, Release 3.0

Contact SCO for any further information.

Sequent Fixed. Contact Sequent for version/patch numbers.

Sun Sun's version of xterm has not been setuid root since at
least as far back as SunOS 4.1.1, and probably further.
An xterm that does not run setuid or setgid is not
vulnerable to the xterm logging problem.

CAUTION: A Sun patch was issued on December 6, 1992 to give
system administrators the option of running xterm setuid
root. Installing this patch will introduce the xterm
logging vulnerability. So check your xterm. If either
the setuid or setgid privilege bit is set on the xterm
program, the vulnerability can be exploited. Contact
Sun for further information.

X.org (Publicly distributed version of X.) You can patch X11R5
by applying all patches up to and including fix-26. See
the associated CERT Advisory (CA-93:17) for further
information.

______________________________________________________________________________

PLEASE NOTE: Many users outside of the DOE and ESnet computing communities
receive CIAC bulletins. If you are not part of these communities, please
contact your agency's response team to report incidents. Your agency's team
will coordinate with CIAC. The Forum of Incident Response and Security Teams
(FIRST) is a world-wide organization. A list of FIRST member organizations
and their constituencies can be obtained by sending email to
docserver@first.org with an empty subject line and a message body containing
the line: send first-contacts.

This document was prepared as an account of work sponsored by an agency of the
United States Government. Neither the United States Government nor the
University of California nor any of their employees, makes any warranty,
expressed or implied, or assumes any legal liability or responsibility for the
accuracy, completeness, or usefulness of any information, product, or process
disclosed, or represents that its use would not infringe privately owned
rights. Reference herein to any specific commercial products, process, or
service by trade name, trademark manufacturer, or otherwise, does not
necessarily constitute or imply its endorsement, recommendation, or favoring
by the United States Government or the University of California. The views
and opinions of authors expressed herein do not necessarily state or reflect
those of the United States Government nor the University of California, and
shall not be used for advertising or product endorsement purposes.

_____________________________________________________
The U.S. Department of Energy
Computer Incident Advisory Capability
___ __ __ _ ___
/ | / \ /
\___ __|__ /___\ \___
_____________________________________________________

INFORMATION BULLETIN

SunOS/Solbourne loadmodule and modload Vulnerability

December 15, 1993 1200 PST Number E-05
______________________________________________________________________________
PROBLEM: Security vulnerability in loadmodule and modload.
PLATFORM: OpenWindows 3.0 under SunOS 4.1.x on sun4 and Solbourne systems.
DAMAGE: Local users may gain root level access to the system.
SOLUTION: Apply patches to SunOS systems or implement workaround on Solbourne
machines.
______________________________________________________________________________

Critical Information about the loadmodule and modload Vulnerability

CIAC has received information from Sun Microsystems and Solbourne regarding a
security vulnerability in the /usr/etc/modload and $OPENWINHOME/bin/loadmodule
utilities that allows local users to execute commands as root. This
vulnerability affects systems with OpenWindows 3.0 installed under SunOS 4.1.x
on sun4 and Solbourne architectures. It does not affect Solaris 2.x systems,
sun3 architectures, or other versions of OpenWindows.

Sun Microsystems has released patched versions of the loadmodule and modload
utilities:

                                          /bin/sum
Utility     Patch ID   Filename          Checksum
----------  ---------  ---------------   --------
loadmodule  100448-02  100448-02.tar.Z   19410 5
modload     101200-02  101200-02.tar.Z   41677 28

Individuals with Sun support contracts may obtain these patches from their
local Sun Answer Center or from SunSolve Online. Security patches are also
available without a support contract via anonymous FTP from ftp.uu.net
(IP 192.48.96.9) in the directory /systems/sun/sun-dist.

Solbourne systems do not make use of the loadmodule utility. On these
systems, the vulnerability may be removed by turning off the file's setuid
bit by executing the following command as root:

chmod 0755 /usr/openwin/bin/loadmodule

______________________________________________________________________________

CIAC wishes to thank Sun Microsystems and Solbourne for their response to this
problem.
______________________________________________________________________________

For additional information or assistance, please contact CIAC:
Voice: (510) 422-8193
FAX: (510) 423-8002
STU-III: (510) 423-2604
E-mail: ciac@llnl.gov

Previous CIAC Bulletins and other information are available via anonymous FTP
from irbis.llnl.gov (IP address 128.115.19.60).
______________________________________________________________________________

_____________________________________________________
The U.S. Department of Energy
Computer Incident Advisory Capability
___ __ __ _ ___
/ | / \ /
\___ __|__ /___\ \___
_____________________________________________________

INFORMATION BULLETIN

Solaris System Startup Vulnerability


December 17, 1993 1500 PST Number E-06
______________________________________________________________________________
PROBLEM: Solaris system startup vulnerability.
PLATFORM: Solaris 2.x and Solaris x86 systems.
DAMAGE: Anyone with physical access to a workstation with eeprom(1m)
security enabled may gain root level privilege without supplying
the eeprom or root password.
SOLUTION: Change system scripts as described or restrict physical access.
______________________________________________________________________________

Critical Information about the Solaris System Startup Vulnerability

CIAC has received information from Sun Microsystems regarding a security
vulnerability in the Solaris system 2.x and x86 startups. This
vulnerability allows a person with physical access to a workstation with
eeprom(1m) security enabled to force a startup failure and subsequently
gain root privilege without supplying the eeprom or root password.
Changing the system scripts as described below or restricting physical
access to the workstations will eliminate this vulnerability. Note that
without eeprom security enabled, a workstation is vulnerable to any
unauthorized individual who has physical access.

Without the script changes, if fsck(8) fails during boot, the system will
run a privileged shell on the workstation. Since an attacker can force the
failure, CIAC recommends application of the changes described below. If
this is not possible, then restrict physical workstation access to only
those users allowed root privilege.

The changes will require the user to enter the root password before the
system runs the privileged shell. To make the changes, edit both /sbin/rcS
and /sbin/mountall. Change every occurrence of

/sbin/sh < /dev/console
to
/sbin/sulogin < /dev/console

The Sun distribution of /sbin/rcS contains an occurrence of the target
string at line 152; the distribution of /sbin/mountall contains one at line
66 and one at line 250.

An attacker with physical access to a workstation without eeprom security
enabled can easily compromise the system by booting it in single user mode.
CIAC thus recommends enabling eeprom security for all workstations without
strict physical access controls.
______________________________________________________________________________

CIAC wishes to thank Sun Microsystems for first bringing the vulnerability
to our attention, and both Sun Microsystems and the CERT Coordination
Center for portions of the information in this bulletin.
______________________________________________________________________________

For additional information or assistance, please contact CIAC:
Voice: (510) 422-8193
FAX: (510) 423-8002
STU-III: (510) 423-2604
E-mail: ciac@llnl.gov

Previous CIAC Bulletins and other information are available via anonymous FTP
from irbis.llnl.gov (IP address 128.115.19.60).
______________________________________________________________________________


_____________________________________________________
The U.S. Department of Energy
Computer Incident Advisory Capability
___ __ __ _ ___
/ | / \ /
\___ __|__ /___\ \___
_____________________________________________________

INFORMATION BULLETIN

UNIX sendmail Vulnerabilities Update

January 7, 1994 0900 PST Number E-07
______________________________________________________________________________
PROBLEM: Vulnerabilities in the UNIX sendmail utility.
PLATFORM: All implementations of UNIX sendmail.
DAMAGE: Local and remote users may execute commands and/or gain access to
system files.
SOLUTION: Apply workarounds or install patched version of sendmail on ALL
systems running sendmail.
______________________________________________________________________________

Critical Information about UNIX sendmail Vulnerabilities


This advisory updates the sendmail information contained in CIAC Advisory
E-03.

CIAC has learned of several vendor security patches addressing the
vulnerabilities in the UNIX utility sendmail described in CIAC Advisory E-03.
These vulnerabilities include the ability of local and remote users to execute
commands and write to system files on systems running sendmail, including
those systems behind firewalls.

CIAC Advisory E-03 described a set of workarounds to be used in the absence of
vendor patches. These may still be safely used even after vendor patches have
been installed.

The CERT Coordination Center is maintaining a list of vendor information on
available security patches for sendmail. It is available via anonymous FTP
from info.cert.org (IP 192.88.209.5) in /pub/cert_advisories/CA-93:16a.README.
A brief summary is provided below, and the current version of this file is
appended at the end of this bulletin.

Vendor                          Patch Status
-----------------------------   --------------
sendmail 8.6.4                  Available
IDA sendmail                    Available
BSDI                            Available
Data General Corporation        Available
Digital Equipment Corporation   Available
Hewlett-Packard Company         Available
IBM                             Available
NeXT, Inc.                      Available soon
The Santa Cruz Operation        Available soon
Sequent Computer Systems        Available
Solbourne                       Available
Sony Corporation                Available
Sun Microsystems, Inc.          Available

______________________________________________________________________________

CIAC wishes to thank the CERT Coordination Center and the vendor community for
their response to this problem.
______________________________________________________________________________

For additional information or assistance, please contact CIAC:
Voice: (510) 422-8193
FAX: (510) 423-8002
STU-III: (510) 423-2604
E-mail: ciac@llnl.gov

Previous CIAC Bulletins and other information are available via anonymous FTP
from irbis.llnl.gov (IP address 128.115.19.60).
______________________________________________________________________________


CA-93:16a.README
Rev. January 7, 1994

This file is a supplement to the CERT Advisory CA-93:16a of January 7, 1994,
and will be updated as additional information becomes available.

The following is vendor-supplied information. Please notice that
some entries provide pointers to vendor advisories. For more up-to-date
information, contact your vendor.

-------------
Eric Allman, 8.6.4

Version 8.6.4 is available for anonymous FTP from ftp.cs.berkeley.edu
in the "ucb/sendmail" directory.

Standard Unix Sum
sendmail.8.6.4.base.tar.Z: 07718 428

System V Sum
64609 856 sendmail.8.6.4.base.tar.Z

MD5 Checksum
MD5 (sendmail.8.6.4.base.tar.Z) = 59727f2f99b0e47a74d804f7ff654621

-------------

Paul Pomes, IDA:

A new release is available for anonymous FTP from vixen.cso.uiuc.edu
as "pub/sendmail-5.67b+IDA-1.5.tar.gz".

Standard Unix Sum
sendmail-5.67b+IDA-1.5.tar.gz: 17272 1341

System V Sum
30425 2682 sendmail-5.67b+IDA-1.5.tar.gz

MD5 Checksum
MD5 (sendmail-5.67b+IDA-1.5.tar.gz) = a9b8e17fd6d3e52739d2195cead94300

-------------

BSDI

BSDI can supply either an easy-to-install port of the smrsh patch from
CERT or a port of sendmail-8.6.4 (contact BSDI Customer Support for
information on obtaining either of these solutions). In future
releases, BSDI will ship the newer sendmail that is not affected
by these problems. Releases affected by this advisory: BSD/386 V1.0.

BSDI Contact Information:
BSDI Customer Support
Berkeley Software Design, Inc.
7759 Delmonico Drive
Colorado Springs, CO 80919
Toll Free: +1 800 ITS BSD8 (+1 800 486 2738)
Phone: +1 719 260 8114
Fax: +1 719 598 4238
Email: support@bsdi.com

-------------

Data General Corporation

Patches are available from dg-rtp.rtp.dg.com (128.222.1.2) in
the directory "deliver/sendmail":

Rev           Patch Number         Sys V Checksum
------------  ------------------   --------------
5.4.2         tcpip_5.4.2.p14      39298 512
              MD5 (tcpip_5.4.2.p14) = c80428e3b791d4e40ebe703ba5bd249c

5.4R2.01      tcpip_5.4R2.01.p12   65430 512
              MD5 (tcpip_5.4R2.01.p12) = 9c84cfdb4d79ee22224eeb713a414996

5.4R2.10      tcpip_5.4R2.10.p05   42625 512
              MD5 (tcpip_5.4R2.10.p05) = 2d74586ff22e649354cc6a02f390a4be

These patches are loadable via the "syadm" utility and installation
instructions are included in the patch notes.

Trusted versions of DG/UX will use the same patches as
their base version of DG/UX.

Customers with any questions about these patches should contact
their local SEs or Sales Representatives.

-------------

Digital Equipment Corporation

Systems affected: ULTRIX Versions 4.3 (VAX), ULTRIX V4.3 & V4.3A (RISC),
DEC OSF/1 V1.2 & V1.3, using sendmail. The following patches are
available from your normal Digital support channel:

ULTRIX V4.3 (VAX), V4.3 (RISC) or V4.3a (RISC): CSCPAT #: CSCPAT_4044
OSF/1 V1.2 and V1.3: CSCPAT #: CSCPAT_4045

*These fixes will be included in future releases of ULTRIX and DEC OSF/1

Digital Equipment Corporation strongly urges Customers to upgrade
to a minimum of ULTRIX V4.3 or DEC OSF/1 V1.2, then apply the
Security kit to prevent this potential vulnerability.

The full text of Digital's advisory can be found in
/pub/vendors/dec/advisories/sendmail on info.cert.org.

-------------

Hewlett-Packard Company

For HP/UX, the following patches are available:

PHNE_3369 (series 300/400, HP-UX 8.x), or
PHNE_3370 (series 300/400, HP-UX 9.x), or
PHNE_3371 (series 700/800, HP-UX 8.x), or
PHNE_3372 (series 700/800, HP-UX 9.x), or
modify the sendmail configuration file (releases of HP-UX
prior to 8.0)

These patches may be obtained from HP via FTP (this is NOT
anonymous FTP) or the HP SupportLine. To obtain HP security
patches, you must first register with the HP SupportLine.
The registration instructions are available via
anonymous FTP at info.cert.org in the file
"pub/vendors/hp/supportline_and_patch_retrieval".

The full text of Hewlett-Packard's advisory can be found in
/pub/vendors/hp/advisories/sendmail on info.cert.org.

-------------

IBM

Patches for these problems can be ordered as APAR# ix40304 and
APAR# ix41354. Ix40304 is available now and ix41354 will be
sent as soon as it is available.

-------------

NeXT, Inc.

NeXT expects to have patches available soon.

-------------

The Santa Cruz Operation

Support level Supplement (SLS) net379A, will soon be available
for the following platforms:

SCO TCP/IP Release 1.2.0 for SCO UNIX or SCO XENIX
SCO TCP/IP Release 1.2.1 for SCO UNIX
SCO Open Desktop Release 2.0, 3.0
SCO Open Desktop Lite Release 3.0
SCO Open Server Network System, Release 3.0
SCO Open Server Enterprise System, Release 3.0

This SLS is currently orderable from SCO Support for all customers
who have one of the above products registered. It will be available
in the near future. Systems using MMDF as their mail system do
not need this SLS.

-------------

Sequent Computer Systems

Versions 3.0.17 and greater of Dynix are vulnerable
as are versions 2.2 and 2.3 of the TCP package for PTX.

Sequent customers should call the Sequent Hotline at
(800) 854-9969 and ask for the Sendmail Maintenance Release Tape.
Alternatively, ptx customers can upgrade to PTX/TCP/IP
version 2.2.3 or 2.3.1 as appropriate.

-------------

Solbourne

Patch p93122301 is available from Solbourne to fix the sendmail
problems. This patch is equivalent to Sun patch 100377-08.
Customers may retrieve it via anonymous FTP from
solbourne.solbourne.com in the pub/support/OS4.1B directory:

Filename          BSD         SVR4
                  Checksum    Checksum
---------------   ---------   ---------
p93122301.tar.Z   63749 211   53951 421
MD5 (p93122301.tar.Z) = f7300f3ecfbbbfaa11a6695f42f14615

It is also available by sending email to solis@solbourne.com
and specifying "get patches/4.1b p93122301" in the body of the
mail message.

Earlier versions (4.1A.*) are no longer supported. The 4.1B
patch may well work on 4.1A.* systems but this has not been tested.
If you have any questions please call the SOURCE at 1-800-447-2861 or
send email to support@solbourne.com.

The full text of Solbourne's advisory can be found in
/pub/vendors/solbourne/advisories/sendmail on info.cert.org.

---------------

Sony Corporation

These vulnerabilities have been fixed in NEWS-OS 6.0.1.
A patch is available for NEWS-OS 4.x. Customers should
contact their dealers for any additional information.

---------------

Sun Microsystems, Inc.

Sun has made patches for sendmail available as described in
their SUN MICROSYSTEMS SECURITY BULLETIN: #00125, 12/23/93.
These patches can be found in the
/systems/sun/sun-dist directory on ftp.uu.net:

System        Patch ID   Filename          BSD         SVR4
                                           Checksum    Checksum
------------  ---------  ---------------   ---------   ----------
SunOS 4.1.x   100377-08  100377-08.tar.Z   05320 755   58761 1510
Solaris 2.1   100840-06  100840-06.tar.Z   59489 195   61100 390
Solaris 2.2   101077-06  101077-06.tar.Z   63001 179   28185 358
Solaris 2.3   101371-03  101371-03.tar.Z   27539 189   51272 377

MD5 checksums are:
MD5 (100377-08.tar.Z) = 8e8a14c0a46b6c707d283cacd85da4f1
MD5 (100840-06.tar.Z) = 7d8d2c7ec983a58b4c6a608bf1ff53ec
MD5 (101077-06.tar.Z) = 78e165dec0b8260ca6a5d5d9bdc366b8
MD5 (101371-03.tar.Z) = 687d0f3287197dee35941b9163812b56

A patch for x86 based systems will be forthcoming as patch 101352-02.

Sites running SunOS 4.1 that install these patches may need to modify
their configuration files slightly. Full details are given in
the Sun advisory.

The full text of Sun Microsystems's advisory can be found in
/pub/vendors/sun/advisories/sendmail on info.cert.org.

-------------

_____________________________________________________
The U.S. Department of Energy
Computer Incident Advisory Capability
___ __ __ _ ___
/ | / \ /
\___ __|__ /___\ \___
_____________________________________________________

ADVISORY NOTICE

Network Monitoring Attacks


February 3, 1994 2130 PST Number E-09
______________________________________________________________________________
PROBLEM: Systematic compromise and exploitation of networked computers to
capture network transactions.
PLATFORM: Sun 4.x and Solbourne systems.
DAMAGE: Unauthorized access and use of resources; exposure of username,
password, host-name combinations, as well as other sensitive
information.
SOLUTION: Detection, prevention, and recovery steps described below.
______________________________________________________________________________

Critical information about the Network Monitoring Attacks

CIAC and other response teams have observed many compromised systems
surreptitiously monitoring network traffic, obtaining username, password,
host-name combinations (and potentially other sensitive information) as
users connect to remote systems using telnet, rlogin, and ftp. This is for
both local and wide area network connections. The intruders may (and
presumably do) use this information to compromise new hosts and expand the
scope of the attacks. Once system administrators discover a compromised
host, they must presume monitoring of all network transactions from or to
any host "visible" on the network for the duration of the compromise, and
that intruders potentially possess any of the information so exposed.

The attacks proceed as follows. The intruders gain unauthorized, privileged
access to a host that supports a network interface capable of monitoring
the network in "promiscuous mode," reading every packet on the network
whether addressed to the host or not. They accomplish this by exploiting
unpatched vulnerabilities or learning a username, password, host-name
combination from the monitoring log of another compromised host. The
intruders then install a network monitoring tool that captures and records
the initial portion of all network traffic for ftp, telnet, and rlogin
sessions. They typically also install "Trojan" programs for login, ps, and
telnetd to support their unauthorized access and other clandestine
activities.

System administrators must begin by determining if intruders have
compromised their systems. The CERT Coordination Center has released a tool
to detect network interface devices in promiscuous mode. Instructions for
obtaining and using the tool appear later in this bulletin--the tool is
available via anonymous ftp. If a site discovers that intruders have
compromised their systems, the site must determine the extent of the attack
and perform recovery as described below. System administrators must also
prevent future attacks as described below.

CIAC advises system administrators to follow the steps described below. The
following guidelines have been extracted (with minor modifications) from
the CERT Coordination Center's Advisory CA-94:01, and full credit is given
to them.

[Beginning of CERT extract.]

A. Detection

The network monitoring tool can be run under a variety of
process names and log to a variety of filenames. Thus, the
best method for detecting the tool is to look for 1) Trojan
horse programs commonly used in conjunction with this attack,
2) any suspect processes running on the system, and 3) the
unauthorized use of /dev/nit.

1) Trojan horse programs:

The intruders have been found to replace one or more of the
following programs with a Trojan horse version in conjunction
with this attack:

/usr/etc/in.telnetd
and /bin/login - Used to provide back-door access for the
intruders to retrieve information
/bin/ps - Used to disguise the network monitoring process

Because the intruders install Trojan horse variations of
standard UNIX commands, CERT recommends not using other
commands such as the standard UNIX sum(1) or cmp(1) commands
to locate the Trojan horse programs on the system until these
programs can be restored from distribution media, run from
read-only media (such as a mounted CD-ROM), or verified using
cryptographic checksum information.

In addition to the possibility of having the checksum
programs replaced by the intruders, the Trojan horse programs
mentioned above may have been engineered to produce the same
standard checksum and timestamp as the legitimate version.
Because of this, the standard UNIX sum(1) command and the
timestamps associated with the programs are not sufficient to
determine whether the programs have been replaced.

CERT recommends that you use both the /usr/5bin/sum and
/bin/sum commands to compare against the distribution media
and assure that the programs have not been replaced. The use
of cmp(1), MD5, Tripwire (only if the baseline checksums were
created on a distribution system), and other cryptographic
checksum tools are also sufficient to detect these Trojan
horse programs, provided these programs were not available
for modification by the intruder. If the distribution is
available on CD-ROM or other read-only device, it may be
possible to compare against these volumes or run programs off
these media.
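The two sum programs the extract tells you to run side by side (the BSD /bin/sum "Standard Unix Sum" and the System V /usr/5bin/sum) together with MD5, as an added Python example that is not part of this bulletin or of CERT's cpm tool; it reads the "Standard Unix Sum / System V Sum / MD5" listings in the same format the vendor README appended to bulletin E-07 uses, so a download or a live binary can be compared against a listing or a baseline taken from distribution media. The sample "binaries" and baseline are constructed; the one labelled trojaned has a single NUL byte appended, which the System V byte sum cannot see.

```python
import hashlib
from typing import Dict, List, Tuple


def bsd_sum(data: bytes) -> Tuple[int, int]:
    """'Standard Unix Sum' as printed by the BSD /bin/sum: a 16-bit checksum
    rotated right by one bit before each byte is added, plus the count of
    1024-byte blocks (rounded up)."""
    ck = 0
    for b in data:
        ck = (ck >> 1) + ((ck & 1) << 15)   # rotate right by one bit
        ck = (ck + b) & 0xFFFF
    return ck, (len(data) + 1023) // 1024


def sysv_sum(data: bytes) -> Tuple[int, int]:
    """'System V Sum' as printed by /usr/5bin/sum: the 32-bit sum of all bytes
    folded end-around into 16 bits, plus the count of 512-byte blocks."""
    s = sum(data) & 0xFFFFFFFF
    r = (s & 0xFFFF) + (s >> 16)
    ck = (r & 0xFFFF) + (r >> 16)
    return ck, (len(data) + 511) // 512


def md5_hex(data: bytes) -> str:
    return hashlib.md5(data).hexdigest()


def parse_sum(text: str) -> Tuple[int, int]:
    """Parse a listing such as '07718 428' or '64609 856' into (checksum, blocks)."""
    ck, blocks = text.split()
    return int(ck, 10), int(blocks, 10)


def fingerprint(data: bytes) -> Dict[str, str]:
    """All three values in the format the advisories print them."""
    bck, bbl = bsd_sum(data)
    sck, sbl = sysv_sum(data)
    return {"bsd": f"{bck:05d} {bbl}", "sysv": f"{sck} {sbl}", "md5": md5_hex(data)}


def mismatches(data: bytes, listed: Dict[str, str]) -> List[str]:
    """Names of the listed checks ('bsd', 'sysv', 'md5') that do NOT match data."""
    got = fingerprint(data)
    bad = []
    for algo, value in listed.items():
        if algo == "md5":
            ok = got["md5"] == value.strip().lower()
        else:
            ok = parse_sum(got[algo]) == parse_sum(value)
        if not ok:
            bad.append(algo)
    return bad


def check_baseline(files: Dict[str, bytes],
                   baseline: Dict[str, Dict[str, str]]) -> Dict[str, List[str]]:
    """Compare live binaries (path -> bytes) against a baseline of listings
    taken from distribution media; returns only the paths that differ or are
    missing, with the checks that flagged each one."""
    report: Dict[str, List[str]] = {}
    for path, listed in baseline.items():
        if path not in files:
            report[path] = ["missing"]
            continue
        bad = mismatches(files[path], listed)
        if bad:
            report[path] = bad
    return report


# Constructed stand-ins for the three programs the extract says were replaced.
CLEAN = {
    "/usr/etc/in.telnetd": b"telnetd: legitimate build\n",
    "/bin/login": b"login: legitimate build\n",
    "/bin/ps": b"ps: legitimate build\n",
}
BASELINE = {path: fingerprint(data) for path, data in CLEAN.items()}
LIVE = dict(CLEAN)
# Appending a NUL byte leaves the System V byte sum and block count unchanged,
# so that check alone passes; MD5 (and, here, the BSD rotating sum) does not.
LIVE["/bin/ps"] = CLEAN["/bin/ps"] + b"\x00"

if __name__ == "__main__":
    for path, bad in check_baseline(LIVE, BASELINE).items():
        print(f"{path}: differs from baseline ({', '.join(bad)})")
```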

2) Suspect processes:

Although the name of the network monitoring tool can vary
from attack to attack, it is possible to detect a suspect
process running as root using ps(1) or other process-listing
commands. Until the ps(1) command has been verified against
distribution media, it should not be relied upon--a Trojan
horse version is being used by the intruders to hide the
monitoring process. Some process names that have been
observed are sendmail, es, and in.netd. The arguments to the
process also provide an indication of where the log file is
located. If the "-F" flag is set on the process, the
filename following indicates the location of the log file
used for the collection of authentication information for
later retrieval by the intruders.
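Triage of a process listing along the lines just described (the observed process names and the "-F logfile" argument), as an added Python example that is not part of the bulletin; run it only on output from a ps binary already verified against distribution media. The sample listing is constructed in a `ps -ef` style column layout, and the legitimate sendmail daemon (`-bd -q1h`, no `-F`) is deliberately included so the rule does not flag it.

```python
from typing import Dict, List, Optional

# Process names the extract reports the monitoring tool running under.
# "sendmail" is also a legitimate daemon, so it is only suspect together
# with the "-F <logfile>" argument pattern; the other two names are not
# part of a standard SunOS 4.x installation and are reported on sight.
SUSPECT_NAMES = {"sendmail", "es", "in.netd"}
ALWAYS_SUSPECT = {"es", "in.netd"}

# Constructed sample (UID PID PPID C STIME TTY TIME CMD); not a real capture.
SAMPLE_PS = """\
     UID   PID  PPID  C  STIME TTY      TIME CMD
    root     1     0  0  Feb01 ?        0:01 /sbin/init
    root   112     1  0  Feb01 ?        0:05 /usr/lib/sendmail -bd -q1h
    root   418     1  0  Feb02 ?        1:12 sendmail -F /usr/lib/.X11/.log
    root   420     1  0  Feb02 ?        0:00 in.netd -F /tmp/.sniff
  daemon   300     1  0  Feb01 ?        0:00 es
    ciac  5012  5010  0  20:10 pts/0    0:00 -csh
"""


def parse_ps(text: str) -> List[Dict[str, object]]:
    """Split ps output into records; CMD is kept whole since it contains spaces."""
    rows: List[Dict[str, object]] = []
    for line in text.splitlines()[1:]:          # skip the header line
        parts = line.split(None, 7)
        if len(parts) < 8:
            continue
        rows.append({"user": parts[0], "pid": int(parts[1]), "cmd": parts[7]})
    return rows


def logfile_argument(argv: List[str]) -> Optional[str]:
    """Return the path following a '-F' option, or None if there is none."""
    for i in range(1, len(argv) - 1):
        if argv[i] == "-F":
            return argv[i + 1]
    return None


def find_suspect_processes(ps_text: str) -> List[Dict[str, object]]:
    """Flag processes matching the patterns described in the extract."""
    findings: List[Dict[str, object]] = []
    for row in parse_ps(ps_text):
        argv = str(row["cmd"]).split()
        name = argv[0].rsplit("/", 1)[-1]        # basename of argv[0]
        logfile = logfile_argument(argv)
        if name in SUSPECT_NAMES and logfile is not None:
            reason = "reported sniffer name with -F logfile argument"
        elif name in ALWAYS_SUSPECT:
            reason = "process name not expected on this platform"
        else:
            continue
        findings.append({"pid": row["pid"], "user": row["user"], "name": name,
                         "logfile": logfile, "reason": reason})
    return findings


if __name__ == "__main__":
    for f in find_suspect_processes(SAMPLE_PS):
        print(f"pid {f['pid']} ({f['user']}) {f['name']}: {f['reason']}"
              + (f", log file {f['logfile']}" if f["logfile"] else ""))
```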

If the network monitoring tool is currently running on your
system, it is possible to detect this by checking for
unauthorized use of the /dev/nit interface. CERT has created
a minimal tool for this purpose. The source code for this
tool is available via anonymous FTP on info.cert.org in the
/pub/tools/cpm directory or on ftp.uu.net in the
/pub/security/cpm directory as cpm.1.0.tar.Z. The checksum
information is:

Filename         Standard UNIX Sum   System V Sum
--------------   -----------------   ------------
cpm.1.0.tar.Z:   11097 6             24453 12

MD5 Checksum
MD5 (cpm.1.0.tar.Z) = e29d43f3a86e647f7ff2aa453329a155

This archive contains a readme file, also included at the end
of this extract, containing instructions on installing and
using this detection tool.

B. Prevention

There are two actions that are effective in preventing this
attack. A long-term solution requires eliminating
transmission of clear-text passwords on the network. For
this specific attack, however, a short-term workaround
exists. Both of these are described below.

1) Long-term prevention:

CERT recognizes that the only effective long-term solution to
prevent these attacks is by not transmitting reusable
clear-text passwords on the network. CERT has collected some
information on relevant technologies. This information is
included as Appendix B in this advisory. Note: These
solutions will not protect against transient or remote access
transmission of clear-text passwords through the network.

Until everyone connected to your network is using the above
technologies, your policy should allow only authorized users
and programs access to promiscuous network interfaces. The
tool described in Section III.A.3 above may be helpful in
verifying this restricted access.

2) Short-term workaround:

Regardless of whether the network monitoring software is
detected on your system, CERT recommends that ALL SITES take
action to prevent unauthorized network monitoring on their
systems. You can do this either by removing the interface, if
it is not used on the system or by attempting to prevent the
misuse of this interface.

For systems other than Sun and Solbourne, contact your vendor
to find out if promiscuous mode network access is supported
and, if so, what is the recommended method to disable or
monitor this feature.

For SunOS 4.x and Solbourne systems, the promiscuous
interface to the network can be eliminated by removing the
/dev/nit capability from the kernel. The procedure for doing
so is outlined below (see your system manuals for more
details). Once the procedure is complete, you may remove the
device file /dev/nit since it is no longer functional.

Procedure for removing /dev/nit from the kernel:

1. Become root on the system.

2. Apply "method 1" as outlined in the System and Network
Administration manual, in the section, "Sun System
Administration Procedures," Chapter 9, "Reconfiguring the
System Kernel." Excerpts from the method are reproduced
below:

# cd /usr/kvm/sys/sun[3,3x,4,4c]/conf
# cp CONFIG_FILE SYS_NAME

[Note that at this step, you should replace the CONFIG_FILE
with your system specific configuration file if one exists.]

# chmod +w SYS_NAME
# vi SYS_NAME

#
# The following are for streams NIT support. NIT is used by
# etherfind, traffic, rarpd, and ndbootd. As a rule of thumb,
# NIT is almost always needed on a server and almost never
# needed on a diskless client.
#
pseudo-device snit # streams NIT
pseudo-device pf # packet filter
pseudo-device nbuf # NIT buffering module

[Comment out the preceding three lines; save and exit the
editor before proceeding.]

# config SYS_NAME
# cd ../SYS_NAME
# make

# mv /vmunix /vmunix.old
# cp vmunix /vmunix

# /etc/halt
> b

[This step will reboot the system with the new kernel.]

[NOTE that even after the new kernel is installed, you need
to take care to ensure that the previous vmunix.old, or
other kernel, is not used to reboot the system.]


C. Scope and recovery

If you detect the network monitoring software at your site,
CERT recommends following the steps below to determine the
scope of the problem and to recover from this attack.

1. Restore the system that was subjected to the network
monitoring software.

The systems on which the network monitoring and/or Trojan
horse programs are found have been compromised at the root
level; your system configuration may have been altered. See
Appendix A of this advisory for help with recovery.

2. Consider changing router, server, and privileged account
passwords due to the widespread nature of these attacks.

Since this threat involves monitoring remote connections,
take care to change these passwords using some mechanism
other than remote telnet, rlogin, or FTP access.

3. Urge users to change passwords on local and remote
accounts.

Users who access accounts using telnet, rlogin, or FTP either
to or from systems within the compromised domain should
change their passwords after the intruder's network monitor
has been disabled.

4. Notify remote sites connected from or through the local
domain of the network compromise.

Encourage the remote sites to check their systems for
unauthorized activity. Be aware that if your site routes
network traffic between external domains, both of these
domains may have been compromised by the network monitoring
software.

---------------------------------------------------------------------------
cpm 1.0 README FILE


cpm - check for network interfaces in promiscuous mode.

Copyright (c) Carnegie Mellon University 1994
Thursday Feb 3 1994

CERT Coordination Center
Software Engineering Institute
Carnegie Mellon University
Pittsburgh, PA 15213-3890


This program is free software; you can distribute it and/or modify
it as long as you retain the Carnegie Mellon copyright statement.

It can be obtained via anonymous FTP from info.cert.org:pub/tools/cpm.tar.Z.

This program is distributed WITHOUT ANY WARRANTY; without the IMPLIED
WARRANTY of merchantability or fitness for a particular purpose.

This package contains:
README
MANIFEST
cpm.1
cpm.c

To create cpm under SunOS, type:
% cc -Bstatic -o cpm cpm.c

On machines that support dynamic loading, such as Sun's, CERT recommends
that programs be statically linked so that this feature is disabled.

CERT recommends that after you install cpm in your favorite directory,
you take measures to ensure the integrity of the program by noting
the size and checksums of the source code and resulting binary.


The following is an example of the output of cpm and its exit status.

Running cpm on a machine where both the le0 and le2 interfaces are
in promiscuous mode, under csh(1):

% cpm
le0
le2
% echo $status
2
%

Running cpm on a machine where no interfaces are in promiscuous
mode, under csh(1):

% cpm
% echo $status
0
%

[End of CERT extract.]
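A present-day equivalent of the cpm check, added here as an example; it is not part of the CERT extract or of CIAC's bulletin. It lists the interfaces whose flag word carries IFF_PROMISC and, like cpm, makes the count its exit status so a script can test it. It assumes a Linux host that exposes each interface's flags as /sys/class/net/<ifname>/flags (that path and the IFF_PROMISC value 0x100 are the example's assumptions; SunOS had no such file, which is why cpm went through /dev/nit).

```python
"""Report network interfaces that are in promiscuous mode, cpm-style.

Added example, not CERT's cpm.c.  It reads the flag word the Linux kernel
exports as /sys/class/net/<ifname>/flags (an assumption about the host)
and tests the IFF_PROMISC bit.
"""
import os
import sys

IFF_PROMISC = 0x100             # IFF_PROMISC from <linux/if.h>
SYSFS_NET = "/sys/class/net"    # assumption: Linux sysfs layout


def is_promiscuous(flags):
    """True when the IFF_PROMISC bit is set in an interface flag word."""
    return bool(flags & IFF_PROMISC)


def parse_flags(text):
    """Parse the text of a sysfs flags file, e.g. "0x1103\\n"."""
    return int(text.strip(), 16)


def promiscuous_interfaces(flag_words):
    """From {ifname: flags}, return the names in promiscuous mode, sorted."""
    return sorted(name for name, flags in flag_words.items()
                  if is_promiscuous(flags))


def read_system_flags(sysfs_net=SYSFS_NET):
    """Collect {ifname: flags} for every interface listed in sysfs.

    Interfaces that disappear or are unreadable mid-scan are skipped;
    on a host without sysfs the result is simply empty."""
    flag_words = {}
    try:
        names = os.listdir(sysfs_net)
    except OSError:
        return flag_words
    for name in names:
        try:
            with open(os.path.join(sysfs_net, name, "flags")) as fh:
                flag_words[name] = parse_flags(fh.read())
        except (OSError, ValueError):
            continue
    return flag_words


def main():
    promisc = promiscuous_interfaces(read_system_flags())
    for name in promisc:
        print(name)
    # Same contract as cpm: one interface per line on stdout and the
    # count as the exit status, so a shell script can test $status / $?.
    return len(promisc)


if __name__ == "__main__":
    sys.exit(main())
```

Reading the kernel's flag word directly, rather than parsing ifconfig or netstat output, matters on a host that may already be compromised: the advisory lists Trojan replacements for exactly those userland tools. It is still only a userland check; a kernel-level modification could misreport the flag, and the same integrity advice given for cpm (static build, recorded checksums, a copy kept on trusted media) applies to this script.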
______________________________________________________________________________

CIAC wishes to acknowledge the contributions of the CERT Coordination
Center for their timely and thorough advisory, their detection tool, and
their diligence and support throughout this ongoing incident.
______________________________________________________________________________

For additional information or assistance, please contact CIAC:
Voice: (510) 422-8193
FAX: (510) 423-8002
STU-III: (510) 423-2604
E-mail: ciac@llnl.gov

Previous CIAC Bulletins and other information are available via anonymous FTP
from irbis.llnl.gov (IP address 128.115.19.60).
______________________________________________________________________________

PLEASE NOTE: Many users outside of the DOE and ESnet computing communities
receive CIAC bulletins. If you are not part of these communities, please
contact your agency's response team to report incidents. Your agency's team
will coordinate with CIAC. The Forum of Incident Response and Security Teams
(FIRST) is a world-wide organization. A list of FIRST member organizations
and their constituencies can be obtained by sending email to
docserver@first.org with an empty subject line and a message body containing
the line: send first-contacts.

This document was prepared as an account of work sponsored by an agency of the
United States Government. Neither the United States Government nor the
University of California nor any of their employees, makes any warranty,
expressed or implied, or assumes any legal liability or responsibility for the
accuracy, completeness, or usefulness of any information, product, or process
disclosed, or represents that its use would not infringe privately owned
rights. Reference herein to any specific commercial products, process, or
service by trade name, trademark manufacturer, or otherwise, does not
necessarily constitute or imply its endorsement, recommendation, or favoring
by the United States Government or the University of California. The views
and opinions of authors expressed herein do not necessarily state or reflect
those of the United States Government nor the University of California, and
shall not be used for advertising or product endorsement purposes.


_____________________________________________________
The U.S. Department of Energy
Computer Incident Advisory Capability
___ __ __ _ ___
/ | / \ /
\___ __|__ /___\ \___
_____________________________________________________

Information Bulletin

Lotus cc:Mail Security Upgrade Available

March 7, 1994 900 PST Number E-11
______________________________________________________________________________
PROBLEM: Passwords are vulnerable on local hard drives
PLATFORM: Lotus cc:Mail Windows 2.0 and 2.01
DAMAGE: Accounts could be compromised if another person is allowed access
to a cc:Mail user's personal computer
SOLUTION: Retrieve and install cc:Mail 2.02 for Windows, then have all
users change their passwords.
______________________________________________________________________________

Critical Information about Lotus CCMAIL Security Upgrade

CIAC has received information from Lotus regarding a vulnerability in cc:Mail
for Windows. Under certain circumstances, the user's password can be viewed
on their local hard drive. This vulnerability exists only in cc:Mail Windows
2.0 and 2.01.

To correct the problem, a software upgrade, cc:Mail for Windows 2.02, has
been made available. This upgrade is contained in the file WINFIX.ZIP.
WINFIX.ZIP can be downloaded from three sources: anonymous ftp, CompuServe,
or the Lotus cc:Mail BBS. The file is available via anonymous ftp from
ftp.ccmail.com in the /pub/windows directory. On the anonymous ftp server,
WINFIX.ZIP is dated Feb 19 00:53 and is 279803 bytes long.

In CompuServe, perform the following commands:

a. Enter the Lotus forum by typing GO LOTUSC from any CompuServe prompt.
b. Enter Section 10 when prompted for which section.
c. From within Section 10, select "Download" and download the file
WINFIX.ZIP.

The Lotus cc:Mail BBS is available to everyone via modem. The telephone
number is (415) 691-0401. Your modem setting should be: 8 data bits, No
Parity, 1 stop bit. Once connected, go to the "File Area" by typing "F".
Select the download option and download the file WINFIX.ZIP. On the BBS,
WINFIX.ZIP is 279803 bytes long and is dated 2/18/94 at 2:02a.

After unzipping WINFIX.ZIP, the following files are available:

ccmail.exe 628656 bytes
readme.now 1062 bytes

Your next step is to install this upgrade. Change to the directory (which is
likely to be m:\ccmail) that contains the old version of ccmail.exe. Rename
the old copy of ccmail.exe to ccmail.old, and then copy the new ccmail.exe to
the directory. If cc:Mail for Windows has been installed on a network, the
system administrator only needs to change the network copy of ccmail.exe. If
cc:Mail for Windows has been installed locally, ccmail.exe must be installed
in the proper directory of every workstation.

After installation of ccmail.exe, all users should change their password.

______________________________________________________________________________

CIAC would like to thank Lally Thomas and Gary Schuppert of CDSI for bringing
this problem to our attention.
______________________________________________________________________________



_____________________________________________________
The U.S. Department of Energy
Computer Incident Advisory Capability
___ __ __ _ ___
/ | /_\ /
\___ __|__ / \ \___
_____________________________________________________

ADVISORY NOTICE

Network Monitoring Attacks Update


March 18, 1994 1800 PST Number E-12
______________________________________________________________________________
PROBLEM: Continued network monitoring attacks.
PLATFORM: All computers supporting logins over the Internet.
DAMAGE: Unauthorized access and use of resources; exposure of username,
password, host-name combinations, as well as other sensitive
information.
SOLUTION: Detection and prevention steps described below.
______________________________________________________________________________

Critical Information about the Network Monitoring Attacks

This Advisory supersedes any other version of Bulletin E-12 dated prior to
March 18, 1994. This Advisory updates information contained in CIAC
Advisory E-09.

The number of Internet sites compromised by the ongoing series of network
monitoring (sniffing) attacks continues to increase. The number of accounts
compromised world-wide is now estimated to exceed 100,000. This series of
attacks represents the most serious Internet threat in its history.

IMPORTANT: THESE NETWORK MONITORS DO NOT SPECIFICALLY TARGET INFORMATION
FROM UNIX SYSTEMS; ALL SYSTEMS SUPPORTING NETWORK LOGINS ARE
POTENTIALLY VULNERABLE. IT IS IMPERATIVE THAT SITES ACT TO SECURE
THEIR SYSTEMS.


Attack Description
==================

The attacks are based on network monitoring software, known as a "sniffer",
installed surreptitiously by intruders. The sniffer records the initial 128
bytes of each login, telnet, and FTP session seen on the local network
segment, compromising ALL traffic to or from any machine on the segment as
well as traffic passing through the segment being monitored. The captured
data includes the name of the destination host, the username, and the password
used. This information is written to a file and is later used by the
intruders to gain access to other machines.

Note: To date, these attacks have only involved sniffers on Unix systems
running SunOS 4.x. However, nearly all networked computers have the
capability of monitoring the network.

In most cases, the intruders initially gain access to systems using one of
the following techniques:

- Retrieve the password file via TFTP on improperly configured systems.
- Retrieve the password file from systems running insecure versions of NIS.
- Gain access to the local file systems via NFS mount points exported
without restrictions.
- Use a login name and password captured by a sniffer running on another
system.

Once on a system, the intruders gain root privilege by exploiting known
vulnerabilities, including rdist, Sun Sparc integer division, and
world-writable utmp files, or by making use of a captured root password. They then
install the sniffer software, logging the captured session information to a
hidden file. In addition, the intruders generally install Trojan replacements
for one or more of the following critical system files in order to disguise
their presence on the system:

- /bin/login
- /usr/etc/in.telnetd
- /usr/kvm/ps
- /usr/ucb/netstat


Detection
=========

The following techniques may be used to detect the presence of a sniffer
on a system running SunOS 4.x:

1. The integrity of key system files may be verified using the database of
MD5 checksums contained in Appendix B of this Advisory. The use of MD5
checksums is essential, as many of the Trojan binaries currently being
used have been engineered to generate the same "/bin/sum" checksum as
the original binary. The MD5 signature algorithm by RSA Data Security,
Inc. is cryptographically strong and is not believed to be susceptible
to such an attack.

In addition to the checksum database, CIAC is providing a program to
automate the verification of system files. This program is included in
Appendix A. The program, the checksum database, source for md5, and a
man page are also available via anonymous FTP from irbis.llnl.gov
(IP 128.115.19.60) in the directory /pub/util/crypto.

Filename MD5 Checksum
-------- --------------------------------
md5check.1.0.tar 113d5d66e73c95967801b512d3dd692d
md5_sun.v1 780a0f1f3717819c59135716e5f6a1ce

Note that the MD5 checksum database is not complete. Some patch revisions
and OS releases were unavailable for testing. If a checksum DOES NOT
match, consider these possible reasons:

a. The file may be legitimate, but not included in this database. To
check this possibility, compare the file against the original
distribution media.

b. You may have made local modifications to the file. To check this
possibility, compare the file to a known good version.

c. The file may be a Trojan replacement installed by an intruder.
We encourage you to make a copy of the file, replace it with a known
good version, and check for additional signs of compromise. Contact
CIAC for further assistance.

2. The sniffer software places the network interface in promiscuous mode to
allow examination of each packet on the network segment. This mode can be
detected with the CPM utility described in Appendix C.

3. Scan your file system for any unusual directories or files. Look for
unusual names like ".. " (dot dot space space) or " " (space). A useful
technique for locating such files is to examine the file system for
files that have recently changed. For example, the command

find / -ctime -7 -print

will locate all files that have changed in the last 7 days.

4. Examine the process table with a known good version of ps, checking for
long running processes with unusually high amounts of CPU time and/or
unusual names.
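The scan described in item 3, as an added example that is not part of the advisory: it walks a directory tree looking for entry names that would look blank or ordinary in ls output (".. ", " ", names carrying control characters) and for inodes whose status-change time falls within the last N days, the same set that find / -ctime -N -print reports. The name heuristic and the constructed demo tree are assumptions of the example.

```python
"""Scan a directory tree for the two indicators in item 3 above: entry
names chosen to look blank or ordinary in ls(1) output, and inodes whose
status changed in the last N days (what find / -ctime -N -print lists).

Added example, not from the advisory.  The whitespace/control-character
heuristic is an assumption; build_demo_tree() constructs its own input.
"""
import os
import tempfile
import time

SECONDS_PER_DAY = 86400


def suspicious_name(name):
    """Names an intruder picks so that a casual 'ls' shows nothing odd."""
    if name in (".", ".."):
        return False
    if not name.strip():                 # nothing but whitespace, e.g. " "
        return True
    if name != name.strip():             # leading/trailing whitespace, ".. "
        return True
    return any(not ch.isprintable() for ch in name)   # control characters


def recently_changed(path, days, now=None):
    """True when the inode's ctime lies within the last `days` days.

    ctime (status change) is what find -ctime tests.  Unlike mtime it
    cannot be set through utime(), so a backdated mtime does not hide
    a replaced binary from this check."""
    now = time.time() if now is None else now
    try:
        st = os.lstat(path)
    except OSError:                      # vanished between listing and stat
        return False
    return now - st.st_ctime < days * SECONDS_PER_DAY


def scan(root, days=7, now=None):
    """Walk `root`; return (odd_names, recent) as sorted lists of paths
    relative to `root`."""
    odd_names, recent = [], []
    for dirpath, dirnames, filenames in os.walk(root):
        for name in dirnames + filenames:
            path = os.path.join(dirpath, name)
            rel = os.path.relpath(path, root)
            if suspicious_name(name):
                odd_names.append(rel)
            if recently_changed(path, days, now):
                recent.append(rel)
    return sorted(odd_names), sorted(recent)


def build_demo_tree():
    """Constructed sample tree: a hidden '.. ' directory, a ' ' file and
    an ordinary file.  Returns the temporary root."""
    root = tempfile.mkdtemp(prefix="scan-demo-")
    os.mkdir(os.path.join(root, ".. "))
    for name in (" ", "normal.txt"):
        with open(os.path.join(root, name), "w") as fh:
            fh.write("constructed sample\n")
    return root


if __name__ == "__main__":
    demo_root = build_demo_tree()
    odd, recent = scan(demo_root)
    print("suspicious names:", [repr(n) for n in odd])
    print("changed in the last 7 days:", recent)
```

Run it on a real system with a known-good copy of the interpreter, since the advisory warns that ps and other binaries may have been replaced; the ctime list will be long on a busy host, so narrow it to system directories (/bin, /usr/etc, /usr/kvm and the like) and compare against the checksum database rather than reading it by eye.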


Prevention
==========

1. Verify that all applicable security patches have been installed. These
patches will limit the amount of damage that is possible, even if an
intruder has captured a password for the system. Appendix D lists all
SunOS security patches released as of March 18, 1994.

2. Install a change detection tool such as Security Profile Inspector (SPI)
or Tripwire to detect future changes to system binaries. For the latest
information about the availability of SPI contact Tony Bartoletti, SPI
Project Leader, 510-422-3881 or azb@llnl.gov. A mailserver exists for
information about Tripwire availability. Send E-mail to
"tripwire-request@cs.purdue.edu" with a message body consisting solely of
the word "help", and the server will respond with instructions on how to
get source, patches and join the tripwire mailing list.

3. The only long term solution to the problem of network password sniffing
is the use of one-time passwords. These passwords change with each use,
and are of no value to an intruder. Several implementations exist,
including both hardware and software solutions. Contact information is
provided in Appendix E.

At a minimum, users should use different passwords for each account and
each system, remote systems in particular. Passwords must be changed
frequently, especially on systems accessed over networks.

--------------------------------------------------------------------

Appendix A: "md5check"


The following program is a "nawk" script that can be run against the list of
checksums "md5_sun.v1" in Appendix B:

nawk -f md5check md5_sun.v1

The program, the checksum database, source for md5, and a man page are also
available via anonymous FTP from irbis.llnl.gov (IP 128.115.19.60) in the
directory /pub/util/crypto.

Filename MD5 Checksum
---------------- --------------------------------
md5check.1.0.tar 113d5d66e73c95967801b512d3dd692d
md5_sun.v1 780a0f1f3717819c59135716e5f6a1ce


------- Cut Here -------
# "md5check" version 1 (3/17/94)
BEGIN { FS = "[ \t]*:[ \t]*"; }

# Print notices from the configuration file
/^##/ { print substr ($0, 3); next; }

# Only handle MD5 checksums currently
/^md5/ {
    source = sprintf("%-7s %-8s %-6s %s", $2, $3, $5, $4);
    file = $6;
    sum = hex_lower($7);
    if (md5[file] == "") {
        print "Checking", file;
        testcmd = "test -r " file;
        if ( system(testcmd) != 0 ) {
            print " Could not open", file;
            md5[file] = "x";
            next;
        } else {
            md5cmd = "md5 " file;
            md5cmd | getline md5[file];
            close (md5cmd);

            # Strip off any leading text and set to lowercase
            sub(".*[ \t]", "", md5[file]);
            md5[file] = hex_lower(md5[file]);
        }
    }
    if (md5[file] == "x" || file in matched) {
        # Could not open or already matched
        next;
    }
    if (md5[file] == sum) {
        # We have a match - remember which one
        matched[file] = source;
        num_match++;
        if (file in not_matched) {
            num_no_match--;
            delete not_matched[file];
        }
    } else {
        if (! (file in not_matched)) {
            num_no_match++;
            not_matched[file] = 1;
        }
    }
}

END {
    printf "\n%d files DID NOT MATCH a known checksum\n", num_no_match;
    printf "%d files did match a known checksum\n", num_match;

    print "\nThe following files DID NOT MATCH a known checksum";
    for (filename in not_matched) {
        printf "\t%s\n", filename;
    }

    print "\nThe following files did match a known checksum";
    for (filename in matched) {
        printf "\t%s\n\t\t%s\n", filename, matched[filename];
    }
}

function hex_lower(s) {
    gsub("A","a",s); gsub("B","b",s); gsub("C","c",s);
    gsub("D","d",s); gsub("E","e",s); gsub("F","f",s);
    return s
}
------- Cut Here -------
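The md5check logic above and the Appendix B table format (XSUMTYPE:OSNAME:OSVERSION:SOURCE:ARCH:FILE:XSUM), as an added example in Python that is not CIAC's script and not the md5check program distributed from irbis.llnl.gov. It applies the same rules: a file passes if its digest matches any entry for it, is reported once as unmatched if none do, and once as unreadable if it cannot be opened. The table and files it checks are constructed by build_demo() in a temporary directory; only the line format is taken from the page.

```python
"""Verify files against a checksum table in the md5_sun.v1 format
(XSUMTYPE:OSNAME:OSVERSION:SOURCE:ARCH:FILE:XSUM) with the same rules as
the md5check nawk script.

Added example, not CIAC's md5check.  build_demo() constructs its own
table over temporary files; only the line format comes from the page.
"""
import hashlib
import os
import re
import tempfile

FIELD_SEP = re.compile(r"[ \t]*:[ \t]*")      # md5check's FS


def parse_table(text):
    """Return (notices, entries): '##' lines as notices, md5 lines as
    (label, path, checksum).  Sources such as "Original Dist" contain a
    space but no colon, so splitting on ':' keeps them whole."""
    notices, entries = [], []
    for line in text.splitlines():
        if line.startswith("##"):
            notices.append(line[2:])
            continue
        if not line.startswith("md5"):
            continue                             # '#' comments, blank lines
        fields = FIELD_SEP.split(line)
        if len(fields) != 7:
            continue                             # malformed entry
        _, osname, osver, source, arch, path, xsum = fields
        label = "%-7s %-8s %-6s %s" % (osname, osver, arch, source)
        entries.append((label, path, xsum.lower()))   # hex_lower()
    return notices, entries


def md5_of_file(path):
    """Hex MD5 of a file, read in chunks so large binaries do not fill RAM."""
    digest = hashlib.md5()
    with open(path, "rb") as fh:
        for chunk in iter(lambda: fh.read(65536), b""):
            digest.update(chunk)
    return digest.hexdigest()


def check_files(entries):
    """Apply the md5check matching rules.  Returns (matched, unmatched,
    unreadable); matched maps path -> label of the entry that matched."""
    digests, matched, unmatched, unreadable = {}, {}, set(), set()
    for label, path, xsum in entries:
        if path in matched or path in unreadable:
            continue                             # already decided
        if path not in digests:
            try:
                digests[path] = md5_of_file(path)
            except OSError:
                unreadable.add(path)
                continue
        if digests[path] == xsum:
            matched[path] = label
            unmatched.discard(path)              # an earlier entry missed
        else:
            unmatched.add(path)
    return matched, sorted(unmatched), sorted(unreadable)


def build_demo():
    """Constructed table: one genuine file with a stale entry and a
    correct entry, one tampered file, one missing file."""
    root = tempfile.mkdtemp(prefix="md5check-demo-")
    genuine = os.path.join(root, "login")
    tampered = os.path.join(root, "ps")
    missing = os.path.join(root, "netstat")
    with open(genuine, "wb") as fh:
        fh.write(b"constructed stand-in for a genuine /bin/login\n")
    with open(tampered, "wb") as fh:
        fh.write(b"constructed stand-in for a replaced /usr/kvm/ps\n")
    return "\n".join([
        "## Constructed checksum table for this example",
        "# XSUMTYPE:OSNAME:OSVERSION:SOURCE:ARCH:FILE:XSUM",
        "md5:SunOS:4.1.3:100981-02:sun4:%s:%s" % (genuine, "0" * 32),
        "md5:SunOS:4.1.3:Original Dist:sun4:%s:%s"
        % (genuine, md5_of_file(genuine).upper()),   # upper-case as some md5 tools print
        "md5:SunOS:4.1.3:Original Dist:sun4:%s:%s" % (tampered, "f" * 32),
        "md5:SunOS:4.1.3:Original Dist:sun4:%s:%s" % (missing, "1" * 32),
    ])


def report(table_text):
    """Run the check and print md5check-style output; returns the results."""
    notices, entries = parse_table(table_text)
    matched, unmatched, unreadable = check_files(entries)
    for notice in notices:
        print(notice)
    print("\n%d files DID NOT MATCH a known checksum" % len(unmatched))
    print("%d files did match a known checksum" % len(matched))
    for path in unmatched:
        print("\t%s" % path)
    for path in unreadable:
        print("\tCould not open %s" % path)
    for path, label in sorted(matched.items()):
        print("\t%s\n\t\t%s" % (path, label))
    return matched, unmatched, unreadable


if __name__ == "__main__":
    report(build_demo())
```

Two caveats a practitioner would apply today. A match proves only that the file equals a release build listed in the table, so the table itself must be trusted: compare the MD5 of md5_sun.v1 given above against the copy you fetched, over a channel other than the one you fetched it on. And hashlib.md5 is used here only because the table format is MD5; MD5 collisions are practical now, so a table built today should use sha256 (swap the hashlib constructor and the xsum type prefix).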

--------------------------------------------------------------------

Appendix B: "md5_sun.v1"

## Checksum Table for Selected SunOS Binary Files (v1: 3/17/94)
##
## PLEASE NOTE: The entries included in this table do not represent complete
## coverage of all released versions of these files.
## In particular, checksum data for outdated patch releases is
## limited.
##
## Failure to match a checksum for a given file does not
## necessarily indicate the presence of a Trojan binary.
## Failure indicates that the file's checksum did not match any
## contained in this table. The file's authenticity should be
## verified against distribution media or local modifications.
##
## Success at matching a file's checksum indicates that the
## corresponding file is free from tampering.
##
# (MD5 is the RSA Data Security, Inc. Message Digest Algorithm)
#
# format of data
#
# XSUMTYPE:OSNAME:OSVERSION:SOURCE:ARCH:FILE:XSUM

#/bin/login
md5:SunOS:4.1:100201-06:sun3:/bin/login:00d95a04ecce2193b9c6e16516d37855
md5:SunOS:4.1:100201-06:sun4:/bin/login:e746fed42be0433a53cce082acfee23c
md5:SunOS:4.1:100630-01:sun3:/bin/login:11d5ed4445face25642100ec0ab1ed3c
md5:SunOS:4.1:100630-01:sun4:/bin/login:b6d013403c54949c0e476afd966ef261
md5:SunOS:4.1.1:Original Dist:sun3:/bin/login:073d378264f25245c154be8a12f208e9
md5:SunOS:4.1.1:Original Dist:sun4:/bin/login:92611eb1ef1f221c1e9c76db8da44a99
md5:SunOS:4.1.1:100201-06:sun3:/bin/login:00d95a04ecce2193b9c6e16516d37855
md5:SunOS:4.1.1:100201-06:sun4:/bin/login:e746fed42be0433a53cce082acfee23c
md5:SunOS:4.1.1:100630-01:sun3:/bin/login:11d5ed4445face25642100ec0ab1ed3c
md5:SunOS:4.1.1:100630-01:sun4:/bin/login:b6d013403c54949c0e476afd966ef261
md5:SunOS:4.1.1:100632-06:sun4:/bin/login:12c4b39cb94b8dcdad0a10e1c59345c6
md5:SunOS:4.1.1:100633-01:sun4:/bin/login:9634cda7a353d0043a22ad2b0eebaab2
md5:SunOS:4.1.2:Original Dist:sun4:/bin/login:637503c0e2b46791820609d87629db91
md5:SunOS:4.1.2:100630-01:sun4:/bin/login:b6d013403c54949c0e476afd966ef261
md5:SunOS:4.1.2:100631-01:sun3:/bin/login:65d1e270fbb13984f5e0036b9e4a1011
md5:SunOS:4.1.2:100631-01:sun4:/bin/login:976a0431dbd23ec1535c1679e215095b
md5:SunOS:4.1.2:100632-06:sun4:/bin/login:12c4b39cb94b8dcdad0a10e1c59345c6
md5:SunOS:4.1.2:100633-01:sun4:/bin/login:9634cda7a353d0043a22ad2b0eebaab2
md5:SunOS:4.1.3:100630-02:sun3:/bin/login:11d5ed4445face25642100ec0ab1ed3c
md5:SunOS:4.1.3:100630-02:sun4:/bin/login:b6d013403c54949c0e476afd966ef261
md5:SunOS:4.1.3:100632-06:sun4:/bin/login:12c4b39cb94b8dcdad0a10e1c59345c6
md5:SunOS:4.1.3:Original Dist:sun4:/bin/login:e88e84d228d05e8f54a0d57d62d0710d
md5:SunOS:4.1.3c:Original Dist:sun4:/bin/login:e88e84d228d05e8f54a0d57d62d0710d
md5:SunOS:4.1.3_u1:Original Dist:sun4:/usr/bin/login:4e437a85e05f886ff5082ac58108d882

#/usr/kvm/ps
md5:SunOS:4.1.1:Original Dist:sun3x:/usr/kvm/ps:ac96820499c2da78d65700e230f66df2
md5:SunOS:4.1.1:Original Dist:sun3:/usr/kvm/ps:b4633eed82815a233d2ca8d8df8d655e
md5:SunOS:4.1.1:Original Dist:sun4:/usr/kvm/ps:390ef406ba27b1d591ba6f281986369b
md5:SunOS:4.1.1:Original Dist:sun4c:/usr/kvm/ps:cb58a8259ff580389b115b7861793b48
md5:SunOS:4.1.2:Original Dist:sun4:/usr/kvm/ps:efca4ca10a088e557c6c69695dadcfa6
md5:SunOS:4.1.2:Original Dist:sun4c:/usr/kvm/ps:9d489c87d709a540aced718a04e38e11
md5:SunOS:4.1.2:Original Dist:sun4m:/usr/kvm/ps:e9e364f3936a5b16d7e2fb812d11e475
md5:SunOS:4.1.2:100981-02:sun4:/usr/kvm/ps:86b8b5eb7212c94c9c570cd20c9af2ae
md5:SunOS:4.1.2:100981-02:sun4c:/usr/kvm/ps:4871287498c0ab7b17d97848ebe34d15
md5:SunOS:4.1.2:100981-02:sun4m:/usr/kvm/ps:97cc063bafa6aaf032cb1b67b444c5a8
md5:SunOS:4.1.3:Original Dist:sun4:/usr/kvm/ps:226ab466429f5d4de4f6a108bae1c518
md5:SunOS:4.1.3:Original Dist:sun4c:/usr/kvm/ps:83b369e5d8c34db4d5d6725140d0b216
md5:SunOS:4.1.3:100981-02:sun4:/usr/kvm/ps:a4809a70e66b415bae8a165dc4ffb185
md5:SunOS:4.1.3:100981-02:sun4c:/usr/kvm/ps:cf10e206de67755e801e4c9d96c239a9
md5:SunOS:4.1.3:100981-02:sun4m:/usr/kvm/ps:d6237550748855bee17ce96465cd1331
md5:SunOS:4.1.3_u1:Original Dist:sun4m:/usr/kvm/ps:92c3b1495ab80446ddb6979c890cee58
md5:SunOS:4.1.3_u1:Original Dist:sun4:/usr/kvm/ps:b14b75017dfe75ea1b89d147c6b49cb7
md5:SunOS:4.1.3_u1:Original Dist:sun4c:/usr/kvm/ps:e24eab973f1b1cfd6bf5b54310a2207f
md5:SunOS:4.1.3_u1:101442-01:sun4:/usr/kvm/ps:174731efb18020dacde9f205ad04a4bf

#/usr/etc/in.telnetd
md5:SunOS:4.0.3:100125-05:sun3:/usr/etc/in.telnetd:dce91901f9fd15f7f6f6c94fb7824428
md5:SunOS:4.0.3:100125-05:sun4:/usr/etc/in.telnetd:2e67031ad7984c22cfacc8a0b4c3d6ee
md5:SunOS:4.0.3c:100125-05:sun4c:/usr/etc/in.telnetd:943574a9befb9fac3fce2fc111f68d51
md5:SunOS:4.1:100125-05:sun3:/usr/etc/in.telnetd:2544753907d24a699c9cdfddcab0d2e3
md5:SunOS:4.1:100125-05:sun3x:/usr/etc/in.telnetd:3af506b9b02b6a299f5e081c3abfce1f
md5:SunOS:4.1:100125-05:sun4:/usr/etc/in.telnetd:5448303462518cca8390a84b5f312abe
md5:SunOS:4.1.1:Original Dist:sun3:/usr/etc/in.telnetd:333ffc49f21e675f3099772661549b7d
md5:SunOS:4.1.1:Original Dist:sun4:/usr/etc/in.telnetd:7706ba7270a28f3470ccbe965f8fc7a1
md5:SunOS:4.1.1:100125-05:sun3:/usr/etc/in.telnetd:c4dca8a653f60feaed63a25786aee2ed
md5:SunOS:4.1.1:100125-05:sun3x:/usr/etc/in.telnetd:6c409bd315711aae29b8285ffc4bb90c
md5:SunOS:4.1.1:100125-05:sun4:/usr/etc/in.telnetd:29f24e09ffebc36fb14f9fee4bf2d6fc
md5:SunOS:4.1.1:Original Dist:sun3x:/usr/etc/in.telnetd:503be2c540d03281fdada476d5b0b247
md5:SunOS:4.1.1:Original Dist:sun3:/usr/etc/in.telnetd:333ffc49f21e675f3099772661549b7d
md5:SunOS:4.1.1:Original Dist:sun4c:/usr/etc/in.telnetd:503be2c540d03281fdada476d5b0b247
md5:SunOS:4.1.2:Original Dist:sun4:/usr/etc/in.telnetd:913095f91bbf06e98635f964951e0e2d
md5:SunOS:4.1.2:Original Dist:sun4c:/usr/etc/in.telnetd:503be2c540d03281fdada476d5b0b247
md5:SunOS:4.1.2:Original Dist:sun4m:/usr/etc/in.telnetd:503be2c540d03281fdada476d5b0b247
md5:SunOS:4.1.3:Original Dist:sun4:/usr/etc/in.telnetd:b94ac90e4fe63f1c7a0199a27a7c4d80
md5:SunOS:4.1.3:Original Dist:sun4c:/usr/etc/in.telnetd:503be2c540d03281fdada476d5b0b247
md5:SunOS:4.1.3c:Original Dist:sun4:/usr/etc/in.telnetd:b94ac90e4fe63f1c7a0199a27a7c4d80
md5:SunOS:4.1.3c:Original Dist:sun4m:/usr/etc/in.telnetd:503be2c540d03281fdada476d5b0b247
md5:SunOS:4.1.3_u1:Original Dist:sun4:/usr/etc/in.telnetd:831c59628b1197c612f19289a786eaeb

#/usr/etc/ifconfig
md5:SunOS:4.1.1:Original Dist:sun3x:/usr/etc/ifconfig:c9fe06259a49a58edfc6f1fe68665990
md5:SunOS:4.1.1:Original Dist:sun3:/usr/etc/ifconfig:0da82be29c7173759316f51417fb420a
md5:SunOS:4.1.1:Original Dist:sun4:/usr/etc/ifconfig:c9fe06259a49a58edfc6f1fe68665990
md5:SunOS:4.1.2:Original Dist:sun4:/usr/etc/ifconfig:47d6e495207cc2b7037bd94a12cf565b
md5:SunOS:4.1.2:Original Dist:sun4c:/usr/etc/ifconfig:c9fe06259a49a58edfc6f1fe68665990
md5:SunOS:4.1.2:Original Dist:sun4m:/usr/etc/ifconfig:c9fe06259a49a58edfc6f1fe68665990
md5:SunOS:4.1.3:Original Dist:sun4:/usr/etc/ifconfig:de44e217c94fa4f4c6fdfbcae419cb8b
md5:SunOS:4.1.3:Original Dist:sun4c:/usr/etc/ifconfig:c9fe06259a49a58edfc6f1fe68665990
md5:SunOS:4.1.3c:Original Dist:sun4:/usr/etc/ifconfig:de44e217c94fa4f4c6fdfbcae419cb8b
md5:SunOS:4.1.3c:Original Dist:sun4m:/usr/etc/ifconfig:c9fe06259a49a58edfc6f1fe68665990
md5:SunOS:4.1.3_u1:Original Dist:sun4:/usr/etc/ifconfig:22d9340368aec82ebdd63518613bc6ab

#/usr/lib/libc.a
md5:SunOS:4.1.1:100267-09:sun3:/usr/5lib/libc.a:af8a721ca332754cdff2a1f1b74b8e8f
md5:SunOS:4.1.1:100267-09:sun3:/usr/5lib/libc_p.a:1b930986afb11494b4e1e0fd4f9540b0
md5:SunOS:4.1.1:100267-09:sun3:/usr/lib/libc.a:6b0ff2e11f3042d453ee502787ac29d7
md5:SunOS:4.1.1:100267-09:sun3:/usr/lib/libc_p.a:ad9bd3c42db06fb0c45674eaafc5c4f8
md5:SunOS:4.1.1:100267-09:sun4:/usr/5lib/libc.a:8c396b0695abb59fea66bc6615d9f101
md5:SunOS:4.1.1:100267-09:sun4:/usr/5lib/libc_p.a:d98a993e3f6c308f3679690dd4f5e8d7
md5:SunOS:4.1.1:100267-09:sun4:/usr/lib/libc.a:da7c2504a1cb5073d7e9bb7de580db32
md5:SunOS:4.1.1:100267-09:sun4:/usr/lib/libc_p.a:9879d72df71d9956f62f058ddf70d0f8
md5:SunOS:4.1.3_u1:Original Dist:sun4:/usr/5lib/libc.a:4daced1b11335f613bf7a5792bfeff77
md5:SunOS:4.1.3_u1:Original Dist:sun4:/usr/5lib/libc_p.a:bd2037193776678e48324f523064b95b
md5:SunOS:4.1.3_u1:Original Dist:sun4:/usr/lib/libc.a:ae4bcb481e7267c1def082ed6acf4bd9
md5:SunOS:4.1.3_u1:Original Dist:sun4:/usr/lib/libc_p.a:696c03eb30c696b712f38907d3c2ee45
md5:SunOS:4.1.1:Original Dist:sun4:/usr/5lib/libc.a:68686e4ed99b5dcf98ac4e3350ff6645
md5:SunOS:4.1.1:Original Dist:sun4:/usr/lib/libc.a:cbba2b6e294f0087a0b9116290946d46
md5:SunOS:4.1.1:Original Dist:sun3:/usr/5lib/libc.a:89b9040707c28810554dfaca6993e7d0
md5:SunOS:4.1.1:Original Dist:sun3:/usr/lib/libc.a:15d385b850be70a30077e66b67dc5f09
md5:SunOS:4.1.2:Original Dist:sun4:/usr/5lib/libc.a:e7ab3d2658611114833f25a4279db158
md5:SunOS:4.1.2:Original Dist:sun4:/usr/lib/libc.a:f95fabcdbaaf34ac3da6174e635724e3
md5:SunOS:4.1.3:Original Dist:sun4:/usr/5lib/libc.a:c6669804e4def2e1e49ad5628c52ee75
md5:SunOS:4.1.3:Original Dist:sun4:/usr/lib/libc.a:ab06bfd723df7802d25291576736ce23
md5:SunOS:4.1.3c:Original Dist:sun4:/usr/5lib/libc.a:5ef2ccf958dc6734c3e412127884c559
md5:SunOS:4.1.3c:Original Dist:sun4:/usr/lib/libc.a:6f5d5c343b262c03a3f976d2830f4d06
md5:SunOS:4.1.1:Original Dist:sun4:/usr/5lib/libc_p.a:21766ed7fdb431bb0435e48ea0764d42
md5:SunOS:4.1.1:Original Dist:sun4:/usr/lib/libc_p.a:709d9a093b637e64234a03f1c48583e7
md5:SunOS:4.1.1:Original Dist:sun3:/usr/5lib/libc_p.a:3e3fcdfeb1636c708f1a2fec14c13b9f
md5:SunOS:4.1.1:Original Dist:sun3:/usr/lib/libc_p.a:18f6043209f019ec58e50ab4f4771d40
md5:SunOS:4.1.2:Original Dist:sun4:/usr/5lib/libc_p.a:c0b13f61038a198e6be3c09e137dee0e

--------------------------------------------------------------------

Appendix C: "cpm"

The CPM 1.0 README File

cpm - check for promiscuous mode in network interfaces.

Copyright (c) Carnegie Mellon University 1994
Thursday Feb 3 1994

CERT Coordination Center
Software Engineering Institute
Carnegie Mellon University
Pittsburgh, PA 15213-3890


This program is free software; you can distribute it and/or modify
it as long as you retain the Carnegie Mellon copyright statement.

It can be obtained via anonymous FTP from info.cert.org:pub/tools/cpm.tar.Z.

This program is distributed WITHOUT ANY WARRANTY and without an IMPLIED
WARRANTY of merchantability or fitness for a particular purpose.

This package contains:
README
MANIFEST
cpm.1
cpm.c

To create cpm under SunOS, type:
% cc -Bstatic -o cpm cpm.c

On machines that support dynamic loading, such as Sun's, CERT recommends
that programs be statically linked so that this feature is disabled.

CERT recommends that after you install cpm in your favorite directory,
you take measures to ensure the integrity of the program by noting
the size and checksums of the source code and resulting binary.

The following is an example of the output of cpm and its exit status.

Running cpm on a machine where both the le0 and le2 interfaces are
in promiscuous mode, under csh(1):

% cpm
le0
le2
% echo $status
2
%

Running cpm on a machine where no interfaces are in promiscuous
mode, under csh(1):

% cpm
% echo $status
0
%
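
A re-implementation of the check cpm performs, for Linux, added here as an example (it is not CERT's cpm.c): it reads each interface's flag word from sysfs, assumed to live at /sys/class/net/NAME/flags, lists the interfaces with IFF_PROMISC set and exits with their count, the same exit-status contract the README shows.

```python
"""cpm-style promiscuous-mode check for Linux (added example, not CERT's cpm.c)."""
import os
import sys

IFF_PROMISC = 0x100  # net/if.h flag bit: interface is in promiscuous mode


def promiscuous_interfaces(flags_by_name):
    """Return, sorted, the names whose interface flag word carries IFF_PROMISC.

    flags_by_name maps interface name -> integer flag word (on Linux the
    hex value found in /sys/class/net/<name>/flags, e.g. 0x1103).
    """
    return sorted(name for name, flags in flags_by_name.items()
                  if flags & IFF_PROMISC)


def read_sysfs_flags(sysfs_root="/sys/class/net"):
    """Collect the flag word of every interface from sysfs.

    Assumption: Linux sysfs layout. Interfaces that disappear while we read
    (or a missing sysfs altogether) are skipped rather than treated as an error.
    """
    flags = {}
    try:
        names = os.listdir(sysfs_root)
    except OSError:
        return flags
    for name in names:
        try:
            with open(os.path.join(sysfs_root, name, "flags")) as fh:
                flags[name] = int(fh.read().strip(), 16)
        except (OSError, ValueError):
            continue
    return flags


def main():
    promisc = promiscuous_interfaces(read_sysfs_flags())
    for name in promisc:
        print(name)
    # Same contract as cpm: the exit status is the number of interfaces in
    # promiscuous mode, so a status of 0 means nothing was found.
    sys.exit(len(promisc))


if __name__ == "__main__":
    main()
```

Run it from cron or a host-integrity check and alert on any non-zero exit status; a statically linked, checksummed copy, as the README advises, is still the right deployment.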

-------------------------------------------------------------

Appendix D: "SunOS security patches"

Solaris and SunOS Security Patch Information

For information about rdist see CIAC Bulletin C-04. For information about
integer division under SunOS see CIAC Bulletin B-41. Previous CIAC notices
are available on the Internet via anonymous FTP from irbis.llnl.gov (IP
address 128.115.19.60).

CIAC has compiled a list of all security related patches currently available
from Sun Microsystems. The patches have been grouped by SunOS version and are
detailed below. CIAC recommends the installation of any applicable patches
that either are not currently present on a system or are present in the form of
an older version of the patch.

SunOS security patches are available through both your Sun Answer Center and
anonymous FTP. In the U.S., ftp to ftp.uu.net (IP address 192.48.96.9) and
retrieve the patches from the directory /systems/sun/sun-dist. In Europe, ftp
to ftp.eu.net (IP address 192.16.202.2) and retrieve the patches from the
/sun/fixes directory. The patches are contained in compressed tarfiles with
filenames based on the ID number of the patch (e.g. patch 100085-03 is
contained in the file 100085-03.tar.Z), and must be retrieved using FTP's
binary transfer mode.

After obtaining the patches, compute the checksum of each compressed tarfile
and compare with the values indicated below. For example, the command
"/usr/bin/sum 100085-03.tar.Z" should return "44177 740". Please note that Sun
Microsystems occasionally updates patch files, resulting in a changed checksum.
If you should find a checksum that differs from those listed below, please
contact Sun Microsystems or CIAC for verification before using the patch.

The patches may be extracted from the compressed tarfiles using the commands
uncompress and tar. For example, to extract patch 100085-03 from the
compressed tarfile 100085-03.tar.Z, execute the commands "uncompress
100085-03.tar.Z" and "tar -xvf 100085-03.tar".

For specific instructions regarding the installation of a particular patch,
consult the README file accompanying each patch. As multiple patches may
affect the same files, it is recommended that patches be installed
chronologically by revision date, with the exception of patches for which an
explicit order is specified.

=======================
SunOS 5.3 (Solaris 2.3)
=======================
Patch ID   Last Revised  Checksum    Description
---------  ------------  ----------  -------------------------------------
101371-03  23-Dec-93     51272 377   sendmail vulnerabilities


=======================
SunOS 5.2 (Solaris 2.2)
=======================
Patch ID   Last Revised  Checksum    Description
---------  ------------  ----------  -------------------------------------
101090-01  28-Jun-93     44985 54    expreserve can overwrite any file
101301-01  21-Oct-93     4703 779    tar archives may contain extraneous info
101077-06  23-Dec-93     28185 358   sendmail vulnerabilities


=======================
SunOS 5.1 (Solaris 2.1)
=======================
Patch ID   Last Revised  Checksum    Description
---------  ------------  ----------  -------------------------------------
100833-02  12-Jan-93     24412 309   C2 auditing missing in some programs
100840-01  12-Jan-93     25050 220   sendmail bypasses mailhost
100884-01  12-Feb-93     63299 5220  Security fixes for sun4m machines
101089-01  28-Jun-93     4501 54     expreserve can overwrite any file
100975-02  21-Oct-93     13460 747   tar archives may contain extraneous info
100840-06  23-Dec-93     61100 390   sendmail vulnerabilities

=======================
SunOS 5.0 (Solaris 2.0)
=======================
No longer supported (upgrade is essential for security).


===========
SunOS 4.1.3
===========
Patch ID   Last Revised  Checksum    Description
---------  ------------  ----------  -------------------------------------
100478-01  14-Feb-92     64588 58    OpenWindows 3.0 xlock vulnerability
100296-04  18-Jun-92     15271 40    File systems exported incorrectly
100507-04  3-Sep-92      57590 61    tmpfs file system vulnerability
100372-02  8-Sep-92      22739 712   tfs fails under C2
100103-11  29-Sep-92     19847 6     Permissions incorrect on many files
100567-04  27-Oct-92     15728 11    ICMP packets can be forged
100564-05  11-Nov-92     00115 824   C2 jumbo patch
100482-04  16-Nov-92     06594 342   ypserv will send NIS maps to anyone
100513-02  2-Dec-92      34315 483   Console can be redirected
100623-03  11-Dec-92     56063 141   NFS file handles can be guessed
100173-10  7-Jan-93      48086 788   NFS jumbo patch
100383-06  26-Jan-93     58984 121   rdist can create setuid root files
100452-28  29-Jan-93     07299 1688  cmdtool may reveal passwords
100305-11  12-Feb-93     38582 500   The lp daemon can delete system files
100891-01  19-Feb-93     33195 3075  Netgroup and xlock vulnerabilities
100224-06  5-Mar-93      57647 54    mail and rmail can invoke root shells
101080-01  9-Jun-93      45221 13    expreserve can overwrite any file
100448-02  15-Dec-93     19410 5     OpenWindows 3.0 loadmodule hole
101200-02  15-Dec-93     41677 28    Security hole in modload
100377-08  23-Dec-93     05320 755   sendmail vulnerabilities
100593-03  17-Mar-94     52095 242   dump vulnerabilities
100272-07  17-Mar-94     26553 39    in.comsat vulnerabilities
101480-01  17-Mar-94     47917 44    in.talkd vulnerabilities
101481-01  17-Mar-94     46562 80    shutdown vulnerabilities
100909-02  17-Mar-94     61539 108   syslogd vulnerabilities
101482-01  17-Mar-94     61148 41    write vulnerabilities


===========
SunOS 4.1.2
===========
Patch ID   Last Revised  Checksum    Description
---------  ------------  ----------  -------------------------------------
100184-02  14-Dec-90     06627 33    OpenWindows 2.0 vulnerability
100478-01  14-Feb-92     64588 58    OpenWindows 3.0 xlock vulnerability
100630-01  18-May-92     28074 39    Environment variables vulnerability
100633-01  22-May-92     33264 20    Environment variables with Sun's ARM
100296-04  18-Jun-92     15271 40    File systems exported incorrectly
100376-04  16-Jul-92     12884 100   Integer division vulnerability
100507-04  3-Sep-92      57590 61    tmpfs file system vulnerability
100372-02  8-Sep-92      22739 712   tfs fails under C2
100103-11  29-Sep-92     19847 6     Permissions incorrect on many files
100567-04  27-Oct-92     15728 11    ICMP packets can be forged
100564-05  11-Nov-92     00115 824   C2 jumbo patch
100482-04  16-Nov-92     06594 342   ypserv will send NIS maps to anyone
100513-02  2-Dec-92      34315 483   Console can be redirected
100623-03  11-Dec-92     56063 141   NFS file handles can be guessed
100173-10  7-Jan-93      48086 788   NFS jumbo patch
100383-06  26-Jan-93     58984 121   rdist can create setuid root files
100452-28  29-Jan-93     07299 1688  cmdtool may reveal passwords
100305-11  12-Feb-93     38582 500   The lp daemon can delete system files
100224-06  5-Mar-93      57647 54    mail and rmail can invoke root shells
101080-01  9-Jun-93      45221 13    expreserve can overwrite any file
100448-02  15-Dec-93     19410 5     OpenWindows 3.0 loadmodule hole
101200-02  15-Dec-93     41677 28    Security hole in modload
100377-08  23-Dec-93     05320 755   sendmail vulnerabilities
100593-03  17-Mar-94     52095 242   dump vulnerabilities
100272-07  17-Mar-94     26553 39    in.comsat vulnerabilities
101480-01  17-Mar-94     47917 44    in.talkd vulnerabilities
101481-01  17-Mar-94     46562 80    shutdown vulnerabilities
100909-02  17-Mar-94     61539 108   syslogd vulnerabilities
101482-01  17-Mar-94     61148 41    write vulnerabilities


===========
SunOS 4.1.1
===========
Patch ID   Last Revised  Checksum    Description
---------  ------------  ----------  -------------------------------------
100085-03  5-Sep-90      44177 740   Sunview selection_svc vulnerability
100184-02  14-Dec-90     06627 33    OpenWindows 2.0 vulnerability
100125-05  8-Jul-91      41964 164   telnet permits password capture
100424-01  12-Nov-91     63070 50    NFS file handles can be guessed
100448-01  10-Dec-91     29285 5     OpenWindows 3.0 loadmodule hole
100478-01  14-Feb-92     64588 58    OpenWindows 3.0 xlock vulnerability
100630-01  18-May-92     28074 39    Environment variables vulnerability
100633-01  22-May-92     33264 20    Environment variables with Sun's ARM
100296-04  18-Jun-92     42492 40    File systems exported incorrectly
100376-04  16-Jul-92     12884 100   Integer division vulnerability
100507-04  3-Sep-92      57590 61    tmpfs file system vulnerability
100372-02  8-Sep-92      22739 712   tfs fails under C2
100103-11  29-Sep-92     19847 6     Permissions incorrect on many files
100567-04  27-Oct-92     15728 11    ICMP packets can be forged
100201-06  5-Nov-92      13145 164   C2 jumbo patch
100267-09  6-Nov-92      55338 5891  Netgroup membership check fails
100482-04  16-Nov-92     06594 342   ypserv will send NIS maps to anyone
100513-02  2-Dec-92      34315 483   Console can be redirected
100173-10  7-Jan-93      48086 788   NFS jumbo patch
100383-06  26-Jan-93     58984 121   rdist can create setuid root files
100452-28  29-Jan-93     07299 1688  cmdtool may reveal passwords
100305-11  12-Feb-93     38582 500   The lp daemon can delete system files
100224-06  5-Mar-93      57647 54    mail and rmail can invoke root shells
101080-01  9-Jun-93      45221 13    expreserve can overwrite any file
100448-02  15-Dec-93     19410 5     OpenWindows 3.0 loadmodule hole
101200-02  15-Dec-93     41677 28    Security hole in modload
100377-08  23-Dec-93     05320 755   sendmail vulnerabilities
100593-03  17-Mar-94     52095 242   dump vulnerabilities
100272-07  17-Mar-94     26553 39    in.comsat vulnerabilities
101480-01  17-Mar-94     47917 44    in.talkd vulnerabilities
101481-01  17-Mar-94     46562 80    shutdown vulnerabilities
100909-02  17-Mar-94     61539 108   syslogd vulnerabilities
101482-01  17-Mar-94     61148 41    write vulnerabilities


=========
SunOS 4.1
=========
Patch ID   Last Revised  Checksum    Description
---------  ------------  ----------  -------------------------------------
100101-02  7-Aug-90      42872 34    ptrace security vulnerability
100085-03  5-Sep-90      44177 740   Sunview selection_svc vulnerability
100184-02  14-Dec-90     06627 33    OpenWindows 2.0 vulnerability
100125-05  8-Jul-91      41964 164   telnet permits password capture
100630-01  18-May-92     28074 39    Environment variables vulnerability
100376-04  16-Jul-92     12884 100   Integer division vulnerability
100103-11  29-Sep-92     19847 6     Permissions incorrect on many files
100567-04  27-Oct-92     15728 11    ICMP packets can be forged
100201-06  5-Nov-92      13145 164   C2 jumbo patch
100482-04  16-Nov-92     06594 342   ypserv will send NIS maps to anyone
100513-02  2-Dec-92      34315 483   Console can be redirected
100383-06  26-Jan-93     58984 121   rdist can create setuid root files
100452-28  29-Jan-93     07299 1688  cmdtool may reveal passwords
100305-11  12-Feb-93     38582 500   The lp daemon can delete system files
100121-09  24-Feb-93     57589 360   NFS jumbo patch
101080-01  9-Jun-93      45221 13    expreserve can overwrite any file
100448-02  15-Dec-93     19410 5     OpenWindows 3.0 loadmodule hole
101200-02  15-Dec-93     41677 28    Security hole in modload
100377-08  23-Dec-93     05320 755   sendmail vulnerabilities
100593-03  17-Mar-94     52095 242   dump vulnerabilities
100272-07  17-Mar-94     26553 39    in.comsat vulnerabilities
101480-01  17-Mar-94     47917 44    in.talkd vulnerabilities
101481-01  17-Mar-94     46562 80    shutdown vulnerabilities
100909-02  17-Mar-94     61539 108   syslogd vulnerabilities
101482-01  17-Mar-94     61148 41    write vulnerabilities


=============================================
SunOS 4.0.3c, 4.0.3, 4.0.2i, 4.0.2, and 4.0.1
=============================================
No longer supported (upgrade is essential for security).

----------------------------------------------------------

Appendix E: One-time Passwords

The following information was compiled by the CERT Coordination Center.

Given today's networked environments, CIAC recommends that sites concerned
about the security and integrity of their systems and networks consider moving
away from standard, reusable passwords. CIAC has seen many incidents
involving Trojan network programs (e.g., telnet and rlogin) and network packet
sniffing programs. These programs capture clear-text hostname, account name,
password triplets. Intruders can use the captured information for subsequent
access to those hosts and accounts. This is possible because 1) the password
is used over and over (hence the term "reusable"), and 2) the password passes
across the network in clear text.

Several authentication techniques have been developed that address this
problem. Among these techniques are challenge-response technologies that
provide passwords that are only used once (commonly called one-time passwords).
This document provides a list of sources for products that provide this
capability. The decision to use a product is the responsibility of each
organization, and each organization should perform its own evaluation and
selection.

I. Public Domain packages

S/KEY(TM)
The S/KEY package is publicly available (no fee) via
anonymous FTP from:

thumper.bellcore.com /pub/skey directory

There are four subdirectories:

skey    UNIX source code for S/KEY. Includes the change needed to login,
        and stand-alone commands (such as "key") that compute the one-time
        password for the user, given the secret password and the S/KEY
        command.

dos     DOS or DOS/WINDOWS S/KEY programs. Includes DOS version of "key"
        and "termkey" which is a TSR program.

mac     One-time password calculation utility for the Mac.

docs    Documentation.

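The reasoning at the top of this appendix (a captured reusable password works again, a captured one-time password does not) worked through in code, as an added example that is not the Bellcore S/KEY sources. It assumes the RFC 2289 MD5 one-way function with the digest folded to 8 bytes (the 1994 S/KEY release used MD4 with the same folding), and the secret and seed it uses are constructed values.

```python
"""S/KEY-style one-time passwords: a hash chain walked backwards.

Added example, not the Bellcore S/KEY sources. Assumptions: the one-way
function is the RFC 2289 MD5 variant (16-byte digest folded to 8 bytes by
XOR; the 1994 release used MD4 with the same folding), and the secret and
seed below are constructed values. The host never stores the secret
pass-phrase, only the last one-time password it accepted.
"""
import hashlib


def one_way(data):
    """f(x): MD5 the input, then XOR the two 8-byte halves of the digest."""
    digest = hashlib.md5(data).digest()
    return bytes(a ^ b for a, b in zip(digest[:8], digest[8:]))


def compute_otp(secret, seed, sequence):
    """What the client-side "key" command computes: f^sequence(seed+secret)."""
    value = one_way((seed + secret).encode())
    for _ in range(sequence):
        value = one_way(value)
    return value


class OTPServer:
    """One user's record on the host: seed, next sequence number, last OTP."""

    def __init__(self, seed, count, initial_otp):
        # Enrolment: the user computes f^count(...) once, out of band, and
        # the host stores it; nothing on the wire ever carries the secret.
        self.seed = seed
        self.count = count
        self.last = initial_otp

    def challenge(self):
        """The (sequence, seed) prompt login shows before asking for the OTP."""
        return self.count - 1, self.seed

    def login(self, response):
        """Accept iff f(response) equals the stored value, then roll forward.

        Once accepted, the stored value *is* the response, so replaying the
        same bytes fails: f(response) no longer matches what is stored.
        """
        if self.count <= 0 or one_way(response) != self.last:
            return False
        self.last = response
        self.count -= 1
        return True


def demo():
    """Enrol, log in, replay the captured OTP, log in again, try a wrong secret."""
    secret, seed = "my pass phrase", "ll12345"      # constructed values
    server = OTPServer(seed, 99, compute_otp(secret, seed, 99))
    outcomes = []
    seq, s = server.challenge()
    captured = compute_otp(secret, s, seq)            # what a sniffer would see
    outcomes.append(server.login(captured))           # genuine first login
    outcomes.append(server.login(captured))           # replay of the sniffed OTP
    seq, s = server.challenge()
    outcomes.append(server.login(compute_otp(secret, s, seq)))   # next login
    seq, s = server.challenge()
    outcomes.append(server.login(compute_otp("guess", s, seq)))  # wrong secret
    return outcomes


if __name__ == "__main__":
    print(demo())  # [True, False, True, False]
```

A sniffer on a telnet session still sees the response, but it is already spent by the time the attacker can use it; the remaining exposure is the sequence running down to zero, at which point the user must re-enrol with a fresh seed.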

II. Commercial Products

Secure Net Key (SNK) (Do-it-yourself project)
Digital Pathways, Inc.
201 Ravendale Dr.
Mountainview, Ca. 94043-5216
USA
Phone: 415-964-0707
Fax: 415-961-7487

Products:
handheld authentication calculators (SNK004)
serial line auth interruptors (guardian)

Note: Secure Net Key (SNK) is DES-based, and therefore restricted
from US export.

Secure ID (complete turnkey systems)
Security Dynamics
One Alewife Center
Cambridge, MA 02140-2312
USA
Phone: 617-547-7820
Fax: 617-354-8836

Products:
SecureID changing number authentication card
ACE server software

SecureID is time-synchronized using a 'proprietary' number
generation algorithm

WatchWord and WatchWord II
Racal-Guardata
480 Spring Park Place
Herndon, VA 22070
703-471-0892
1-800-521-6261 ext 217

Products:
Watchword authentication calculator
Encrypting modems

Alpha-numeric keypad, digital signature capability

SafeWord
Enigma Logic, Inc.
2151 Salvio #301
Concord, CA 94520
510-827-5707
Fax: 510-827-2593

Products:
DES Silver card authentication calculator
SafeWord Multisync card authentication calculator

Available for UNIX, VMS, MVS, MS-DOS, Tandem, Stratus, as well as
other OS versions. Supports one-time passwords and super
smartcards from several vendors.

______________________________________________________________________________

CIAC wishes to acknowledge the contributions of CERT Coordination Center for
their timely and thorough advisory, detection tool, diligence and support
throughout this ongoing incident. Our thanks also to Mark Graff, Sun
Microsystems; Tony Bartoletti, SPI Project Leader; and members of FIRST for
their assistance.
______________________________________________________________________________

For additional information or assistance, please contact CIAC:
Voice: 510-422-8193
FAX: 510-423-8002
STU-III: 510-423-2604
E-mail: ciac@llnl.gov

Previous CIAC Bulletins and other information are available via anonymous
FTP from irbis.llnl.gov (IP address 128.115.19.60).

CIAC has two self-subscribing mailing lists for its two types of electronic
publications: 1. Advisories (highest priority, time critical information) or
Bulletins (important computer security information) and 2. Notes (computer
security articles of general interest). Our mailing lists are managed by a
public domain software package called ListProcessor, which ignores E-mail
header subject lines. To subscribe (add yourself) to one of our mailing lists,
send E-mail to: ciac-listproc@llnl.gov with the following request as the E-mail
message body, substituting CIAC-BULLETIN or CIAC-NOTES for (service) and valid
information for the other items in parentheses:
subscribe (service) (Full_Name) (Phone_number)
______________________________________________________________________________

PLEASE NOTE: Many users outside of the DOE and ESnet computing communities
receive CIAC bulletins. If you are not part of these communities, please
contact your agency's response team to report incidents. Your agency's team
will coordinate with CIAC. The Forum of Incident Response and Security Teams
(FIRST) is a world-wide organization. A list of FIRST member organizations and
their constituencies can be obtained by sending email to docserver@first.org
with an empty subject line and a message body containing the line: send
first-contacts.

This document was prepared as an account of work sponsored by an agency of the
United States Government. Neither the United States Government nor the
University of California nor any of their employees, makes any warranty,
expressed or implied, or assumes any legal liability or responsibility for the
accuracy, completeness, or usefulness of any information, product, or process
disclosed, or represents that its use would not infringe privately owned
rights. Reference herein to any specific commercial products, process, or
service by trade name, trademark manufacturer, or otherwise, does not
necessarily constitute or imply its endorsement, recommendation, or favoring by
the United States Government or the University of California. The views and
opinions of authors expressed herein do not necessarily state or reflect those
of the United States Government nor the University of California, and shall not
be used for advertising or product endorsement purposes.
_____________________________________________________
The U.S. Department of Energy
Computer Incident Advisory Capability
_____________________________________________________

ADVISORY NOTICE

Sun Announces Patches for /etc/utmp Vulnerability

March 21, 1994 1200 PST Number E-13
______________________________________________________________________________
PROBLEM: Vulnerability in SunOS /etc/utmp.
PLATFORM: SunOS 4.1.x systems (but not SunOS 4.1.3_U1 or Solaris 2.x).
DAMAGE: Manipulation of /etc/utmp can result in unauthorized root access.
SOLUTION: Retrieve and install applicable patches.
______________________________________________________________________________
______________________________________________________________________________
VULNERABILITY ASSESSMENT: CIAC considers this vulnerability serious and
advises all system administrators to install these security patches
immediately. This vulnerability is being actively exploited on the Internet.
______________________________________________________________________________

Critical Information about Sun Patches

CIAC has received information from Sun Microsystems regarding the availability
of six patches which will fix the /etc/utmp vulnerability. The following text
is from the Sun Microsystems Security Bulletin #00126:

SunOS 4.1.x systems have been found to be vulnerable to an attack
on the /etc/utmp file. The manipulation of this file, which on
SunOS 4.1.x systems is world-writable, can result in unauthorized root
access for the attacker. We are releasing today patches to several
utilities which close that security hole, identified as bug 1140162.

If the new patches are installed, no other changes--such as making
the /etc/utmp file not world-writable--are necessary to close the
security hole. We recommend that all of the patches be installed.

Solaris 2.x systems, including Solaris x86 systems, are not
susceptible to this attack. SunOS 4.1.3_U1 (Solaris 1.1.1) systems
are also not susceptible. The patches were integrated into
that system before it was released.

The table below contains patch numbers and checksums for the six patches.

Program    Patch ID   BSD        SVR4       MD5 Digital Signature
                      Checksum   Checksum
---------  ---------  ---------  ---------  --------------------------------
dump       100593-03  52095 242  41650 484  CDBA530226E8735FAE2BD9BCBFA47DD0
in.comsat  100272-07  26553 39   64651 78   912FF4A0CC8D16A10EECBD7BE102D45C
in.talkd   101480-01  47917 44   32598 88   5C3DFD6F90F739100CFA4AA4C97F01DF
shutdown   101481-01  46562 80   56079 159  BFC257EC795D05646FFA733D1C03855B
syslogd    100909-02  61539 108  38239 216  B5F70772384A3E58678C9C1F52D81190
write      101482-01  61148 41   48636 81   F93276529AA9FC25B35679EBF00B2D6F

The filename for each patch consists of the Patch ID followed by ".tar.Z". For
example, the filename for the dump patch is 100593-03.tar.Z. The checksums
shown in the table are from the BSD-based checksum program distributed with
the system software (on 4.1.x, /bin/sum; on Solaris 2.x, /usr/ucb/sum) and
from the SVR4 version checksum program distributed with Solaris 2.x
(/usr/bin/sum). MD5 software can be retrieved via anonymous FTP from
irbis.llnl.gov in the file /pub/util/crypto/md5.tar (MD5 checksum:
B6B90CC7C56353FC643DF25B6F730D21).
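
A verifier for the checksum columns of this table and of the Appendix D patch tables, added here as an example (it is not Sun's or CIAC's sum program). It assumes that Sun's /bin/sum and /usr/bin/sum compute the standard BSD and System V 16-bit checksums, with block counts in 1K and 512-byte units respectively (consistent with the paired values above), and uses hashlib for the MD5 column; the checksum strings and file names in its usage line are taken from the tables.

```python
"""Verify a downloaded Sun patch tarfile against an advisory checksum table.

Added example, not Sun's or CIAC's code. Re-implements the two 16-bit
checksums the advisories quote: the BSD sum algorithm (SunOS 4.1.x /bin/sum,
Solaris /usr/ucb/sum; 1K block count) and the SVR4 sum algorithm (Solaris
/usr/bin/sum; 512-byte block count), plus the MD5 column of bulletin E-13.
"""
import hashlib
import sys


def bsd_sum(data):
    """BSD sum: rotate the 16-bit checksum right by one, then add each byte."""
    checksum = 0
    for byte in data:
        checksum = (checksum >> 1) + ((checksum & 1) << 15)
        checksum = (checksum + byte) & 0xFFFF
    return checksum, (len(data) + 1023) // 1024


def sysv_sum(data):
    """SVR4 sum: 32-bit byte total folded twice down to 16 bits."""
    total = sum(data) & 0xFFFFFFFF
    folded = (total & 0xFFFF) + (total >> 16)
    return (folded & 0xFFFF) + (folded >> 16), (len(data) + 511) // 512


def parse_sum(text):
    """Parse a table entry such as "00115 824" into (checksum, blocks).

    The tables print the checksum zero-padded to five digits, so the two
    fields are compared as integers rather than as strings.
    """
    checksum, blocks = text.split()
    return int(checksum), int(blocks)


def verify_patch(data, bsd=None, svr4=None, md5=None):
    """Check data against whichever table columns are given.

    Returns a dict column -> bool so a mismatch names the disagreeing
    column; a column passed as None is not checked. Any False means the
    file is not the one the table describes: do not install it, and ask
    Sun or CIAC first, as Appendix D instructs.
    """
    results = {}
    if bsd is not None:
        results["bsd"] = bsd_sum(data) == parse_sum(bsd)
    if svr4 is not None:
        results["svr4"] = sysv_sum(data) == parse_sum(svr4)
    if md5 is not None:
        results["md5"] = hashlib.md5(data).hexdigest() == md5.strip().lower()
    return results


def verify_patch_file(path, **expected):
    """Read the tarfile as bytes (it must have been fetched in binary mode)."""
    with open(path, "rb") as fh:
        return verify_patch(fh.read(), **expected)


if __name__ == "__main__":
    # usage: verify_patch.py 100593-03.tar.Z "52095 242" ["41650 484" [MD5HEX]]
    if len(sys.argv) < 3:
        sys.exit("usage: %s FILE 'BSD BLOCKS' ['SVR4 BLOCKS' [MD5]]" % sys.argv[0])
    columns = dict(zip(("bsd", "svr4", "md5"), sys.argv[2:5]))
    outcome = verify_patch_file(sys.argv[1], **columns)
    for column, ok in outcome.items():
        print("%-4s %s" % (column, "OK" if ok else "MISMATCH"))
    sys.exit(0 if all(outcome.values()) else 1)
```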

Individuals with Sun support contracts may obtain these patches from their
local Sun Answer Center or from SunSolve Online. Security patches are also
available without a support contract via anonymous FTP from ftp.uu.net (IP
address 192.48.96.9) in the directory /systems/sun/sun-dist.
______________________________________________________________________________

CIAC would like to thank Mark Graff of Sun Microsystems for the information
contained in this advisory.
______________________________________________________________________________


CIAC has two self-subscribing mailing lists for its two types of electronic
publications: 1. Advisories (highest priority, time critical information) or
Bulletins (important computer security information) and 2. Notes (computer
security articles of general interest). Our mailing lists are managed by a
public domain software package called ListProcessor, which ignores E-mail
header subject lines. To subscribe (add yourself) to one of our mailing lists,
send E-mail to: ciac-listproc@llnl.gov with the following request as the E-mail
message body, substituting CIAC-BULLETIN or CIAC-NOTES for (service) and valid
information for the other items in parentheses:

subscribe (service) (Full_Name) (Phone_number)

You will receive an acknowledgment containing address, initial PIN, and
information on how to change either of them, cancel your subscription, or get
help. Currently, to subscribe to both you must send two separate requests. To
subscribe an address which is a distribution list, first subscribe the person
responsible for your distribution list. You will receive an acknowledgment,
containing address and initial PIN. Change the address to be the distribution
list address by sending a second E-mail request. As the body of this message,
send the following request, substituting valid information for items in
parenthesis:

set (service) address (PIN) (distribution_list_address)
______________________________________________________________________________


_____________________________________________________
The U.S. Department of Energy
Computer Incident Advisory Capability
___ __ __ _ ___
/ | / \ /
\___ __|__ /___\ \___
_____________________________________________________

Advisory Notice

wuarchive ftpd Trojan Horse

April 6, 1994 1640 PST Number E-14
______________________________________________________________________________
PROBLEM:     Some copies of wuarchive FTP daemon (ftpd) source have been
             modified and contain a Trojan horse.
PLATFORM:    UNIX machines running wuarchive ftpd version 2.2 or earlier.
DAMAGE:      Root access may be obtained.
SOLUTION:    Disable the wuarchive ftpd, then retrieve and install wuarchive
             ftpd version 2.3.
ASSESSMENT OF VULNERABILITY: Intruders have used this Trojan horse to obtain
             root access to computers on the Internet.
______________________________________________________________________________

Critical Information about wuarchive ftpd Trojan Horse

CIAC has received information that some copies of the wuarchive FTP daemon
(ftpd) versions 2.2 and 2.1f have been modified at the source code level to
contain a Trojan horse. This Trojan allows any user, local or remote, to
become root on the affected UNIX system.

CIAC strongly recommends that all sites running these or older versions of the
wuarchive ftpd retrieve and install version 2.3. It is possible that versions
previous to 2.2 and 2.1f contain the Trojan as well.

If the new version cannot be installed in a timely manner, all FTP service
should be disabled, since this Trojan affects all systems that are running the
wuarchive ftpd, whether or not the system provides anonymous ftp service.

Sites can obtain version 2.3 via anonymous FTP from ftp.uu.net, in the file
/networking/ftp.wuarchive-ftpd/wu-ftpd-2.3.tar.Z. The BSD Checksum for this
file is 24416 181, the SVR4 Checksum for this file is 30488 361, and the MD5
Digital Signature is e58adc5ce0b6eae34f3f2389e9dc9197.

______________________________________________________________________________

For additional information or assistance, please contact CIAC:
Voice: 510-422-8193
FAX: 510-423-8002
STU-III: 510-423-2604
E-mail: ciac@llnl.gov

Previous CIAC Bulletins and other information are available via anonymous FTP
from irbis.llnl.gov (IP address 128.115.19.60).
______________________________________________________________________________


CIAC wishes to acknowledge and thank the contribution of the CERT Coordination
Center for their timely advisory on this vulnerability.
______________________________________________________________________________


_____________________________________________________
The U.S. Department of Energy
Computer Incident Advisory Capability
___ __ __ _ ___
/ | /_\ /
\___ __|__ / \ \___
_____________________________________________________

INFORMATION BULLETIN

FTP Daemon Vulnerabilities


April 14, 1994 1130 PDT Number E-17
______________________________________________________________________________

PROBLEM:     Vulnerabilities in several implementations of the FTP daemon.
PLATFORM:    Unix systems with the following implementations of the FTP
             daemon: DECWRL ftpd versions before 5.93, wuarchive ftpd
             versions 2.0-2.3, and BSDI ftpd version 1.1 prior to patch 5.
DAMAGE:      Anyone (remote or local) can gain root access on a host
             running a vulnerable daemon.
SOLUTION:    Upgrade to a secure version of the FTP daemon.
______________________________________________________________________________

VULNERABILITY  Details of these vulnerabilities are being actively discussed
ASSESSMENT:    on several Internet mailing lists. CIAC urges affected sites
               to upgrade immediately.
______________________________________________________________________________

Critical Information about FTP Daemon Vulnerabilities

CIAC has received information concerning the existence of two vulnerabilities
in FTP daemons derived from the DECWRL ftpd source code. The following FTP
daemons are known to be vulnerable:

- DECWRL ftpd versions before 5.93
- wuarchive ftpd versions 2.0-2.3
- BSDI ftpd version 1.1 prior to patch 5

The first vulnerability involves the SITE EXEC command feature of these FTP
daemons. It only affects those daemons in which the SITE EXEC functions have
been explicitly activated; they are not enabled by default. The vulnerability
allows any user, remote or local, to execute commands as root on the system
running the FTP daemon. The second vulnerability is the result of a race
condition in the daemon. It allows the creation of setuid root files on the
FTP server, permitting unauthorized access to the system.

There is no known workaround to remove both vulnerabilities; therefore, CIAC
strongly advises affected sites to upgrade to one of the versions of the
daemon listed below. If an upgrade cannot be completed in a timely manner,
FTP service should be disabled by commenting out the ftp configuration line in
/etc/inetd.conf and restarting inetd. Disabling only anonymous FTP does not
remove the vulnerabilities.
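The interim measure above, as an added example in Python rather than anything from the advisory or an ftpd distribution: it reads a constructed inetd.conf, comments out the active ftp entry (the whole service, not just anonymous access), and sends inetd the SIGHUP that makes it re-read its configuration. The layout follows the classic seven-field inetd.conf; the server paths and the inetd PID are assumptions.

```python
"""Disable the ftp entry in inetd.conf and make inetd re-read its configuration.

Added example for the interim measure in CIAC E-17; it is not code from CIAC
or from any ftpd distribution. The configuration text and server paths are
constructed, and the inetd PID is supplied by the caller.
"""
import os
import signal

# Constructed sample in the classic seven-field inetd.conf layout:
# service  socket-type  protocol  wait/nowait  user  server-program  arguments
SAMPLE_INETD_CONF = """\
# Internet services (constructed sample for this example)
ftp      stream  tcp  nowait  root  /usr/etc/in.ftpd     in.ftpd
telnet   stream  tcp  nowait  root  /usr/etc/in.telnetd  in.telnetd
#tftp    dgram   udp  wait    root  /usr/etc/in.tftpd    in.tftpd
"""


def active_services(text):
    """Map service name -> server program for every uncommented, well-formed entry."""
    services = {}
    for line in text.splitlines():
        fields = line.split()
        # Skip blank lines, comment lines and lines too short to be a valid entry.
        if not fields or fields[0].startswith("#") or len(fields) < 6:
            continue
        services[fields[0]] = fields[5]
    return services


def disable_service(text, service="ftp"):
    """Comment out every active line whose service field is `service`.

    Returns (new_text, number_of_lines_disabled). Commenting the entry removes
    the listener itself, so no FTP connection reaches ftpd at all; switching
    off only anonymous access inside ftpd would leave the vulnerable daemon
    reachable by every other user.
    """
    out, disabled = [], 0
    for line in text.splitlines():
        fields = line.split()
        if fields and fields[0] == service:
            out.append("#" + line)
            disabled += 1
        else:
            out.append(line)
    return "\n".join(out) + "\n", disabled


def reload_inetd(inetd_pid):
    """inetd re-reads inetd.conf on SIGHUP; a full restart is not needed."""
    os.kill(inetd_pid, signal.SIGHUP)


def disable_ftp_in_file(path, inetd_pid=None):
    """Rewrite `path` with ftp disabled and, if a PID is given, signal inetd."""
    with open(path) as fh:
        new_text, disabled = disable_service(fh.read())
    if disabled:
        with open(path, "w") as fh:
            fh.write(new_text)
        if inetd_pid is not None:
            reload_inetd(inetd_pid)
    return disabled


if __name__ == "__main__":
    new_conf, count = disable_service(SAMPLE_INETD_CONF)
    print(f"disabled {count} entry; active services now: {active_services(new_conf)}")
```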


Upgrade Information
===================

Version 2.4 of wuarchive ftpd is available via anonymous FTP from
wuarchive.wustl.edu in the directory /packages/wuarchive-ftpd. A patch
to upgrade from version 2.3 to 2.4 is also available:

File                BSD Checksum   SVR4 Checksum   MD5 Digital Signature
-----------------   ------------   -------------   --------------------------------
wu-ftpd-2.4.tar.Z   38213 181      20337 362       cdcb237b71082fa23706429134d8c32e
patch_2.3-2.4.Z     09291 8        51092 16        5558a04d9da7cdb1113b158aff89be8f


Version 5.93 of DECWRL ftpd is available via anonymous FTP from
gatekeeper.dec.com in the directory /pub/misc/vixie:

File                BSD Checksum   SVR4 Checksum   MD5 Digital Signature
-----------------   ------------   -------------   --------------------------------
ftpd.tar.gz         38443 60       1710 119        ae624eb607b4ee90e318b857e6573500


For BSDI systems, patch 005 should be applied to version 1.1 of the BSD/386
software. The patch file is available via anonymous FTP from ftp.bsdi.com in
the directory /bsdi/patches-1.1:

File                BSD Checksum   SVR4 Checksum   MD5 Digital Signature
-----------------   ------------   -------------   --------------------------------
BU110-005           35337 272      54935 543       1f454d4d9d3e1397d1eff0432bd383cf


______________________________________________________________________________

CIAC wishes to thank the CERT Coordination Center for their response to this
problem.
______________________________________________________________________________

_____________________________________________________
The U.S. Department of Energy
Computer Incident Advisory Capability
___ __ __ _ ___
/ | /_\ /
\___ __|__ / \ \___
_____________________________________________________

INFORMATION BULLETIN

Sun Announces Patches for automountd Vulnerability


May 5, 1994 1200 PDT Number E-18
______________________________________________________________________________

PROBLEM:     Vulnerability in Solaris 2.3 "automountd".
PLATFORM:    Sun: Solaris 2.3 only. No other Sun OSs are affected.
DAMAGE:      The vulnerability allows a user with an unprivileged account
             to get root access on a Solaris 2.3 system.
SOLUTION:    Retrieve and install the indicated patch.
______________________________________________________________________________

VULNERABILITY  As of the date of this bulletin, Sun has had no reports of
ASSESSMENT:    this hole being exploited, but the hole is serious, and CIAC
               strongly recommends that this patch be installed.
______________________________________________________________________________

Critical Information about Sun Patches

CIAC has received information from Sun Microsystems regarding the availability
of Sun patch 101329-15 which will fix the automountd vulnerability. The
following text is from the Sun Microsystems Security Bulletin #00127a, which
supersedes bulletin #00127 issued on 5/4/94.

Patch 101329-15 fixes a bug in the Solaris 2.3 version of automountd
which allows a user with an unprivileged account on a 2.3 system to
gain root access.

No reports of this vulnerability being exploited have yet come to the
attention of this office. We nevertheless recommend that all affected
customers close this very serious security hole.

The automountd fix is bundled into the Solaris 2.3 jumbo NIS+ patch.
The first version of the patch to contain the security fix was
101329-10; but we recommend the installation of the latest version
(currently 101329-15).

This bug is not found in any other SunOS version, including Solaris x86.
The fix has been integrated into the upcoming Solaris 2.4 release.

NOTE: The original version of this bulletin, issued yesterday,
referred to version -13 of the patch as the latest. Shortly after
the bulletin was issued, however, version -15 (skipping -14) was
released, superseding the earlier version on SunSolve. For that
reason--and also to correct a last-minute typographical error--we
are issuing this revised bulletin. We apologize for the error and
regret any inconvenience.

To assist those who have already installed version -13 in deciding
whether to install -15 as well, we provide here a summary of the bugs
first fixed in the newer version. None specifically relate to security.

1163847 automountd doesn't work with Apollo pathnames which start with //
1153274 machine panics with recursive mutex_enter while using automounter
1156518 Cannot mount mvs/nfs mounts using autofs under Solaris 2.2 & 2.3.

The following table contains the checksums for the NIS+ patch (#101329-15).
______________________________________________________________________________
File Name         BSD Checksum   SVR4 Checksum   MD5 Digital Signature
101329-15.tar.Z   55492 843      46189 1685      19AA042484727A5DE9CB21199858071A
______________________________________________________________________________
The checksums shown in the table are from the BSD-based checksum program
distributed with the system software (on 4.1.x, /bin/sum; on Solaris 2.x,
/usr/ucb/sum) and from the SVR4 version checksum program distributed with
Solaris 2.x (/usr/bin/sum). MD5 software can be retrieved via anonymous FTP
from irbis.llnl.gov in the file /pub/util/crypto/md5.tar (MD5 checksum of
md5.tar: B6B90CC7C56353FC643DF25B6F730D21).
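The checksum columns in the E-14, E-17 and E-18 tables can be recomputed with the following added example (not CIAC's or Sun's code, and not the md5.tar program mentioned above): it implements the BSD sum algorithm (/bin/sum, /usr/ucb/sum; 16-bit rotating checksum, 1K blocks) and the SVR4 sum algorithm (/usr/bin/sum; folded byte total, 512-byte blocks) as the classic sum programs compute them, uses Python's MD5, and compares all three against strings in the advisory's own "checksum blocks" format. The input bytes are constructed.

```python
"""Reproduce the BSD, SVR4 and MD5 checksums that CIAC advisories print.

Added example, not CIAC's or Sun's tooling. The two 'sum' variants follow the
classic algorithms: BSD sum (4.1.x /bin/sum, Solaris /usr/ucb/sum) rotates a
16-bit accumulator right by one bit before adding each byte and counts 1K
blocks; SVR4 sum (Solaris /usr/bin/sum) adds all bytes into a 32-bit total,
folds it to 16 bits and counts 512-byte blocks.
"""
import hashlib

BSD_BLOCK = 1024
SYSV_BLOCK = 512


def bsd_sum(data):
    """BSD 'sum': 16-bit right-rotating checksum -> (checksum, 1K-block count)."""
    checksum = 0
    for byte in data:
        checksum = (checksum >> 1) + ((checksum & 1) << 15)  # rotate right 1 bit
        checksum = (checksum + byte) & 0xFFFF
    return checksum, (len(data) + BSD_BLOCK - 1) // BSD_BLOCK


def sysv_sum(data):
    """SVR4 'sum': byte total folded into 16 bits -> (checksum, 512-byte blocks)."""
    total = sum(data) & 0xFFFFFFFF          # unsigned 32-bit accumulator
    folded = (total & 0xFFFF) + (total >> 16)
    checksum = (folded & 0xFFFF) + (folded >> 16)
    return checksum, (len(data) + SYSV_BLOCK - 1) // SYSV_BLOCK


def md5_hex(data):
    """Lower-case hex MD5 digest, the 'MD5 Digital Signature' column."""
    return hashlib.md5(data).hexdigest()


def parse_sum(text):
    """'24416 181' as printed in an advisory -> (24416, 181)."""
    checksum, blocks = text.split()
    return int(checksum), int(blocks)


def verify(data, bsd, svr4, md5):
    """Check data against the three advisory strings; returns a result per algorithm.

    A download should agree with all three columns; a mismatch in any one of
    them means the file is not the one the advisory describes.
    """
    return {
        "bsd": bsd_sum(data) == parse_sum(bsd),
        "svr4": sysv_sum(data) == parse_sum(svr4),
        # E-18 prints the MD5 in upper case, so compare case-insensitively.
        "md5": md5_hex(data) == md5.strip().lower(),
    }


def verify_file(path, bsd, svr4, md5):
    """Same as verify() for a file on disk, e.g. a retrieved patch archive."""
    with open(path, "rb") as fh:
        return verify(fh.read(), bsd, svr4, md5)


if __name__ == "__main__":
    # Constructed sample input; the strings below are what the two sum programs
    # and md5 print for these bytes, in the advisory's own format.
    sample = b"abc"
    print(bsd_sum(sample), sysv_sum(sample), md5_hex(sample))
    print(verify(sample, "16556 1", "294 1", "900150983CD24FB0D6963F7D28E17F72"))
```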

Individuals with Sun support contracts may obtain these patches from their
local Sun Answer Center or from SunSolve Online. Security patches are also
available without a support contract via anonymous FTP from ftp.uu.net (IP
address 192.48.96.9) in the directory /systems/sun/sun-dist.
______________________________________________________________________________
CIAC would like to thank Mark Graff of Sun Microsystems for the information
contained in this advisory.
______________________________________________________________________________


_____________________________________________________
The U.S. Department of Energy
Computer Incident Advisory Capability
___ __ __ _ ___
/ | /_\ /
\___ __|__ / \ \___
_____________________________________________________

ADVISORY NOTICE

nVir A Virus Found on CD-ROM

May 5, 1994 1500 PDT Number E-19
______________________________________________________________________________

PROBLEM:     The Macintosh nVir A virus has been found in the "README." file
             on the Journal of Vacuum Science & Technology CD-ROM Vol.12 1Q94.
PLATFORM:    Macintosh, all versions of the operating system. This virus
             has no effect on the MS-DOS files also on the disk.
DAMAGE:      The virus can easily infect your computer.
SOLUTION:    Check with publisher, do not execute "README." file.
______________________________________________________________________________

VULNERABILITY  This CD-ROM is included as part of the American Vacuum Society's
ASSESSMENT:    (AVS) journal distribution, and is distributed to members of the
               AVS. The virus is not overtly damaging, but does damage the
               system and applications during infection.
______________________________________________________________________________

Critical Information about the CD-ROM distribution, and the nVir A Virus

CIAC has investigated a report of a virus in the CD-ROM distribution of a
technical journal. The Journal of Vacuum Science & Technology A&B (Second
Series Volume 12, 1994), which apparently was inadvertently infected with the
nVir A virus before production of the CD-ROM. All known copies of this CD-ROM
distribution are infected with this Macintosh virus.

The CD-ROM can be identified by the following titles printed on the disk:
    A title in large bold type: "JVST A&B Vol. 12 1Q94"
    A subtitle in small type: "JVST-A Vol 12(1) and 12(2) JVST-B, Vol 12(1)"

The infected file is "README." in the root directory of the CD-ROM, which is a
DOCMaker Stand-Alone document reader application. This is the file the
instruction manual tells you to run to view or print the user manual;
doing so, however, will infect the system file of your Macintosh.

This disk can also be read via a PC using DOS or Windows, but those systems
will be unaffected, because the nVir A virus is specific to the Macintosh
operating system.

The nVir A virus at first only replicates, but after a certain number of
executions it has a small chance of saying "Don't Panic" if MacinTalk is
installed, or of making the computer beep if MacinTalk is not installed. It is
not an intentionally destructive virus, but it does damage the system and
applications during the infection process. Infected systems occasionally crash,
and printing is often delayed or damaged.

CIAC recommends that if you have received this CD-ROM, you immediately mark it
as containing a Macintosh computer virus, and do not run the "README." file in
the root directory. If you are using this disk on a PC system, you do not need
to worry as the PC files on this disk are not infected. If you have already run
this infected file, get a copy of an anti-virus program such as Disinfectant,
and scan your hard disk for infected files. Replace all the infected files that
you can, and repair those that you cannot replace. If your hard disk has been
infected, you must scan every floppy disk that has been in your system since
the infection occurred.

Even though the CD-ROM contains an infected file, the file can only infect your
system if it is executed. The other files on the disk can still be installed
and used without causing an infection. To install the Adobe Acrobat document
reader on your Macintosh, run the Installer program in the
JVST_94:install:mac:reader folder. To install the search utility, run the
JVST_INSTALL;1 program in the JVST_94:install:mac:wordkeep directory. You can
also view the README.DOC file, which contains the instructions for using the PC
and Windows versions of the reader, using a word processor. Only the "README."
file must be avoided.

If you must access the data in the infected "README." file, carefully copy the
file to a floppy disk and repair it using an anti-virus utility such as
Disinfectant, and then scan it again to ensure it has been repaired. If the
repaired file is no longer infected, you may then run it to view the document.
Again, do not run the copy of the "README." file that is on the CD-ROM, as it
is still infected, and cannot be repaired due to the read-only nature of the
CD-ROM.

The publisher has sent a letter to all known recipients of this CD-ROM
distribution explaining this problem.

______________________________________________________________________________

CIAC wishes to thank Judy Lim, Rick Stulen and Art Pontau of Sandia National
Labs for first bringing this to our attention and for supplying us with a copy
of the CD-ROM. CIAC also wishes to thank the ASSIST team for helping us to
contact the publishers of this journal.
______________________________________________________________________________


_____________________________________________________
The U.S. Department of Energy
Computer Incident Advisory Capability
___ __ __ _ ___
/ | /_\ /
\___ __|__ / \ \___
_____________________________________________________

INFORMATION BULLETIN

Trojan Attack on Chinon CD-ROM Drives

May 6, 1994 1200 PDT Number E-20
______________________________________________________________________________

PROBLEM:     A Trojan-horse program, CD-IT.ZIP, masquerading as an improved
             driver for Chinon CD-ROM drives, corrupts system files and the
             hard disk.
PLATFORM:    All MS-DOS and PC-DOS machines.
DAMAGE:      Once in memory, the program destroys system files, requiring a
             format of the infected drive to correct.
SOLUTION:    Do not execute the program in CD-IT.ZIP.
______________________________________________________________________________

VULNERABILITY  The program is not dangerous if not run, but can cause
ASSESSMENT:    serious damage to a hard drive if it is. As of this date,
               we don't know of any anti-virus software that recognizes it.
______________________________________________________________________________

Critical Information about the CD-IT.ZIP Trojan

CIAC has received information from Chinon America regarding a Trojan-horse
program masquerading as an improved driver for Chinon CD-ROM drives. The
following text is the press release from Chinon America:

TORRANCE, CALIFORNIA, U.S.A., 1994 APR 29 (NB) -- A new "Trojan
Horse" computer virus is on the Internet and is labeled with the
name of the fourth largest manufacturer of compact disc read-only
memory (CD-ROM) drives. Chinon America, Incorporated, the company
whose name has been improperly used on the rogue program, is
warning IBM and compatible personal computer (PC) users to beware
of the program known as "CD-IT.ZIP."

A Chinon CD-ROM drive user brought the program to the company's
attention after downloading it from a Baltimore, Maryland
Fidonet server. One of the clues that the virus, masquerading as
a utility program, wasn't on the up-and-up was that it purports "to
enable read/write to your CD-ROM drive," a physically impossible
task.

CD-IT is listed as authored by Joseph S. Shiner, couriered
by HDA, and copyrighted by Chinon Products. Chinon America told
Newsbytes it has no division by that name. Other clues were
obscenities in the documentation as well as a line indicating
that HDA stands for Haven't Decided a Name Yet.

David Cole, director of research and development for Chinon, told
Newsbytes that the company knows of no one who has actually been
infected by the program. Cole said the virus isn't particularly
clever or dynamic, but none of the virus software the company
tried was able to eradicate the rogue program. Chinon officials
declined to comment on what antivirus software programs were
used.

If CD-IT is actually run, it causes the computer to lock up,
forcing a reboot, and then stays in memory, corrupting critical
system files on the hard disk. Nothing but a high-level reformat
of the hard disk drive will eradicate the virus at this point, a
move that sacrifices all data on the drive. It will also corrupt
any network volumes available.

"We felt that it was our responsibility as a member of the
computing community to alert Internet users of this dangerous
virus that is being distributed with our name on it. Even though
we have nothing to do with the virus it is particularly
disturbing for us to think that many of our loyal customers could
be duped into believing that the software is ours," Cole
explained.

Chinon is encouraging anyone who might have information that
could lead to the arrest and prosecution of the parties
responsible for CD-IT to call the company at 310-533-0274. In
addition, the company has notified the major distributors of
virus protection software, such as Symantec and McAfee Associates,
so they may update their programs to detect and eradicate CD-IT.

(Linda Rohrbough/19940429/Press Contact: Rolland Going, The
Terpin Group for Chinon, tel 310-798-7875, fax 310-798-7825;
Public Contact: Chinon, CD-IT Information, 310-533-0274)

CIAC recommends that if you find a copy of the file CD-IT.ZIP, you do not
install it on your computer. If you have already installed and run the file,
shut down your machine immediately. Check with your anti-virus vendor to see
whether they have a scanner/repair utility available. If not, boot from a
clean, locked floppy. If you can still access your hard disk, back up any
important files that were not included in your last backup, reformat the drive
and restore it from your last backup.

CIAC is currently obtaining a copy of this Trojan from Chinon, and will make
any new information about this Trojan available in a future copy of CIAC
Notes.
______________________________________________________________________________
CIAC would like to thank Chinon America for the information contained in this
advisory and Brian Lev of NASIRC for forwarding it to us.
______________________________________________________________________________

For additional information or assistance, please contact CIAC:
Voice: 510-422-8193
FAX: 510-423-8002
STU-III: 510-423-2604
E-mail: ciac@llnl.gov

Previous CIAC Bulletins and other information are available via anonymous
FTP from irbis.llnl.gov (IP address 128.115.19.60).

CIAC has two self-subscribing mailing lists for its two types of electronic
publications: 1. Advisories (highest priority, time critical information) or
Bulletins (important computer security information) and 2. Notes (computer
security articles of general interest). Our mailing lists are managed by a
public domain software package called ListProcessor, which ignores E-mail
header subject lines. To subscribe (add yourself) to one of our mailing lists,
send E-mail to: ciac-listproc@llnl.gov with the following request as the
E-mail message body, substituting CIAC-BULLETIN or CIAC-NOTES for [list-name]
and valid information for the other items in parentheses:
subscribe [list-name] Full_Name Phone_number
______________________________________________________________________________

PLEASE NOTE: Many users outside of the DOE and ESnet computing communities
receive CIAC bulletins. If you are not part of these communities, please
contact your agency's response team to report incidents. Your agency's team
will coordinate with CIAC. The Forum of Incident Response and Security Teams
(FIRST) is a world-wide organization. A list of FIRST member organizations and
their constituencies can be obtained by sending email to docserver@first.org
with an empty subject line and a message body containing the line: send
first-contacts.

This document was prepared as an account of work sponsored by an agency of the
United States Government. Neither the United States Government nor the
University of California nor any of their employees, makes any warranty,
expressed or implied, or assumes any legal liability or responsibility for the
accuracy, completeness, or usefulness of any information, product, or process
disclosed, or represents that its use would not infringe privately owned
rights. Reference herein to any specific commercial products, process, or
service by trade name, trademark manufacturer, or otherwise, does not
necessarily constitute or imply its endorsement, recommendation, or favoring
by the United States Government or the University of California. The views and
opinions of authors expressed herein do not necessarily state or reflect those
of the United States Government nor the University of California, and shall
not be used for advertising or product endorsement purposes.

_____________________________________________________
The U.S. Department of Energy
Computer Incident Advisory Capability
___ __ __ _ ___
/ | /_\ /
\___ __|__ / \ \___
_____________________________________________________

Information Bulletin

Vulnerability in HP-UX systems with HP Vue 3.0

May 18, 1994 1615 PDT Number E-23b
______________________________________________________________________________

PROBLEM: A Vulnerability exists in HP-UX systems with HP Vue 3.0.
PLATFORM: HP 9000 series 300/400/700/800 at HP-UX revision 9.x, with HP
Vue 3.0.
DAMAGE: Local users can raise their privileges to superuser (root) level.
SOLUTION: Apply appropriate patch for your system.
______________________________________________________________________________

VULNERABILITY ASSESSMENT: CIAC recommends that all systems which have HP Vue 3.0
installed, whether it is in use or not, have this patch applied.
______________________________________________________________________________

Critical Information about vulnerability in HP-UX systems with HP Vue 3.0

CIAC has received information regarding a vulnerability in HP9000 computers at
revision 9.x which contain HP Vue 3.0. This vulnerability can allow a local
user to obtain root access.

CIAC recommends that if you have Vue 3.0 on your system you apply the following
patch appropriate to your system. For an HP 9000 series 300/400 computer,
apply patch PHSS_4055; for an HP 9000 series 700/800 computer, apply patch
PHSS_4066.

Patches can be obtained in one of three methods:

1. Obtain the patch via E-mail from the HP SupportLine Mail Service. Send the
words, without quotes, "send PHSS_4055" (or "send PHSS_4066") in the TEXT
PORTION of a message addressed to support@support.mayfield.hp.com (no subject
line is required). The patch will be E-mailed back to you.

2. Download the patch from support.mayfield.hp.com. To do this, follow the
instructions in the document located on irbis.llnl.gov:
~/pub/ciac/ciacdoc/e-fy94/HPACCESS.TXT-how-to-download-HP-patches.

3. Contact your local HP Response Center. They will provide you with the patch.

The complete instructions for applying the patch are in the file
PHSS_40xx.text, supplied with the patch release. Checksums for the patch are
included with the release. After installing the patch, examine /tmp/update.log
for any relevant WARNING or ERROR entries. To do this, from the shell
prompt type "tail -60 /tmp/update.log | more" and page through the screens via
the space bar, looking for WARNING or ERROR messages.

ATTENTION: This bulletin contains updated information received from
Hewlett-Packard after the electronic version was distributed. Patch PHSS_4066
supersedes PHSS_4038, and directions to download the patch have been included.
______________________________________________________________________________

CIAC would like to thank the CERT-NL for first alerting us to the existence of
this vulnerability and for technical information about this vulnerability, and
John Morris of Hewlett-Packard for patch information and availability.
______________________________________________________________________________

For additional information or assistance, please contact CIAC:
Voice: 510-422-8193
FAX: 510-423-8002
STU-III: 510-423-2604
E-mail: ciac@llnl.gov

CIAC has several self-subscribing mailing lists for electronic publications:

1. CIAC-BULLETIN for Advisories, highest priority - time critical information
and Bulletins, important computer security information;
2. CIAC-NOTES for Notes, a collection of computer security articles;
3. SPI-ANNOUNCE for official news about Security Profile Inspector (SPI)
software updates, new features, distribution and availability;
4. SPI-NOTES, an unmoderated forum for discussion of problems and solutions
regarding the use of SPI products.

Our mailing lists are managed by a public domain software package called
ListProcessor, which ignores E-mail header subject lines. To subscribe (add
yourself) to one of our mailing lists, send the following request as the
E-mail message body, substituting CIAC-BULLETIN, CIAC-NOTES, SPI-ANNOUNCE or
SPI-NOTES for "list-name" and valid information for "LastName" "FirstName" and
"PhoneNumber" when sending

E-mail to ciac-listproc@llnl.gov:
subscribe list-name LastName, FirstName PhoneNumber
e.g.: subscribe ciac-notes O'Hara, Scarlett 404-555-1212 x36

You will receive an acknowledgment containing address, initial PIN, and
information on how to change either of them, cancel your subscription, or get
help.
______________________________________________________________________________

PLEASE NOTE: Many users outside of the DOE and ESnet computing communities
receive CIAC bulletins. If you are not part of these communities, please
contact your agency's response team to report incidents. Your agency's team
will coordinate with CIAC. The Forum of Incident Response and Security Teams
(FIRST) is a world-wide organization. A list of FIRST member organizations
and their constituencies can be obtained by sending E-mail to
first-request@first.org with an empty subject line and a message body
containing the line: send first-contacts.

_____________________________________________________
The U.S. Department of Energy
Computer Incident Advisory Capability
___ __ __ _ ___
/ | /_\ /
\___ __|__ / \ \___
_____________________________________________________

INFORMATION BULLETIN

Security Patch Kits for ULTRIX, DECnet-ULTRIX and OSF/1


May 18, 1994 1530 PDT Number E-24
______________________________________________________________________________

PROBLEM: Digital Equipment Corporation has identified vulnerabilities
in ULTRIX v4.3 and v4.4, DECnet-ULTRIX v4.2, and OSF/1 v1.2
through v2.0.
PLATFORM: Digital's VAX and RISC based workstations.
DAMAGE: Users may obtain unauthorized access or privilege.
SOLUTION: Upgrade software; install patches available from DEC.
______________________________________________________________________________

VULNERABILITY ASSESSMENT: Similar vulnerabilities have been exploited on
systems connected to the Internet. Digital recommends sites upgrade older
versions and/or install the appropriate fix immediately.
______________________________________________________________________________

Critical Information about Vulnerabilities
in ULTRIX, DECnet-ULTRIX and OSF/1

CIAC has been advised by the Software Security Response Team (SSRT) of
Digital Equipment Corporation of security patches for their ULTRIX,
DECnet-ULTRIX and OSF/1 products. SSRT requests that their advisory be
reprinted without change [only minor corrections were necessary-ed].

============================ Begin SSRT Advisory =============================
SOURCE: Digital Equipment Corporation - ( DSIN / DSNlink FLASH MAIL )
Software Security Response Team 17.MAY.94

PRODUCT: ULTRIX Versions 4.3, 4.3A, V4.4
DECnet-ULTRIX Version 4.2
DEC OSF/1 Versions 1.2, 1.3, 1.3A, 2.0

ADVISORY INFORMATION:

SUBJECT: Security Enhanced Kit for DECNET-ULTRIX V4.2,
ULTRIX V4.3 (VAX/RISC), ULTRIX V4.3A (RISC), ULTRIX V4.4 (VAX/RISC),
ULTRIX Worksystem Software and DEC OSF/1 V1.2 - V2.0

IMPACT: Potential security vulnerabilities exist where, under certain
circumstances, user access or privilege may be expanded.

SOLUTION: ULTRIX: Upgrade/Install ULTRIX to a minimum of V4.4 and install
the Security Enhanced Kit

DEC OSF/1: Upgrade/Install to a minimum of V1.2 and install
the Security Enhanced Kit

________________________________________________________________________________
These kits are available from Digital Equipment Corporation by contacting
your normal Digital support channel or by request via DSNlink for electronic
transfer.
________________________________________________________________________________
IMPACT:

Digital has discovered the existence of potential software security
vulnerabilities in the ULTRIX V4.3, V4.3a, V4.4 and DEC OSF/1 V1.2, V1.3,
V2.0 Operating Systems, and in DECnet-ULTRIX V4.2. These potential
vulnerabilities were discovered as a result of evaluating recent reports of
potential security vulnerabilities which were distributed on the INTERNET
and as a result of Digital's continued engineering efforts. The solutions
to these vulnerabilities have been included in the next release of ULTRIX
and DEC OSF/1.

The kits have been created to correct potential software security
vulnerabilities which, under certain circumstances may expand user access
or privilege.

Digital Equipment Corporation strongly urges Customers to upgrade to a
minimum of ULTRIX V4.4 and DEC OSF/1 V2.0 then apply the Security Enhanced
Kit.
- Please refer to the applicable Release Note information prior to
upgrading your installation.

________________________________________________________________________________
KIT PART NUMBERS and DESCRIPTIONS

CSC PATCH #

CSCPAT_4060 V1.0 ULTRIX V4.3 thru V4.4 (Includes DECnet-ULTRIX V4.2)
CSCPAT_4061 V1.0 DEC OSF/1 V1.2 thru V2.0

_______________________________________________________________
These kits will not install on versions previous to ULTRIX V4.3
or DEC OSF/1 V1.2.
_______________________________________________________________
________________________________________________________________________________
The ULTRIX Security Enhanced kit replaces the following images:


/usr/etc/comsat ULTRIX V4.3, V4.3a, V4.4
/usr/ucb/lpr " "
/usr/bin/mail " "
/usr/lib/sendmail " "
*sendmail - is a previously distributed solution.

/usr/etc/telnetd ULTRIX V4.3, V4.3a only

______________________________________
for DECnet-ULTRIX V4.2 installations:

/usr/etc/dlogind
/usr/etc/telnetd.gw

________________________________________________________________________________
The DEC OSF/1 Security Enhanced kit replaces the following images:

/usr/sbin/comsat DEC OSF/1 V1.2, V1.3 V2.0
/usr/bin/binmail
/usr/bin/lpr " "

/usr/sbin/sendmail DEC OSF/1 V1.2, V1.3 only
*sendmail - is a previously distributed solution.
/usr/bin/rdist " "
/usr/shlib/libsecurity.so DEC OSF/1 V2.0 only
________________________________________________________________________________
Digital urges you to periodically review your system management and
security procedures. Digital will continue to review and enhance the
security features of its products and work with customers to maintain
and improve the security and integrity of their systems.
________________________________________________________________________________
NOTE: For non-contract/non-warranty customers contact your local Digital
support channels for information regarding these kits.

============================ End SSRT Advisory =============================

CIAC wishes to thank Richard Boren of Digital Equipment Corporation's SSRT
for providing the advisory used in this bulletin. DEC's SSRT can be contacted
directly at 1-800-354-9000.
______________________________________________________________________________

For additional information or assistance, please contact CIAC:
Voice: 510-422-8193
FAX: 510-423-8002
STU-III: 510-423-2604
E-mail: ciac@llnl.gov

_____________________________________________________
The U.S. Department of Energy
Computer Incident Advisory Capability
___ __ __ _ ___
/ | /_\ /
\___ __|__ / \ \___
_____________________________________________________

INFORMATION BULLETIN

BSD lpr Vulnerability in SGI IRIX


May 19, 1994 1600 PDT Number E-25a
______________________________________________________________________________
Corrections to E-25 untar command. IRIX 4.0 lpr.latest.Z Sum_Checksum.
______________________________________________________________________________

PROBLEM: The optional print subsystem BSD lpr can be used to
create or overwrite any file on the system.
PLATFORM: SGI workstations running the following operating system
versions: IRIX 5.0, 5.0.1, 5.1.x, 5.2, and any 4.0.5.
DAMAGE: Any user with lpr(1) access may gain root privilege.
SOLUTION: Install new lpr spooler system available from SGI.
______________________________________________________________________________

VULNERABILITY ASSESSMENT: Notices of this vulnerability along with a script to
exploit it have been widely distributed on the Internet. CIAC and SGI
recommend sites install the appropriate fix immediately.
______________________________________________________________________________

Critical Information about BSD lpr Vulnerabilities in SGI IRIX

CIAC has learned of a vulnerability in the BSD lpr spooling system. This
optionally installed subsystem for all SGI platforms allows interoperability
with other BSD lpr systems, such as SunOS, DEC Ultrix, and Novell. Many SGI
systems replace the standard AT&T System V lp and lpsched print spooler with
the optional BSD subsystem (eoe2.sw.bsdlpr).

This vulnerability affects all SGI workstations running IRIX 5.0, 5.0.1,
5.1.x, 5.2 and 4.0.5 (all versions). A command flag allows users to create
symbolic links in the lpd spool directory. After a number of invocations, lpr
will reuse the filename in the spool directory, following the previously
established link. By allowing the creation or overwriting of any file the
link points to, any user with lpr(1) access can obtain root privilege.
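The artifact the flaw above leaves on a system is a symbolic link sitting in the lpd spool directory, which lpd itself never creates. The following audit script is an added example for this bulletin, not CIAC's or SGI's own tooling: it lists every symlink under a spool directory and counts as findings those whose target resolves outside the spool (or does not exist yet, which is what a link planted to create a new file looks like). The spool path and the entries created in the demo are constructed; on a real system point it at your lpd spool directory.

```shell
#!/bin/sh
# Added example (not from the CIAC bulletin or SGI): audit an lpd spool
# directory for symbolic links.  A legitimate BSD lpd spool contains only
# regular control and data files, so any symlink is worth a look; links
# that point outside the spool or at a not-yet-existing file are counted
# as findings.

# real_path PATH -> absolute, symlink-free form of an existing PATH.
# The parent directory is resolved with pwd -P; the last component is
# kept verbatim so the caller sees the file the link actually refers to.
real_path() {
    d=$(dirname "$1"); b=$(basename "$1")
    (cd "$d" && printf '%s/%s\n' "$(pwd -P)" "$b")
}

# audit_spool DIR -> prints one line per symlink found and returns the
# number of links whose target lies outside DIR or does not exist.
audit_spool() {
    spool=$1
    spool_real=$(cd "$spool" && pwd -P) || return 2
    list=$(mktemp)
    find "$spool" -type l > "$list"        # every symlink under the spool
    bad=0
    while IFS= read -r link; do
        target=$(readlink "$link")
        case $target in                     # make a relative target absolute
            /*) abs=$target ;;
            *)  abs=$(dirname "$link")/$target ;;
        esac
        if [ ! -e "$abs" ]; then
            echo "DANGLING $link -> $target"
            bad=$((bad + 1))
            continue
        fi
        real=$(real_path "$abs")
        case $real in
            "$spool_real"/*) echo "inside   $link -> $real" ;;
            *) echo "OUTSIDE  $link -> $real"; bad=$((bad + 1)) ;;
        esac
    done < "$list"
    rm -f "$list"
    return $bad
}

# Demo on a constructed spool directory (constructed paths, not a real spool).
demo=$(mktemp -d)
mkdir -p "$demo/spool" "$demo/elsewhere"
printf 'print job\n' > "$demo/spool/dfA001host"
printf 'not a print job\n' > "$demo/elsewhere/somefile"
ln -s "$demo/spool/dfA001host" "$demo/spool/cfA001host"   # stays inside
ln -s "$demo/elsewhere/somefile" "$demo/spool/dfA002host" # points outside
ln -s /nonexistent/target "$demo/spool/dfA003host"        # dangling
audit_spool "$demo/spool" || echo "findings: $?"
rm -rf "$demo"
```

The script deliberately resolves the link target through `pwd -P` rather than trusting the literal link text, so a link that routes through another symlink still ends up compared against the real spool location.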

SGI has produced corrected versions of the lpr software which may be obtained
from your SGI service/support provider or via anonymous FTP from ftp.sgi.com
(192.48.153.1). Transfer in BINARY mode, as follows:

for IRIX 5.*.* systems: ~ftp/sgi/IRIX5.0/lpr/lpr.latest.Z
for IRIX 4.0.5 systems: ~ftp/sgi/IRIX4.0/lpr/lpr.latest.Z

Decompress and untar these files using "zcat lpr.latest.Z | tar -xvf -" and |
checksum these files using "sum -r lpr*" and md5 to yield the following:

IRIX 5.*.* bytes sum_checksum md5_checksum
lpr.latest.Z 22331 61762 44 3a215a1f9b336cc4f76ca3e7a6b9bdcc
lpr.new 41120 22489 81 6f55d6a7620ca5c4188230a3b4dd50be
lpr.new.install 1575 63777 4 be021e98c346a3d49c27f00e43ca87ef

IRIX 4.0.5 bytes sum_checksum md5_checksum
lpr.latest.Z 87469 03015 171 d40c8c84e219045e56297cd36e6a77d5 |
lpr.new 171016 21563 335 641f6ca953c8163d9085f99114df5289
lpr.new.install 1575 63777 4 be021e98c346a3d49c27f00e43ca87ef

Note: md5 checksum utility is available via anonymous FTP from CIAC's
server irbis.llnl.gov (soon to be renamed ciac.llnl.gov) as md5.tar in
directory /pub/util/crypto.
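Checking the three columns above by hand is error-prone, so here is an added example script (not CIAC's or SGI's own tooling) that compares a downloaded file's byte count, `sum -r` checksum and MD5 against a manifest line laid out like the table in this bulletin. One caveat it encodes: the second `sum -r` field is a block count, and the bulletin's counts are 512-byte blocks while GNU `sum` reports 1024-byte blocks, so only the checksum field is comparable across systems and the block column is read but ignored. It assumes `sum`, `wc` and either `md5sum` or `md5` are on the PATH; the file and manifest values in the demo are constructed for the string "hello\n".

```shell
#!/bin/sh
# Added example (not from the CIAC bulletin or SGI): verify a downloaded
# patch file against published size, BSD "sum -r" checksum and MD5.

# md5_of FILE -> hex digest, using md5sum (GNU) or md5 (BSD/macOS).
md5_of() {
    if command -v md5sum >/dev/null 2>&1; then
        md5sum "$1" | cut -d' ' -f1
    else
        md5 -q "$1"
    fi
}

# size_of FILE -> byte count (wc -c left-pads on BSD, so strip blanks).
size_of() {
    wc -c < "$1" | tr -d ' \n'
}

# bsd_sum_of FILE -> first field of "sum -r", the 16-bit rotating BSD
# checksum printed as five digits.  The block count is deliberately not
# returned: the bulletin counts 512-byte blocks, GNU sum counts 1024-byte
# blocks, so that field differs between systems for the same file.
bsd_sum_of() {
    sum -r "$1" | awk '{print $1}'
}

# verify_file FILE BYTES SUM MD5 -> 0 if every field matches, 1 otherwise;
# each mismatch is reported on stdout.
verify_file() {
    f=$1; want_size=$2; want_sum=$3; want_md5=$4
    rc=0
    got_size=$(size_of "$f"); got_sum=$(bsd_sum_of "$f"); got_md5=$(md5_of "$f")
    [ "$got_size" = "$want_size" ] || { echo "$f: size $got_size, expected $want_size"; rc=1; }
    [ "$got_sum" = "$want_sum" ]   || { echo "$f: sum -r $got_sum, expected $want_sum"; rc=1; }
    [ "$got_md5" = "$want_md5" ]   || { echo "$f: md5 $got_md5, expected $want_md5"; rc=1; }
    [ $rc -eq 0 ] && echo "$f: OK"
    return $rc
}

# verify_manifest DIR < manifest -> number of files that failed.  Each
# manifest line is "name bytes sum blocks md5", the bulletin's column
# layout; the blocks column is read and ignored, blank lines are skipped.
verify_manifest() {
    dir=$1; failed=0
    while read -r name bytes csum _blocks md5; do
        [ -n "$name" ] || continue
        verify_file "$dir/$name" "$bytes" "$csum" "$md5" || failed=$((failed + 1))
    done
    return $failed
}

# Demo on a constructed file; the manifest values are for the content "hello\n".
demo=$(mktemp -d)
printf 'hello\n' > "$demo/lpr.demo"
verify_manifest "$demo" <<'EOF' || echo "manifest check failed"
lpr.demo 6 36979 1 b1946ac92492d2347c6235b4d2611184
EOF
rm -rf "$demo"
```

To use it against the real download, save the bulletin's table rows for your IRIX version into a file and run `verify_manifest /path/to/download < rows.txt`; a nonzero exit means at least one file did not match and should not be installed.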
______________________________________________________________________________

CIAC thanks Miguel J. Sanchez and Jay McCauley of Silicon Graphics Inc. and
David S. Brown of Lawrence Livermore National Laboratory for the information
provided in this bulletin.
______________________________________________________________________________

For additional information or assistance, please contact CIAC:
Voice: 510-422-8193
FAX: 510-423-8002
STU-III: 510-423-2604
E-mail: ciac@llnl.gov


_____________________________________________________
The U.S. Department of Energy
Computer Incident Advisory Capability
___ __ __ _ ___
/ | /_\ /
\___ __|__ / \ \___
_____________________________________________________

ADVISORY NOTICE

UNIX /bin/login Vulnerability


May 23, 1994 0700 PDT Number E-26
______________________________________________________________________________

PROBLEM: A vulnerability exists in /bin/login on some UNIX platforms.
PLATFORMS: IBM AIX 3 systems, Linux, possibly other UNIX systems.
DAMAGE: Local and remote users can obtain unauthorized access to any
account, including root.
SOLUTION: Apply patches or workarounds described below.
______________________________________________________________________________

VULNERABILITY ASSESSMENT: This vulnerability has been widely discussed in
detail on Internet mailing lists and newsgroups and a simple one line
exploitation script is being distributed. CIAC strongly advises that this
vulnerability be patched IMMEDIATELY.
______________________________________________________________________________

Critical Information about the UNIX /bin/login Vulnerability

CIAC has learned of a vulnerability in the UNIX /bin/login program. This
vulnerability potentially affects all IBM AIX 3 systems, Linux systems, and
perhaps other UNIX platforms as well. Information available at the time of