_____________________________________________________
                       The U.S. Department of Energy
                    Computer Incident Advisory Capability
                           ___  __ __    _     ___
                          /       |     /_\   /
                          \___  __|__  /   \  \___
            _____________________________________________________

                            INFORMATION BULLETIN

      SCO Unix at, login, prwarn, sadc, and pt_chmod Patches Available

December 6, 1994 0800 PST                                         Number F-05
_____________________________________________________________________________

PROBLEM:       Security vulnerabilities exist in SCO system software.
PLATFORMS:     SCO Unix System V/386 Release 3.2 Versions 4.2, 4.1, and 4.0,
               SCO Open Desktop Lite Release 3.0,
               SCO Open Desktop Release 3.0 and 2.0,
               SCO Open Server Network System Release 3.0, and
               SCO Open Server Enterprise System Release 3.0.
DAMAGE:        Local users may gain privileged access to the system.
SOLUTION:      Install SSE's as described below.
_____________________________________________________________________________

VULNERABILITY  These vulnerabilities have been announced on the Internet.
ASSESSMENT:    Automated exploitation scripts are beginning to be distributed
               as well. CIAC urges sites to install these patches as soon as
               possible.
_____________________________________________________________________________

          Critical Information about the SCO Security Patches

CIAC has received information from the Santa Cruz Operation (SCO) regarding
patches to correct serious vulnerabilities in SCO Unix system software.
These vulnerabilities will allow local users to gain root access to the
system.  The SCO Advisory announcing these patches is reprinted in its
entirety below.  Please refer any questions to CIAC.
_____________________________________________________________________________


===========================================================================
            SCO Advisory 94:001
                             November 30th, 1994
  Patches for at(C), login(M), prwarn(C), sadc(ADM), pt_chmod
---------------------------------------------------------------------------

The Santa Cruz Operation has been informed of the following problems present
in our software.

I.   Description

     The programs at(C), login(M), prwarn(C) sadc(ADM), and pt_chmod
     may each allow unauthorized root access to the system. 

     There are four unrelated issues present, one for each program listed
     above.
  
      
II.  Impact
  
     Any user with an account on the system may obtain root access using
     any one of the programs listed.


III. Releases

     These problems exist on the following releases of SCO Products:

  SCO Unix System V/386 Release 3.2 Versions 4.2, 4.1, and 4.0
  SCO Open Desktop Lite Release 3.0
  SCO Open Desktop Release 3.0 and 2.0
  SCO Open Server Network System Release 3.0
  SCO Open Server Enterprise System Release 3.0

IV. Solution

     SCO is providing the following (S)ystem (S)ecurity (E)nhancements, SSEs,
     to address these problems. These are preliminary patches which SCO
     feels addresses the issues at hand, but these patches have not been
     fully tested and integrated and hence cannot officially be supported.
     Official patches should be available in the near future via a
     (S)upport (L)evel (S)upplement. (SLS). The README file mentioned below
     will be updated when an official Supplement is available.

     Binary    Patch
     ------    ------
     at(C)    sse001
     login(M)    sse002
     prwarn(C)    sse003
     sadc(ADM)    sse004
     pt_chmod    sse005


     These are available at the following sites:

     Anonymous ftp: ftp.sco.COM:/SSE

     UUCP downloading, and SOS access:  sosco (USA), scolon (Europe),
     in the directory /usr/spool/uucppublic/SSE. Note that access to these
     Supplements at scolon may not be available until December 2nd, 1994.

     The filename conventions are as follows:

   ssexxx.tar.Z    - compressed tar file of supplement
  ssexxx.ltr.Z    - compressed cover letter for supplement

  xxx indicates the number of the supplement, i.e. sse001.tar.Z.

     See the README file in the directories listed above for checksum
     information. Connection information is available at the end of this
     document.

     Please note that these Supplements are not generally available from
     SCO on diskette media.

If you have further questions, contact your support provider.  If you
need to contact SCO, please send electronic mail to support@sco.COM, or
contact SCO as follows. 

        USA/Canada: 6am-5pm Pacific Standard Time (PST)
        -----------
        1-800-347-4381  (voice)
        1-408-427-5443  (fax)

        Pacific Rim, Asia, and Latin American customers: 6am-5pm Pacific
        ------------------------------------------------ Standard Time
                                                         (PST)
        1-408-425-4726  (voice)
        1-408-427-5443  (fax)

        Europe, Middle East, Africa: 9am-5:30pm British Standard Time (BST)
        ----------------------------
        +44 (0)923 816344 (voice)
        +44 (0)923 817781 (fax)

Downloading Information
-----------------------

ftp to ftp.sco.com
Login name: ftp
Password: your email address

For anonymous UUCP connection:
------------------------------

For USA, Canada, Pacific Rim, Asia and Latin America customers:

Machine name:  sosco
Login name:  uusls  (fourth character is the letter "l")
No password

List of modems available for UUCP transfer from sosco.sco.com:

Standard V.32, (300-9600bps)     4@   408-425-3502
Hayes V Series 9600              2@   408-427-4470
Telebit Trailblazer                   408-429-1786


For Europe/Middle East/Africa customers there is a system located at
SCO EMEA (London):

Machine name:  scolon
Login name:  uusls
Password:  bbsuucp

List of modems available for UUCP transfer from scolon.sco.com:

Dowty Trailblazer  +44 (0)923 210911



For SCO Online Support (SOS) BBS download:
------------------------------------------

For those customers that have accounts on SOS these files can be
downloaded interactively via X, Y, Z MODEM or Kermit. Follow the
menus selections under "Toolchest" from the main SOS menu.

List of modems available for interactive transfer from sosco.sco.com:

First four are Standard V.32 (300-9600bps)      408-426-9495
Last three are Hayes 2400 compatible 

Telebit Trailblazer                             408-426-9525



For ftp via World Wide Web:
---------------------------

URL to open:  ftp://www.sco.com

These problems, except for pt_chmod, were reported to the Santa Cruz
Operation by the "[8LGM] Security Team", 8lgm@bagpuss.demon.co.uk. 

_____________________________________________________________________________

If you require additional assistance or wish to report a vulnerability,
contact CIAC at:
    Voice:   510-422-8193
    FAX:     510-423-8002
    STU-III: 510-423-2604
    E-mail:  ciac@llnl.gov

Previous CIAC notices, anti-virus software, and other information are
available on the Internet via anonymous FTP from ciac.llnl.gov (IP address
128.115.19.53).

CIAC has several self-subscribing mailing lists for electronic publications:
1.  CIAC-BULLETIN for Advisories, highest priority - time critical
    information, and Bulletins, important computer security information;
2.  CIAC-NOTES for Notes, a collection of computer security articles;
3.  SPI-ANNOUNCE for official news about Security Profile Inspector (SPI)
    software updates, new features, distribution and availability;
4.  SPI-NOTES, for discussion of problems and solutions regarding the use of
    SPI products.

Our mailing lists are managed by a public domain software package called
ListProcessor, which ignores E-mail header subject lines. To subscribe (add
yourself) to one of our mailing lists, send requests of the following form:

subscribe list-name LastName, FirstName PhoneNumber

as the E-mail message body, substituting CIAC-BULLETIN, CIAC-NOTES,
SPI-ANNOUNCE or SPI-NOTES for "list-name" and valid information for
"LastName" "FirstName" and "PhoneNumber."  Send to: ciac-listproc@llnl.gov
not to: ciac@llnl.gov

e.g.,
subscribe ciac-notes O'Hara, Scarlett 404-555-1212 x36
subscribe ciac-bulletin O'Hara, Scarlett 404-555-1212 x36

You will receive an acknowledgment containing address and initial PIN, and
information on how to change either of them, cancel your subscription, or get
help.
_____________________________________________________________________________

PLEASE NOTE: Many users outside of the DOE and ESnet computing communities
receive CIAC bulletins. If you are not part of these communities, please
contact your agency's response team to report incidents. Your agency's team
will coordinate with CIAC. The Forum of Incident Response and Security Teams
(FIRST) is a world-wide organization. A list of FIRST member organizations
and their constituencies can be obtained by sending E-mail to
first-request@first.org with an empty subject line and a message body
containing the line: send first-contacts.

This document was prepared as an account of work sponsored by an agency of
the United States Government. Neither the United States Government nor the
University of California nor any of their employees, makes any warranty,
expressed or implied, or assumes any legal liability or responsibility for
the accuracy, completeness, or usefulness of any information, product, or
process disclosed, or represents that its use would not infringe privately
owned rights. Reference herein to any specific commercial products, process,
or service by trade name, trademark manufacturer, or otherwise, does not
necessarily constitute or imply its endorsement, recommendation, or favoring
by the United States Government or the University of California. The views
and opinions of authors expressed herein do not necessarily state or reflect
those of the United States Government nor the University of California, and
shall not be used for advertising or product endorsement purposes.