I S S   X - F o r c e
                                      
                         The Most Wanted Alert List
                                      
       [1]News | [2]Serious Fun | [3]Mail Lists | [4]Security Library
          [5]Protoworx | [6]Alerts | [7]Submissions | [8]Feedback
                             [9]Advanced Search
                                      
   _ Alert Summaries_

ISS Security Alert Summary
August 26, 1997
Volume 1 Number 1

---

7 Reported New Vulnerabilities                  [10]Back to Alert List
 [11]- xlock
 [12]- sun-ps
 [13]- BIND
 [14]- irix-ftpd
 [15]- sun-automountd
 [16]- sun-ifconfig
 [17]- libXt

1 Reported Incident
 [18]- CERT summary


---

Date reported:          5/7/97 (original), 8/12/97 (updated)
Vulnerability:          xlock
Affected platforms:     Solaris (2.3, 2.4, 2.5, 2.5.1)
                        SunOS   (4.1.3, 4.1.4)
                        AIX     (3.2, 4.1, 4.2)
                        BSD/OS  (2.1)
                        FreeBSD (any version with xlockmore)
                        IRIX    (5.x, 6.x)
                        HP-UX   (any version with vuelock)
Risk Factor:            High

xlock is a physical security program that locks the local X display until
the user supplies their password to 'unlock' the display.  Arguments
supplied to xlock are not sufficiently checked and it is possible to
overwrite the stack.  xlock is set-user-id root, therefore it is
vulnerable to root exploitation.

References:

[19]ftp://info.cert.org/pub/cert_advisories/CA-97.13.xlock
[20]ftp://sgigate.sgi.com/security/19970502-02-PX
[21]http://sunsolve.sun.com/sunsolve/secbulletins/security-alert-150.txt

[22]Top of Page || [23]Back to Alert List


---

Date reported:          8/12/97
Vulnerability:          sun-ps
Affected platforms:     Solaris (2.3, 2.4, 2.5, 2.5.1)
Risk Factor:            High

ps is a program that displays the current active processes on a machine.
It contains a vulnerability that does not sufficently check the arguments
passed to it, and the stack can be overwritten.  Since ps is set-user-id
root, it is possible to exploit this vulnerability and gain root
priviledges.

Reference:

[24]http://sunsolve.sun.com/sunsolve/secbulletins/security-alert-149.txt

[25]Top of Page || [26]Back to Alert List


---

Date reported:          8/13/97
Vulnerability:          BIND
Affected platforms:     All UNIX platforms running BIND releases
                        before 8.1.1
Risk Factor:            Medium

BIND (the Berkeley Internet Name Daemon) is the Domain Name Service for
UNIX systems.  It contains a vulnerability that allows the mapping between
host name and IP addresses to be altered.  An attacker can change the
information exchanged between hosts on a network.

Reference:

[27]ftp://info.cert.org/pub/cert_advisories/CA-97.22.bind

[28]Top of Page || [29]Back to Alert List


---

Date reported:          8/15/97
Vulnerability:          irix-ftpd
Affected platforms:     IRIX (3.x, 4.x, 5.x, 6.0.x, 6.1, 6.2)
Risk Factor:            High

ftpd is a program that listens on port 21 for incoming Internet File
Transfer Protocol service requests.  It contains a race condition in its
signal handling that results in manipulation of files with root
privileges.  This vulnerability can be exploited locally as well as from
remote systems.

Reference:

[30]ftp://sgigate.sgi.com/security/19970801-01-PX

[31]Top of Page || [32]Back to Alert List


---

Date reported:          8/20/97
Vulnerability:          sun-automountd
Affected platforms:     Solaris (2.3, 2.4, 2.5, 2.5.1)
Risk Factor:            Medium

automountd is a daemon that answers file system mount and umount requests.
Local users can exploit a vulnerability by sending RPCs to the daemon to
change mount options of a file system.

Reference:

[33]http://sunsolve.sun.com/sunsolve/secbulletins/security-alert-151.txt

[34]Top of Page || [35]Back to Alert List


---

Date reported:          8/25/97
Vulnerability:          sun-ifconfig
Affected platforms:     Solaris (2.3, 2.4, 2.5, 2.5.1)
Risk Factor:            Medium

ifconfig is used by administrator access level accounts to set up a
network interface and configure it, as well as assigning addresses to
network interfaces.  It contains a vulnerability that if exploited allows
non-root users to configure network interface parameters.

Reference:

[36]http://sunsolve.sun.com/sunsolve/secbulletins/security-alert-152.txt

[37]Top of Page || [38]Back to Alert List


---

Date reported:          5/1/97 (original), 8/25/97 (updated)
Vulnerability:          libXt
Affected platforms:     Solaris (2.3, 2.4, 2.5, 2.5.1)
                        AIX (3.2, 4.1, 4.2)
                        HP-UX (9.x, 10.x)
Risk Factor:            High

Buffer overflow conditions have been found in X applications that are
setuid/setgid that can be exploited to gain priviledged access, in some
cases, root uid.  Exploit scripts have been written and made
publically avaliable via various newsgroups and mailing lists.

References:

[39]http://sunsolve.sun.com/sunsolve/secbulletins/security-alert-153.txt
[40]ftp://info.cert.org/pub/cert_advisories/CA-97.11.libXt

[41]Top of Page || [42]Back to Alert List


---

Date reported:          5/26/97
Incident:               Holes being exploited
Risk Factor:            High

CERT released a summary of current holes that are being exploited on a
regular basis.  These include; IMAP exploits, increased denial-of-service
attacks, IP spoofing, IRC clients/servers running as root, IRIX buffer
overflows, and INND exploits.  For a comprehensive explaination and
prevention details, please see the reference.

Reference:

[43]ftp://info.cert.org/pub/cert_summaries/CS-97.05


Risk Factor Key:

        High    any vulnerability that provides an attacker with immediate
                access into a machine, gains superuser access, or bypasses
                a firewall.  Example:  A vulnerable Sendmail 8.6.5 version
                that allows an intruder to execute commands on mail
                server.
        Medium  any vulnerability that provides information that has a
                high potential of giving access to an intruder.  Example:
                A misconfigured TFTP or vulnerable NIS server that allows
                an intruder to get the password file that possibly can
                contain an account with a guessable password.
        Low     any vulnerability that provides information that
                potentially could lead to a compromise.  Example:  A
                finger that allows an intruder to find out who is online
                and potential accounts to attempt to crack passwords
                via bruteforce.


[44]Top of Page || [45]Back to Alert List

--------
Copyright (c) 1997 by Internet Security Systems, Inc.

Permission is hereby granted for the redistribution of this Alert Summary
electronically.  It is not to be edited in any way without express consent
of X-Force.  If you wish to reprint the whole or any part of this
Alert Summary in any other medium excluding electronic medium, please
e-mail [46]xforce@iss.net for permission.

Disclaimer

The information within this paper may change without notice. Use of this
information constitutes acceptance for use in an AS IS condition. There
are NO warranties with regard to this information. In no event shall the
author be liable for any damages whatsoever arising out of or in connection
with the use or spread of this information. Any use of this information is
at the user's own risk.

Please send suggestions, updates, and comments to:
X Force [47]xforce@iss.net of Internet Security Systems, Inc.

Internet Security Systems, Inc.

Internet Security Systems, Inc., (ISS) is the pioneer and world's leading
supplier of network security assessment and monitoring tools,  providing
comprehensive software that enables organizations to proactively manage
and minimize their network security risks. ISS' SAFEsuite® product
family automatically detects, monitors, and responds to the growing number
of network security vulnerabilities and threats. The Atlanta-based
company's flagship product, Internet Scanner, is the world's leading
security auditing tool used to eliminate network security vulnerabilities
in corporations, government agencies, and financial institutions including
9 out of the top 10 U.S. banks. ISS' real time attack recognition and
response tool, RealSecure(tm), is the leading network monitoring software
used to automatically guard networks from external threats and internal
misuse. For more information, contact the company at (800) 776-2362 or
(770) 395-0150 or visit the ISS Web site at [48]http://www.iss.net.

[49]Top of Page || [50]Back to Alert List

     [51]News | [52]Serious Fun | [53]Mail Lists | [54]Security Library
        [55]Protoworx | [56]Alerts | [57]Submissions | [58]Feedback
                            [59]Advanced Search
                                      
                        [60]About the Knowledge Base
                                      
            Copyright ©1994-1998 Internet Security Systems, Inc.
          All Rights Reserved. Sales Inquiries: [61]sales@iss.net
         6600 Peachtree-Dunwoody Rd · Bldg 300 · Atlanta, GA 30328
                 Phone (678) 443-6000 · Fax (678) 443-6477
                                      
                      Read our [62]privacy guidelines.

References

   1. http://xforce.iss.net/news.php3
   2. http://xforce.iss.net/seriousfun/
   3. http://xforce.iss.net/maillists/
   4. http://xforce.iss.net/library/
   5. http://xforce.iss.net/protoworx/
   6. http://xforce.iss.net/alerts/
   7. http://xforce.iss.net/submission.php3
   8. http://xforce.iss.net/feedback.php3
   9. http://xforce.iss.net/search.php3
  10. http://xforce.iss.net/alerts/alerts.php3
  11. http://xforce.iss.net/alerts/vol-1_num-1.php3#xlock
  12. http://xforce.iss.net/alerts/vol-1_num-1.php3#sun
  13. http://xforce.iss.net/alerts/vol-1_num-1.php3#bind
  14. http://xforce.iss.net/alerts/vol-1_num-1.php3#irix
  15. http://xforce.iss.net/alerts/vol-1_num-1.php3#auto
  16. http://xforce.iss.net/alerts/vol-1_num-1.php3#ifconfig
  17. http://xforce.iss.net/alerts/vol-1_num-1.php3#libxt
  18. http://xforce.iss.net/alerts/vol-1_num-1.php3#holes
  19. ftp://info.cert.org/pub/cert_advisories/CA-97.13.xlock
  20. ftp://sgigate.sgi.com/security/19970502-02-PX
  21. http://sunsolve.sun.com/sunsolve/secbulletins/security-alert-150.txt
  22. http://xforce.iss.net/alerts/vol-1_num-1.php3#list
  23. http://xforce.iss.net/alerts/alerts.php3
  24. http://sunsolve.sun.com/sunsolve/secbulletins/security-alert-149.txt
  25. http://xforce.iss.net/alerts/vol-1_num-1.php3#list
  26. http://xforce.iss.net/alerts/alerts.php3
  27. ftp://info.cert.org/pub/cert_advisories/CA-97.22.bind
  28. http://xforce.iss.net/alerts/vol-1_num-1.php3#list
  29. http://xforce.iss.net/alerts/alerts.php3
  30. ftp://sgigate.sgi.com/security/19970801-01-PX
  31. http://xforce.iss.net/alerts/vol-1_num-1.php3#list
  32. http://xforce.iss.net/alerts/alerts.php3
  33. http://sunsolve.sun.com/sunsolve/secbulletins/security-alert-151.txt
  34. http://xforce.iss.net/alerts/vol-1_num-1.php3#list
  35. http://xforce.iss.net/alerts/alerts.php3
  36. http://sunsolve.sun.com/sunsolve/secbulletins/security-alert-152.txt
  37. http://xforce.iss.net/alerts/vol-1_num-1.php3#list
  38. http://xforce.iss.net/alerts/alerts.php3
  39. http://sunsolve.sun.com/sunsolve/secbulletins/security-alert-153.txt
  40. ftp://info.cert.org/pub/cert_advisories/CA-97.11.libXt
  41. http://xforce.iss.net/alerts/vol-1_num-1.php3#list
  42. http://xforce.iss.net/alerts/alerts.php3
  43. ftp://info.cert.org/pub/cert_summaries/CS-97.05
  44. http://xforce.iss.net/alerts/vol-1_num-1.php3#list
  45. http://xforce.iss.net/alerts/alerts.php3
  46. mailto:x-force@iss.net
  47. mailto:x-force@iss.net
  48. http://www.iss.net/
  49. http://xforce.iss.net/alerts/vol-1_num-1.php3#list
  50. http://xforce.iss.net/alerts/alerts.php3
  51. http://xforce.iss.net/news.php3
  52. http://xforce.iss.net/seriousfun/
  53. http://xforce.iss.net/maillists/
  54. http://xforce.iss.net/library/
  55. http://xforce.iss.net/protoworx/
  56. http://xforce.iss.net/alerts/
  57. http://xforce.iss.net/submission.php3
  58. http://xforce.iss.net/feedback.php3
  59. http://xforce.iss.net/search.php3
  60. http://xforce.iss.net/about.php3
  61. http://xforce.iss.net/cgi-bin/getSGIInfo.pl
  62. http://xforce.iss.net/privacy.php3