-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

===============================================================================
>>                                                      CERT-NL, 01-Mar-2000 <<
>> All CERT-NL information has been moved to http://cert.surfnet.nl.  Links  <<
>> to CERT-NL information contained in this advisory are therefore outdated. <<
>>                                                                           <<
>> CERT-NL also has stopped the CERT-CC-Mirror service.  Due to this the     <<
>> links to the CERT-CC mirror are obsolete. Visit the CERT-CC site for the  <<
>> complete CERT-CC advisory texts:                     http://www.cert.org  <<
===============================================================================
===============================================================================
Security Advisory                                                       CERT-NL
===============================================================================
Author/Source : CERT-NL (Erik-Jan Bos)                      Index  :    S-93-04
Distribution  : SURFnet constituency                        Page   :          1
Classification: External                                    Version:      Final
Subject       : NeXT NetInfo "_writers" Vulnerabilities     Date   :  22-Jan-93
===============================================================================

CERT-NL has received information from CERT Coordination Center (who has
received information from NeXT Computer, Inc.) concerning
vulnerabilities in the distributed printing facility of NeXT computers
running all releases of NeXTSTEP software through NeXTSTEP Release 3.0.
For more information, please contact your authorized support center. If
you are an authorized support provider, please contact NeXT through
your normal channels.


I.   Description

     The default NetInfo "_writers" properties are configured to allow
     users to install printers and FAX modems and to export them to the
     network without requiring assistance from the system administrator.
     They also allow a user to configure other parts of the system, such as
     monitor screens, without requiring help from the system administrator.
     Vulnerabilities exist in this facility that could allow users to gain
     unauthorized privileges on the system.


II.  Impact

     In the case of the "/printers" and the "/fax_modems" directories, the
     "_writers" property can permit users to obtain unauthorized root
     access to a system.

     In the "/localconfig/screens" directory, the "_writers" property can
     potentially permit a user to deny normal login access to other users.


III. Solution

     To close the vulnerabilities, remove the "_writers" properties from
     the "/printers", "/fax_modems", and "/localconfig/screens" directories
     in all NetInfo domains on the network, and from all immediate
     subdirectories of all "/printers", "/fax_modems", and
     "/localconfig/screens" directories.  The "_writers" properties may be
     removed using any one of the following three methods:

     A. As root, use the "niutil" command-line utility.  For example, to
        remove the "_writers" property from the "/printers" directory:

          # /usr/bin/niutil -destroyprop . /printers _writers


     B. Alternatively, use the NetInfoManager application: open the
        desired domain, open the appropriate directory, select the
        "_writers" property, choose the "Delete" command [Cmd-r] from
        the "Edit" menu, and save the directory.


     C. To assist system administrators in editing their NetInfo
        domains, a shell script, "writersfix", is available via
        anonymous FTP from next.com (129.18.1.2):

          Filename                                   Size   Checksum
          --------                                   ----   --------
          pub/Misc/Utilities/WritersFix.compressed   5600   25625  6

        After transferring this file using BINARY transfer type,
        double-click on the file.  A "WritersFix" directory will be
        created in your file system, containing the script
        ("writersfix") and some documentation ("WritersFix.rtf").


     Consider removing "_writers" from other NetInfo directories as well
     (for example, "/locations"), noting the following trade-off between
     ease-of-use and security.  By removing the "_writers" properties, the
     network and the computers on the network become more secure, but a
     system administrator's assistance is required where it previously was
     not required.

     Please refer to the NeXTSTEP Network and System Administration manual
     for additional information on "_writers".  Note that the
     subdirectories of the "/users" directory have "_writers_passwd" set to
     the user whose account is described by the directory.  This is
     essential if users are to be able to change their own passwords, and
     this does not compromise system security.


- -----------------------------------------------------------------------------
The CERT Coordination Center wishes to thank Alan Marcum and Eric Larson of
NeXT Computer, Inc. for notifying us about the existence of these
vulnerabilities and for providing appropriate technical information.
- -----------------------------------------------------------------------------

CERT-NL wishes to thank CERT Coordination Center from bringing this
information to our attention.

==============================================================================
CERT-NL is the Computer Emergency Response Team for SURFnet customers. SURFnet
is the Dutch network for educational, research and related institutes. CERT-NL
is a member of the Forum of Incident Response and Security Teams (FIRST).

All CERT-NL material is available under:
  http://cert.surfnet.nl/

In case of computer or network security problems please contact your local
CERT/security-team or CERT-NL  (if your institute is NOT a SURFnet customer
please address the appropriate (local) CERT/security-team).

CERT-NL is one/two hour(s) ahead of UTC (GMT) in winter/summer,
i.e. UTC+0100 in winter and UTC+0200 in summer (DST).

   Email:     cert-nl@surfnet.nl     ATTENDED REGULARLY ALL DAYS
   Phone:     +31 302 305 305        BUSINESS HOURS ONLY
   Fax:       +31 302 305 329        BUSINESS HOURS ONLY
   Snailmail: SURFnet bv
              Attn. CERT-NL
              P.O. Box 19035
              NL - 3501 DA  UTRECHT
              The Netherlands

NOODGEVALLEN:    06 22 92 35 64      ALTIJD BEREIKBAAR
EMERGENCIES : +31 6 22 92 35 64      ATTENDED AT ALL TIMES
CERT-NL'S EMERGENCY PHONENUMBER IS ONLY TO BE USED IN CASE OF EMERGENCIES:
THE SURFNET HELPDESK OPERATING THE EMERGENCY NUMBER HAS A *FIXED*
PROCEDURE FOR DEALING WITH YOUR ALERT AND WILL IN REGULAR CASES RELAY IT
TO CERT-NL IN AN APPROPRIATE MANNER. CERT-NL WILL THEN CONTACT YOU.
===============================================================================

-----BEGIN PGP SIGNATURE-----
Version: PGP 6.5.1i

iQA/AwUBOL6WATSYjBqwfc9jEQKuhQCfeIxhO0uEH13vTz4tXWDXFNfAMRAAoLh9
AxjULiS5KvRNj7l8iinGggcp
=V8Qc
-----END PGP SIGNATURE-----