The 'Security Digest' Archives (TM)


ARCHIVE: Zardoz 'Security Digest' - Archives (1989 - 1991)
DOCUMENT: Zardoz 'Security Digest' V1 #31 1989-08-28 (1 file, 2082 bytes)
SOURCE: http://securitydigest.org/exec/display?f=zardoz/archive/131.txt&t=text/plain
NOTICE: securitydigest.org recognises the rights of all third-party works.

START OF DOCUMENT


Security Digest Volume 1 Issue 31

subject(s):

            [ John Pettitt <jpp@specialix.co.uk: Security problem with Xenix
            Sun Boot PROM - Password protection
            Two security problems with Ultrix 3.0
            Security Digest V1 #30
            Re:  Two security problems with Ultrix 3.0
            Re: Two security problems with Ultrix 3.0

------------------------------------------------------------------------

Date: Mon, 28 Aug 1989 19:18:17 EDT
From: uunet!pyrite.rutgers.edu!hobbit
Subject: [ John Pettitt <jpp@specialix.co.uk: Security problem with Xenix

This one's more appropriate for your list, I'd think...   _H*
[ Yep - neil ]

 Date: 11 Aug 89 12:41:08 BST (Fri)
 From: John Pettitt <jpp@specialix.co.uk>
 Subject: Security problem with Xenix (another one :-)
 To: misc-security@ukc.ac.uk

There is a security problem with sco xenix 2.3.x that will allow
remote users to get a shell via a uucp connection.   No special
commands are needed in /usr/lib/uucp/Permissions for this
to happen.

The hole can be fixed by:

chmod -w /usr/lib/uucp/Permissions

It is very important that uucp control files are not writable
by anybody (esp owner !).

SCO have been informed of the problem.

This bug, together with an IFS attack could get you a root shell !
With little trouble it could even make the basis for a uucp virus.

BTW the old, non BNU, uucp on Xenix is so full of holes a virus would
be trivial.

------------------------------------------------------------------------

Date: Mon, 4 Sep 89 11:05:11 +0200
From: uunet!relay.EU.net!cgch!wwtz (Wolfgang Wetz)
Subject: Sun Boot PROM - Password protection

Boot PROM revision 2.7.1 (and higher) should accept passwords
to prevent changes to the PROM itself.
[ I assume that you mean changes to the EEPROM - neil ]

While this works on one of our 3/60s with PROM revision 2.8.3 it
does not for our 3/80s which have PROM revision 2.9.2.

On the 3/80s: powercycling enables changes to the PROM again! :-(
              even when location 492 is set to '1'

According to Sun, this should be fixed in PROM Revision 3.0;
which should be available very soon.

------------------------------------------------------------------------

Date: Thu, 24 Aug 89 17:02:25 EDT
From: uunet!unclejack.crd.ge.com!barnett
Subject: Two security problems with Ultrix 3.0

I have noticed two security problems with Ultrix 3.0

1) Anyone can execute a /etc/mount command. You just need to own the mount point.

    Therefore, you can type

    mkdir /tmp/mnt
    mount /tmp/mnt machine:/partition

    and mount any NFS partition that is exported.

    We fixed this problem by typing

    chmod 700 /bin/*mount

2) name service and remote login

    I think this is a security hole, but I am not sure. I do not have sources
    and am unable to verify if the hole exists.

    When rlogin/telnet checks to see if someone has permission to log in without
    a password, it uses the x.x.x.x.in-addr.arpa name server.

    What that means is, if I am the Name Server administrator for the
    my-network.in-addr.arpa domain, I can add an entry saying my name is
    decwrl.dec.com or any other name.

    If I were to rlogin onto decwrl.dec.com, it asks me what my name is
    and I can lie about it. It would then believe me.

    I think the fix is to get the Berkeley version of rlogin/rlogind/telnetd
    and telnet. The Ultrix versions have the following string in the executable:

        %d.%d.%d.%d.in-addr.arpa
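
Added example, not part of the original post and not code from Ultrix or Berkeley: the reverse-lookup-only trust decision described in item 2, beside a forward-confirmed version that also requires the returned name to resolve back to the peer's address. The record tables, host name and addresses are constructed stand-ins for DNS answers so the code runs offline; a real daemon would get them from the resolver (getnameinfo() and getaddrinfo()).

```c
#include <stddef.h>
#include <string.h>
#include <strings.h>

/* Constructed records standing in for DNS so this runs offline.
 * 203.0.113.7 lives in a reverse zone whose administrator has published
 * a PTR record naming a host that belongs to someone else. */
struct rec { const char *key; const char *val; };
static const struct rec PTR_RECORDS[] = {      /* address -> name */
    { "192.0.2.10",  "trusted.example.com" },
    { "203.0.113.7", "trusted.example.com" },
};
static const struct rec A_RECORDS[] = {        /* name -> address */
    { "trusted.example.com", "192.0.2.10" },
    { "trusted.example.com", "192.0.2.11" },
};
#define COUNT(a) (sizeof(a) / sizeof((a)[0]))

static const char *ptr_lookup(const char *addr)
{
    for (size_t i = 0; i < COUNT(PTR_RECORDS); i++)
        if (strcmp(PTR_RECORDS[i].key, addr) == 0)
            return PTR_RECORDS[i].val;
    return NULL;
}

/* Weak check: believe whatever name the in-addr.arpa zone returns. */
int trusted_by_ptr_only(const char *peer_addr, const char *equiv_host)
{
    const char *name = ptr_lookup(peer_addr);
    return name != NULL && strcasecmp(name, equiv_host) == 0;
}

/* Forward-confirmed check: the PTR name must also resolve forward to the
 * peer's address. Every A record is examined, as a host may have several. */
int trusted_forward_confirmed(const char *peer_addr, const char *equiv_host)
{
    if (!trusted_by_ptr_only(peer_addr, equiv_host))
        return 0;
    for (size_t i = 0; i < COUNT(A_RECORDS); i++)
        if (strcasecmp(A_RECORDS[i].key, equiv_host) == 0 &&
            strcmp(A_RECORDS[i].val, peer_addr) == 0)
            return 1;
    return 0;
}
```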

------------------------------------------------------------------------

Date: Sun, 27 Aug 89 11:48:07 EDT
From: ll-xn!bu-cs!bzs
Subject: Security Digest V1 #30

>I intend to write a setuid-root C program, which makes the following
>checks:
>       1) The user invoking must own the file that is being given away
>       2) The user invoking must own the directory containing the file
>       3) Files may only be given to user IDs greater than 100
>       4) Any setuid/setgid bits will be stripped.

You also want to consider what group id ends up on the file, probably
the recipient's default group id from the passwd file.
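
Added example, not part of the original posts and not the program the quoted author went on to write: the four quoted checks plus the group-id point from the reply, as a decision function over fstat() results, with a helper that applies the outcome to an open descriptor. The names plan_give, apply_give, give_plan and MIN_UID are hypothetical; the caller is assumed to pass its real UID (getuid()) as the invoker and the recipient's passwd-file group as to_gid.

```c
#define _XOPEN_SOURCE 700   /* declares fchown()/fchmod() under strict -std */
#include <sys/types.h>
#include <sys/stat.h>
#include <unistd.h>

#define MIN_UID ((uid_t)100)  /* check 3: only UIDs greater than 100 */

enum give_err { GIVE_OK, GIVE_NOT_FILE_OWNER, GIVE_NOT_DIR_OWNER,
                GIVE_BAD_RECIPIENT };

struct give_plan { uid_t uid; gid_t gid; mode_t mode; };

/* Apply the quoted checks to fstat() results for the file and for the
 * directory containing it, and work out the owner, group and mode the
 * file should end up with. */
enum give_err plan_give(const struct stat *file, const struct stat *dir,
                        uid_t invoker, uid_t to_uid, gid_t to_gid,
                        struct give_plan *plan)
{
    if (file->st_uid != invoker) return GIVE_NOT_FILE_OWNER;  /* check 1 */
    if (dir->st_uid != invoker)  return GIVE_NOT_DIR_OWNER;   /* check 2 */
    if (to_uid <= MIN_UID)       return GIVE_BAD_RECIPIENT;   /* check 3 */
    plan->uid  = to_uid;
    plan->gid  = to_gid;  /* reply's point: recipient's default group */
    plan->mode = file->st_mode & 07777 & ~(mode_t)(S_ISUID | S_ISGID); /* 4 */
    return GIVE_OK;
}

/* Carry out a plan on the descriptor that was fstat()ed, so the path is
 * not resolved a second time. Mode is changed before owner, so the file
 * is never owned by the recipient while still setuid or setgid. */
int apply_give(int fd, const struct give_plan *plan)
{
    if (fchmod(fd, plan->mode) != 0)
        return -1;
    return fchown(fd, plan->uid, plan->gid);
}
```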

------------------------------------------------------------------------

Date: Wed, 30 Aug 89 01:20:25 EDT
From: Philip Prindeville <uunet!wellfleet.com!pprindev>
Subject: Re:  Two security problems with Ultrix 3.0

Making mount not executable by world is a non-solution.  How do
people just find out what filesystems are mounted, etc?

------------------------------------------------------------------------

Date: Wed, 30 Aug 89 10:55:22 MDT
From: uunet!nike.cair.du.edu!wedgingt (Will Edgington)
Subject: Re: Two security problems with Ultrix 3.0

>Making mount not executable by world is a non-solution.  How do
>people just find out what filesystems are mounted, etc?

By using 'df' or 'df -i'.  Mount does *not* need world execute
permissions for any reason.
[ Or try 'cat /etc/mtab' - neil ]

------------------------------------------------------------------------

        End of Security Digest Volume 1 Issue 31
        **********************

END OF DOCUMENT