The 'Security Digest' Archives (TM)

Archive: About | Browse | Search | Contributions | Feedback
Site: Help | Index | Search | Contact | Notices | Changes

ARCHIVE: Zardoz 'Security Digest' - Archives (1989 - 1991)
DOCUMENT: Zardoz 'Security Digest' V3 #15 1991-11-21 (1 file, 4441 bytes)
SOURCE: http://securitydigest.org/exec/display?f=zardoz/archive/315.txt&t=text/plain
NOTICE: securitydigest.org recognises the rights of all third-party works.

START OF DOCUMENT


Date: Thu Nov 21 12:03:19 PST 1991
Subject: Security Digest V3 #15

Security Digest Volume 3 Issue 15

subject(s):

            undesirable ftpd behavior
            errata for "Practical Unix Security"
            CERT Advisory - AIX TFTP Daemon Vulnerability
            CERT Advisory - /usr/ucb/rdist Vulnerability

The unix security mailing list is by invitation only and often
contains sensitive material which IS NOT INTENDED FOR PUBLIC
DISSEMINATION.  PLEASE DO NOT PUT ANY SECURITY LIST CONTENTS IN
LOCATIONS ACCESSABLE TO NON-MEMBERS.

PLEASE SEND NEW SECURITY HOLES TO:              holes@uninet.cpd.com
PLEASE POST NORMAL MESSAGES TO:              security@uninet.cpd.com
PLEASE SEND EMERGENCY ALERTS TO:   security-emergency@uninet.cpd.com
PLEASE SEND REQUESTS TO:             security-request@uninet.cpd.com

Postings that describe security holes/fixes have a * in their subject.


------------------------------------------------------------------------

Date: Wed, 02 Oct 91 08:11:00 EDT
From: Thomas Narten <narten@cs.albany.edu>
Subject: undesirable ftpd behavior

I don't believe I have seen this discussed here before, if so, please
ignore this message.

Sun's (and old Berkeley versions) of ftpd do not tinker with umask.
Result: ftp's "put" command may create files with world write
permissions.

On our SunOS 4.1 system, ftpd is started by inetd, which is started at
boot time in the /etc/rc file.  The problem is that because ftpd
doesn't set the umask, it inherits it from init. On our machines, the
result is that ftpd creates new files with world read and write
permissions.  The simple fix is to add an explicit umask() call in
ftpd.

The latest version of ftpd on ucbarpa.berkeley.edu (5.1) appears to
have fixed this problem.  However, the ftpd distributed with SunOS
4.1.1 does have the problem.  Older versions of Berkeley ftpd (we were
running version 4.1) also have the problem. No doubt, many other
vendor's ftpds will display this feature.

Thomas Narten

------------------------------------------------------------------------

Date: Sun, 6 Oct 91 18:22:05 PDT
From: irving@happy-man.com
Subject: errata for "Practical Unix Security"

>  [ A highly recomended book. - neil ]

Neil, I'd be happy to put together a group order that would let me
re-sell them at a discount of close to 20%, postage included.  I
once made a similar offer to the Perl newsgroup and saved quite a
few people $5 and some inconvenience.  If you think it would fly
here, I'll come up with an exact price.

 Irving_Wolfe@happy-man.com      Happy Man Corp. 206/463-9399 x101
 4410 SW Pt. Robinson Rd., Vashon Island, WA  98070-7399  fax x108

------------------------------------------------------------------------

Date: Thu, 17 Oct 91 16:42:51 EDT
From: CERT Advisory <cert-advisory-request@cert.sei.cmu.edu>
Subject: CERT Advisory - AIX TFTP Daemon Vulnerability

CA-91:19                        CERT Advisory
                              October 17, 1991
                        AIX TFTP Daemon Vulnerability

The Computer Emergency Response Team/Coordination Center (CERT/CC) has
received information concerning a vulnerability in the TFTP daemon in
all versions of AIX for IBM RS/6000 machines.

IBM is aware of this problem and a fix is available as apar number "ix22628".
This patch is available for all AIX releases from "GOLD" to the current
release.

NOTE: THIS IS AN UPDATED PATCH FROM ONE RECENTLY MADE AVAILABLE and fixes
a security hole in the original patch.  The SCCS id of the correct patch
is tftpd.c 1.13.1.3 (*not* 1.13.1.2 or earlier versions).  This can be
checked using the following "what" command.

    % what /etc/tftpd
    /etc/tftpd:
       56      1.13.1.3  tftpd.c, tcpip, tcpip312 10/10/91 09:01:48
       tftpsubs.c      1.2  com/sockcmd/tftpd,3.1.2,9048312 10/8/89 17:40:55

IBM customers may call IBM Support (800-237-5511) and ask that the fix
be shipped to them.  The fix will appear in the upcoming 2009 update
and the next release of AIX.

I.   Description

     Previous versions of tftpd did not provide a method for restricting
     TFTP access.

II.  Impact

     If TFTP is enabled at your site, anyone on the Internet can retrieve
     copies of your site's world-readable files, such as /etc/passwd.

III. Solution

     A. Sites that do not need to allow tftp access should disable it.
        This can be done by editing /etc/inetd.conf and deleting or
        commenting out the tftpd line:

        #tftp     dgram     udp    wait    nobody  /etc/tftpd     tftpd -n

        and then, as root, restarting inetd with the "refresh" command.

            # refresh -s inetd

        For more details on starting/stopping tftp, refer to documentation
        for the System Resource Controller (SRC) or the System Management
        Interface Tool (SMIT).

     B. Sites that must run tftpd (for example, to support X terminals)
        should obtain and install the above patch AND create a
        /etc/tftpaccess.ctl file to restrict the files that are accessible.
        The /etc/tftpaccess.ctl file should be writable only by root.
        Although the new /etc/tftpaccess.ctl mechanism provides a very general
        capability, the CERT/CC strongly recommends that sites keep this
        control file simple.  For example, the following tftpaccess.ctl file
        is all that is necessary to support IBM X terminals:

        # /etc/tftpaccess.ctl
        # By default, all files are restricted if /etc/tftpaccess.ctl exists.
        # Allow access to X terminal files.
        allow:/usr/lpp/x_st_mgr/bin

        NOTE: Be CERTAIN to create the /etc/tftpaccess.ctl file.
        If it does not exist then all world-readable files are accessible
        as in the current version of tftpd.

        Installation Instructions:

        1.  Create an appropriate /etc/tftpaccess.ctl file.

        2.  From the directory containing the new tftpd module, issue
            the following commands as root.

            # chmod 644 /etc/tftpaccess.ctl
            # chown root.system /etc/tftpaccess.ctl
            # mv /etc/tftpd /etc/tftpd.old
            # cp tftpd /etc
            # chmod 755 /etc/tftpd
            # chown root.system /etc/tftpd
            # refresh -s inetd

The CERT/CC wishes to thank Karl Swartz of the Stanford Linear Accelerator
Center for bringing this vulnerability to our attention.

If you believe that your system has been compromised, contact CERT/CC via
telephone or e-mail.

Computer Emergency Response Team/Coordination Center (CERT/CC)
Software Engineering Institute
Carnegie Mellon University
Pittsburgh, PA 15213-3890

Internet E-mail: cert@cert.sei.cmu.edu
Telephone: 412-268-7090 24-hour hotline:
           CERT/CC personnel answer 7:30a.m.-6:00p.m. EST/EDT,
           on call for emergencies during other hours.

Past advisories and other computer security related information are available
for anonymous ftp from the cert.sei.cmu.edu (192.88.209.5) system.

------------------------------------------------------------------------

Date: Tue, 22 Oct 91 13:05:02 EDT
From: CERT Advisory <cert-advisory-request@cert.sei.cmu.edu>
Subject: CERT Advisory - /usr/ucb/rdist Vulnerability

CA-91:20                        CERT Advisory
                              October 22, 1991
                        /usr/ucb/rdist Vulnerability

The Computer Emergency Response Team/Coordination Center (CERT/CC) has
received information concerning a vulnerability in /usr/ucb/rdist (the
location of rdist may vary depending on the operating system).  This
vulnerability is present in possibly all versions of rdist.  Vendors
responding with patches are listed below.  Additionally, some vendors
who do not include rdist in their operating systems are identified.
Operating systems from vendors not listed in either of the two categories
below will probably be affected and the CERT/CC has proposed a workaround
for those systems.

VENDORS THAT DO NOT SHIP rdist
(Note: Even though these vendors do not ship rdist, it may have been
       added later (for example, by the system administrator).  It is
       also possible that vendors porting one of these operating systems
       may have added rdist.  In both cases corrective action must be taken.)

  Amdahl
  AT&T System V
  Data General DG/UX for AViiON Systems


VENDORS PROVIDING PATCHES

  Cray Research, Inc.   UNICOS 6.0/6.E/6.1   Field Alert #132   SPR 47600

     For further information contact the Support Center at 1-800-950-CRAY or
     612-683-5600 or e-mail support@crayamid.cray.com.

  NeXT Computer, Inc.  NeXTstep Release 2.x

     A new version of rdist may be obtained from your
     authorized NeXT Support Center.  If you are an authorized
     support center, please contact NeXT through your normal
     channels.  NeXT also plans to make this new version of
     rdist available on the public NeXT FTP archives.

  Silicon Graphics   IRIX 3.3.x/4.0 (fixed in 4.0.1)

     Patches may be obtained via anonymous ftp from sgi.com in the
     sgi/rdist directory.

  Sun Microsystems, Inc.   SunOS 4.0.3/4.1/4.1.1   Patch ID 100383-02

     Patches may be obtained via anonymous ftp from ftp.uu.net or from local
     Sun Answer Centers worldwide.


The CERT/CC is hopeful that other patches will be forthcoming.  We will
be maintaining a status file, rdist-patch-status, on the cert.sei.cmu.edu
system.  We will add patch availability information to this file as
it becomes known.  The file is available via anonymous ftp to
cert.sei.cmu.edu and is found in pub/cert_advisories/rdist-patch-status.

All trademarks are the property of their respective holders.

I.   Description

     A security vulnerability exists in /usr/ucb/rdist that
     can be used to gain unauthorized privileges.  Under some
     circumstances /usr/ucb/rdist can be used to create setuid
     root programs.

II.  Impact

     Any user logged into the system can gain root access.

III. Solution

     A.  If available, install the appropriate patch provided by
         your operating system vendor.

     B.  If no patch is available, restrict the use of /usr/ucb/rdist
         by changing the permissions on the file.

         # chmod 711 /usr/ucb/rdist

The CERT/CC wishes to thank Casper Dik of the University of Amsterdam,
The Netherlands, for bringing this vulnerability to our attention.
We would also like to thank the vendors who have responded to this problem.

If you believe that your system has been compromised, contact CERT/CC via
telephone or e-mail.

Computer Emergency Response Team/Coordination Center (CERT/CC)
Software Engineering Institute
Carnegie Mellon University
Pittsburgh, PA 15213-3890

Internet E-mail: cert@cert.sei.cmu.edu
Telephone: 412-268-7090 24-hour hotline:
           CERT/CC personnel answer 7:30a.m.-6:00p.m. EST(GMT-5)/EDT(GMT-4),
           on call for emergencies during other hours.

Past advisories and other computer security related information are available
for anonymous ftp from the cert.sei.cmu.edu (192.88.209.5) system.

------------------------------------------------------------------------

        End of Security Digest Volume 3 Issue 15
        **********************

END OF DOCUMENT