NASIRC BULLETIN # 94-09                                   March 24, 1994

Selected Vulnerabilities on SunOS and Solaris Systems

===========================================================
      NASA Automated Systems Incident Response Capability
===========================================================

NASIRC recently received information on a set of vulnerabilities that
involve the "RDIST" (/usr/ucb/rdist) and "UTMP" (/etc/utmp) files on
certain Sun Microsystems, Inc. platforms. Information on each file's
vulnerability is detailed below.

NOTE: All Sun Microsystems, Inc. patches referred to in this bulletin
may be obtained by NASA sites via anonymous FTP from nasirc.nasa.gov in
the directory /toolkits/Sun_Patches; non-NASA sites may obtain the
patches from their local Sun Answer Center, or directly via anonymous
FTP from ftp.uu.net under the /systems/sun/sun-dist directory. (It is
recommended that non-U.S. sites obtain the patches from ftp.eu.net
under /sun/fixes.)

THE RDIST PROBLEM:

Under certain conditions, unauthorized users can use /usr/ucb/rdist to
create a set-user-id root program, and so gain root access. This
vulnerability exists in Sun Microsystems' SunOS versions 4.1.1, 4.1.2,
4.1.3, and 4.1.3c on all Sun-3 and Sun-4 architectures. SunOS 4.1.3_U1,
Solaris 2.x, and Solbourne's 4.1B and 4.1C apparently do NOT have this
problem.

The CERT Coordination Center reports that this vulnerability is being
actively exploited as part of the network "sniffer" attacks.

FIXING THE RDIST PROBLEM:

If rdist is not being used, change the file permissions so that only
root can read or execute the file by issuing the command:

    chmod 700 /usr/ucb/rdist

(An absolute mode of 700 also clears the set-user-id bit if one is set,
so ordinary users can no longer run the program at all, let alone as
root.) You should also install the appropriate Sun Microsystems, Inc.
patch; the current rdist patch is #100383-06.
THE UTMP PROBLEM:

If the /etc/utmp file is writable by users other than root, anyone with
access to a user account could gain root access to the system, because
several programs that run with root privileges (those listed under the
patches below) trust the contents of that file.

This vulnerability exists in Sun Microsystems, Inc.'s SunOS 4.1.X and
Solaris 1.1.1; Solbourne Computer, Inc. and other SPARC products that
use SunOS 4.1.X or Solaris 1.1.1 are also affected. Systems running
Solaris 2.x are NOT affected by this problem.

Other systems that are not subject to this vulnerability AS SHIPPED BY
THE VENDOR include: Convex Computer Corp.; Data General Corp.; Digital
Equipment Corp.; Hewlett-Packard Company; IBM; Intergraph; Motorola,
Inc.; NeXT, Inc.; Pyramid Technology Corp.; Sequent Computer Systems;
and Sony Corp. If your operating system is not explicitly mentioned
here and you find that /etc/utmp is writable by someone other than
root, NASIRC recommends that you contact your vendor.

FIXING THE UTMP PROBLEM:

Any system on which /etc/utmp is writable only by the root account is
NOT affected by this problem. Otherwise, you should either change the
utmp file permissions or apply a patch to the programs that trust it.
Changing the permissions is the quicker measure and can be applied at
once; the patches can then be installed as they are obtained.

To change the access permissions for the /etc/utmp file, first issue
the command "chown root /etc/utmp", then "chmod 644 /etc/utmp".

To patch the programs that trust the /etc/utmp file, please refer to
the following list of Sun Microsystems, Inc. patches:

    Program     Patch ID     Patch File Name
    -------     ---------    ---------------
    in.comsat   100272-07    100272-07.tar.Z
    dump        100593-03    100593-03.tar.Z
    syslogd     100909-02    100909-02.tar.Z
    in.talkd    101480-01    101480-01.tar.Z
    shutdown    101481-01    101481-01.tar.Z
    write       101482-01    101482-01.tar.Z

NASIRC will continue to monitor the situation and will post additional
information as appropriate. If you have any questions on this subject,
feel free to contact us at any of the venues listed below. (NOTE: If
you have any questions concerning any of the Sun patches mentioned in
this bulletin, please contact Sun Microsystems directly.)
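The following audit script is an added example and is not part of the NASIRC bulletin or of Sun's patches. It checks the two file conditions described under the RDIST and UTMP problems above: whether /usr/ucb/rdist is restricted to its owner (the state "chmod 700" leaves it in) and whether /etc/utmp is owned by root and not writable by group or others; with "--fix" it applies the bulletin's chown/chmod commands. It reads the mode and owner from "ls -ld" rather than stat(1), whose options vary between systems. The paths default to the bulletin's but can be overridden through the RDIST and UTMP environment variables; the function names are the example's own.

```shell
#!/bin/sh
# Added example (not from the NASIRC bulletin): audit and, on request,
# apply the bulletin's permission fixes for /usr/ucb/rdist and /etc/utmp.
# Written for POSIX sh; needs only ls, awk, cut, chown and chmod.
# RDIST and UTMP may be set in the environment to check other files.

RDIST=${RDIST:-/usr/ucb/rdist}
UTMP=${UTMP:-/etc/utmp}

# Symbolic mode string of a file (e.g. -rwsr-xr-x); empty if it is absent.
file_mode() {
    ls -ld "$1" 2>/dev/null | awk '{ print $1 }'
}

# Owner name of a file (column 3 of "ls -l"); empty if it is absent.
file_owner() {
    ls -ld "$1" 2>/dev/null | awk '{ print $3 }'
}

# Succeeds when group or others have write access (columns 6 and 9 of
# the mode string). This is the condition the UTMP problem depends on.
writable_by_others() {
    mode=$(file_mode "$1")
    [ -n "$mode" ] || return 1          # an absent file cannot be written
    case "$(printf '%s' "$mode" | cut -c6,9)" in
        *w*) return 0 ;;
        *)   return 1 ;;
    esac
}

# Succeeds when group and others have no permission bits at all (columns
# 5-10 are all '-'), i.e. the state "chmod 700" leaves rdist in.
locked_to_owner() {
    mode=$(file_mode "$1")
    [ -n "$mode" ] || return 1
    case "$(printf '%s' "$mode" | cut -c5-10)" in
        ------) return 0 ;;
        *)      return 1 ;;
    esac
}

# Succeeds when the file is owned by the named user.
owned_by() {
    [ "$(file_owner "$1")" = "$2" ]
}

# Report findings for both files; returns the number of problems found
# (0 means both files are in the state the bulletin recommends).
audit_sun_files() {
    problems=0
    if [ -e "$RDIST" ] && ! locked_to_owner "$RDIST"; then
        echo "WARN: $RDIST is accessible to non-root users ($(file_mode "$RDIST"))"
        problems=$((problems + 1))
    fi
    if [ -e "$UTMP" ]; then
        if ! owned_by "$UTMP" root; then
            echo "WARN: $UTMP is owned by $(file_owner "$UTMP"), not root"
            problems=$((problems + 1))
        fi
        if writable_by_others "$UTMP"; then
            echo "WARN: $UTMP is writable by group or others ($(file_mode "$UTMP"))"
            problems=$((problems + 1))
        fi
    fi
    return $problems
}

# Apply the bulletin's fixes; must be run as root. Kept separate from
# the audit so the audit itself can be run without privileges.
fix_sun_files() {
    [ -e "$RDIST" ] && chmod 700 "$RDIST"
    [ -e "$UTMP" ] && chown root "$UTMP" && chmod 644 "$UTMP"
}

# Usage: sh audit.sh          audit only (exit status = number of problems)
#        sh audit.sh --fix    audit, apply the fixes, audit again
if [ "${1-}" = "--fix" ]; then
    audit_sun_files; fix_sun_files; audit_sun_files
else
    audit_sun_files
fi
```

The audit only flags files that exist, so it can be scheduled on mixed sites without false alarms on systems that have no /usr/ucb/rdist. Note that it checks mode bits only: a site that uses rdist and keeps it set-user-id root needs Sun's patch rather than the chmod, and will keep seeing the rdist warning until it is installed.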
=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=
NASIRC ACKNOWLEDGES: The CERT Coordination Center, the Department of
Energy Computer Incident Advisory Capability (CIAC), and Sun
Microsystems, Inc. for forwarding this information in a timely manner.
=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=

===============================================================
For further assistance, please contact the NASIRC Helpdesk:
    Phone: 1-800-7-NASIRC                 Fax: 1-301-441-1853
    Internet Email: nasirc@nasa.gov
    24 Hour/Emergency Pager: 1-800-759-7243/Pin:2023056
    STU III: 1-301-982-5480
===============================================================

This bulletin may be forwarded without restriction to sites and system
administrators within the NASA community.

The NASIRC online archive system is available via anonymous ftp. Just
ftp to nasirc.nasa.gov and login as anonymous. You will be required to
enter your valid e-mail address. Once there you can access the
following information:

    /toolkits    ! contains automated toolkit software
    /bulletins   ! contains NASIRC bulletins

Information maintained in these directories is updated on a continuous
basis with relevant software and information. Contact the NASIRC
Helpdesk for more information or assistance with tool kits or security
measures.

-----------------
PLEASE NOTE: Users outside of the NASA community may receive NASIRC
bulletins. If you are not part of the NASA community, please contact
your agency's response team to report incidents. Your agency's team
will coordinate with NASIRC, who will ensure the proper internal NASA
team(s) are notified. NASIRC is a member of the Forum of Incident
Response and Security Teams (FIRST), a world-wide organization which
provides for coordination between incident response teams in handling
computer-security-related issues.
You can obtain a list of FIRST member organizations and their constituencies by sending email to docserver@first.org with an empty "subject" line and a message body containing the line "send first-contacts".