informis
/
textfiles
1
0
Fork 0
Code Issues Pull Requests Packages Projects Releases Wiki Activity
textfiles/magazines/MODERNZ/modern67.vul

462 lines
21 KiB
Plaintext
Raw Permalink Blame History

<><><><><><><><><><><><><><><><><><><><><><><><><><><><><><><><><><><><><><><>
/* *\
/ * * \
/ * * \
/ * * \
/ * System Vulnerabilities * \
| * * |
| * * |
| * * |
| * Another Modernz Presentation * |
| * * |
\ * by * /
\ * Multiphage * /
\ * * /
\ * written 12-29-92 * /
\ * */
*******************************************************************************
<><><><><><><><><><><><><><><><><><><><><><><><><><><><><><><><><><><><><><><>
*******************************************************************************
The Modernz can be contacted at:
MATRIX BBS
WOK-NOW!
World of Kaos NOW!
World of Knowledge NOW!
St. Dismis Institute
- Sysops: Wintermute
Digital-demon
(908) 905-6691
(908) WOK-NOW!
(908) 458-xxxx
1200/2400/4800/9600
14400/19200/38400
Home of Modernz Text Philez
<><><><><><><><><><><><><><><><><><><><><><><><><><><><><><><><><><><><><><><
<*><*><*><*><*><*><*><*><*><*><*><*><*><*><*><*><*><*><*><*><*><*><*><*><*><*>
<><><><><><><><><><><><><><><><><><><><><><><><><><><><><><><><><><><><><><><>
TANSTAAFL
Pheonix Modernz
The Church of Rodney
- Sysop: Tal Meta
(908) 830-TANJ
(908) 830-8265
Home of TANJ Text Philez
<*><*><*><*><*><*><*><*><*><*><*><*><*><*><*><*><*><*><*><*><*><*><*><*><*><*>
CyberChat
Sysop: Hegz
(908)506-6651
(908)506-7637
300/1200/2400/4800/9600
14400/19200/38400
Modernz Site
TLS HQ
<><><><><><><><><><><><><><<><<><><><><><><><><><><><><><><><><><><><><><><><><
BlitzKreig BBS
Home of TAP
(502)499-8933
<*><*><*><*><*><*><*><*><*><*><*><*><*><*><*><*><*><*><*><*><*><*><*><*><*><*>
===========================================================================
Altered System Binaries Incident
---------------------------------------------------------------------------
Information regarding a series of significant intrusion incidents on
the Internet. Systems administrators should be aware that many
systems on the Internet have been compromised due to this activity.
To identify whether your systems have been affected by the
activity we recommend that all system administrators check for the
signs of intrusion detailed in this advisory.
This advisory describes the activities that have been identified as
part of this particular incident. This does not address the
possibility that systems may have been compromised due to other,
unrelated intrusion activity.
---------------------------------------------------------------------------
I. Description
The intruders gain initial access to a host by discovering a
password for a user account on the system, exploiting a "+" in
the "/etc/hosts.equiv" file, or any ".rhosts" files on the
system. The intruder then connects to the system using rsh and
attempts to become root on the compromised system. An alias of
"decode" may used to gain root privileges.
II. Impact
Having gained root access on a system, the intruders may make
unauthorized changes to system binaries that can capture account
information for both local and remote systems. In addition, the
intruder adds "+ +" to any ".rhosts" files to which the intruder
has access.
III. Solution
A. Check your systems for signs of intrusion due to this incident.
1. Check the login, telnet, and uucpd binaries (for example,
"/bin/login", "/usr/ucb/telnet", and "/usr/etc/in.uucpd" on
Sun systems) against copies from distribution media. Note that
a check for creation or modification times and sizes is
not sufficient to assure that the files have not been modified.
The CERT/CC suggests that you compare the output of the
"sum(1)" or "cmp(1)" command on both the distribution and
installed versions of the binaries.
2. If the check from (A.1) indicates that your binaries have been
modified, check for the presence of a password
log file. Since the name of the logfile is often changed,
the name of the file should be obtained using the
"strings(1)" command on the Trojan login, uucpd, or telnet
binary. Examples of filenames used on other systems are:
"/usr/spool/. " (dot space)
"/var/spool/secretmail/.l"
"/var/spool/secretmail/.log"
"/var/spool/secretmail/.tty"
"/var/spool/secretmail/.lock"
"/usr/tmp/.log"
"/usr/spool/uucp/.sys"
"/usr/spool/uucppublic/.hushlogin"
"/usr/uucp/.sys"
"/mnt2/lost+found/.tmp/.log"
"/usr/spool/mqueue/.AFG001"
Verify that the contents of files found using the "strings(1)"
command do not contain valid username/password combinations.
3. Check for the presence of "+" in the "/etc/hosts.equiv"
file.
NOTE that Sun Microsystems installs the SunOS
operating system with a default "+" in the /etc/hosts.equiv
file for easy network access. This should be removed
unless required in your operating environment and protected
by a firewall network configuration. Leaving the "+"
intact will allow any non-root user on the Internet to
login to the system without a password.
4. Check the home directory for each entry in the "/etc/passwd"
file for the presence of a ".rhosts" file containing
"+ +" (plus space plus).
5. Assure that your "/etc/fstab", "/etc/inetd.conf", and
"/etc/exports" files have not been modified.
B. Take the following steps to secure your systems.
1. Save copies of the identified files to removable media and
remove any password log files as found in (A.2) above.
2. Replace any modified binaries with copies from
distribution media.
3. Remove the "+" entry from the "/etc/hosts.equiv"
file and the "+ +" (plus space plus) entry from any
".rhosts" files.
4. Change ownership of the "/etc" directory to userid "root"
if it is owned by "bin" (as distributed by Sun).
5. Change every password on the system and assure that the new
passwords are robust using a package such as Crack or Cops
(available via anonymous ftp from cert.org).
6. Inspect and restore any changes made to your "/etc/fstab",
"/etc/exports", or "/etc/inetd.conf" files. If any
modifications are found in these files, you will need to
unmount file systems and restart daemons once the files
have been restored. Alternatively the system could be
rebooted.
7. Remove the "decode" alias from your global mail aliases
file ("/etc/aliases" on Sun systems, "/usr/lib/aliases" on
other UNIX systems).
---------------------------------------------------------------------------
===========================================================================
Multiple SunOS Vulnerabilities Patched
---------------------------------------------------------------------------
Information concerning several vulnerabilities in the Sun Microsystems,
Inc. (Sun) operating system (SunOS). These vulnerabilities affect
all architectures and supported versions of SunOS including 4.1, 4.1.1,
and 4.1.2 on sun3, sun3x, sun4, sun4c, and sun4m. The patches have
been released as upgrades to three existing patch files.
Since application of these patches involves rebuilding your system kernel
file (/vmunix), it is recommended that you apply all patches simultaneously.
Use the procedure described below to apply the patches and rebuild the kernel.
Sun has provided patches for these vulnerabilities as updates to
Patch IDs 100173, 100376, and 100567. They are available through your local
Sun Answer Centers worldwide as well as through anonymous ftp from the
ftp.uu.net (137.39.1.9) system (in the /systems/sun/sun-dist directory).
Fix Patch ID Filename Checksum
NFS Jumbo 100173-08 100173-08.tar.Z 32716 562
Integer mul/div 100376-04 100376-04.tar.Z 12884 100
ICMP redirects 100567-02 100567-02.tar.Z 23118 13
Please note that Sun Microsystems sometimes updates patch files. If you
find that the checksum is different please contact Sun Microsystems or CERT
for verification.
---------------------------------------------------------------------------
NFS jumbo patch upgrade, SunOS 4.1, 4.1.1, 4.1.2, all architectures
I. Description
The upgrade to the NFS Jumbo patch addresses a vulnerability that
allows an intruder to become root using NFS. This vulnerability
affects all architectures and supported versions of SunOS.
II. Impact
A remote user may exploit this vulnerability to gain root access.
III. Solution
Extract the new files to be installed in the kernel.
Install the patch files in /sys/`arch -k`/OBJ as described in the
README file included in the patch file. Be sure to make a backup
of each of the files you are replacing before moving the patched
file to the /sys/`arch -k`/OBJ directory.
Config, make, and install the new kernel to include all patches
described in this advisory appropriate to your system. Reboot
each host using the appropriate kernel. Refer to the Systems and
Network Administration manual for instructions on building and
configuring a new custom kernel.
Integer mul/div patch upgrade, SunOS 4.1, 4.1.1, 4.1.2, SPARC architectures
I. Description
The integer mul/div patch upgrade addresses an additional problem with
the integer multiplication emulation code on SPARC architectures that
allows an intruder to become root. This vulnerability affects SPARC
architectures (sun4, sun4c, and sun4m) for all supported versions of
SunOS (4.1, 4.1.1, and 4.1.2).
II. Impact
A local user may exploit a bug in the emulation routines to gain
root access or crash the system.
III. Solution
Extract the new files to be installed in the kernel. Note that
this patch applies only to SPARC architectures.
Install the patch files in /sys/`arch -k`/OBJ as described in the
README file included in the patch file. Be sure to make a backup
of each of the files you are replacing before moving the patched
file to the /sys/`arch -k`/OBJ directory.
Config, make, and install the new kernel to include all patches
described in this advisory appropriate to your system. Reboot
each host using the appropriate kernel. Refer to the Systems and
Network Administration manual for instructions on building and
configuring a new custom kernel.
ICMP redirects patch upgrade, SunOS 4.1, 4.1.1, 4.1.2, all architectures
I. Description
The ICMP redirects patch addresses a denial of service vulnerability
with SunOS that allows an intruder to close existing network
connections to and from a Sun system. This vulnerability affects all
Sun architectures and supported versions of SunOS.
II. Impact
A remote user may deny network services on a Sun system.
III. Solution
Extract the new file to be installed in the kernel (the patch is
the same for all supported versions of SunOS).
Install the patch files in /sys/`arch -k`/OBJ as described in the
README file included in the patch file. Be sure to make a backup
of each of the files you are replacing before moving the patched
file to the /sys/`arch -k`/OBJ directory.
Config, make, and install the new kernel to include all patches
described in this advisory appropriate to your system. Reboot
each host using the appropriate kernel. Refer to the Systems and
Network Administration manual for instructions on building and
configuring a new custom kernel.
---------------------------------------------------------------------------
===========================================================================
VMS Monitor Vulnerability
---------------------------------------------------------------------------
Information concerning a potential vulnerability with Digital Equipment
Corporation's VMS Monitor. This vulnerability is present in V5.0 through
V5.4-2 but has been corrected in V5.4-3 through V5.5-1. The Software
Security Response Team at Digital has provided the following information
concerning this vulnerability.
NOTE: Digital suggests that customers who are unable to upgrade their
systems implement the workaround described below.
For additional information, please contact your local Digital Equipment
Corporation customer service representative.
Beginning of Text provided by Digital Equipment Corporation
==============================================================================
SSRT-0200 PROBLEM: Potential Security Vulnerability Identified in Monitor
SOURCE: Digital Equipment Corporation
AUTHOR: Software Security Response Team - U.S.
Colorado Springs USA
PRODUCT: VMS
Symptoms Identified On: VMS, Versions 5.0, 5.0-1, 5.0-2, 5.1, 5.1-B,
5.1-1, 5.1-2, 5.2, 5.2-1, 5.3,
5.3-1, 5.3-2, 5.4, 5.4-1, 5.4-2
*******************************************************
SOLUTION: This problem is not present in VMS V5.4-3
(released in October 1991) through V5.5-1
(released in July, 1992.)
*******************************************************
Copyright (c) Digital Equipment Corporation, 1992 All Rights Reserved.
Published Rights Reserved Under The Copyright Laws Of The United States.
-------------------------------------------------------------------------------
PROBLEM/IMPACT:
-------------------------------------------------------------------------------
Unauthorized privileges may be expanded to authorized users of a system
under certain conditions, via the Monitor utility. Should a system be
compromised through unauthorized access, there is a risk of potential
damage to a system environment. This problem will not permit unauthorized
access entry, as individuals attempting to gain unauthorized access will
continue to be denied through the standard VMS security mechanisms.
-------------------------------------------------------------------------------
SOLUTION:
-------------------------------------------------------------------------------
This potential vulnerability does not exist in VMS V5.4-3
(released in October 1991) and later versions of VMS through V5.5-1.
Digital strongly recommends that you upgrade to a minimum of VMS V5.4-3,
and further, to the latest release of VMS V5.5-1. (released in July, 1992)
------------------------------------------------------------------------------
INFORMATION:
-------------------------------------------------------------------------------
If you cannot upgrade at this time Digital recommends that you
implement a workaround (examples attached below) to avoid any potential
vulnerability.
As always, Digital recommends that you periodically review your system
management and security procedures. Digital will continue to review and
enhance the security features of its products and work with customers to
maintain and improve the security and integrity of their systems.
-------------------------------------------------------------------------------
WORKAROUND
-------------------------------------------------------------------------------
A suggested workaround would be to remove the installed image
SYS$SHARE:SPISHR.EXE via VMS INSTALL and/or restrict the use of
the MONITOR utility to "privileged" system administrators.
Below are the examples of doing both;
[1] To disable the MONITOR utility the image SYS$SHARE:SPISHR.EXE should be
deinstalled.
From a privileged account;
For cluster configurations;
---------------------------
$ MC SYSMAN
SYSMAN> SET ENVIRONMENT/CLUSTER
SYSMAN> DO INSTALL REMOVE SYS$SHARE:SPISHR.EXE
SYSMAN> DO RENAME SYS$SHARE:SPISHR.EXE SPISHR.HOLD
SYSMAN> EXIT
For non-VAXcluster configurations;
---------------------------------
$INSTALL
INSTALL>REMOVE SYS$SHARE:SPISHR.EXE
INSTALL>EXIT
$RENAME SYS$SHARE:SPISHR.EXE SPISHR.HOLD
[2] If you wish to restrict access to the MONITOR command so that only a
limited number of authorized (or privileged) persons are granted access
to the utility, one method might be to issue the following
example commands;
From a privileged account;
For cluster configurations;
---------------------------
$ MC SYSMAN
SYSMAN> SET ENVIRONMENT/CLUSTER
SYSMAN> DO INSTALL REMOVE SYS$SHARE:SPISHR.EXE
SYSMAN> DO SET FILE/ACL=(ID=*,ACCESS=NONE) SYS$SHARE:SPISHR.EXE
SYSMAN> DO SET FILE/ACL=(ID=SYSTEM,ACCESS=READ+EXECUTE) SYS$SHARE:SPISHR.EXE
SYSMAN> DO INSTALL ADD SYS$SHARE:SPISHR.EXE/OPEN/HEADER/SHARE/PROTECT
SYSMAN> EXIT
$
THIS WILL IMPACT the MONITOR UTILITY FOR REMOTE MONITORING.
LOCAL MONITORING WILL CONTINUE TO WORK FOR PERSONS HOLDING THE ID's
GRANTED ACL ACCESS.
see additional note(s) below
For non-VAXcluster configurations;
----------------------------------
$ INSTALL
INSTALL>REMOVE SYS$SHARE:SPISHR.EXE
INSTALL>EXIT
$ SET FILE /ACL=(ID=*,ACCESS=NONE) SYS$SHARE:SPISHR.EXE
$ SET FILE /ACL=(ID=SYSTEM,ACCESS=READ+EXECUTE) SYS$SHARE:SPISHR.EXE
$ INSTALL
INSTALL>ADD SYS$SHARE:SPISHR.EXE/OPEN/HEADER/SHARE/PROTECT
INSTALL>EXIT
$
IN THE ABOVE EXAMPLES, THE "SET FILE /ACL" LINE SHOULD BE REPEATED FOR
ALL ACCOUNTS THAT ARE REQUIRED/ALLOWED TO USE THE DCL MONITOR COMMAND.
NOTE: The ID -SYSTEM- is an example, and should be
substituted as necessary with valid user ID's that are
associated with accounts you wish to grant access to.
===========================================================================
End of Text provided by Digital Equipment Corporation
---------------------------------------------------------------------------
Reference in New Issue View Git Blame Copy Permalink