[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]
CIAC Bulletin F-09
[Note: Document reformated for mailing by [email protected].
If in doubt contact CIAC for original:
ciac.llnl.gov:/pub/ciac/bulletin/f-fy95/f-09.ciac.(doc).]
________________________________________________________
The U.S. Department of Energy
Computer Incident Advisory Capability
___ __ __ _ ___
/ | /_\ /
\___ __|__ / \ \___
_________________________________________________________
INFORMATION BULLETIN
Unix /bin/mail Vulnerabilities
January 27, 1995 1030 PST Number F-09
_________________________________________________________
PROBLEM: The Unix /bin/mail utility contains security
vulnerabilities.
PLATFORMS: DEC OSF/1 1.2, 1.3, and 2.0
DEC Ultrix 4.3, 4.3A, and 4.4
SCO Unix System V/386 Release 3.2 OS Version
4.2
SCO Open Desktop Lite Release 3.0
SCO Open Desktop Release 3.0
SCO Open Server Enterprise System Release 3.0
SCO Open Server Network System Release 3.0
Solbourne OS4.1x
SunOS 4.x
DAMAGE: Local users may gain privileged (root) access.
SOLUTION: Apply appropriate vendor patch as described
below.
_________________________________________________________
VULNERABILITY
ASSESSMENT The vulnerabilities in the /bin/mail program
have been openly discussed in several Internet
forums, and automated scripts exploiting the
vulnerabilities have been widely distributed.
These tools have been used in many recent
attacks. CIAC recommends sites install these
patches as soon as possible.
_________________________________________________________
Critical Information about Unix /bin/mail Vulnerabilities
The /bin/mail utility on several Unix versions based on BSD
4.3 Unix contain a security vulnerability. The
vulnerability is the result of race conditions that exist
during the delivery of messages to local users. These race
conditions will allow intruders to create or modify files
on the system, resulting in privileged access to the
system.
Below is a summary of systems known to be either vulnerable
or not vulnerable. If your vendor's name is not listed,
please contact the vendor or CIAC for more information.
Vendor or Source Status
---------------- ------------
Apple Computer, Inc. Not vulnerable
Berkeley SW Design, Inc. (BSDI) Not vulnerable
Cray Research, Inc. Not vulnerable
Data General Corp. Not vulnerable
Digital Equipment Corp. Vulnerable
FreeBSD Not vulnerable
Harris Not vulnerable
IBM Not vulnerable
NetBSD Not vulnerable
NeXT, Inc. Not vulnerable
Pyramid Not vulnerable
The Santa Cruz Operation (SCO) Vulnerable
Solbourne (Grumman) Vulnerable
Sun Microsystems, Inc. SunOS 4.x vulnerable
Solaris 2.x not
vulnerable
Patch Information
-----------------
DEC The /bin/mail patch is a part of a
comprehensive Security Enhanced Kit that
addresses other security problems as well. This
kit was released on May 17, 1994 and was
described in DEC Security Advisory #0505 and
CIAC Notes 94-03.
OSF/1 users should upgrade to a minimum of
version 2.0 and install Security Enhanced Kit
CSCPAT_4061 v1.0. Ultrix users should upgrade
to at least version 4.4 and install Security
Enhanced Kit CSCPAT_4060 v1.0.
Both kits are available from your Digital
support channel or electronically by request
via DSNlink.
SCO Vulnerabilities in SCO's /bin/mail utility are
removed by applying SCO's Support Level
Supplement (SLS) uod392a. It is available via
anonymous FTP from ftp.sco.com in the /SLS
directory:
Description Filename MD5 Checksum
----------- ------------ --------------------------------
Disk image uod392a.Z 2c26669d89f61174f751774115f367a5
Cover letter uod392a.ltr.Z 52db39424d5d23576e065af2b80aee49
Solbourne Grumman System Support Corporation now performs
all Solbourne software and hardware support.
Please contact them for further information:
E-mail: [email protected]
Phone: 1-800-447-2861
FTP: ftp.nts.gssc.com
Sun Sun has made patches available to remove
vulnerabilities in /bin/mail. These patches
address all vulnerabilities CIAC has seen
exploited to date, and CIAC recommends they be
installed. However, the patches will be updated
again in the near future to remove additional
vulnerabilities that have recently come to
light. CIAC will announce the availability of
the new patches when they are released.
The patches may be obtained from your local Sun
Answer Center or through anonymous FTP from
sunsolve1.sun.com in the /pub/patches
directory:
SunOS Filename MD5 Checksum
------- --------------- --------------------------------
4.1.x 100224-13.tar.Z 90a507017a1a40c4622b3f1f00ce5d2d
4.1.3U1 101436-08.tar.Z 0e64560edc61eb4b3da81a932e8b11e1
Alternative Solution
--------------------
For those sites unable to obtain a vendor patch From owner-cypherpunks Fri Jan 27 13:19:28 1995
Return-Path: <owner-cypherpunks>
Received: by toad.com id AA15273; Fri, 27 Jan 95 13:19:28 PST
Received: from gateway.informix.com by toad.com id AA15259; Fri, 27 Jan 95 13:19:22 PST
Received: from informix.com (infmx.informix.com) by gateway.informix.com (4.1/SMI-4.1)
id AA10439; Fri, 27 Jan 95 13:19:16 PST
Received: from carbon.informix.com by informix.com (4.1/SMI-4.1)
id AA02110; Fri, 27 Jan 95 13:19:08 PST
Received: by carbon.informix.com (5.0/SMI-SVR4)
id AA00461; Fri, 27 Jan 1995 13:19:01 +0800
Date: Fri, 27 Jan 1995 13:19:01 +0800
From: [email protected]
Message-Id: <[email protected]>
Subject: Oops, Correction: one big error in "Even more unix holy war."
Apparently-To: [email protected]
Apparently-To: [email protected]
Apparently-To: [email protected]
Apparently-To: [email protected]
Content-Length: 2646
Sender: [email protected]
Precedence: bulk
I wrote:
> The great strength is of course symbolic debugging -- you can
> single step your compiled code, and see it displayed symbolicly,
> with the symbols and statements of your source code,
> and with the contents memory displayed in terms of your
> source code variables.
On this I was of course totally wrong:
Unix has symbolic debugging equal to DOS/Windows.
I was under the false impression that it only had
C code interpretation.
This is an error -- what I said was true for C++, but
then in Windows we too are forced to primarily use
interpretation to debug C++. C++ symbolic debuggers
are not up to acceptable capabilities in either system.
Sorry.
But my statement concerning internationalization and
resource files was correct.
Unix has no equivalent of App Studio, etc. I have made
a little tour of people in my company who work on both
unix and Windows. I (fortunately) work primarily on
Windows, as you may have guessed.
The company I presently work for is making a tool they
call Window Painter. This is in some respects similar
to App Studio. It works with their unix database
language.
But it is no App Studio, as the unix folk who are
working on it freely admit, those few of them that
have used App Studio.
Most of my correspondents had replies along the lines
of "Huh -- internationalization -- what source code
tools could possibly help you with internationalization."
Others listed irregular bands of random unix tools which
are essentially irrelevant to the problem of
internationalization.
Most international unix programs have string files
that the compiled program refers to a string by a number, and
a font size by a number, and the position of the button
on screen by a number -- site customizable information,
Xdefaults, *.cfg
This is functionally equivalent to the Windows Resource
file, in that in principle one can keep translatable elements
separate from source code. But is certainly not equivalent
in ease of use. One can do the job, but in essense one
does it by hand.
Resource files, and dialog box editing tools such as App Studio,
provide a clean separation between visual user interface
elements that typically require translation, and functiona
code that does not.
---------------------------------------------------------------------
|
We have the right to defend ourselves | http://www.catalog.com/jamesd/
and our property, because of the kind |
of animals that we are. True law | James A. Donald
derives from this right, not from the |
arbitrary power of the omnipotent state. | [email protected]