June 11, 1996
Summary: Silicon Graphics has discovered a security
vulnerability within the IRIX 5.3, 6.1 and 6.2 permissions
tool. Versions 5.2, 6.0, and 6.0.1 are not vulnerable.
Impact: Under certain conditions, a user may use the
permissions tool to modify the permissions of restricted
files. Root access is possible as a result.
Solution: inst-able patches are available. See the
full advisory for details.
Summary: Rpc.statd (statd on some systems) can be
used to remove any file that the root user can remove
or to create any file that the root user can create
because it uses no validation for the update
information it receives from the remote rpc.lockd.
Please read the full advisory for more detailed information.
Updates to the advisory may be found here
Summary: There is a serious security problem with the
way PCNFSD creates subdirectories for printing, in
which it can be tricked into following a symbolic
link to change the permissions on an arbitrary
file. In addition, pcnfsd calls system(3) with arguments
supplied in part through an rpc call, allowing remote
execution of arbitrary commands on the server as root.
Please read the full advisory for more detailed information.
Updates to the advisory may be found here
Source: Roger Espel Llima
A patch is available via Web from www.eleves.ens.fr
Summary: Following up on an IBM Bulletin, CIAC notes
that certain sample CGI scripts that call a shell allow
remote execution of arbitrary commands on the http server
as the user under which the system runs its http daemon.
Please read the full advisory for more information.
A CERT Advisory has also been released.
Updates may be found here.
A new CIAC/IBM advisory updating the prior one was released April 16, 1996.
Summary: There is a serious security problem with the
Netscape Navigator 2.0 Java implementation, allowing an
applet to connect to any of the IP addresses associated with
the name of the computer from which it came.
In the specific case of Netscape, the problem has been
addressed by patches. Until you install the patch, disable
Java using the "Security Preferences" dialog box.
Updates to the advisory may be found here
Summary: Any CGI program built using the sample code
distributed with NCSA HTTPD Version 1.5A-Export and earlier
or Apache HTTPD Version 1.0.3 and earlier that accepts input
from the user and passes that input as arguments to a shell
command may be tricked into executing an arbitrary
command.
The alert lists several suggested actions.
Summary: Intruders have been exploiting the reliance of some
authenticating services on DNS by feeding them corrupt DNS
information. Services that do not check the validity of
this information may grant an intruder unauthorized access
on the basis of the corrupt information.
In the specific case of sendmail, the problem has already
been addressed by patches.
Updates to the advisory may be found here
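The check an authenticating service can apply is to resolve the name obtained from the client's address forward again and require that the original address appear among the answers, so that a forged reverse record alone is not enough. The following is an added example, not code from the advisory or from any vendor: the resolver is a stub table built inline (the names and addresses in it are invented), and both the unsafe reverse-only check and the forward-confirmed check are shown side by side.

```python
# Added example: forward-confirmed reverse DNS versus a reverse-only check.
# The resolver is a constructed in-memory table so this runs offline; the
# hostnames and addresses are made up for the scenario.

# Constructed resolver data. 10.0.0.5 is an intruder-controlled address whose
# reverse (PTR) answer has been corrupted to claim the trusted name.
PTR_RECORDS = {
    "192.0.2.10": "trusted.example.org",
    "10.0.0.5": "trusted.example.org",      # forged PTR answer
    "198.51.100.7": "mail.example.net",
}
A_RECORDS = {
    "trusted.example.org": ["192.0.2.10"],
    "mail.example.net": ["198.51.100.7", "198.51.100.8"],
}

# Hypothetical access list: hosts the service would let in by name.
TRUSTED_HOSTS = {"trusted.example.org"}


def reverse_lookup(addr):
    """Stub PTR lookup: address -> name, or None if no record."""
    return PTR_RECORDS.get(addr)


def forward_lookup(name):
    """Stub A lookup: name -> list of addresses (empty if no record)."""
    return A_RECORDS.get(name.lower(), [])


def is_trusted_peer_reverse_only(addr):
    """The pattern the advisory warns about: trust whatever name the PTR
    answer carries. Anyone who controls the reverse zone for their own
    address block can make this return True."""
    name = reverse_lookup(addr)
    return name is not None and name.lower() in TRUSTED_HOSTS


def forward_confirmed_name(addr):
    """Return the name for addr only if that name's own A records include
    addr; otherwise None. The forward zone of the trusted name is under the
    legitimate owner's control, so a forged PTR does not pass."""
    name = reverse_lookup(addr)
    if name is None:
        return None
    if addr not in forward_lookup(name):
        return None
    return name.lower()


def is_trusted_peer(addr):
    """Access decision using the forward-confirmed name."""
    name = forward_confirmed_name(addr)
    return name is not None and name in TRUSTED_HOSTS


if __name__ == "__main__":
    for peer in ("192.0.2.10", "10.0.0.5", "198.51.100.7"):
        print(peer, "reverse-only:", is_trusted_peer_reverse_only(peer),
              "forward-confirmed:", is_trusted_peer(peer))
```

Note that the forward-confirmed check only closes the hole described here (a corrupt PTR answer); it does not protect a service whose forward lookups can also be poisoned, which is why the advisory's advice is to avoid name-based authentication where stronger mechanisms exist.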
Summary: The Kerberos Version 4 server uses a weak random
number generator to produce session keys. On a computer of
average speed, the session key for a ticket can be broken in
at most 2-4 minutes, and sometimes in much less time.
This means that usable session keys can be manufactured
without a user first being authenticated by Kerberos.
Please read the advisory for more information.
Updates to the advisory may be found here
SSH 1.2.13 is a major security and bug-fix release. Users
of prior versions are advised to upgrade. The complete
release announcement is available here.
Summary: When a connection is established between two UDP
services, each of which produces output, these two services
can produce a very high number of packets that can lead to a
denial of service on the machine(s) where the services are
offered. Anyone with network connectivity can launch an
attack; no account access is needed.
Recommendations:
Summary: There is a security hole in Red Hat 2.1, in that it
installs the game abuse, /usr/lib/games/abuse/abuse.console,
suid root. The abuse.console program loads its files without
absolute pathnames, assuming the user is running abuse from
the /usr/lib/games/abuse directory. One of these files is the
undrv program, which abuse executes as root. If the user is
not in the abuse directory when running this, an arbitrary
program can be substituted for undrv, allowing the user to
execute arbitrary commands as root.
Fix: As root:
chmod u-s /usr/lib/games/abuse/abuse.console
Summary: Sendmail (prior to Sendmail 8.6.10) contains a
vulnerability in the EXPN and VRFY commands that allows
local and remote users to execute privileged commands.
Affected Versions: All versions of "sendmail" prior to
Version 8.6.10, including Sendmail 5.67+IDA-1.5 and most
vendor versions.
The advisory contains information about upgrades, patches, and interim solutions.
Summary: bind() does not properly check to make sure there
is not a socket already bound to INADDR_ANY on the same port
when binding to a specific address.
Impact: Packets from a variety of network services may be
stolen or the services spoofed.
A patch for Linux 1.3.57 is provided in the announcement.
A CERT Advisory on the subject has been released, as well (2/15/96)
Summary: Silicon Graphics has discovered a security
vulnerability within the optional "ATT Packaging Utility"
(eoe2.sw.oampkg) subsystem available for the IRIX
operating system. ALL SGI systems running IRIX 5.2, 5.3,
6.0, 6.0.1, and 6.1 may be vulnerable.
Impact: For those systems that have the subsystem installed,
both local and remote users may be able to overwrite files
and/or become root on a targeted SGI system.
Solution:
1) Become the root user on your system.
     % /bin/su
     Password:
     #
2) Change the permissions on the following programs.
     # /sbin/chmod 755 /usr/pkg/bin/pkgadjust
     # /sbin/chmod 755 /usr/pkg/bin/abspath
3) Return to the previous user state.
     # exit
Summary: splitvt versions lower than 1.6.3 are known to
have a security hole allowing a user to gain ROOT access
on some systems!
If you have a version lower than 1.6.3 _please_ remove the
set-uid bit on your current version, and upgrade to the
newer version as soon as possible.
("splitvt -version" will tell you what version you are running)
The latest version of splitvt can be obtained here.
Summary: The protocol used when clients communicate with a
server only checks to see if the connection is authentic
using secure RPC. The protocol does not check to see if
the client is authorized to modify the NIS data or if the
given NIS map exists. Even after an unsuccessful attempt
to update the NIS information, the rpc.ypupdated server
invokes the make(1) program to propagate possible changes.
The invocation of make is implemented in an insecure
fashion which allows the requesting client to pass
malicious arguments to the call resulting in the execution
of arbitrary commands on NIS master and slave servers.
Summary: There is a problem with the default configuration
of the Washington University FTP Server version 2.4 in
major Linux distributions, including but not limited to
Slackware 2.0, 2.1, 2.2, 2.3, Yggdrasil Plug&Play Fall'94,
and the Debian Distribution. By exploiting this problem,
any user who is able to log into a system having the
vulnerable configuration via FTP using their login, and not
the anonymous login, may gain root access.
From this public domain source release, you can build a
fully functional IP-layer encryption package which supports
DES and Triple-DES for SunOS 4.1.3.
Bug Synopsis:
When ypupdated receives requests to update yp maps on a host
machine it forks and executes a copy of the Bourne shell.
Shell metacharacters may be passed through the request
arguments to that shell, causing a security breach.
Further information may be found on Bugtraq
Summary: SGI ships their systems with several passwordless
accounts, which, if left unpassworded can be abused
by intruders.
Netscape acknowledges that its current product line generates
keys using a predictable algorithm that cannot produce keys
across the whole breadth of the keyspace. New releases are
in the works.
Here is the article by Ian Goldberg, discussing
how he and David Wagner discovered the weakness, and
discussing how the weakness occurs.
The Clinton Administration is revising parts of the ill-fated
Clipper initiative. The key action was a two-day
meeting on key escrow and export regulations that took
place September 6 and 7, 1995. Pat Farrell has
put together a superb page on the meeting and related
topics.
"There is a vulnerability in older versions of ghostscript
(gs) that enables users to execute commands and thus modify
files. This problem involves the -dSAFER option and is
present in all versions of ghostscript from 2.6 through
3.22 beta."
CERT updates can be found here.
Amateur code breaker, that is: Damien Doligez (PhD, Computer
Science) was the first to announce, and second to crack, Hal
Finney's SSL challenge. Read his summary and links to related
information, including a "virtual press conference" Q & A
session.
Then the Cypherpunks "brute" key cracking ring cracked the
second challenge in only 114456 seconds (31h 47m 36s),
about 1/10 the time.
There is also a CERT advisory now and a CERT update.
Sun has issued a Bulletin on the matter. [ Sept. 14 ]
Don't see an important reference in any category? Have a useful suggestion? Compliments? Then, send mail to the index maintainer by clicking here.