Network Security
NEWS
Vulnerability in libXt

CERT Advisory CA-97.11 reports that there have been public mailing list discussions about buffer overflows in the Xt library of the X Window System, which The Open Group makes freely available. During these discussions, exploitation scripts were made available for some platforms. The specific problem is a buffer overflow condition in the Xt library file xc/lib/Xt/Error.c. This makes it possible for a user to execute arbitrary instructions as a privileged user by way of a program built from this distribution with the setuid or setgid bits set. However, in this case a root compromise was only possible when programs built from this distribution (e.g. xterm) were setuid root. The Open Group has extensively reviewed the source code for the entire distribution to address the potential for further buffer overflow conditions. Where this problem exists, X applications built with the setuid and setgid bits set may be vulnerable to buffer overflow conditions. These conditions can make it possible for a local user to execute arbitrary instructions as a privileged user without authorization. Access to an account on the system is necessary for exploitation. Sites that have downloaded the X code from the X Consortium should be able to identify such programs by looking in the directory hierarchy defined by the 'ProjectRoot' constant described in the xc/config/cf/site.def file in the source code distribution. The default is /usr/X11R6.3. Some third
2
May 1997
party vendors distribute derivatives of the X Window System. Vendors who have provided patches and information for this vulnerability include:
- Berkeley Software Design
- Digital Equipment Corp.
- FreeBSD
- Hewlett-Packard
- IBM
- NEC Corp.
- NeXT Software
- The Open Group
- The Santa Cruz Operation
- Sun Microsystems
If you have downloaded and installed your own distributions directly from the source code, CERT advises the installation of the latest version, X11 Release 6.3. This source code can be obtained from:
ftp://ftp.x.org/pub/R6.3/tars/xc-1.tar.gz
ftp://ftp.x.org/pub/R6.3/tars/xc-2.tar.gz
ftp://ftp.x.org/pub/R6.3/tars/xc-3.tar.gz
As a final resort, CERT recommends removing the setuid or setgid bits from the executable files in your distribution of X. However, this may have an adverse effect on some system operations. For instance, on some systems the xlock program needs to have the setuid bit enabled so that the shadow password file can be read to unlock the screen. By removing the setuid bit from this program, you remove the ability of the xlock program to read the shadow password file. For further information, contact CERT on: +1 412 268 7090; fax: +1 412 268 6989; E-mail: cert@cert.org.
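As an added illustration of the identification step CERT describes, and of the last-resort mitigation with its xlock caveat (this is example code, not from the advisory or from The Open Group), the following POSIX shell script lists the setuid and setgid programs under an X11 ProjectRoot and strips the bits from all of them except an allowlist. The default ProjectRoot /usr/X11R6.3 is the one named in the advisory; the function names and the allowlist argument are this example's own.

```shell
#!/bin/sh
# Added example (not from CERT CA-97.11 or The Open Group): enumerate the
# setuid/setgid programs under an X11 ProjectRoot and, as a last resort,
# strip the bits from all but an allowlist. The advisory notes that xlock
# may need setuid to read the shadow password file, so it is kept by default.

# Print every regular file under $1 (default: the advisory's ProjectRoot)
# that carries the setuid or setgid bit, one path per line, sorted.
list_privileged_x_programs() {
    root=${1:-/usr/X11R6.3}
    find "$root" -type f \( -perm -4000 -o -perm -2000 \) -print | sort
}

# Remove setuid and setgid bits from every privileged file under $1, except
# files whose basename appears in the space-separated allowlist $2
# (default: xlock). Echoes each path it changed.
strip_privileged_bits() {
    root=$1
    keep=${2:-xlock}
    list_privileged_x_programs "$root" | while read -r f; do
        base=$(basename "$f")
        skip=0
        for k in $keep; do
            [ "$base" = "$k" ] && skip=1
        done
        if [ "$skip" -eq 0 ]; then
            chmod u-s,g-s "$f" && echo "$f"
        fi
    done
}

# Usage (review the list before stripping anything):
#   list_privileged_x_programs /usr/X11R6.3
#   strip_privileged_bits /usr/X11R6.3 "xlock xterm"
```

Run the listing first and compare it with what your site expects to be privileged; only programs that genuinely need to run as root should keep the bits, and the advisory is explicit that xterm being setuid root is what turned this overflow into a root compromise.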
Natural Language Service libraries vulnerability

According to a CERT advisory (CA-97.10), reports have been received of a buffer overflow condition that affects some libraries using the Natural Language Service (NLS) on Unix systems. If this vulnerability is exploited, any local user can execute arbitrary programs as a privileged user. It is also possible with some old libraries that this vulnerability can be exploited by remote users. The vulnerability can occur with libraries that use NLSPATH on some systems and PATH_LOCALE on others. To prevent the occurrence of this problem, install a vendor patch as soon as it becomes available, as there are as yet no workarounds available. Vendors who have provided CERT with information on this vulnerability include the following:
- Berkeley Software Design
- Cray Research
- Data General Corp.
- Hewlett-Packard
- IBM Corp.
- Linux Systems
- NEC Corp.
- NeXT/Apple
- The Santa Cruz Operation
- Solbourne
- Sun Microsystems
©1997 Elsevier Science Ltd
For further information, contact CERT on: +1 412 268 7090; fax: +1 412 268 6989; E-mail: cert@cert.org.

Vulnerabilities in pluggable authentication module

According to Sun Microsystems Security Bulletin #00139, vulnerabilities exist in certain versions of SunOS. The vulnerable versions are: 5.5.1, 5.5.1_x86, 5.5, 5.5_x86, 5.4, 5.4_x86 and 5.3; those that are not vulnerable are 4.1.4 and 4.1.3_U1. Because of insufficient bounds checking on arguments in PAM and unix_scheme, it is possible to overwrite the internal stack space of the passwd program, and this vulnerability can be used to gain root access on attacked systems. Under SunOS 5.5.1 and 5.5, yppasswd and nispasswd are hard links to the passwd program and therefore are also vulnerable. Under SunOS 5.4 and 5.3, passwd, yppasswd and nispasswd are separate programs, but they dynamically link unix_scheme and are affected. This vulnerability is fixed by the installation of the following patches:

OS version | Patch ID
SunOS 5.5.1 | 104433-03
SunOS 5.5.1_x86 | 104434-02
SunOS 5.5 | 103178-03
SunOS 5.5_x86 | 103179-03
SunOS 5.4 | 101945-49 (soon to be released)
SunOS 5.4_x86 | 101946-43 (soon to be released)
SunOS 5.3 | 101318-87 (soon to be released)

The following table shows the BSD checksums (SunOS 4.1.x: /bin/sum; SunOS 5.x: /usr/ucb/sum), the SVR4 checksums (SunOS 5.x: /usr/bin/sum) and the MD5 digital signatures for the compressed tar files.

File name | BSD checksum | SVR4 checksum | MD5 digital signature
104433-03.tar.Z | 38148 225 | 11004 449 | 80C625D86DBFA06C107956EEUBD8126A
104434-02.tar.Z | 22283 142 | 51656 284 | 4079E48BBBBA929FPPEFE4D388778023
103178-03.tar.Z | 11476 212 | 51066 423 | 74547F3FDF850FAAF6802176CF146AA4
103179-03.tar.Z | 55629 192 | 1250 384 | CA11D05845116F62FCC8DDCC6EDBC28
If you have a support contract, you can obtain the patches listed in this bulletin from SunSolve Online, local Sun answer centres worldwide and SunSITEs worldwide. These patches are also available at http://sunsolve.sun.com. If you do not have a support contract, it is possible to obtain security patches, 'recommended' patches and patch lists via SunSolve Online. For further information, contact: Sun Security Coordinator, E-mail: security-alert@sun.com.
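A published checksum table only protects you if the downloaded archives are actually compared against it before installation. The following POSIX shell script is an added example, not part of the Sun bulletin or this article: it computes the BSD sum, the SVR4 sum and the MD5 digest of a file and checks them against expected values in the form Sun prints them. It assumes GNU or BusyBox coreutils, where `sum -r` gives the BSD checksum, `sum -s` the SVR4 checksum and `md5sum` the MD5 digest (the SunOS command paths named in the article differ, the values do not); the function names and the sample file it constructs are the example's own.

```shell
#!/bin/sh
# Added example (not from Sun Security Bulletin #00139 or Network Security):
# verify a downloaded patch archive against the three checksums Sun publishes.
# Assumes GNU/BusyBox coreutils: `sum -r` = BSD checksum, `sum -s` = SVR4
# checksum, `md5sum` = MD5 digest. Only the checksum field is compared; the
# second field in the published BSD/SVR4 entries is a block count.

bsd_sum()  { sum -r "$1" | awk '{print $1}'; }
svr4_sum() { sum -s "$1" | awk '{print $1}'; }
md5_of()   { md5sum "$1" | awk '{print $1}'; }

# verify_file FILE BSD_SUM SVR4_SUM MD5
# Reports each mismatch and returns 0 only when all three values match.
verify_file() {
    file=$1; want_bsd=$2; want_svr4=$3
    # Sun prints the MD5 in upper case, md5sum in lower case: normalise.
    want_md5=$(printf '%s' "$4" | tr 'A-F' 'a-f')
    [ -f "$file" ] || { echo "$file: missing"; return 1; }
    status=0
    got_bsd=$(bsd_sum "$file")
    got_svr4=$(svr4_sum "$file")
    got_md5=$(md5_of "$file")
    # Numeric comparison tolerates the leading zeros `sum -r` pads with.
    [ "$got_bsd" -eq "$want_bsd" ] \
        || { echo "$file: BSD sum $got_bsd, expected $want_bsd"; status=1; }
    [ "$got_svr4" -eq "$want_svr4" ] \
        || { echo "$file: SVR4 sum $got_svr4, expected $want_svr4"; status=1; }
    [ "$got_md5" = "$want_md5" ] \
        || { echo "$file: MD5 $got_md5, expected $want_md5"; status=1; }
    [ "$status" -eq 0 ] && echo "$file: all checksums match"
    return "$status"
}

# Demonstration on a constructed file (not a real patch archive). The expected
# values are those of the six-byte content "hello\n".
demo() {
    tmp=$(mktemp -d)
    printf 'hello\n' > "$tmp/sample.tar.Z"
    verify_file "$tmp/sample.tar.Z" 36979 542 B1946AC92492D2347C6235B4D2611184
    # A copy altered by a single byte fails all three checks.
    printf 'hellO\n' > "$tmp/tampered.tar.Z"
    verify_file "$tmp/tampered.tar.Z" 36979 542 B1946AC92492D2347C6235B4D2611184 \
        || echo "tampered copy rejected"
    rm -rf "$tmp"
}

demo
```

To check a real download, call verify_file with the file name and the three values from the row of the table above, for example the BSD checksum 38148, the SVR4 checksum 11004 and the MD5 digest for 104433-03.tar.Z. Note that a 16-bit BSD or SVR4 sum is trivial to collide, so the MD5 digest is the check that matters; the sums are there for systems that had no MD5 tool.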
Java applets that steal computer cycles

It is not always obvious what is happening with your machine while you are accessing the Internet. While a computer is connected to the Web, information can be snatched from the PC; a clever hacker could even steal your processing power. This technique, dubbed 'MIPS-sucking' by Computerworld, involves applets that download to a machine browsing the Web, use its processor power to perform functions and then send the results back to the host. It isn't too difficult to write a MIPS-sucking Java applet. An Andersen Consulting team wrote an experimental in-house applet that performed multiplication tasks on any machine connected to an intranet site, to test how well such an applet would work. 'About 40% of a CPU could be grabbed in a way (users) didn't even notice', said Bruce Krulwich, a senior research scientist at AgentSoft Ltd. The Andersen applet stopped sending results as soon as a user left the intranet site. But it is possible to override an applet's 'stop' mechanism and keep it running after the user leaves a site, said Gary McGraw, co-author of Java Security: Hostile Applets, Holes and Antidotes. McGraw has written a demonstration applet that runs as long as a user's browser runs, no matter where the user clicks after visiting its page. Hackers could find this a useful tool to grab enough power to crack encryption codes.
High profile Web sites warrant high security

The spate of vandalism of high-profile Web sites continues in the States. According to a report in Computerworld, vandals who broke in to the National Collegiate Athletic Association's (NCAA) Web site timed their attack to coincide with the announcement