=============================================================================== Security Advisory CERT-NL =============================================================================== Author/Source : CERT-NL (Erik-Jan Bos) Index : S-93-04 Distribution : SURFnet constituency Page : 1 Classification: External Version: Final Subject : NeXT NetInfo "_writers" Vulnerabilities Date : 22-Jan-93 =============================================================================== CERT-NL has received information from CERT Coordination Center (who has received information from NeXT Computer, Inc.) concerning vulnerabilities in the distributed printing facility of NeXT computers running all releases of NeXTSTEP software through NeXTSTEP Release 3.0. For more information, please contact your authorized support center. If you are an authorized support provider, please contact NeXT through your normal channels. I. Description The default NetInfo "_writers" properties are configured to allow users to install printers and FAX modems and to export them to the network without requiring assistance from the system administrator. They also allow a user to configure other parts of the system, such as monitor screens, without requiring help from the system administrator. Vulnerabilities exist in this facility that could allow users to gain unauthorized privileges on the system. II. Impact In the case of the "/printers" and the "/fax_modems" directories, the "_writers" property can permit users to obtain unauthorized root access to a system. In the "/localconfig/screens" directory, the "_writers" property can potentially permit a user to deny normal login access to other users. III. Solution To close the vulnerabilities, remove the "_writers" properties from the "/printers", "/fax_modems", and "/localconfig/screens" directories in all NetInfo domains on the network, and from all immediate subdirectories of all "/printers", "/fax_modems", and "/localconfig/screens" directories. The "_writers" properties may be removed using any one of the following three methods: A. As root, use the "niutil" command-line utility. For example, to remove the "_writers" property from the "/printers" directory: # /usr/bin/niutil -destroyprop . /printers _writers B. Alternatively, use the NetInfoManager application: open the desired domain, open the appropriate directory, select the "_writers" property, choose the "Delete" command [Cmd-r] from the "Edit" menu, and save the directory. C. To assist system administrators in editing their NetInfo domains, a shell script, "writersfix", is available via anonymous FTP from next.com (129.18.1.2): Filename Size Checksum -------- ---- -------- pub/Misc/Utilities/WritersFix.compressed 5600 25625 6 After transferring this file using BINARY transfer type, double-click on the file. A "WritersFix" directory will be created in your file system, containing the script ("writersfix") and some documentation ("WritersFix.rtf"). Consider removing "_writers" from other NetInfo directories as well (for example, "/locations"), noting the following trade-off between ease-of-use and security. By removing the "_writers" properties, the network and the computers on the network become more secure, but a system administrator's assistance is required where it previously was not required. Please refer to the NeXTSTEP Network and System Administration manual for additional information on "_writers". Note that the subdirectories of the "/users" directory have "_writers_passwd" set to the user whose account is described by the directory. This is essential if users are to be able to change their own passwords, and this does not compromise system security. ----------------------------------------------------------------------------- The CERT Coordination Center wishes to thank Alan Marcum and Eric Larson of NeXT Computer, Inc. for notifying us about the existence of these vulnerabilities and for providing appropriate technical information. ----------------------------------------------------------------------------- CERT-NL wishes to thank CERT Coordination Center from bringing this information to our attention. ============================================================================== CERT-NL is the Computer Emergency Response Team, located in The Netherlands. CERT-NL is a Full Member of the Forum of Incident Response and Security Teams (FIRST). The constituency of CERT-NL are the SURFnet connected institutions. Past CERT-NL Security Bulletins and other CERT-NL related material can be found on the anonymous FTP server of SURFnet bv: "ftp.nic.surfnet.nl" [192.87.46.3], in the directory "netman/cert-nl". This information is also available using email. Send an email saying "help" to "mailserv@nic.surfnet.nl". In case of computer or network security problems please contact CERT-NL or the CERT of your own constituency. Please be aware of the fact that we are are one hour ahead of Universal Time Coordinated (i.e. UTC+0100). Email: cert-nl@surfnet.nl Phone: +31 30 310290 Fax: +31 30 340903 Snailmail: SURFnet bv Attn. CERT-NL P.O. Box 19035 NL - 3501 DA UTRECHT The Netherlands A 7*24h phonenumber is available to SURFnet SSC's and FIRST members on request ==============================================================================