ISS X-Force: The Most Wanted Alert List

Alert Summaries

ISS Security Alert Summary
November 5, 1997
Volume 1 Number 6

X-Force Vulnerability and Threat Database: http://www.iss.net/xforce

To receive these Alert Summaries, subscribe to the ISS Alert mailing list by sending an e-mail to majordomo@iss.net and within the body of the message type: 'subscribe alert'.

___

Index

12 Reported New Vulnerabilities

- HP-cde
- FreeBSD-open
- IBM-portmir
- IBM-piodmgrsu
- IBM-nslookup
- IBM-ftp
- Sun-niscache
- Sun-ftpd/rlogind
- Sun-sysdef
- IBM-libDtSvc
- bsd-tel-tgetent
- linux-lpd

1 Vulnerability Update

- Sun-rlogin

Comparative Network Security Scanner Review

Risk Factor Key

___

Date Reported: 10/29/97
Vulnerability: HP-cde
Affected Platforms: HP-UX (10.10, 10.20, 10.30)
Risk Factor: High

Hewlett Packard's Common Desktop Environment is a windowing system that contains session and window management tools, network services, and other common desktop tools. Several setuid and setgid programs have buffer overflow conditions that can be exploited to gain unauthorized privileges. HP has released patches that correct these problems.

References:
HP Security Bulletin #00072 - http://us-support.external.hp.com/
http://ciac.llnl.gov/ciac/bulletins/i-009.shtml

___

Date Reported: 10/29/97
Vulnerability: FreeBSD-open
Affected Platforms: FreeBSD (2.1.x, 2.2.x), FreeBSD-stable, FreeBSD-current
Risk Factor: High

A problem exists in the way that FreeBSD's open() system call obtains the right to execute I/O instructions. Any local user could exploit this problem to execute unauthorized I/O instructions. The problem in open() has been corrected in FreeBSD-current as of 1997/10/24.

Reference:
ftp://freebsd.org/pub/CERT/advisories/FreeBSD-SA-97%3A05.open.asc

___

Date Reported: 10/29/97
Vulnerability: IBM-portmir
Affected Platforms: AIX (4.2.1)
Risk Factor: High

Multiple vulnerabilities in AIX's portmir command allow local users to obtain unauthorized root privileges.

References:
http://www.ers.ibm.com/tech-info/advisories/sva/1997/ERS-SVA-E01-1997:006.1.txt
http://ciac.llnl.gov/ciac/bulletins/i-011.shtml

___

Date Reported: 10/29/97
Vulnerability: IBM-piodmgrsu
Affected Platforms: AIX (4.1, 4.2)
Risk Factor: Medium

Piodmgrsu is a program that performs various operations on the printer backend's alternate ODM database. It contains a vulnerability in the way that it passes environment variables to child processes that allows local users to obtain access to the printq group.

References:
http://www.ers.ibm.com/tech-info/advisories/sva/1997/ERS-SVA-E01-1997:007.1.txt
http://ciac.llnl.gov/ciac/bulletins/i-010.shtml

___

Date Reported: 10/29/97
Vulnerability: IBM-nslookup
Affected Platforms: AIX (4.1, 4.2)
Risk Factor: High

Nslookup is a program that is used to query Internet domain name servers and return various information about hosts. It contains a vulnerability that allows local users to obtain unauthorized root access.

References:
http://www.ers.ibm.com/tech-info/advisories/sva/1997/ERS-SVA-E01-1997:008.1.txt
http://ciac.llnl.gov/ciac/bulletins/i-010.shtml

___

Date Reported: 10/29/97
Vulnerability: IBM-ftp
Affected Platforms: AIX (3.2, 4.1, 4.2)
Risk Factor: High

The File Transfer Protocol (ftp) client contains a vulnerability in that it can be tricked into executing arbitrary commands. Remote servers can name a file preceded by the | symbol, and the local ftp client will execute that file as a shell script on the local machine. It is possible that root access could be acquired using this trick.

Reference:
http://www.ers.ibm.com/tech-info/advisories/sva/1997/ERS-SVA-E01-1997:009.1.txt

___

Date Reported: 10/28/97
Vulnerability: Sun-niscache
Affected Platforms: Solaris (2.4, 2.5, 2.5.1)
Risk Factor: High

The program nis_cachemgr is used by NIS+ to cache location information of NIS+ servers. It contains a vulnerability that could allow an attacker to add directory objects to the shared cache and specify rogue NIS+ servers that they control.

References:
http://sunsolve.sun.com/sunsolve/secbulletins/security-alert-155.txt
http://ciac.llnl.gov/ciac/bulletins/i-007.shtml

___

Date Reported: 10/28/97
Vulnerability: Sun-ftpd/rlogind
Affected Platforms: Solaris (2.3, 2.4, 2.5, 2.5.1), SunOS (4.1.3, 4.1.4)
Risk Factor: High

A vulnerability exists in the Internet File Transfer Protocol server process (in.ftpd) and the rlogin server process (in.rlogind). The attacker can execute arbitrary commands on the host by connecting from the ftp server's data port to the rlogin server on a trusted host.

References:
http://sunsolve.sun.com/sunsolve/secbulletins/security-alert-156.txt
http://ciac.llnl.gov/ciac/bulletins/i-007.shtml

___

Date Reported: 10/28/97
Vulnerability: Sun-sysdef
Affected Platforms: Solaris (2.3, 2.4, 2.5, 2.5.1)
Risk Factor: High

The command sysdef is used to display current system information such as hardware devices, system devices, kernel parameters, etc. It contains a vulnerability that would allow local users to read kernel memory. Kernel memory can contain such information as unencrypted passwords, and could possibly lead to root access.

References:
http://sunsolve.sun.com/sunsolve/secbulletins/security-alert-157.txt
http://ciac.llnl.gov/ciac/bulletins/i-007.shtml

___

Date Reported: 10/28/97
Vulnerability: IBM-libDtSvc
Affected Platforms: AIX (4.1, 4.2)
Risk Factor: High

AIX has a buffer overflow in the libDtSvc.a library that allows unauthorized local users to obtain root privileges. An exploit for this vulnerability was posted on a security mailing list and is publicly available.

References:
http://www.ers.ibm.com/tech-info/advisories/sva/1997/ERS-SVA-E01-1997:005.1.txt
http://ciac.llnl.gov/ciac/bulletins/i-010.shtml

___

Date Reported: 10/21/97
Vulnerability: bsd-tel-tgetent
Affected Platforms: BSD/OS (2.1)
Risk Factor: High

The telnet daemon, telnetd, contains a vulnerability in its tgetent library routine. By manipulating environment variables which are passed to the telnet daemon, an attacker can produce a buffer overflow to obtain root privileges.

Reference:
ftp://ftp.secnet.com/pub/advisories/SNI-20.telnetd.tgetent.advisory

___

Date Reported: 10/6/97
Vulnerability: linux-lpd
Affected Platforms: Linux (Red Hat 4.2)
Risk Factor: High

The first problem is that Red Hat calls the printfilter software package when any file is being printed. After determining the file type, printfilter applies the appropriate filter to the file so that it can be printed properly. Some filters write into the /tmp directory, so local users can create symbolic links there that will overwrite files with uid bin and gid root. The second problem concerns groff requests, which allow local as well as remote users to execute programs as uid bin and gid root, which can easily lead to root access.

Reference:
http://www.dec.net/ksrt/adv4.html

___

Date: 10/28/97
Update: Sun-rlogin
Vendor: Sun Microsystems, Inc.
Platforms: Solaris (2.3, 2.4, 2.5, 2.5.1), SunOS (4.1.3, 4.1.4)

Sun has released patches for the rlogin vulnerability in which the TERM environment variable is copied to an internal buffer. The buffer can be overflowed and arbitrary code can be executed. Since rlogin is setuid root, local accounts would be able to obtain unauthorized root access.

References:
http://sunsolve.sun.com/sunsolve/secbulletins/security-alert-158.txt
http://ciac.llnl.gov/ciac/bulletins/h-25a.shtml
ftp://info.cert.org/pub/cert_advisories/CA-97.06.rlogin-term

___

Comparative Network Security Scanner Review

For a comparative review of five network security scanners, see Network World Magazine: visit http://www.nwfusion.com and register for a login.

Review: http://www.nwfusion.com/reviews/1027rev.html

---

Risk Factor Key:

High - any vulnerability that provides an attacker with immediate access into a machine, gains superuser access, or bypasses a firewall. Example: a vulnerable Sendmail 8.6.5 version that allows an intruder to execute commands on the mail server.

Medium - any vulnerability that provides information that has a high potential of giving access to an intruder. Example: a misconfigured TFTP or vulnerable NIS server that allows an intruder to get the password file, which may contain an account with a guessable password.

Low - any vulnerability that provides information that could potentially lead to a compromise. Example: a finger service that allows an intruder to find out who is online and which accounts are potential targets for brute-force password cracking.

---

Developed and maintained by renowned security experts, the X-Force Computer Vulnerability and Threat Database is the world's most comprehensive on-line source for information on network security risks. It details hundreds of network security vulnerabilities and threats, including information on the relative severity of each risk, and recommended corrective actions to tighten security holes. Visit it at http://www.iss.net/xforce

Internet Security Systems, Inc. (ISS) is the pioneer and world's leading supplier of network security assessment and intrusion detection tools, providing comprehensive software that enables organizations to proactively manage and minimize their network security risks. For more information, contact the company at (800) 776-2362 or (770) 395-0150 or visit the ISS Web site at http://www.iss.net

--------

Copyright (c) 1997 by Internet Security Systems, Inc.

Permission is hereby granted for the redistribution of this Alert Summary electronically. It is not to be edited in any way without express consent of X-Force. If you wish to reprint the whole or any part of this Alert Summary in any other medium excluding electronic medium, please e-mail xforce@iss.net for permission.

Disclaimer

The information within this paper may change without notice. Use of this information constitutes acceptance for use in an AS IS condition. There are NO warranties with regard to this information. In no event shall the author be liable for any damages whatsoever arising out of or in connection with the use or spread of this information. Any use of this information is at the user's own risk.

X-Force PGP Key available at: http://www.iss.net/xforce/sensitive.html as well as on MIT's PGP key server and PGP.com's key server.

Please send suggestions, updates, and comments to: X-Force, xforce@iss.net, of Internet Security Systems, Inc.