news:[EMAIL PROTECTED] Marcey Kelley <[EMAIL PROTECTED]> wrote:
>-----BEGIN PGP SIGNED MESSAGE-----
>
>[ Moderator's note: Forwarded from linux-alert. :-) --liw ]
>
>[Mod: Forwarded from Bugtraq. --Jeff.]
>
>- -----BEGIN PGP SIGNED MESSAGE-----
>
>
>             __________________________________________________________
>
>                        The U.S. Department of Energy
>                    Computer Incident Advisory Capability
>                           ___  __ __    _     ___
>                          /       | /_\  /
>                          \___  __|__ /   \ \___
>             __________________________________________________________
>
>                             INFORMATION BULLETIN
>
>                       Vulnerability in WorkMan Program
>
>August 29, 1996 15:00 GMT                                          Number G-42
>______________________________________________________________________________
>PROBLEM:       When the "WorkMan" compact disc playing program is installed
>               set-user-id "root", it can be used to make any file on the
>               system world-writable.
>PLATFORM:      Linux, UNIX System V Release 4.0 (and derivatives).
>DAMAGE:        A non-privileged user can use "WorkMan" to make any file on the
>               system world-writable, and then modify that file's contents.
>               This vulnerability can allow the user to create accounts,
>               destroy log files, and perform other unauthorized actions.
>SOLUTION:      Apply the patches listed in the vendor bulletin below.
>______________________________________________________________________________
>VULNERABILITY  This vulnerability is becoming widely known.
>ASSESSMENT:
>______________________________________________________________________________
>
>[Begin IBM Bulletin]
>
>- - ---ERS-ALERT--ERS-ALERT--ERS-ALERT--ERS-ALERT--ERS-ALERT--ERS-ALERT-ERS-ALERT
>- - ---EXTERNAL RELEASE---EXTERNAL RELEASE---EXTERNAL RELEASE---EXTERNAL RELEASE
>
>              =======   ============    ======      ======
>              =======   ==============  =======    =======
>                ===      ===      ====   ======    ======
>                ===      ===========     =======  =======
>                ===      ===========     === ======= ===
>                ===      ===      ====   ===  =====  ===
>              =======   ==============  =====   =   =====
>              =======   ============    =====       =====
>
>                        EMERGENCY RESPONSE SERVICE
>                      SECURITY VULNERABILITY ALERT
>
>28 August 1996 18:00 GMT                     Number: ERS-SVA-E01-1996:005.1
>=============================================================================
>                            VULNERABILITY SUMMARY
>
>VULNERABILITY: When the "WorkMan" compact disc playing program is installed
>               set-user-id "root," it can be used to make any file on the
>               system world-writable.
>
>PLATFORMS:     Linux, UNIX System V Release 4.0 (and derivatives)
>
>SOLUTION:      Remove the set-user-id bit from the "workman" program.
>
>THREAT:        A non-privileged user can use "WorkMan" to make any file on
>               the system world-writable, and then modify that file's
>               contents.
>
>=============================================================================
>                            DETAILED INFORMATION
>
>NOTE: This advisory is NOT a re-hash of the problem reported on several lists
>      earlier this week by a group calling itself "r00t."  The vulnerability
>      described by "r00t" is essentially a subset of the problem described in
>      this alert.
>
>I.   Description
>
>"WorkMan" is a popular program used for playing audio compact disks on local
>workstation CD-ROM drives that is widely available from many sites around the
>Internet.  Versions of "WorkMan" are also included with some operating system
>distributions, such as Linux.
>
>On systems where "WorkMan" was built and installed using the procedures that
>are given in "Makefile.linux" or "Makefile.svr4" (in general, this means on
>Linux systems and UNIX System V Release 4.0 systems), the "workman" program
>is installed set-user-id "root."  This means that when the program is run,
>it will execute with super-user permissions.
>
>In order to allow signals to be sent to it, "WorkMan" writes its process-id
>to a file called "/tmp/.wm_pid."  The "-p" option to the program allows the
>user to specify a different file name in which to record this information.
>When a file is specified with "-p", "WorkMan" simply attempts to create and/or
>truncate the file, and if this succeeds, "WorkMan" changes the permissions on
>the file so that it is world-readable and world-writable.
>
>In the general case, when "WorkMan" is installed without the set-user-id bit
>set, the normal file access permissions provided by the operating system will
>prevent users from creating or truncating files they are not authorized to
>create or truncate.  However, when "WorkMan" is installed set-user-id "root,"
>this process breaks down (because "root" is allowed to create/truncate any
>file).
>
>II.  Impact
>
>A user executing a set-user-id "root" version of "WorkMan" can use the "-p"
>option to create a file anywhere in the file system, or to truncate any file
>in the file system.  More importantly, the file specified with "-p" will be
>world-readable and world-writable when "WorkMan" is finished.  This can enable
>the user to create accounts, destroy log files, and perform other unauthorized
>actions.
>
>III. Solutions
>
>"WorkMan" does not require the set-user-id bit to work; it is installed this
>way only on systems that do not make the CD-ROM device file world-readable
>by default.
>
>This vulnerability can be alleviated by:
>
>1) Removing the set-user-id bit from the "WorkMan" program, via a command
>   such as
>
>       chmod u-s /usr/local/bin/workman
>
>and
>
>2) Making the CD-ROM device world-readable, via a command such as
>
>       chmod +r /dev/cdrom
>
>Note that on multi-user systems, part (2) of the above procedure will allow
>any user to access the contents of the disc installed in the CD-ROM; this
>may not be desirable in all environments.
>
>IV.  Acknowledgements
>
>IBM-ERS would like to thank the IBM Global Security Analysis Laboratory at the
>IBM T. J. Watson Research Center for their discovery of this vulnerability,
>bringing it to our attention, providing the steps to fix it, and assistance in
>developing this alert.
>
>UNIX is a technology trademark of X/Open Company, Ltd.
>
>===============================================================================
>
>[End IBM Bulletin]
>_______________________________________________________________________________
>
>CIAC wishes to acknowledge the contributions of IBM for the
>information contained in this bulletin.
>_______________________________________________________________________________
>
>CIAC, the Computer Incident Advisory Capability, is the computer
>security incident response team for the U.S. Department of Energy
>(DOE) and the emergency backup response team for the National
>Institutes of Health (NIH).  CIAC is located at the Lawrence Livermore
>National Laboratory in Livermore, California.  CIAC is also a founding
>member of FIRST, the Forum of Incident Response and Security Teams, a
>global organization established to foster cooperation and coordination
>among computer security teams worldwide.
>
>CIAC services are available to DOE, DOE contractors, and the NIH.  CIAC
>can be contacted at:
>    Voice:    +1 510-422-8193
>    FAX:      +1 510-423-8002
>    STU-III:  +1 510-423-2604
>    E-mail:   [EMAIL PROTECTED]
>
>For emergencies and off-hour assistance, DOE, DOE contractor sites,
>and the NIH may contact CIAC 24-hours a day.  During off hours (5PM -
>8AM PST), call the CIAC voice number 510-422-8193 and leave a message,
>or call 800-759-7243 (800-SKY-PAGE) to send a Sky Page.  CIAC has two
>Sky Page PIN numbers, the primary PIN number, 8550070, is for the CIAC
>duty person, and the secondary PIN number, 8550074 is for the CIAC
>Project Leader.
>
>Previous CIAC notices, anti-virus software, and other information are
>available from the CIAC Computer Security Archive.
>
>   World Wide Web:       http://ciac.llnl.gov/
>   Anonymous FTP:        ciac.llnl.gov (128.115.19.53)
>   Modem access:         +1 (510) 423-4753 (28.8K baud)
>                         +1 (510) 423-3331 (28.8K baud)
>
>CIAC has several self-subscribing mailing lists for electronic
>publications:
>1. CIAC-BULLETIN for Advisories, highest priority - time critical
>   information and Bulletins, important computer security information;
>2. CIAC-NOTES for Notes, a collection of computer security articles;
>3. SPI-ANNOUNCE for official news about Security Profile Inspector
>   (SPI) software updates, new features, distribution and
>   availability;
>4. SPI-NOTES, for discussion of problems and solutions regarding the
>   use of SPI products.
>
>Our mailing lists are managed by a public domain software package
>called ListProcessor, which ignores E-mail header subject lines.  To
>subscribe (add yourself) to one of our mailing lists, send the
>following request as the E-mail message body, substituting
>CIAC-BULLETIN, CIAC-NOTES, SPI-ANNOUNCE or SPI-NOTES for list-name and
>valid information for LastName FirstName and PhoneNumber when sending
>
>E-mail to [EMAIL PROTECTED]:
>       subscribe list-name LastName, FirstName PhoneNumber
>  e.g., subscribe ciac-notes OHara, Scarlett W. 404-555-1212 x36
>
>You will receive an acknowledgment containing address, initial PIN,
>and information on how to change either of them, cancel your
>subscription, or get help.
>
>PLEASE NOTE: Many users outside of the DOE, ESnet, and NIH computing
>communities receive CIAC bulletins.  If you are not part of these
>communities, please contact your agency's response team to report
>incidents.  Your agency's team will coordinate with CIAC.  The Forum of
>Incident Response and Security Teams (FIRST) is a world-wide
>organization.  A list of FIRST member organizations and their
>constituencies can be obtained by sending email to
>[EMAIL PROTECTED] with an empty subject line and a message body
>containing the line: send first-contacts.
>
>This document was prepared as an account of work sponsored by an
>agency of the United States Government.  Neither the United States
>Government nor the University of California nor any of their
>employees, makes any warranty, express or implied, or assumes any
>legal liability or responsibility for the accuracy, completeness, or
>usefulness of any information, apparatus, product, or process
>disclosed, or represents that its use would not infringe privately
>owned rights.  Reference herein to any specific commercial products,
>process, or service by trade name, trademark, manufacturer, or
>otherwise, does not necessarily constitute or imply its endorsement,
>recommendation or favoring by the United States Government or the
>University of California.  The views and opinions of authors expressed
>herein do not necessarily state or reflect those of the United States
>Government or the University of California, and shall not be used for
>advertising or product endorsement purposes.
>
>LAST 10 CIAC BULLETINS ISSUED (Previous bulletins available from CIAC)
>
>G-32: HP-UX Vulnerabilities in expreserve, rpc.pcnfsd, rpc.statd
>G-33: rdist vulnerability
>G-34: HP-UX Vulnerabilities (netttune, SAM remote admin)
>G-35: SUN Microsystems Solaris vold Vulnerability
>G-36: HP-UX Vulnerabilities in elm and rdist Programs
>G-37: Vulnerability in Adobe FrameMaker (fm_fls)
>G-38: Linux Vulnerabilities in mount and umount Programs
>G-39: Vulnerability in expreserve
>G-40: SGI admin and user Program Vulnerabilities
>G-41: Vulnerability in BASH Program
>
>RECENT CIAC NOTES ISSUED (Previous Notes available from CIAC)
>
>Notes 07 - 3/29/95     A comprehensive review of SATAN
>
>Notes 08 - 4/4/95      A Courtney update
>
>Notes 09 - 4/24/95     More on the "Good Times" virus urban legend
>
>Notes 10 - 6/16/95     PKZ300B Trojan, Logdaemon/FreeBSD, vulnerability
>                       in S/Key, EBOLA Virus Hoax, and Caibua Virus
>
>Notes 11 - 7/31/95     Virus Update, Hats Off to Administrators,
>                       America On-Line Virus Scare, SPI 3.2.2 Released,
>                       The Die_Hard Virus
>
>Notes 12 - 9/12/95     Securely configuring Public Telnet Services, X
>                       Windows, beta release of Merlin, Microsoft Word
>                       Macro Viruses, Allegations of Inappropriate Data
>                       Collection in Win95
>
>Notes 96-01 - 3/18/96  Java and JavaScript Vulnerabilities, FIRST
>                       Conference Announcement, Security and Web Search
>                       Engines, Microsoft Word Macro Virus Update
>
>- -----BEGIN PGP SIGNATURE-----
>Version: 4.0 Business Edition
>
>iQCVAgUBMicE47nzJzdsy3QZAQGRCQQAiA9WGkaF14qx8/7X3qvEicuv23dBgrlV
>siE/Jcq7yBMtuDCThMk9nDbDf1fGLUyysZ/MeeS9ybBpWJxzgWL2iXP9f0yBRtap
>siGX0ij+7LKrexR5nWBsdf7jZF34qaqU8xRlBHxbC7QiZIZD7SMtl9ZYBsflN8nP
>CFT0bTnpUOk=
>=PYbw
>- -----END PGP SIGNATURE-----
>
>
>-----BEGIN PGP SIGNATURE-----
>Version: 2.6.2i
>
>iQCVAwUBMkGkHIQRll5MupLRAQHKcQP+MRWwuNgPZulW9K6GHXvuKL2nA1h8unOX
>aQRrw5Di/SUjXbq2U4W5QiqHrCGoqHZ7KztpYReLnmKNwCCiIewVDNCTvmPxE6+4
>0mqXKiRIVNGiEQkvWftlBOEcLWhz9Fx2iOrhZJmg2Kn6b9O6VckfjxsPWikmuluX
>FKBnv6LLS8Y=
>=WQNr
>-----END PGP SIGNATURE-----
>
>--
>This article has been digitally signed by the moderator, using PGP.
>http://www.iki.fi/liw/lasu-public-key.asc has PGP key for validating signature.
>Send submissions for comp.os.linux.announce to: [EMAIL PROTECTED]
>PLEASE remember a short description of the software and the LOCATION.
>This group is archived at http://www.iki.fi/liw/linux/cola.html

--
Lazaro D. Salem                   E-mail: [EMAIL PROTECTED]
RF-Rogaland Research              Phone:  +47 51 87 50 00
P.O.Box 2503, Ullandhaug          Direct: +47 51 87 50 65
N-4004 Stavanger, NORWAY          Fax:    +47 51 87 52 00
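The flaw the IBM bulletin describes is a general one for set-user-id programs: a pid file is created or truncated at a caller-chosen path while the process still holds root's effective uid, and is then made world-writable. The following C example, added here and not taken from WorkMan's source or from the advisory, puts that pattern (`write_pid_file_unsafe`) beside a hardened one (`write_pid_file_safe`) that drops the effective uid to the real user for the file operation, refuses to truncate an existing file or follow a symlink (`O_EXCL`, `O_NOFOLLOW`), and never widens the file's permissions. Function names, the `/tmp/wm_demo_*` scratch paths and the pid-file format are assumptions for the illustration. The bulletin's actual remedy, removing the set-user-id bit, stays the right fix for an installed "workman"; the hardened function shows what a program that genuinely needs privilege should do with user-supplied paths.

```c
#ifndef _POSIX_C_SOURCE
#define _POSIX_C_SOURCE 200809L
#endif
#ifndef _DEFAULT_SOURCE
#define _DEFAULT_SOURCE
#endif
#include <fcntl.h>
#include <stdio.h>
#include <string.h>
#include <sys/stat.h>
#include <unistd.h>

/* The pattern the advisory describes (illustration, not WorkMan's code):
 * create or truncate the caller-supplied path, then make it world-writable.
 * Run set-user-id root, both steps succeed on any path on the system. */
int write_pid_file_unsafe(const char *path)
{
    int fd = open(path, O_WRONLY | O_CREAT | O_TRUNC, 0644);
    if (fd < 0)
        return -1;
    char buf[32];
    int n = snprintf(buf, sizeof buf, "%ld\n", (long)getpid());
    if (write(fd, buf, (size_t)n) != n) {
        close(fd);
        return -1;
    }
    close(fd);
    return chmod(path, 0666);   /* world-readable and world-writable: the flaw */
}

/* Hardened pattern (an assumed fix, not from the advisory): touch the path
 * only with the invoking user's privileges, never truncate an existing
 * file, refuse symlinks, and leave the file writable by its owner only. */
int write_pid_file_safe(const char *path)
{
    uid_t saved_euid = geteuid();
    int rc = -1;

    /* Drop to the real uid; a no-op when the program is not set-user-id. */
    if (seteuid(getuid()) != 0)
        return -1;

    int fd = open(path, O_WRONLY | O_CREAT | O_EXCL | O_NOFOLLOW, 0644);
    if (fd >= 0) {
        char buf[32];
        int n = snprintf(buf, sizeof buf, "%ld\n", (long)getpid());
        if (write(fd, buf, (size_t)n) == n)
            rc = 0;
        close(fd);
    }

    /* Restore the effective uid so the rest of the program keeps working. */
    if (seteuid(saved_euid) != 0)
        rc = -1;
    return rc;
}

/* Permission bits of path, or -1 if it cannot be stat'ed. */
int file_mode(const char *path)
{
    struct stat st;
    if (stat(path, &st) != 0)
        return -1;
    return (int)(st.st_mode & 0777);
}

/* Build a fresh scratch path under /tmp (constructed for the demo) and make
 * sure nothing is already there, so O_EXCL starts from a clean slate. */
void demo_path(char *buf, size_t n, const char *tag)
{
    snprintf(buf, n, "/tmp/wm_demo_%s_%ld", tag, (long)getpid());
    unlink(buf);
}

int main(void)
{
    char a[64], b[64];
    demo_path(a, sizeof a, "unsafe");
    demo_path(b, sizeof b, "safe");
    write_pid_file_unsafe(a);
    write_pid_file_safe(b);
    printf("unsafe: mode %04o\n", file_mode(a));
    printf("safe:   mode %04o, second create -> %d\n",
           file_mode(b), write_pid_file_safe(b));
    unlink(a);
    unlink(b);
    return 0;
}
```

Run as an ordinary user the two functions differ only in the resulting mode (the unsafe one always ends at 0666, the safe one at 0644 or narrower depending on umask) and in the safe one refusing to touch a path that already exists. The difference that matters is what happens when the effective uid is 0: the unsafe function will create or truncate anything, while the safe function has already given that privilege up before `open` runs, so the operating system's normal permission checks apply, which is exactly the protection the bulletin says the set-user-id bit defeats.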