-----BEGIN PGP SIGNED MESSAGE-----

=============================================================================
AL-95.06a                     AUSCERT Alert
                             January 3, 1996
                 (Revised from AL-95.06 December 13, 1995)
                        splitvt(1) vulnerability
- -----------------------------------------------------------------------------

* This alert contains new information regarding the splitvt(1) vulnerability
* as described in AL-95.06.  A new version of splitvt(1) is now available
* which removes the vulnerability (see section 3 for availability).

A vulnerability has been discovered in the splitvt(1) utility which may allow
local users to gain root access.  This utility is included in many
standard Linux distributions including, but not necessarily limited to,
numerous Slackware versions.  The source code for this utility is publicly
available and operating systems other than Linux which have splitvt(1)
installed may also be vulnerable.

This vulnerability exists in splitvt(1) versions prior to 1.6.3.

* An exploit for this vulnerability has been made publicly available.  Sites
* which have splitvt(1) installed are encouraged to apply a workaround
* mentioned in Section 3 as soon as possible.

1.  Description

    The splitvt(1) utility is a publicly available program for running
    multiple shells in a split window.  A vulnerability exists in versions
    prior to 1.6.3 which may allow users to gain root access.  The version
    may be identified using the command "splitvt -version".

    The splitvt(1) utility is included as part of the standard installation
    of numerous Slackware Linux distributions.  Other Linux distributions
    and sites which are not running Linux, but have splitvt(1) installed,
    may also be vulnerable.

2.  Impact

    Local users may gain root access.

3.  Workaround

    This vulnerability has been removed in splitvt version 1.6.3.  Sites
    that require splitvt(1) are encouraged to upgrade to this version.  It
    is available from:

         ftp://dandelion.ceres.ca.gov/pub/splitvt

    The MD5 checksum is:

         MD5 (splitvt-1.6.3.tar) = eec2fe2c5b4a3958261197905a9d9c81

    Until the official patch is installed, an interim solution is to
    restrict the permissions and remove the setuid bit from splitvt(1).
    As root:

	# chmod 700 /usr/bin/splitvt

    Note: This workaround makes splitvt(1) unavailable to non-privileged
    users.

- ----------------------------------------------------------------------------
AUSCERT wishes to thank Sam Lantinga for his rapid response in addressing
this vulnerability and Alexander O. Yuriev for his assistance in this matter.
- ----------------------------------------------------------------------------

The AUSCERT team have made every effort to ensure that the information
contained in this document is accurate.  However, the decision to use the
information described is the responsibility of each user or organisation.
The appropriateness of this document for an organisation or individual system
should be considered before application in conjunction with local policies
and procedures.  AUSCERT takes no responsibility for the consequences of
applying the contents of this document.

If you believe that your system has been compromised, contact AUSCERT or your
representative in FIRST (Forum of Incident Response and Security Teams).

AUSCERT is the Australian Computer Emergency Response Team, funded by the
Australian Academic Research Network (AARNet) for its members.  It is
located at The University of Queensland within the Prentice Centre.
AUSCERT is a full member of the Forum of Incident Response and Security
Teams (FIRST).

AUSCERT maintains an anonymous FTP service which is found on:
ftp://ftp.auscert.org.au.  This archive contains past SERT and AUSCERT
Advisories, and other computer security information.

AUSCERT also maintains a World Wide Web service which is found on:
http://www.auscert.org.au.

Internet Email:	auscert@auscert.org.au
Facsimile:	(07) 3365 4477
Telephone:	(07) 3365 4417 (International: +61 7 3365 4417)
		AUSCERT personnel answer during Queensland business hours
		which are GMT+10:00 (AEST).
		On call after hours for emergencies.

Postal:
Australian Computer Emergency Response Team
c/- Prentice Centre
The University of Queensland
Brisbane
Qld.  4072.
AUSTRALIA

-----BEGIN PGP SIGNATURE-----
Version: 2.6.2i
Comment: Finger pgp@ftp.auscert.org.au to retrieve AUSCERT's public key

-----END PGP SIGNATURE-----