MCI Telecommunications
internetMCI Security Group

Report Name:           iMCI MIIGS Security Alert
Report Number:         iMCISE:IMCICIAC:081696:01:P1R1
Report Date:           08/16/96
Report Format:         Formal
Report Classification: MCI Informational
Report Reference:      http://www.security.mci.net
Report Distribution:   iMCI Security, MCI Internal Internet Gateway Security
                       (MIIGS), MCI Emergency Alert LiSt (MEALS) (names on file)
-------------------------------------------------------------------------------
>-----BEGIN PGP SIGNED MESSAGE-----
>
>
>             __________________________________________________________
>
>                       The U.S. Department of Energy
>                   Computer Incident Advisory Capability
>                          ___  __ __    _     ___
>                         /       |     /_\   /
>                         \___  __|__  /   \  \___
>             __________________________________________________________
>
>                             INFORMATION BULLETIN
>
>                          Vulnerability in expreserve
>
>August 15, 1996 17:00 GMT                                          Number G-39
>______________________________________________________________________________
>PROBLEM:       A vulnerability in the expreserve utility allows users to
>               overwrite any file on a system.
>PLATFORM:      Many UNIX variants; see vendor information in bulletin below.
>DAMAGE:        By exploiting this vulnerability, users with access to an
>               account on the system can gain root access.
>SOLUTION:      Apply the appropriate vendor patches stated in the bulletin
>               below.
>______________________________________________________________________________
>VULNERABILITY  This vulnerability is not new, and is widely known.
>ASSESSMENT:    Exploitation scripts are publicly available.
>______________________________________________________________________________
>
>[Begin CERT Bulletin]
>
>=============================================================================
>CERT(sm) Advisory CA-96.19
>August 15, 1996
>
>Topic: Vulnerability in expreserve
>- ------------------------------------------------------------------------------
>
>          *** This advisory supersedes CA-93:09 and CA-93:09a. ***
>
>The CERT Coordination Center has received reports of a vulnerability in
>expreserve. Though this is not a new vulnerability, it is one that is widely
>known and that many users have not yet patched. The CERT/CC team recommends
>that you patch your system as soon as possible, as exploitation scripts are
>publicly available. Appendix A contains the information we have received from
>vendors. Until you can install a patch, you should apply the workaround in
>Section III below.
>
>As we receive additional information relating to this advisory, we will place
>it in
>        ftp://info.cert.org/pub/cert_advisories/CA-96.19.README
>
>We encourage you to check our README files regularly for updates on
>advisories that relate to your site.
>
>- ------------------------------------------------------------------------------
>
>I.   Description
>
>     Expreserve is a utility that preserves the state of a file being edited
>     by vi(1) or ex(1) when an edit session terminates abnormally or when the
>     system crashes. Expreserve has a vulnerability that allows users to
>     overwrite any file on the system. Exploitation scripts are publicly
>     available.
>
>II.  Impact
>
>     By exploiting this vulnerability, users with access to an account on the
>     system can readily gain root privileges.
>
>
>III. Solution
>
>     A. Apply a patch or workaround provided by your vendor.
>        Below is a summary list of the vendors who have provided information,
>        which we have placed in Appendix A of this advisory. If your vendor's
>        name is not on this list, please contact the vendor directly.
>
>                Berkeley Software Design, Inc.
>                Cray Research
>                Data General Corporation
>                Digital Equipment Corporation
>                Hewlett-Packard Company
>                IBM Corporation
>                NeXT Software, Inc.
>                Open Software Foundation
>                The Santa Cruz Operation, Inc.
>                Sun Microsystems, Inc.
>
>     B. Until you are able to apply a patch or workaround, we recommend
>        that you remove the execute permissions on the existing
>        /usr/lib/expreserve program. Do this as root:
>
>                % /usr/bin/chmod a-x /usr/lib/expreserve
>
>        This workaround disables expreserve functionality. The result of this
>        workaround is that if vi(1) or ex(1) is running, and the sessions are
>        interrupted, the files being edited will not be preserved and all
>        edits not explicitly saved by the users will be lost. Encourage users
>        to save their files often.
>
>........................................................................
>
>Appendix A: Vendor Information
>
>Current as of August 15, 1996
>See CA-96.19.README for updated information.
>
>Below is information we have received from vendors concerning the
>vulnerability described in this advisory. If you do not see your vendor's
>name, please contact the vendor directly for information.
>
>
>Berkeley Software Design, Inc.
>==============================
>     BSD/OS is not vulnerable to this problem. We ship the
>     current Keith Bostic nvi which does not use the old expreserve
>     scheme to save files (it uses the 4.4BSD-style 1777 tmp
>     directories to store user tmp files in /var/tmp owned by
>     the user and therefore doesn't require a setuid scheme to
>     recover them).
>
>Cray Research
>=============
>     We have fixed this problem at Cray Research in Unicos version 7.0.
>
>Data General Corporation
>========================
>     The binary /usr/lib/expreserve is not a setuid program on DG/UX,
>     any flavor. We are not, therefore, vulnerable to the exploitation
>     described. Nevertheless, the suggested change has been made and
>     will be included in subsequent releases of DG/UX.
>
>Digital Equipment Corporation
>=============================
>     This reported problem is not present for Digital's ULTRIX or
>     Digital UNIX Operating Systems Software.
>
>     Source:
>     Digital Equipment Corporation
>     Software Security Response Team
>     Copyright (c) Digital Equipment Corporation 1996.
>     All rights reserved.
>
>     8/13/96 - DIGITAL EQUIPMENT CORPORATION
>
>Hewlett-Packard Company
>=======================
>     Hewlett-Packard recommends that all customers concerned with the
>     security of their HP-UX systems either apply the appropriate
>     patch or perform the actions described below as soon as possible.
>
>     The vulnerability can be eliminated from releases 9.X of HP-UX
>     by applying a patch:
>
>     Apply patch PHCO_6363 (series 700/800, HP-UX 9.x), or
>                 PHCO_7833 (series 300/400, HP-UX 9.x), or
>     perform the actions described below in releases of HP-UX prior
>     to 9.X, and in 10.X.
>
>     Since some patches will not be made available on some releases of HP-UX
>     (e.g., prior to 9.X, and now 10.0X), affected systems can be protected by
>     system administrators.
>     They should:
>
>          $ su root
>          # chmod 0555 /usr/lib/expreserve
>
>     In the case of 10.X systems execute the following to affect the link
>     target:
>
>          $ su root
>          # chmod 0555 /usr/lbin/expreserve
>
>
>     The default permission for the file /usr/lib/expreserve (or on HP-UX 10.X
>     /usr/lbin/expreserve) needs only minimal privileges. If the patches
>     mentioned above are applied the vulnerability cannot be exploited.
>
>     Hewlett-Packard Security Bulletin #HPSBUX9607-033, dated July 18, 1996
>     contains more details. This bulletin is available from
>          http://us.external.hp.com/news/
>          ftp://info.cert.org/pub/vendors/hp/
>
>IBM Corporation
>===============
>     AIX versions 3.2.5, 4.1, and 4.2 are not vulnerable to this
>     particular problem.
>
>     IBM and AIX are registered trademarks of International Business
>     Machines Corporation.
>
>NeXT Software, Inc.
>===================
>     This problem was fixed in or before release 3.3 of NeXTstep.
>
>Open Software Foundation
>========================
>     OSF's OSF/1 R1.3 is not affected by this vulnerability.
>
>The Santa Cruz Operation, Inc.
>==============================
>     SCO Operating Systems are not vulnerable to this problem.
>
>Sun Microsystems, Inc.
>======================
>
>System           Patch ID     Filename            MD5 Checksum
>- - ------       --------     ---------------     -----------
>SunOS            101080-01    101080-01.tar.Z     53c8a5c4eee770924560c5fc100542a3
>Solaris 2.0      101119-01    101119-01.tar.Z     No longer available
>Solaris 2.1      101089-01    101089-01.tar.Z     No longer available
>Solaris 2.2      101090-01    101090-01.tar.Z     e9ff98823abbc75d95410a0cb7856644
>Solaris 2.3
>Solaris 2.4      102756-01    102756-01.tar.Z     61f4a48ddba41ae1c27e70b84f4c8d87
>Solaris 2.4_x86  102757-01    102757-01.tar.Z     1f2b7f3824565ef849eb3c4677567399
>
>- ----------------------------------------------------------------------------
>The CERT Coordination Center thanks all the vendors who provided input
>for this advisory.
>- ----------------------------------------------------------------------------
>
>[End CERT Bulletin]
>_______________________________________________________________________________
>
>CIAC wishes to acknowledge the contributions of CERT and all the vendors who
>provided input for the information contained in this bulletin.
>_______________________________________________________________________________
>
>CIAC, the Computer Incident Advisory Capability, is the computer
>security incident response team for the U.S. Department of Energy
>(DOE) and the emergency backup response team for the National
>Institutes of Health (NIH). CIAC is located at the Lawrence Livermore
>National Laboratory in Livermore, California. CIAC is also a founding
>member of FIRST, the Forum of Incident Response and Security Teams, a
>global organization established to foster cooperation and coordination
>among computer security teams worldwide.
>
>CIAC services are available to DOE, DOE contractors, and the NIH. CIAC
>can be contacted at:
>    Voice:    +1 510-422-8193
>    FAX:      +1 510-423-8002
>    STU-III:  +1 510-423-2604
>    E-mail:   ciac@llnl.gov
>
>For emergencies and off-hour assistance, DOE, DOE contractor sites,
>and the NIH may contact CIAC 24-hours a day. During off hours (5PM -
>8AM PST), call the CIAC voice number 510-422-8193 and leave a message,
>or call 800-759-7243 (800-SKY-PAGE) to send a Sky Page. CIAC has two
>Sky Page PIN numbers, the primary PIN number, 8550070, is for the CIAC
>duty person, and the secondary PIN number, 8550074 is for the CIAC
>Project Leader.
>
>Previous CIAC notices, anti-virus software, and other information are
>available from the CIAC Computer Security Archive.
>
>   World Wide Web:       http://ciac.llnl.gov/
>   Anonymous FTP:        ciac.llnl.gov (128.115.19.53)
>   Modem access:         +1 (510) 423-4753 (28.8K baud)
>                         +1 (510) 423-3331 (28.8K baud)
>
>CIAC has several self-subscribing mailing lists for electronic
>publications:
>1. CIAC-BULLETIN for Advisories, highest priority - time critical
>   information and Bulletins, important computer security information;
>2. CIAC-NOTES for Notes, a collection of computer security articles;
>3. SPI-ANNOUNCE for official news about Security Profile Inspector
>   (SPI) software updates, new features, distribution and
>   availability;
>4. SPI-NOTES, for discussion of problems and solutions regarding the
>   use of SPI products.
>
>Our mailing lists are managed by a public domain software package
>called ListProcessor, which ignores E-mail header subject lines. To
>subscribe (add yourself) to one of our mailing lists, send the
>following request as the E-mail message body, substituting
>CIAC-BULLETIN, CIAC-NOTES, SPI-ANNOUNCE or SPI-NOTES for list-name and
>valid information for LastName FirstName and PhoneNumber when sending
>E-mail to ciac-listproc@llnl.gov:
>        subscribe list-name LastName, FirstName PhoneNumber
>   e.g., subscribe ciac-notes OHara, Scarlett W. 404-555-1212 x36
>
>You will receive an acknowledgment containing address, initial PIN,
>and information on how to change either of them, cancel your
>subscription, or get help.
>
>PLEASE NOTE: Many users outside of the DOE, ESnet, and NIH computing
>communities receive CIAC bulletins. If you are not part of these
>communities, please contact your agency's response team to report
>incidents. Your agency's team will coordinate with CIAC. The Forum of
>Incident Response and Security Teams (FIRST) is a world-wide
>organization. A list of FIRST member organizations and their
>constituencies can be obtained by sending email to
>docserver@first.org with an empty subject line and a message body
>containing the line: send first-contacts.
>
>This document was prepared as an account of work sponsored by an
>agency of the United States Government. Neither the United States
>Government nor the University of California nor any of their
>employees, makes any warranty, express or implied, or assumes any
>legal liability or responsibility for the accuracy, completeness, or
>usefulness of any information, apparatus, product, or process
>disclosed, or represents that its use would not infringe privately
>owned rights. Reference herein to any specific commercial products,
>process, or service by trade name, trademark, manufacturer, or
>otherwise, does not necessarily constitute or imply its endorsement,
>recommendation or favoring by the United States Government or the
>University of California. The views and opinions of authors expressed
>herein do not necessarily state or reflect those of the United States
>Government or the University of California, and shall not be used for
>advertising or product endorsement purposes.
>
>LAST 10 CIAC BULLETINS ISSUED (Previous bulletins available from CIAC)
>
>G-29: dip Program Vulnerability
>G-30: DEC Software Security Kits
>G-31: FreeBSD Security Vulnerabilities (ppp, rdist, and rz)
>G-32: HP-UX Vulnerabilities in expreserve, rpc.pcnfsd, rpc.statd
>G-33: rdist vulnerability
>G-34: HP-UX Vulnerabilities (nettune, SAM remote admin)
>G-35: SUN Microsystems Solaris vold Vulnerability
>G-36: HP-UX Vulnerabilities in elm and rdist Programs
>G-37: Vulnerability in Adobe FrameMaker (fm_fls)
>G-38: Linux Vulnerabilities in mount and umount Programs
>
>RECENT CIAC NOTES ISSUED (Previous Notes available from CIAC)
>
>Notes 07 - 3/29/95     A comprehensive review of SATAN
>
>Notes 08 - 4/4/95      A Courtney update
>
>Notes 09 - 4/24/95     More on the "Good Times" virus urban legend
>
>Notes 10 - 6/16/95     PKZ300B Trojan, Logdaemon/FreeBSD, vulnerability
>                       in S/Key, EBOLA Virus Hoax, and Caibua Virus
>
>Notes 11 - 7/31/95     Virus Update, Hats Off to Administrators,
>                       America On-Line Virus Scare, SPI 3.2.2 Released,
>                       The Die_Hard Virus
>
>Notes 12 - 9/12/95     Securely configuring Public Telnet Services, X
>                       Windows, beta release of Merlin, Microsoft Word
>                       Macro Viruses, Allegations of Inappropriate Data
>                       Collection in Win95
>
>Notes 96-01 - 3/18/96  Java and JavaScript Vulnerabilities, FIRST
>                       Conference Announcement, Security and Web Search
>                       Engines, Microsoft Word Macro Virus Update
>
>
>
>-----BEGIN PGP SIGNATURE-----
>Version: 2.6.1
>Comment: Processed by Mailcrypt 3.3, an Emacs/PGP interface
>
>iQCVAwUBMhOYuLnzJzdsy3QZAQEKZQP8Dtcue1wnE8MPCrf8eTnqaK/c7vANCMpu
>fyzUZOcJAxobUBoBcwFp0fXTTNl6/l3FABB4xeMZNshyyOK21tE6KOgjukabQMjA
>Y3hc5KzfeAFMFiKJ6/mUaoBzXjxlNyw1eP9SBflepwUnBV5g+HmmFtUNjSmzeiq8
>Eiiuy1KA8M0=
>=iwa2
>-----END PGP SIGNATURE-----
>
>
===============================================================
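Added example (not part of the CERT, CIAC or MCI text): a small POSIX sh audit that checks the two expreserve paths named in the advisory (/usr/lib/expreserve, and /usr/lbin/expreserve on HP-UX 10.X) for the setuid bit, and applies either documented workaround, CERT's `chmod a-x` or HP's `chmod 0555`. The ROOT prefix argument and the state names are this script's own conventions, introduced so it can be exercised against a scratch directory tree; they are not anything the advisory specifies.

```shell
#!/bin/sh
# Added example, not code from CERT, CIAC, MCI or any vendor.
# Audits the expreserve binaries named in CA-96.19 and applies one of the
# two workarounds the advisory documents. ROOT is an assumed prefix so the
# functions can be run against a scratch tree; "" means the live filesystem.

# Paths from the advisory: CERT names /usr/lib/expreserve; HP-UX 10.X keeps
# the real binary at the link target /usr/lbin/expreserve.
EXPRESERVE_PATHS="/usr/lib/expreserve /usr/lbin/expreserve"

# audit_expreserve ROOT
# Prints one "path:state" token per candidate path, space separated:
#   setuid-executable  setuid bit set and executable (the exploitable state)
#   executable         executable but no setuid bit (HP 0555 workaround)
#   disabled           not executable (CERT a-x workaround)
#   absent             no such file under ROOT
audit_expreserve() {
    root=$1
    out=""
    for p in $EXPRESERVE_PATHS; do
        f="$root$p"
        if [ ! -e "$f" ]; then
            state=absent
        elif [ -u "$f" ] && [ -x "$f" ]; then
            state=setuid-executable
        elif [ -x "$f" ]; then
            state=executable
        else
            state=disabled
        fi
        out="$out $p:$state"
    done
    printf '%s\n' "${out# }"
}

# cert_workaround ROOT
# CERT's interim fix: remove execute permission for everyone. This only
# touches the x bits, so the setuid bit stays in the mode (4755 -> 4644);
# a later "chmod +x" would silently bring back a setuid root program.
cert_workaround() {
    root=$1
    for p in $EXPRESERVE_PATHS; do
        f="$root$p"
        if [ -e "$f" ]; then
            chmod a-x "$f" || return 1
        fi
    done
    return 0
}

# hp_workaround ROOT
# HP's fix: mode 0555, which clears the setuid bit but leaves expreserve
# runnable with the invoking user's own privileges.
hp_workaround() {
    root=$1
    for p in $EXPRESERVE_PATHS; do
        f="$root$p"
        if [ -e "$f" ]; then
            chmod 0555 "$f" || return 1
        fi
    done
    return 0
}

# Live use, as root (empty prefix selects the real filesystem):
#   audit_expreserve ""
#   cert_workaround ""      # or: hp_workaround ""
#   audit_expreserve ""     # confirm no path reports setuid-executable
```

Run the audit before and after applying a workaround, and again after any vendor patch, since the patch may reinstall the binary with its original mode. Neither workaround replaces the patch: the CERT form leaves the setuid bit in place and only blocks execution, while the HP form keeps the program usable but drops the privilege that made the overwrite reach root-owned files.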