<><><><><><><><><><><><><><><><><><><><><><><><><><><><><><><><><><><><><><><> /* *\ / * * \ / * * \ / * * \ / * System Vulnerabilities * \ | * * | | * * | | * * | | * Another Modernz Presentation * | | * * | \ * by * / \ * Multiphage * / \ * * / \ * (C)opyright July 5th, 1992 * / \ * */ ********************************************************* <><><><><><><><><><><><><><><><><><><><><><><><><><><><><><><><><><><><><><><> ******************************************************************************* The Modernz can be contacted at: MATRIX BBS WOK-NOW! World of Kaos NOW! World of Knowledge NOW! St. Dismis Institute - Sysops: Wintermute Digital-demon (908) 905-6691 (908) WOK-NOW! (908) 458-xxxx 1200/2400/4800/9600 14400/19200/38400 Home of Modernz Text Philez <><><><><><><><><><><><><><><><><><><><><><><><><><><><><><><><><><><><><><>< <*><*><*><*><*><*><*><*><*><*><*><*><*><*><*><*><*><*><*><*><*><*><*><*><*><*> <><><><><><><><><><><><><><><><><><><><><><><><><><><><><><><><><><><><><><><> TANSTAAFL Pheonix Modernz The Church of Rodney - Sysop: Tal Meta (908) 830-TANJ (908) 830-8265 Home of TANJ Text Philez <*><*><*><*><*><*><*><*><*><*><*><*><*><*><*><*><*><*><*><*><*><*><*><*><*><*> CyberChat Sysop: Hegz (908)506-6651 (908)506-7637 300/1200/2400/4800/9600 14400/19200/38400 Modernz Site TLS HQ <><><><><><><><><><><><><><<><<><><><><><><><><><><><><><><><><><><><><><><><>< The Global Intelligence Center World UASI Headquarters! Pennsylvania SANsite! (412) 475-4969 300/1200/2400/9600 24 Hours! SysOp: The Road Warrior <><><><><><><><><><><><><><><><><><><><><><><><><><><><><><><><><><><><><><><>< The Lost Realm Western PA UASI site! Western PA. SANfranchise (412) 588-5056 300/1200/2400 SysOp: Orion Buster <><><><><><><><><><><><><><><><><><><><><><><><><><><><><><><><><><><><><><><>< The Last Outpost PowerBBS Support Board UASI ALPHA Division NorthWestern PA UASI site! (412) 662-0769 300/1200/2400 24 hours! SysOp: The Almighty Kilroy <><><><><><><><><><><><><><><><><><><><><><><><><><><><><><><><><><><><><><><>< Hellfire BBS SANctuary World Headquarters! New Jersey UASI site! (908) 495-3926 300/1200/2400 24 hours! SysOp: Red <*><*><*><*><*><*><*><*><*><*><*><*><*><*><*><*><*><*><*><*><*><*><*><*><*><*> BlitzKreig BBS Home of TAP (502)499-8933 <*><*><*><*><*><*><*><*><*><*><*><*><*><*><*><*><*><*><*><*><*><*><*><*><*><*> Information concerning a vulnerability in the crp facility in Hewlett Packard/Apollo Domain/OS. This vulnerability is present on all HP/Apollo Domain/OS SR10 systems up through SR10.3. Patches that address this problem will be available in the SR10.3 patch tape (~Feb 92) and in the SR10.4 software release. Contact your local sales office for more information. --------------------------------------------------------------------------- I. Description There is a security problem with the /usr/apollo/bin/crp facility. A user who is not running crp is not vulnerable to this problem. II. Impact A person at a remote or local site can obtain the privileges of the user who is running crp. III. Workaround The suggested workaround is to disable two system calls that are made by /usr/apollo/bin/crp. The following steps should be executed by root or another appropriate userid that has the privilege to write in the directories involved. 1. Create a file "crplib.c" containing the four-line C program: extern void pad_$dm_cmd(void); void pad_$dm_cmd() { } extern void pad_$def_pfk(void); void pad_$def_pfk() { } 2. Compile this program using '-pic': (AEGIS) /com/cc crplib.c -pic (UNIX) /bin/cc -c crplib.c -W0,-pic 3. Copy the result to somewhere accessible to all users (/lib/crplib is recommended). (AEGIS) /com/cpf crplib.bin /lib/crplib (AEGIS) /com/edacl -p root prwx -g wheel rx -w rx /lib/crplib (UNIX) /bin/cp crplib.o /lib/crplib (UNIX) /bin/chmod 755 /lib/crplib 4. a) Ensure that all users do an 'inlib' of that file before running crp. One way to ensure this would be to replace the /usr/apollo/bin/crp command by a shell script that does the inlib. Doing this step will force crp to use the null functions defined in step 1 above. (AEGIS) /com/chn /usr/apollo/bin/crp crp.orig (UNIX) /bin/mv /usr/apollo/bin/crp /usr/apollo/bin/crp.orig b) Create the file /usr/apollo/bin/crp containing the shell script: (AEGIS) #!/com/sh /com/sh -c inlib /lib/crplib ';' /usr/apollo/bin/crp.orig ^* (UNIX) #!/bin/sh inlib /lib/crplib exec /usr/apollo/bin/crp.orig "$@" c) Make this script executable. (AEGIS) /com/edacl -p root prwx -g wheel rx -w rx /usr/apollo/bin/crp (UNIX) /bin/chmod 755 /usr/apollo/bin/crp --------------- NOTE: This workaround will prevent crp from making use of the two system calls; and therefore, it may affect the functionality of various software programs since they will be unable to define programmable function keys, create new windows on the client node, or execute background processes using the Display Manager interface. =========================================================================== NeXTstep Configuration Vulnerability --------------------------------------------------------------------------- Information concerning a vulnerability in release 2 of NeXTstep's NetInfo default configuration. This vulnerability will be corrected in future versions of NeXTstep. --------------------------------------------------------------------------- I. Description By default, a NetInfo server process will provide information to any machine that requests it. II. Impact Remote users can gain unauthorized access to the network's administrative information such as the passwd file. III. Solution Ensure that the trusted_networks property of each NetInfo domain's root NetInfo directory is set correctly, so that only those systems which should be obtaining information from NetInfo are granted access. The value for the trusted_networks property should be the network numbers of the networks the server should trust. Note that improperly setting trusted_networks can render your network unusable. Consult Chapter 16, "Security", of the "NeXT Network and System Administration" manual for release 2 for details on setting the trusted_networks property of the root NetInfo directory.