Archive of CERT general posting, CERT Summary CS-97.01

27/02/97, CERT Summary CS-97.01
From: CERT Advisory <cert-advisory@cert.org>

Generated by MHonArc

CSIM Logo WelcomeCourses
Faculty, Student, Staff
Projects and reports
Conferences, workshop and seminars
Laboratories and reasearch facilities
Information related to CSIM
Information non-related to CSIM
Address, map, phone, etc.
Search

[Date Prev] [Date Next] [Thread Prev] [Thread Next] [Date Index] [Thread Index]


To: cert-advisory@cert.org
Subject: CERT Summary CS-97.01
From: CERT Advisory <cert-advisory@cert.org>
Date: Wed, 26 Feb 1997 15:51:04 -0500
Organization: CERT(sm) Coordination Center - +1 412-268-7090
Reply-To: cert-advisory-request@cert.org

-----BEGIN PGP SIGNED MESSAGE-----

- ---------------------------------------------------------------------------
CERT(sm) Summary CS-97.01
February 26, 1997

The CERT Coordination Center periodically issues the CERT Summary to
draw attention to the types of attacks currently being reported to our
Incident Response Team. The summary includes pointers to sources of
information for dealing with the problems. We also list new or updated
files that are available for anonymous FTP from
     ftp://info.cert.org/pub/

Past CERT Summaries are available from
     ftp://info.cert.org/pub/cert_summaries/
- ---------------------------------------------------------------------------

Recent Activity
- ---------------

1. Continuing cgi-bin Exploits

The CERT Coordination Center continues to receive daily reports of attempts
to exploit vulnerabilities in cgi-bin scripts. Our original advisory
regarding these vulnerabilities was published in March 1996, and is
available from:

  ftp://info.cert.org/pub/cert_advisories/CA-96.06.cgi_example_code

The most frequently reported variety of these vulnerabilities uses the
"phf" program discussed in the advisory. The "phf" program is
installed by default with several implementations of httpd servers.
Intruders continue to use widely available "phf" exploit scripts to
attempt to obtain a copy of the /etc/passwd file. Fortunately, many
of the reported attempts are unsuccessful.

We are now seeing increasing numbers of incidents where intruders
exploit "phf" to execute a broad range of commands. This can result
in the addition or modification of files, and the creation of terminal
windows. We are also receiving reports that the "phf" program is
being renamed by intruders so that further use can remain undetected.
Intruders are increasingly aware of similar weaknesses in cgi-bin
programs other than "phf", such as the vulnerability described in CERT
Advisory 97.07:

  ftp://info.cert.org/pub/cert_advisories/CA-97.07.nph-test-cgi_script

2. Continuing Linux Exploits

We continue to see incidents in which Linux machines have been the
victims of root compromises. In many of these incidents, the
compromised systems were unpatched or misconfigured, and the intruders
exploited well-known vulnerabilities for which CERT advisories have
been published.

If you are using Linux, we strongly urge you to keep current with all
security patches and workarounds. If your system has been root
compromised, we also recommend that you review

  ftp://info.cert.org/pub/tech_tips/root_compromise

Further, you may want to monitor the Linux newsgroups and mailing
lists for security patches and workarounds. More information can be
found at

  http://bach.cis.temple.edu/linux/linux-security/

3. Naughty Robot Email Messages

The CERT Coordination Center has received a number of reports describing
forged email messages with a subject of "security breached by NaughtyRobot".
These messages appear to originate from the victim's own account and claim to
have exploited a security hole in the victim's web server. The messages also
claim to have collected a variety of information including the victim's credit
card numbers.

As far as the CERT Coordination Center is aware, there has been no
indication that the activities described in the message have actually
taken place on any machine. Other response teams have been
investigating these messages. The Computer Incident Advisory
Capability (CIAC) has additional information on their web site at:

  http://ciac.llnl.gov/ciac/CIACHoaxes.html#naughty

For additional information concerning email spoofing and what you can
do, please see our document:

  ftp://info.cert.org/pub/tech_tips/email_spoofing



What's New in the CERT FTP Archive
- ----------------------------------
We have made the following changes since the last CERT Summary (November 26,
1996).

* New Additions

ftp://info.cert.org/pub/cert_advisories/

    CA-96.25.sendmail_groups            Addresses a security problem affecting
                                        sendmail version 8 relating to
                                        group-writable files. Vendor patches
                                        and a workaround are included.

    CA-96.26.ping                       Describes a denial-of-service attack
                                        using large ICMP datagrams issued via
                                        the ping command. Vendor information
                                        is included.

    CA-96.27.hp_sw_install              Describes a vulnerability in
                                        Hewlett-Packard SD-UX that may allow
                                        local users to gain root privileges. A
                                        workaround is included.

    CA-97.01.flex_lm                    Describes multi-platform UNIX FLEXlm
                                        vulnerabilities. These problems may
                                        allow local users to create arbitrary
                                        files on the system and execute
                                        arbitrary programs using the
                                        privileges of the user running the
                                        FLEXlm daemons.

    CA-97.02.hp_newgrp                  Describes a vulnerability in the
                                        newgrp(1) program under HP-UX 9.x and
                                        10.x that may allow users to gain root
                                        privileges. A workaround is provided.

    CA-97.03.csetup                     A vulnerability in the csetup program
                                        under IRIX versions 5.x, 6.0, 6.0.1,
                                        6.1, and 6.2 allows local users to
                                        create or overwrite arbitrary files on
                                        the system and ultimately gain root
                                        privileges. A workaround is provided.

    CA-97.04.talkd                      A vulnerability in talkd(8) program
                                        used by talk(1) makes it possible to
                                        provide corrupt DNS information to a
                                        host and to remotely execute arbitrary
                                        commands with root privileges.

    CA-97.05.sendmail                   Addresses a MIME conversion buffer
                                        overflow in sendmail versions 8.8.3
                                        and 8.8.4. The advisory includes
                                        vendor information, pointers to the
                                        latest version of sendmail, a
                                        workaround, and general precautions to
                                        take when using sendmail.

    CA-97.06.rlogin-term                Reports a vulnerability in many
                                        implementations of the rlogin program,
                                        including eklogin and klogin. Vendor
                                        information and a workaround are
                                        included.

    CA-97.07.nph-test-cgi_script        Points out a vulnerability in the
                                        nph-test-cgi script included with some
                                        http daemons. Readers are urged to
                                        disable the script. Vendor information
                                        is included.

    CA-97.08.innd                       Describes a vulnerability in all
                                        versions of INN (the InterNetNews
                                        server) up to and including version
                                        1.5. The advisory includes a pointers
                                        to version 1.5.1 and to patches, along
                                        with information from vendors.


ftp://info.cert.org/pub/cert_bulletins/

    VB-96.19.sgi                        Describes possible vulnerabilities in
                                        systour and OutOfBox.

    VB-96.20.hp                         Describes vulnerabilities in HP Remote
                                        Watch.


ftp://info.cert.org/pub/vendors/hp/

   HPSBUX9609-038                       Using Vue 3.0 on only HP-UX releases
                                        10.01 and 10.10 it is possible to
                                        increase privileges and launch denial
                                        of service attacks.

   HPSBUX9610-040                       Describes a vulnerability with
                                        specific incoming ICMP Echo Request
                                        (ping) packets.

   HPSBUX9611-041                       Describes a vulnerability with Large
                                        UID's and GID's in HP-UX 10.20.

   HPSBUX9701-049                       Describes a security vulnerability in
                                        the chfn executable.


ftp://info.cert.org/pub/vendors/ibm/

    ibm-key


ftp://info.cert.org/pub/vendors/sgi/

   19961202-01-PX                       Discusses TCP SYN and ping denial of
                                        service attacks.


ftp://info.cert.org/pub/latest_sw_versions/

   MH                                   Added information on MH version
                                        6.8.4-10.

   sendmail                             Added information on sendmail version
                                        8.8.5.

   wuftpd                               Added information on wuftpd version
                                        2.4.2-beta-12.


ftp://info.cert.org/pub/tools/crack/

    crack5.0.tar.gz


ftp://info.cert.org/pub/tools/tcp_wrappers/

   tcp_wrappers_7.5.tar.gz



* Updated Files

ftp://info.cert.org/pub/

    cert_faq                            Added URL for CIAC virus hoax page.

    Sysadmin_Tutorial.announcement      Describes the course Internet Security
                                        for System and Network
                                        Administrators. Shows dates and
                                        locations of upcoming course
                                        offerings.


ftp://info.cert.org/pub/cert_advisories/

    CA-96.01.UDP_service_denial         Updated IP spoofing information. Added
                                        pointers to Cisco Systems documents.

    CA-96.14.rdist_vul                  Added patch from Sun Microsystems,
                                        Inc.

    CA-96.19.expreserve                 Updated HP information.

    CA-96.21.tcp_syn_flooding           Added patch from IBM
                                        Corporation. Corrected Sun
                                        Microsystems, Inc. security alert
                                        address. Added or changed information
                                        from Silicon Graphics Inc., Livingston
                                        Enterprises, Hewlett-Packard Company,
                                        and 3COM.

    CA-96.25.sendmail_groups            Added information Cray Research - A
                                        Silicon Graphics Company.

    CA-96.26.ping                       Updated information from The Santa Cruz
                                        Operation (SCO) and Data General
                                        Corporation.

    CA-97.01.flex_lm                    Added Silicon Graphics Inc. and Sun
                                        Microsystems, Inc. patch information.

    CA-97.02.hp_newgrp                  Added patch information.

    CA-97.04.talkd                      Added information from Cisco Systems.

    CA-97.05.sendmail                   Corrected sendmail.cf example.

    CA-97.06.rlogin-term                Added information from Cygnus
                                        Solutions, NetBSD, and Sun
                                        Microsystems, Inc.

    CA-97.07.nph-test-cgi_script        Corrected information in
                                        acknowledgements.


- ---------------------------------------------------------------------------
How to Contact the CERT Coordination Center

Email    cert@cert.org

Phone    +1 412-268-7090 (24-hour hotline)
                CERT personnel answer 8:30-5:00 p.m. EST
                (GMT-5)/EDT(GMT-4), and are on call for
                emergencies during other hours.

Fax      +1 412-268-6989

Postal address
        CERT Coordination Center
        Software Engineering Institute
        Carnegie Mellon University
        Pittsburgh PA 15213-3890
        USA

To be added to our mailing list for CERT advisories and bulletins, send your
email address to
        cert-advisory-request@cert.org
In the subject line, type
        SUBSCRIBE your-email-address

CERT advisories and bulletins are posted on the USENET news group
         comp.security.announce

CERT publications, information about FIRST representatives, and other
security-related information are available for anonymous FTP from
        http://www.cert.org/
        ftp://info.cert.org/pub/

If you wish to send sensitive incident or vulnerability information to CERT
staff by electronic mail, we strongly advise you to encrypt your message.
We can support a shared DES key or PGP. Contact the CERT staff for more
information.

Location of CERT PGP key
         ftp://info.cert.org/pub/CERT_PGP.key

- ---------------------------------------------------------------------------
Copyright 1997 Carnegie Mellon University
This material may be reproduced and distributed without permission provided
it is used for noncommercial purposes and credit is given to the CERT
Coordination Center.

CERT is a service mark of Carnegie Mellon University.

-----BEGIN PGP SIGNATURE-----
Version: 2.6.2

iQCVAwUBMxR8THVP+x0t4w7BAQHLdgP/ZhctBl2lw6D5+ITY01aLq7t0ObFXGqzb
pDNsLCTbF5d27dpBQHBlee7472qMSZjIwtFxeouOP/kSzlBQ951AXDz8S0S3McOm
0Jz2XNOzQciNxxPXdbs7ai0Md+OPNPLy1gxeNq+l+zqQmhq9o/F1+a9PV40hWW/f
lRqM6TtEF6Q=
=x6rN
-----END PGP SIGNATURE-----



Next message sorted by date: CERT Summary CS-97.02
Next message by thread: CERT Summary CS-97.02
Main Index
Thread Index

CSIM home pageWMailAccount managementCSIM LibraryNetwork test toolsSearch CSIM directories
Contact us: Olivier Nicole CSIM    SET    AIT Last update: Feb 2000