---------------------------------------------------------------------------
CERT(sm) Summary CS-97.01
February 26, 1997

The CERT Coordination Center periodically issues the CERT Summary to
draw attention to the types of attacks currently being reported to our
Incident Response Team. The summary includes pointers to sources of
information for dealing with the problems. We also list new or updated
files that are available for anonymous FTP from

Past CERT Summaries are available from
---------------------------------------------------------------------------

Recent Activity
---------------

1. Continuing cgi-bin Exploits

The CERT Coordination Center continues to receive daily reports of attempts
to exploit vulnerabilities in cgi-bin scripts. Our original advisory
regarding these vulnerabilities was published in March 1996, and is
available from:

The most frequently reported variety of these vulnerabilities uses the
"phf" program discussed in the advisory. The "phf" program is
installed by default with several implementations of httpd servers.
Intruders continue to use widely available "phf" exploit scripts to
attempt to obtain a copy of the /etc/passwd file. Fortunately, many
of the reported attempts are unsuccessful.

We are now seeing increasing numbers of incidents where intruders
exploit "phf" to execute a broad range of commands. This can result
in the addition or modification of files, and the creation of terminal
windows. We are also receiving reports that the "phf" program is
being renamed by intruders so that further use can remain undetected.
Intruders are increasingly aware of similar weaknesses in cgi-bin
programs other than "phf", such as the vulnerability described in CERT
Advisory 97.07:

2. Continuing Linux Exploits

We continue to see incidents in which Linux machines have been the
victims of root compromises. In many of these incidents, the
compromised systems were unpatched or misconfigured, and the intruders
exploited well-known vulnerabilities for which CERT advisories have
been published.

If you are using Linux, we strongly urge you to keep current with all
security patches and workarounds. If your system has been root
compromised, we also recommend that you review

Further, you may want to monitor the Linux newsgroups and mailing
lists for security patches and workarounds. More information can be
found at

3. Naughty Robot Email Messages

The CERT Coordination Center has received a number of reports describing
forged email messages with a subject of "security breached by NaughtyRobot".
These messages appear to originate from the victim's own account and claim to
have exploited a security hole in the victim's web server. The messages also
claim to have collected a variety of information including the victim's credit
card numbers.

As far as the CERT Coordination Center is aware, there has been no
indication that the activities described in the message have actually
taken place on any machine. Other response teams have been
investigating these messages. The Computer Incident Advisory
Capability (CIAC) has additional information on their web site at:

For additional information concerning email spoofing and what you can
do, please see our document:

What's New in the CERT FTP Archive
----------------------------------
We have made the following changes since the last CERT Summary (November 26,

* New Additions

    CA-96.25.sendmail_groups            Addresses a security problem affecting
                                        sendmail version 8 relating to
                                        group-writable files. Vendor patches
                                        and a workaround are included.

                                        Describes a denial-of-service attack
                                        using large ICMP datagrams issued via
                                        the ping command. Vendor information
                                        is included.

    CA-96.27.hp_sw_install              Describes a vulnerability in
                                        Hewlett-Packard SD-UX that may allow
                                        local users to gain root privileges. A
                                        workaround is included.

    CA-97.01.flex_lm                    Describes multi-platform UNIX FLEXlm
                                        vulnerabilities. These problems may
                                        allow local users to create arbitrary
                                        files on the system and execute
                                        arbitrary programs using the
                                        privileges of the user running the
                                        FLEXlm daemons.

    CA-97.02.hp_newgrp                  Describes a vulnerability in the
                                        newgrp(1) program under HP-UX 9.x and
                                        10.x that may allow users to gain root
                                        privileges. A workaround is provided.

    CA-97.03.csetup                     A vulnerability in the csetup program
                                        under IRIX versions 5.x, 6.0, 6.0.1,
                                        6.1, and 6.2 allows local users to
                                        create or overwrite arbitrary files on
                                        the system and ultimately gain root
                                        privileges. A workaround is provided.

    CA-97.04.talkd                      A vulnerability in the talkd(8)
                                        program used by talk(1) makes it
                                        possible to provide corrupt DNS
                                        information to a host and to remotely
                                        execute arbitrary commands with root
                                        privileges.

    CA-97.05.sendmail                   Addresses a MIME conversion buffer
                                        overflow in sendmail versions 8.8.3
                                        and 8.8.4. The advisory includes
                                        vendor information, pointers to the
                                        latest version of sendmail, a
                                        workaround, and general precautions to
                                        take when using sendmail.

    CA-97.06.rlogin-term                Reports a vulnerability in many
                                        implementations of the rlogin program,
                                        including eklogin and klogin. Vendor
                                        information and a workaround are

    CA-97.07.nph-test-cgi_script        Points out a vulnerability in the
                                        nph-test-cgi script included with some
                                        http daemons. Readers are urged to
                                        disable the script. Vendor information
                                        is included.

    CA-97.08.innd                       Describes a vulnerability in all
                                        versions of INN (the InterNetNews
                                        server) up to and including version
                                        1.5. The advisory includes pointers
                                        to version 1.5.1 and to patches, along
                                        with information from vendors.

    VB-96.19.sgi                        Describes possible vulnerabilities in
                                        systour and OutOfBox.

    VB-96.20.hp                         Describes vulnerabilities in HP Remote

   HPSBUX9609-038                       Using Vue 3.0 on only HP-UX releases
                                        10.01 and 10.10 it is possible to
                                        increase privileges and launch denial
                                        of service attacks.

   HPSBUX9610-040                       Describes a vulnerability with
                                        specific incoming ICMP Echo Request
                                        (ping) packets.

   HPSBUX9611-041                       Describes a vulnerability with Large
                                        UID's and GID's in HP-UX 10.20.

   HPSBUX9701-049                       Describes a security vulnerability in
                                        the chfn executable.


   19961202-01-PX                       Discusses TCP SYN and ping denial of
                                        service attacks.

   MH                                   Added information on MH version

   sendmail                             Added information on sendmail version

   wuftpd                               Added information on wuftpd version



* Updated Files

    cert_faq                            Added URL for CIAC virus hoax page.

    Sysadmin_Tutorial.announcement      Describes the course Internet Security
                                        for System and Network
                                        Administrators. Shows dates and
                                        locations of upcoming course

    CA-96.01.UDP_service_denial         Updated IP spoofing information. Added
                                        pointers to Cisco Systems documents.

    CA-96.14.rdist_vul                  Added patch from Sun Microsystems,

    CA-96.19.expreserve                 Updated HP information.

    CA-96.21.tcp_syn_flooding           Added patch from IBM
                                        Corporation. Corrected Sun
                                        Microsystems, Inc. security alert
                                        address. Added or changed information
                                        from Silicon Graphics Inc., Livingston
                                        Enterprises, Hewlett-Packard Company,
                                        and 3COM.

    CA-96.25.sendmail_groups            Added information from Cray Research - A
                                        Silicon Graphics Company.

                                        Updated information from The Santa Cruz
                                        Operation (SCO) and Data General

    CA-97.01.flex_lm                    Added Silicon Graphics Inc. and Sun
                                        Microsystems, Inc. patch information.

    CA-97.02.hp_newgrp                  Added patch information.

    CA-97.04.talkd                      Added information from Cisco Systems.

    CA-97.05.sendmail                   Corrected example.

    CA-97.06.rlogin-term                Added information from Cygnus
                                        Solutions, NetBSD, and Sun
                                        Microsystems, Inc.

    CA-97.07.nph-test-cgi_script        Corrected information in

---------------------------------------------------------------------------
How to Contact the CERT Coordination Center

Email

Phone    +1 412-268-7090 (24-hour hotline)
                CERT personnel answer 8:30-5:00 p.m. EST
                (GMT-5)/EDT(GMT-4), and are on call for
                emergencies during other hours.

Fax      +1 412-268-6989

Postal address
        CERT Coordination Center
        Software Engineering Institute
        Carnegie Mellon University
        Pittsburgh PA 15213-3890

To be added to our mailing list for CERT advisories and bulletins, send your
email address to
In the subject line, type
        SUBSCRIBE your-email-address

CERT advisories and bulletins are posted on the USENET news group

CERT publications, information about FIRST representatives, and other
security-related information are available for anonymous FTP from

If you wish to send sensitive incident or vulnerability information to CERT
staff by electronic mail, we strongly advise you to encrypt your message.
We can support a shared DES key or PGP. Contact the CERT staff for more

Location of CERT PGP key

---------------------------------------------------------------------------
Copyright 1997 Carnegie Mellon University
This material may be reproduced and distributed without permission provided
it is used for noncommercial purposes and credit is given to the CERT
Coordination Center.

CERT is a service mark of Carnegie Mellon University.
