---------------------------------------------------------------------------
CERT* Summary CS-97.03
May 28, 1997

The CERT Coordination Center periodically issues the CERT Summary to
draw attention to the types of attacks currently being reported to our
Incident Response Team. The summary includes pointers to sources of
information for dealing with the problems. We also list new or updated
files that are available for anonymous FTP from

Past CERT Summaries are available from
---------------------------------------------------------------------------

Recent Activity
---------------

Since the February CERT Summary, we have seen these continuing trends in
incidents reported to us.

1. Continuing cgi-bin Exploits

The CERT Coordination Center continues to receive daily reports of attempts to
exploit vulnerabilities in cgi-bin scripts. Our original advisory regarding
these vulnerabilities was published in March 1996, and is available from:

The most frequently reported exploitation attempts use the "phf" program
discussed in the advisory. The "phf" program is installed by default with
several implementations of httpd servers. Intruders continue to use widely
available "phf" exploit scripts to attempt to obtain a copy of the /etc/passwd
file. Fortunately, many of the reported attempts are unsuccessful. We are now
receiving reports that "php" is being exploited as well.

Similar attacks may succeed against other cgi scripts if the scripts are
written without appropriate care regarding security issues. We encourage sites
to evaluate all programs in their cgi-bin directory and remove any scripts
that are not in active use.
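
One way to act on the reports above is to triage the web server's access log for requests to the scripts named in this section. This is an added example, not part of the CERT summary; the function names, the WATCH variable and the sample log lines (Common Log Format, documentation-range addresses, query strings replaced by a placeholder) are constructed for illustration.

```shell
#!/bin/sh
# Added example, not from the CERT summary. The log lines are constructed.

# Script names taken from the summary; extend after auditing your cgi-bin.
WATCH="phf php"

# triage_cgi_probes: read Common Log Format lines on stdin and print
# "<client> <script> <attempts> <verdict>" per client/script pair.
# verdict is "served" if any request got a 2xx status (the script exists
# and ran, so investigate and remove it), otherwise "rejected".
triage_cgi_probes() {
    awk -F'"' -v watch="$WATCH" '
        BEGIN { n = split(watch, w, " "); for (i = 1; i <= n; i++) want[w[i]] = 1 }
        NF >= 3 {
            # $1 = client and timestamp, $2 = request line, $3 = status and size
            split($1, head, " "); split($2, req, " "); split($3, tail, " ")
            path = req[2]; sub(/\?.*/, "", path)      # drop the query string
            if (path !~ /^\/cgi-bin\//) next
            base = path; sub(/^.*\//, "", base); sub(/\..*$/, "", base)
            if (!(base in want)) next
            key = head[1] " " base
            hits[key]++
            if (tail[1] ~ /^2[0-9][0-9]$/) served[key] = 1
        }
        END {
            for (k in hits)
                print k, hits[k], ((k in served) ? "served" : "rejected")
        }
    ' | LC_ALL=C sort
}

# Constructed sample: two rejected probes, one client that was served
# (including an HTTP/0.9-style request with no protocol field), and two
# unrelated requests that must not match.
sample_access_log() {
    cat <<'EOF'
192.0.2.10 - - [27/May/1997:03:12:44 -0400] "GET /cgi-bin/phf?x=CONSTRUCTED HTTP/1.0" 404 207
192.0.2.10 - - [27/May/1997:03:12:45 -0400] "GET /cgi-bin/php?x=CONSTRUCTED HTTP/1.0" 404 207
198.51.100.7 - - [27/May/1997:04:01:09 -0400] "GET /cgi-bin/phf?x=CONSTRUCTED HTTP/1.0" 200 1532
198.51.100.7 - - [27/May/1997:04:01:30 -0400] "GET /cgi-bin/phf?x=CONSTRUCTED" 200 1532
203.0.113.5 - - [27/May/1997:09:30:00 -0400] "GET /index.html HTTP/1.0" 200 4096
203.0.113.5 - - [27/May/1997:09:30:02 -0400] "GET /docs/phf-notes.html HTTP/1.0" 200 812
EOF
}

sample_access_log | triage_cgi_probes
```

A "served" verdict only shows that the script answered; it does not show what was returned, so treat it as a lead for investigation.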

2. INND Exploits

In our previous summary (CS-97.02 - SPECIAL EDITION) we reported widespread,
large-scale attacks on NNTP (Network News Transport Protocol)
servers. CS-97.02 is available from

We continue to receive reports that INND versions older than 1.5.1 are being
exploited. For more information about the INND vulnerability please see

We recommend that you *not* try to exploit your own server to determine if it
is vulnerable. Many of the INND attacks reported were a result of sites
testing their own servers and inadvertently releasing their test on the
Internet. To determine if your version of INND is vulnerable, please consult
the advisory (CA-97.08.innd).

A number of sites have reported that they continue to be vulnerable after
applying the patch for upgrading to INN 1.5.1. If you are upgrading to INN
1.5.1, please be sure to read the README file carefully.

3. Chargen and Echo Services

The CERT/CC continues to receive reports of denial-of-service attacks that
result from an intruder creating a "UDP packet storm" either on a system or
between two systems. An attack on one host causes that host to perform
poorly. An attack between two hosts can cause extreme network congestion in
addition to adversely affecting host performance. For more information about
this problem please see

We recommend disabling unneeded services on each host, in particular the
chargen and echo services, and filtering these services at the firewall or
Internet gateway. Note that these services cannot be wrapped by TCP wrappers
as they are usually part of inetd itself.
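
The host-side half of this recommendation can be checked directly against inetd's configuration. This is an added example, not part of the CERT summary; the function names, the output labels and the sample inetd.conf text are constructed, and the entries follow the usual inetd.conf field order (service, socket type, protocol, wait flag, user, server).

```shell
#!/bin/sh
# Added example, not from the CERT summary. The inetd.conf text is constructed.

# audit_small_services: read an inetd.conf-style file on stdin and print one
# line per ENABLED echo/chargen entry: "<service>/<proto> <server> <note>".
# A server of "internal" means the service is built into inetd, so there is
# no program for TCP wrappers to wrap. note is "udp-storm-capable" for UDP
# entries and "unneeded" for TCP ones (labels are this example's convention).
audit_small_services() {
    awk '
        /^[ \t]*#/ { next }                 # commented out = disabled
        NF < 6     { next }                 # not a full service entry
        $1 == "echo" || $1 == "chargen" {
            note = ($3 ~ /^udp/) ? "udp-storm-capable" : "unneeded"
            printf "%s/%s %s %s\n", $1, $3, $6, note
        }
    '
}

# disable_small_services: same input, prints the file with those entries
# commented out. inetd must re-read its configuration afterwards.
disable_small_services() {
    awk '
        !/^[ \t]*#/ && NF >= 6 && ($1 == "echo" || $1 == "chargen") {
            print "#" $0; next
        }
        { print }
    '
}

# Constructed sample: three enabled small-service entries, one already
# disabled, and two unrelated services that must be left alone.
sample_inetd_conf() {
    cat <<'EOF'
# service socket proto wait   user server          args
echo     stream  tcp  nowait  root  internal
echo     dgram   udp  wait    root  internal
#chargen stream  tcp  nowait  root  internal
chargen  dgram   udp  wait    root  internal
daytime  stream  tcp  nowait  root  internal
telnet   stream  tcp  nowait  root  /usr/sbin/tcpd  in.telnetd
EOF
}

sample_inetd_conf | audit_small_services
```

Run `audit_small_services < /etc/inetd.conf` on a host; empty output means no echo or chargen entry is enabled there, which still leaves the firewall or gateway filter to be checked separately.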

4. Spoofed CERT Summary

The CERT/CC has received a number of questions about fake CERT Summaries. All
documents produced by the CERT Coordination Center are PGP (Pretty Good
Privacy) signed to ensure the integrity of their information and their
authenticity. We encourage you to verify all of our documents using PGP. Our
PGP public key is available from

This same key can be used to encrypt incident and vulnerability
reports sent to us. For more information about PGP please see

What's New in the CERT FTP Archive
----------------------------------
We have made the following changes since the last CERT Summary (February 26,

* New Additions

    CA-97.08.innd                       Describes two vulnerabilities in
                                        INN. One affects versions 1.5 and
                                        earlier; the other affects 1.5.1 and
                                        earlier. Vendor information and
                                        pointers to patches are included.

    CA-97.09.imap_pop                   Reports a vulnerability in some
                                        Internet Message Access Protocol
                                        (IMAP) and Post Office Protocol (POP)
                                        implementations (imapd, ipop2d, and
                                        ipop3d). Vendor and upgrade
                                        information are included.

    CA-97.10.nls                        Reports a buffer overflow condition
                                        that affects some libraries using the
                                        Natural Language Service (NLS). Vendor
                                        vulnerability and patch information
                                        are included.

    CA-97.11.libXt                      Reports a buffer overflow
                                        vulnerability in the Xt library of the
                                        X Windowing System. Vendor
                                        vulnerability and patch information
                                        are included.

    CA-97.12.webdist                    Describes a vulnerability in the
                                        webdist.cgi-bin program, part of the
                                        IRIX Mindshare Out Box package,
                                        available with IRIX 5.x and 6.x. A
                                        workaround is included.

    CA-97.13.xlock                      Reports a buffer overflow problem in
                                        some versions of xlock. Patch
                                        information and a workaround are

    VB-97.01.dec                        Information from Digital Equipment
                                        Corporation about a potential
                                        vulnerability in the Division of
                                        Privilege (DoP).

    VB-97.02.sol_guestbook              Information from Selena Sol about a
                                        vulnerability in her Guestbook script
                                        for Web servers using Server Side
                                        Includes (SSI).

    CS-97.02                            This special edition of the CERT
                                        Summary highlights widespread,
                                        large-scale attacks that are
                                        occurring against news servers.

* Updated Files

    CA-96.02.bind                       Noted that BIND 8.1 was released in
                                        May 1997. Gave new location of the
                                        BIND archives.

    CA-96.08.pcnfsd                     Corrected a name in acknowledgments.

    CA-96.20.sendmail_vul               Updated vendor information for
                                        Hewlett-Packard Company.

    CA-96.21.tcp_syn_flooding           Updated vendor information for
                                        Hewlett-Packard Company.

    CA-96.24.sendmail.daemon.mode       Updated vendor information for
                                        Hewlett-Packard Company.

    CA-97.02.hp_newgrp                  Noted that the vulnerability described
                                        in this advisory is being exploited.

    CA-97.03.csetup                     Updated the Solution section to
                                        include URL for SGI patch

    CA-97.04.talkd                      Updated vendor information for
                                        Hewlett-Packard Company.

    CA-97.05.sendmail                   Updated NEC Corporation information.

    CA-97.08.innd                       Added information about Topic 2,
                                        ucbmail, including a new patch that
                                        must be applied to many versions of
                                        INN. Replaced pointer to patch 04 with
                                        patch 05 and noted that you must use
                                        patch 05. Added information from
                                        various vendors. Noted that the
                                        vulnerability is being actively

    CA-97.09.imap_pop                   Added vendor information from
                                        Microsoft Corporation.

    CA-97.10.nls                        Updated vendor information from
                                        Hewlett-Packard Company.

    CA-97.11.libXt                      Updated vendor information from
                                        Hewlett-Packard Company.

    CA-97.14.metamail                   Added vendor information from Berkeley
                                        Software Design, Inc. (BSDI). Changed
                                        release date of the patch.

    ifstatus                            Added pointer to latest version,
                                        ifstatus 2.0.

---------------------------------------------------------------------------
How to Contact the CERT Coordination Center

Email

Phone    +1 412-268-7090 (24-hour hotline)
                CERT personnel answer 8:30-5:00 p.m. EST
                (GMT-5)/EDT(GMT-4), and are on call for
                emergencies during other hours.

Fax      +1 412-268-6989

Postal address
        CERT Coordination Center
        Software Engineering Institute
        Carnegie Mellon University
        Pittsburgh PA 15213-3890

To be added to our mailing list for CERT advisories and bulletins, send your
email address to
In the subject line, type
        SUBSCRIBE your-email-address

CERT advisories and bulletins are posted on the USENET news group

CERT publications, information about FIRST representatives, and other
security-related information are available for anonymous FTP from

If you wish to send sensitive incident or vulnerability information to CERT
staff by electronic mail, we strongly advise you to encrypt your message.
We can support a shared DES key or PGP. Contact the CERT staff for more

Location of CERT PGP key

---------------------------------------------------------------------------
Copyright 1997 Carnegie Mellon University
This material may be reproduced and distributed without permission provided
it is used for noncommercial purposes and credit is given to the CERT
Coordination Center.

* Registered U.S. Patent and Trademark Office.
