A complete revision history is at the end of this file.
The original technical content for this advisory was published by the IBM-ERS response team and is used here with their permission.
There is a vulnerability in the WorkMan compact disc-playing program that affects UNIX System V Release 4.0 and derivatives and Linux systems. When the program is installed set-user-id root, it can be used to make any file on the system world-writable.
To address this problem, you should remove the set-user-id bit from the program.
We will update this advisory as we receive additional information. Please check advisory files regularly for updates that relate to your site.
On systems where WorkMan was built and installed using the procedures that are given in "Makefile.linux" or "Makefile.svr4" (in general, this means on Linux systems and UNIX System V Release 4.0 systems), the WorkMan program is installed set-user-id root. This means that when the program is run, it will execute with super-user permissions.
In order to allow signals to be sent to it, WorkMan writes its process-id to a file called /tmp/.wm_pid. The "-p" option to the program allows the user to specify a different file name in which to record this information. When a file is specified with "-p", WorkMan simply attempts to create and/or truncate the file, and if this succeeds, WorkMan changes the permissions on the file so that it is world-readable and world-writable.
In the general case, when WorkMan is installed without the set-user-id bit set, the normal file access permissions provided by the operating system will prevent users from creating or truncating files they are not authorized to create or truncate. However, when WorkMan is installed set-user-id root, this process breaks down (because "root" is allowed to create/truncate any file).
WorkMan does not require the set-user-id bit to work; it is installed this way only on systems that do not make the CD-ROM device file world-readable by default.
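For a program that must stay set-user-id, the process-id file has to be opened with the invoking user's rights so that the normal permission checks described above still apply. The following is an added example, not WorkMan's code and not part of the original advisory; the helper name write_pidfile() is hypothetical, and it assumes POSIX.1-2008 interfaces (seteuid, O_NOFOLLOW).

```c
#define _POSIX_C_SOURCE 200809L
#include <fcntl.h>
#include <stdio.h>
#include <sys/stat.h>
#include <unistd.h>

/* write_pidfile() is a hypothetical helper, not WorkMan's code.
 * It records our PID in `path` using only the invoking user's rights.
 * Returns 0 on success, -1 on failure. */
int write_pidfile(const char *path)
{
    uid_t ruid = getuid(), euid = geteuid();
    gid_t rgid = getgid(), egid = getegid();
    char buf[32];
    struct stat st;
    int fd, len, rc = -1;

    /* Give up the set-user-id identity before touching the file, so the
     * kernel checks the real user's permissions. Group first, while we
     * still have the privilege to change it. */
    if (setegid(rgid) != 0 || seteuid(ruid) != 0)
        return -1;

    /* No O_TRUNC yet, refuse a symlink as the final component, and
     * create with mode 0600 rather than chmod()ing to 0666 afterwards. */
    fd = open(path, O_WRONLY | O_CREAT | O_NOFOLLOW, 0600);
    if (fd >= 0) {
        len = snprintf(buf, sizeof buf, "%ld\n", (long)getpid());
        /* Only truncate and write a regular file the real user owns. */
        if (fstat(fd, &st) == 0 && S_ISREG(st.st_mode) &&
            st.st_uid == ruid && ftruncate(fd, 0) == 0 &&
            write(fd, buf, (size_t)len) == (ssize_t)len)
            rc = 0;
        close(fd);
    }

    /* Regain the saved identity for later privileged work (device open). */
    if (seteuid(euid) != 0 || setegid(egid) != 0)
        return -1;
    return rc;
}

int main(int argc, char **argv)
{
    /* /tmp/.wm_pid is the default name given in the advisory. */
    return write_pidfile(argc > 1 ? argv[1] : "/tmp/.wm_pid") == 0 ? 0 : 1;
}
```

A program that needs no privilege after startup should drop it permanently with setuid() instead of switching back.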
Note: The vulnerability described by "r00t" on several mailing lists is not the same one that we describe in this advisory.
    chmod u-s /usr/local/bin/workman
2. Make the CD-ROM device world-readable using a command such as
    chmod +r /dev/cdrom
On multi-user systems, Step 2 will allow any user to access the contents of the disc installed in the CD-ROM; this may not be desirable in all environments.
The vulnerability described in this advisory is related to the WorkMan program, not to the products of particular vendors. However, if a vendor sends us advice for their users, we will put it in Appendix A.
When an unprivileged user executes a recent version of the workman program on a properly configured Solaris 2.x system, a message similar to the following appears. (Ellipses added to save space.)
As root, please run
    chmod 666 /devices/iommu@0,...sd@6,0:c,raw
to give yourself permission to access the CD-ROM device.
That's pretty good advice. Of course, if you don't want to give every user access to the contents of a CD (which will sometimes be data or software, and sometimes music) such permissions are not appropriate.
The CERT Coordination Center thanks IBM-ERS for permission to reproduce the technical content in their IBM Emergency Response Service Security Vulnerability Alert ERS-SVA-E01-1996:005.1. These alerts are copyrighted 1996 International Business Machines Corporation.
Copyright 1996 Carnegie Mellon University.
Sep. 24, 1997 Updated copyright statement