-----BEGIN PGP SIGNED MESSAGE----- Hash: SHA1 ============================================================================= CERT Advisory CA-94:04 Original issue date: March 17, 1994 Last revised: July 24, 1996 SUPERSEDED BY CA-96:14 Topic: SunOS /usr/ucb/rdist Vulnerability ============================================================================= *** SUPERSEDED BY CA-96:14 *** The CERT Coordination Center has received information concerning a vulnerability in /usr/ucb/rdist in Sun Microsystems, Inc. SunOS 4.1.1, 4.1.2, 4.1.3, and 4.1.3c on all sun3 and sun4 architectures. SunOS 4.1.3_U1, Solaris 2.x, and Solbourne's 4.1B and 4.1C are not vulnerable. This is a Sun specific Advisory. Please reference CERT Advisory CA-91:20 "/usr/ucb/rdist Vulnerability" for general information regarding other vendors. A vendor status file pub/cert_advisories/rdist-patch-status is available via anonymous FTP from info.cert.org. This vulnerability is being actively exploited; please review CERT Advisory CA-94:01 "Ongoing Network Monitoring Attacks." Patches can be obtained from local Sun Answer Centers worldwide as well as through anonymous FTP from ftp.uu.net in the /systems/sun/sun-dist directory. In Europe, these patches are available from ftp.eu.net in the /sun/fixes directory. Information concerning specific patches is outlined below. Please note that Sun sometimes updates patch files. If you find that the checksum is different, please contact Sun. - ----------------------------------------------------------------------------- I. Description A security vulnerability exists in /usr/ucb/rdist that can be used to gain unauthorized privileges. Under some circumstances /usr/ucb/rdist can be used to create setuid root programs. II. Impact This vulnerability allows a local user to gain root access. III. Solution A. If rdist is not being used, change the permissions on the file. # chmod 700 /usr/ucb/rdist B. Obtain and install the appropriate patches according to the instructions included with the patches. Module Patch ID Filename ---------- --------- --------------- rdist 100383-06 100383-06.tar.Z BSD Checksum = 58984 121 System V Checksum = 9125 241 MD5 Checksum = f8f78ddab19af5efabb9bd66fc8f5c1a - --------------------------------------------------------------------------- If you believe that your system has been compromised, contact the CERT Coordination Center or your representative in Forum of Incident Response and Security Teams (FIRST). Internet E-mail: cert@cert.org Telephone: 412-268-7090 (24-hour hotline) CERT personnel answer 8:30 a.m.-5:00 p.m. EST(GMT-5)/EDT(GMT-4), and are on call for emergencies during other hours. CERT Coordination Center Software Engineering Institute Carnegie Mellon University Pittsburgh, PA 15213-3890 Past advisories, information about FIRST representatives, and other information related to computer security are available for anonymous FTP from info.cert.org. Copyright 1994 Carnegie Mellon University This material may be reproduced and distributed without permission provided it is used for noncommercial purposes and the copyright statement is included. CERT is a service mark of Carnegie Mellon University. ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ Revision history July 24, 1996 Superseded by CA-96.14 -----BEGIN PGP SIGNATURE----- Version: PGP for Personal Privacy 5.0 Charset: noconv iQA/AwUBOBS98lr9kb5qlZHQEQI0jACeLDvLwg18iTYe+Q+wlBlsneWeUesAnRXy oaD/1zhBGFnZeWBr1+tibSjp =o1wZ -----END PGP SIGNATURE-----