Original issue date: January 21, 1993<BR>
Last revised: September 19, 1997<BR>
Attached copyright statement
<P>A complete revision history is at the end of this file.
<B>THIS IS A REVISED CERT ADVISORY<BR>
IT CONTAINS NEW INFORMATION</B>
<P>The CERT Coordination Center has received updated information from
NeXT Computer, Inc. concerning vulnerabilities in the distributed
printing facility of NeXT computers running all releases of NeXTSTEP
software through NeXTSTEP Release 3.0. The online patch described in
CERT Advisory CA-93.02 has been replaced with a new patch. The size
and checksum information in this Advisory have been updated to reflect
the new online patch.
<P>For more information, please contact your authorized support
center. If you are an authorized support provider, please contact
NeXT through your normal channels.
<P><HR>
<P>
<H2>I. Description</H2>
<P>The default NetInfo "_writers" properties are configured
to allow users to install printers and FAX modems and to export them
to the network without requiring assistance from the system
administrator. They also allow a user to configure other parts of the
system, such as monitor screens, without requiring help from the
system administrator. Vulnerabilities exist in this facility that
could allow users to gain unauthorized privileges on the system.
<P>
<H2>II. Impact</H2>
<P>In the case of the "/printers" and the
"/fax_modems" directories, the "_writers" property
can permit users to obtain unauthorized root access to a system.
<P>In the "/localconfig/screens" directory, the "_writers" property can
potentially permit a user to deny normal login access to other users.
<P>
<H2>III. Solution</H2>
<P>To close the vulnerabilities, remove the "_writers"
properties from the "/printers", "/fax_modems",
and "/localconfig/screens" directories in all NetInfo
domains on the network, and from all immediate subdirectories of all
"/printers", "/fax_modems", and
"/localconfig/screens" directories. The
"_writers" properties may be removed using any one of the
following three methods:
<P>
<OL>
<B><LI TYPE = "A"></B>As root, use the "niutil" command-line utility. For example, to remove the "_writers" property from the "/printers" directory:
<PRE>
# /usr/bin/niutil -destroyprop . /printers _writers
</PRE>
<P>
<B><LI></B>Alternatively, use the NetInfoManager application: open the
desired domain, open the appropriate directory, select the
"_writers" property, choose the "Delete" command [Cmd-r] from the "Edit" menu, and save the directory.
<P>
<B><LI></B>To assist system administrators in editing their NetInfo
domains, a shell script, "writersfix", is available via
anonymous FTP from next.com (129.18.1.2):
<PRE>
Filename Size Checksum
-------- ---- --------
pub/Misc/Utilities/WritersFix.compressed 5600 25625 6
</PRE>
<P>After transferring this file using BINARY transfer type,
double-click on the file. A "WritersFix" directory will be
created in your file system, containing the script<BR>
("writersfix") and some documentation ("WritersFix.rtf").
<P>
</OL>
<P>Consider removing "_writers" from other NetInfo
directories as well (for example, "/locations"), noting the
following trade-off between ease-of-use and security. By removing the
"_writers" properties, the network and the computers on the
network become more secure, but a system administrator's assistance is
required where it previously was not required.
<P>Please refer to the NeXTSTEP Network and System Administration
manual for additional information on "_writers". Note that
the subdirectories of the "/users" directory have
"_writers_passwd" set to the user whose account is described
by the directory. This is essential if users are to be able to change
their own passwords, and this does not compromise system security.
<P><HR>
<P>The CERT Coordination Center wishes to thank Alan Marcum and Eric
Larson of NeXT Computer, Inc. for notifying us about the existence of
these vulnerabilities and for providing appropriate technical
information.
<!--#include virtual="/include/footer_nocopyright.html" -->
<P>Copyright 1993 Carnegie Mellon University.</P>
<HR>
Revision History
<PRE>
September 19, 1997 Attached Copyright Statement
</PRE>
|