-----BEGIN PGP SIGNED MESSAGE-----
- ---------------------------------------------------------------------------
CERT(sm) Summary CS-97.01
February 26, 1997
The CERT Coordination Center periodically issues the CERT Summary to
draw attention to the types of attacks currently being reported to our
Incident Response Team. The summary includes pointers to sources of
information for dealing with the problems. We also list new or updated
files that are available for anonymous FTP from
ftp://info.cert.org/pub/
Past CERT Summaries are available from
ftp://info.cert.org/pub/cert_summaries/
- ---------------------------------------------------------------------------
Recent Activity
- ---------------
1. Continuing cgi-bin Exploits

The CERT Coordination Center continues to receive daily reports of attempts
to exploit vulnerabilities in cgi-bin scripts. Our original advisory
regarding these vulnerabilities was published in March 1996, and is
available from:

ftp://info.cert.org/pub/cert_advisories/CA-96.06.cgi_example_code

The most frequently reported variety of these vulnerabilities uses the
"phf" program discussed in the advisory. The "phf" program is
installed by default with several implementations of httpd servers.
Intruders continue to use widely available "phf" exploit scripts to
attempt to obtain a copy of the /etc/passwd file. Fortunately, many
of the reported attempts are unsuccessful.

We are now seeing increasing numbers of incidents where intruders
exploit "phf" to execute a broad range of commands. This can result
in the addition or modification of files, and the creation of terminal
windows. We are also receiving reports that the "phf" program is
being renamed by intruders so that further use can remain undetected.

Intruders are increasingly aware of similar weaknesses in cgi-bin
programs other than "phf", such as the vulnerability described in CERT
Advisory 97.07:

ftp://info.cert.org/pub/cert_advisories/CA-97.07.nph-test-cgi_script
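The following log check is added here as an illustration of how a site can
spot the activity described above; it is not part of the original CERT
Summary and is not CERT code. It assumes httpd access logs in Common Log
Format, and the sample lines, hosts and request strings are constructed for
the example. Besides flagging any request to a script named "phf", it flags
requests whose decoded query string carries a newline (the injection the
original cgi example-code advisory concerns) or names /etc/passwd; those two
checks do not depend on the script name, so they still fire when the
intruder has renamed "phf" as the summary reports.

```python
import re
from urllib.parse import unquote

# Constructed sample lines in Common Log Format. Hosts, timestamps and
# requests are invented for this example.
SAMPLE_LOG = """\
10.0.0.5 - - [26/Feb/1997:10:12:01 -0500] "GET /index.html HTTP/1.0" 200 1043
10.0.0.9 - - [26/Feb/1997:10:13:44 -0500] "GET /cgi-bin/phf?Qalias=x%0a/bin/cat%20/etc/passwd HTTP/1.0" 200 512
10.0.0.9 - - [26/Feb/1997:10:14:02 -0500] "GET /cgi-bin/phf?Qname=smith HTTP/1.0" 404 0
10.0.0.7 - - [26/Feb/1997:10:15:30 -0500] "GET /cgi-bin/lookup?Qalias=x%0A/usr/bin/id HTTP/1.0" 200 87
"""

# host ident user [time] "method target [protocol]" status size
CLF_RE = re.compile(
    r'^(?P<host>\S+) \S+ \S+ \[(?P<time>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<target>\S+)(?: \S+)?" (?P<status>\d{3}) (?P<size>\S+)$'
)


def classify_request(target):
    """Return (script name, list of reasons the request is suspicious)."""
    path, _, query = target.partition("?")
    script = path.rsplit("/", 1)[-1]
    decoded = unquote(query)          # %0a / %0A become a literal newline
    reasons = []
    if script == "phf":
        reasons.append("phf-request")     # any use of phf is worth a look
    if "\n" in decoded or "\r" in decoded:
        reasons.append("newline-injection")  # independent of the script name
    if "/etc/passwd" in decoded:
        reasons.append("passwd-read")
    return script, reasons


def scan_log(text):
    """Parse CLF lines and return one finding per suspicious request."""
    findings = []
    for line in text.splitlines():
        m = CLF_RE.match(line)
        if not m:
            continue                       # skip lines that are not CLF
        script, reasons = classify_request(m.group("target"))
        if reasons:
            findings.append({
                "host": m.group("host"),
                "script": script,
                "status": int(m.group("status")),
                "reasons": reasons,
            })
    return findings


if __name__ == "__main__":
    for finding in scan_log(SAMPLE_LOG):
        print(finding)
```

The status code is kept in each finding because it separates the two cases the
summary describes: a 404 on a "phf" request means the script is not there and
the attempt failed, while a 200 answer to a request carrying an injected
newline means the server ran something and the host should be examined.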
2. Continuing Linux Exploits

We continue to see incidents in which Linux machines have been the
victims of root compromises. In many of these incidents, the
compromised systems were unpatched or misconfigured, and the intruders
exploited well-known vulnerabilities for which CERT advisories have
been published.

If you are using Linux, we strongly urge you to keep current with all
security patches and workarounds. If your system has been root
compromised, we also recommend that you review

ftp://info.cert.org/pub/tech_tips/root_compromise

Further, you may want to monitor the Linux newsgroups and mailing
lists for security patches and workarounds. More information can be
found at

http://bach.cis.temple.edu/linux/linux-security/
3. Naughty Robot Email Messages

The CERT Coordination Center has received a number of reports describing
forged email messages with a subject of "security breached by NaughtyRobot".
These messages appear to originate from the victim's own account and claim to
have exploited a security hole in the victim's web server. The messages also
claim to have collected a variety of information including the victim's credit
card numbers.

As far as the CERT Coordination Center is aware, there has been no
indication that the activities described in the message have actually
taken place on any machine. Other response teams have been
investigating these messages. The Computer Incident Advisory
Capability (CIAC) has additional information on their web site at:

http://ciac.llnl.gov/ciac/CIACHoaxes.html#naughty

For additional information concerning email spoofing and what you can
do, please see our document:

ftp://info.cert.org/pub/tech_tips/email_spoofing
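The header check below is added here to show one way a site can tell that a
message which appears to come from a local account actually entered from
outside; it is not part of the original CERT Summary and is not CERT code. It
assumes the site's mail domain is "example.org", and both sample messages,
their hosts and addresses are constructed (only the subject line is the one
quoted above). Because anyone can insert Received lines before handing a
message over, the check trusts only the Received line stamped "by" one of the
site's own hosts and compares the peer named there with the domain the From
header claims.

```python
import email
import re
from email.utils import parseaddr

# Constructed sample messages. Every host name, address and IP is invented;
# the subject is the one reported in the summary.
FORGED_MESSAGE = """\
Received: from mail.example.org (mail.example.org [192.0.2.10])
\tby inbox.example.org with SMTP id A1B2; Wed, 26 Feb 1997 09:00:00 -0500
Received: from relay.invalid.test (relay.invalid.test [198.51.100.23])
\tby mail.example.org with SMTP id C3D4; Wed, 26 Feb 1997 08:59:40 -0500
From: victim@example.org
To: victim@example.org
Subject: security breached by NaughtyRobot

This message claims to have collected data from your web server.
"""

INTERNAL_MESSAGE = """\
Received: from ws17.example.org (ws17.example.org [192.0.2.17])
\tby mail.example.org with SMTP id E5F6; Wed, 26 Feb 1997 09:05:00 -0500
From: victim@example.org
To: colleague@example.org
Subject: lunch

Noon?
"""

# "from <peer> ... by <our host> ..." ; re.S lets it span folded header lines
RECEIVED_RE = re.compile(r"from\s+(?P<frm>[\w.-]+).*?\bby\s+(?P<by>[\w.-]+)",
                         re.I | re.S)


def in_domain(host, domain):
    """True if host is domain itself or a host inside it (case-insensitive)."""
    host = host.lower().rstrip(".")
    return host == domain or host.endswith("." + domain)


def check_sender_origin(raw_message, local_domain):
    """Compare the claimed From domain with the host that handed us the message."""
    msg = email.message_from_string(raw_message)
    from_domain = parseaddr(msg.get("From", ""))[1].rsplit("@", 1)[-1].lower()
    received = msg.get_all("Received") or []

    # Received lines are prepended, so the last one is the earliest hop. Walk
    # upward from it and stop at the first hop stamped by one of our own hosts:
    # that line is ours, and the peer it names is where the message came from.
    origin_host = None
    for value in reversed(received):
        m = RECEIVED_RE.search(value)
        if m and in_domain(m.group("by"), local_domain):
            origin_host = m.group("frm").lower()
            break

    claims_local = from_domain == local_domain
    if not claims_local:
        suspect, reason = False, "sender does not claim a local address"
    elif origin_host is None:
        suspect, reason = True, "no Received line stamped by a local host"
    elif not in_domain(origin_host, local_domain):
        suspect, reason = True, "claims local sender but entered from external host"
    else:
        suspect, reason = False, "entered from a local host"

    return {"from_domain": from_domain, "origin_host": origin_host,
            "suspect": suspect, "reason": reason}


if __name__ == "__main__":
    print(check_sender_origin(FORGED_MESSAGE, "example.org"))
    print(check_sender_origin(INTERNAL_MESSAGE, "example.org"))
```

A positive result only says the envelope and the headers disagree; it does not
say anything about whether the claims in the message body are true, which is
the point of the CIAC hoax page referenced above.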
What's New in the CERT FTP Archive
- ----------------------------------
We have made the following changes since the last CERT Summary (November 26,
1996).
* New Additions

ftp://info.cert.org/pub/cert_advisories/

CA-96.25.sendmail_groups
    Addresses a security problem affecting sendmail version 8 relating to
    group-writable files. Vendor patches and a workaround are included.

CA-96.26.ping
    Describes a denial-of-service attack using large ICMP datagrams issued
    via the ping command. Vendor information is included.

CA-96.27.hp_sw_install
    Describes a vulnerability in Hewlett-Packard SD-UX that may allow local
    users to gain root privileges. A workaround is included.

CA-97.01.flex_lm
    Describes multi-platform UNIX FLEXlm vulnerabilities. These problems may
    allow local users to create arbitrary files on the system and execute
    arbitrary programs using the privileges of the user running the FLEXlm
    daemons.

CA-97.02.hp_newgrp
    Describes a vulnerability in the newgrp(1) program under HP-UX 9.x and
    10.x that may allow users to gain root privileges. A workaround is
    provided.

CA-97.03.csetup
    A vulnerability in the csetup program under IRIX versions 5.x, 6.0,
    6.0.1, 6.1, and 6.2 allows local users to create or overwrite arbitrary
    files on the system and ultimately gain root privileges. A workaround
    is provided.

CA-97.04.talkd
    A vulnerability in the talkd(8) program used by talk(1) makes it
    possible to provide corrupt DNS information to a host and to remotely
    execute arbitrary commands with root privileges.

CA-97.05.sendmail
    Addresses a MIME conversion buffer overflow in sendmail versions 8.8.3
    and 8.8.4. The advisory includes vendor information, pointers to the
    latest version of sendmail, a workaround, and general precautions to
    take when using sendmail.

CA-97.06.rlogin-term
    Reports a vulnerability in many implementations of the rlogin program,
    including eklogin and klogin. Vendor information and a workaround are
    included.

CA-97.07.nph-test-cgi_script
    Points out a vulnerability in the nph-test-cgi script included with
    some http daemons. Readers are urged to disable the script. Vendor
    information is included.

CA-97.08.innd
    Describes a vulnerability in all versions of INN (the InterNetNews
    server) up to and including version 1.5. The advisory includes pointers
    to version 1.5.1 and to patches, along with information from vendors.
ftp://info.cert.org/pub/cert_bulletins/

VB-96.19.sgi
    Describes possible vulnerabilities in systour and OutOfBox.

VB-96.20.hp
    Describes vulnerabilities in HP Remote Watch.

ftp://info.cert.org/pub/vendors/hp/

HPSBUX9609-038
    Describes a vulnerability in Vue 3.0 on HP-UX releases 10.01 and 10.10
    only, through which it is possible to increase privileges and launch
    denial-of-service attacks.

HPSBUX9610-040
    Describes a vulnerability with specific incoming ICMP Echo Request
    (ping) packets.

HPSBUX9611-041
    Describes a vulnerability with large UIDs and GIDs in HP-UX 10.20.

HPSBUX9701-049
    Describes a security vulnerability in the chfn executable.

ftp://info.cert.org/pub/vendors/ibm/

ibm-key

ftp://info.cert.org/pub/vendors/sgi/

19961202-01-PX
    Discusses TCP SYN and ping denial-of-service attacks.

ftp://info.cert.org/pub/latest_sw_versions/

MH
    Added information on MH version 6.8.4-10.

sendmail
    Added information on sendmail version 8.8.5.

wuftpd
    Added information on wuftpd version 2.4.2-beta-12.

ftp://info.cert.org/pub/tools/crack/

crack5.0.tar.gz

ftp://info.cert.org/pub/tools/tcp_wrappers/

tcp_wrappers_7.5.tar.gz
* Updated Files

ftp://info.cert.org/pub/

cert_faq
    Added URL for CIAC virus hoax page.

Sysadmin_Tutorial.announcement
    Describes the course Internet Security for System and Network
    Administrators. Shows dates and locations of upcoming course offerings.

ftp://info.cert.org/pub/cert_advisories/

CA-96.01.UDP_service_denial
    Updated IP spoofing information. Added pointers to Cisco Systems
    documents.

CA-96.14.rdist_vul
    Added patch from Sun Microsystems, Inc.

CA-96.19.expreserve
    Updated HP information.

CA-96.21.tcp_syn_flooding
    Added patch from IBM Corporation. Corrected Sun Microsystems, Inc.
    security alert address. Added or changed information from Silicon
    Graphics Inc., Livingston Enterprises, Hewlett-Packard Company, and
    3COM.

CA-96.25.sendmail_groups
    Added information from Cray Research - A Silicon Graphics Company.

CA-96.26.ping
    Updated information from The Santa Cruz Operation (SCO) and Data
    General Corporation.

CA-97.01.flex_lm
    Added Silicon Graphics Inc. and Sun Microsystems, Inc. patch
    information.

CA-97.02.hp_newgrp
    Added patch information.

CA-97.04.talkd
    Added information from Cisco Systems.

CA-97.05.sendmail
    Corrected sendmail.cf example.

CA-97.06.rlogin-term
    Added information from Cygnus Solutions, NetBSD, and Sun Microsystems,
    Inc.

CA-97.07.nph-test-cgi_script
    Corrected information in acknowledgements.
- ---------------------------------------------------------------------------
How to Contact the CERT Coordination Center
Email [log in to unmask]
Phone +1 412-268-7090 (24-hour hotline)
CERT personnel answer 8:30-5:00 p.m. EST
(GMT-5)/EDT(GMT-4), and are on call for
emergencies during other hours.
Fax +1 412-268-6989
Postal address
CERT Coordination Center
Software Engineering Institute
Carnegie Mellon University
Pittsburgh PA 15213-3890
USA
To be added to our mailing list for CERT advisories and bulletins, send your
email address to
[log in to unmask]
In the subject line, type
SUBSCRIBE your-email-address
CERT advisories and bulletins are posted on the USENET news group
comp.security.announce
CERT publications, information about FIRST representatives, and other
security-related information are available for anonymous FTP from
http://www.cert.org/
ftp://info.cert.org/pub/
If you wish to send sensitive incident or vulnerability information to CERT
staff by electronic mail, we strongly advise you to encrypt your message.
We can support a shared DES key or PGP. Contact the CERT staff for more
information.
Location of CERT PGP key
ftp://info.cert.org/pub/CERT_PGP.key
- ---------------------------------------------------------------------------
Copyright 1997 Carnegie Mellon University
This material may be reproduced and distributed without permission provided
it is used for noncommercial purposes and credit is given to the CERT
Coordination Center.
CERT is a service mark of Carnegie Mellon University.
-----BEGIN PGP SIGNATURE-----
Version: 2.6.2
iQCVAwUBMxR8THVP+x0t4w7BAQHLdgP/ZhctBl2lw6D5+ITY01aLq7t0ObFXGqzb
pDNsLCTbF5d27dpBQHBlee7472qMSZjIwtFxeouOP/kSzlBQ951AXDz8S0S3McOm
0Jz2XNOzQciNxxPXdbs7ai0Md+OPNPLy1gxeNq+l+zqQmhq9o/F1+a9PV40hWW/f
lRqM6TtEF6Q=
=x6rN
-----END PGP SIGNATURE-----