-----BEGIN PGP SIGNED MESSAGE-----

- ---------------------------------------------------------------------------
CERT(sm) Summary CS-97.01
February 26, 1997

The CERT Coordination Center periodically issues the CERT Summary to draw
attention to the types of attacks currently being reported to our Incident
Response Team. The summary includes pointers to sources of information for
dealing with the problems.

We also list new or updated files that are available for anonymous FTP from

        ftp://info.cert.org/pub/

Past CERT Summaries are available from

        ftp://info.cert.org/pub/cert_summaries/

- ---------------------------------------------------------------------------

Recent Activity
- ---------------

1. Continuing cgi-bin Exploits

   The CERT Coordination Center continues to receive daily reports of
   attempts to exploit vulnerabilities in cgi-bin scripts. Our original
   advisory regarding these vulnerabilities was published in March 1996,
   and is available from:

        ftp://info.cert.org/pub/cert_advisories/CA-96.06.cgi_example_code

   The most frequently reported variety of these vulnerabilities uses the
   "phf" program discussed in the advisory. The "phf" program is installed
   by default with several implementations of httpd servers. Intruders
   continue to use widely available "phf" exploit scripts to attempt to
   obtain a copy of the /etc/passwd file. Fortunately, many of the reported
   attempts are unsuccessful.

   We are now seeing increasing numbers of incidents where intruders
   exploit "phf" to execute a broad range of commands. This can result in
   the addition or modification of files, and the creation of terminal
   windows. We are also receiving reports that the "phf" program is being
   renamed by intruders so that further use can remain undetected.

   Intruders are increasingly aware of similar weaknesses in cgi-bin
   programs other than "phf", such as the vulnerability described in CERT
   Advisory CA-97.07:

        ftp://info.cert.org/pub/cert_advisories/CA-97.07.nph-test-cgi_script

2. Continuing Linux Exploits

   We continue to see incidents in which Linux machines have been the
   victims of root compromises. In many of these incidents, the
   compromised systems were unpatched or misconfigured, and the intruders
   exploited well-known vulnerabilities for which CERT advisories have
   been published.

   If you are using Linux, we strongly urge you to keep current with all
   security patches and workarounds. If your system has been root
   compromised, we also recommend that you review

        ftp://info.cert.org/pub/tech_tips/root_compromise

   Further, you may want to monitor the Linux newsgroups and mailing lists
   for security patches and workarounds. More information can be found at

        http://bach.cis.temple.edu/linux/linux-security/

3. Naughty Robot Email Messages

   The CERT Coordination Center has received a number of reports
   describing forged email messages with a subject of "security breached
   by NaughtyRobot". These messages appear to originate from the victim's
   own account and claim to have exploited a security hole in the victim's
   web server. The messages also claim to have collected a variety of
   information including the victim's credit card numbers.

   As far as the CERT Coordination Center is aware, there has been no
   indication that the activities described in the message have actually
   taken place on any machine. Other response teams have been
   investigating these messages. The Computer Incident Advisory Capability
   (CIAC) has additional information on their web site at:

        http://ciac.llnl.gov/ciac/CIACHoaxes.html#naughty

   For additional information concerning email spoofing and what you can
   do, please see our document:

        ftp://info.cert.org/pub/tech_tips/email_spoofing

What's New in the CERT FTP Archive
- ----------------------------------

We have made the following changes since the last CERT Summary
(November 26, 1996).
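Item 1 above says that "phf" requests keep arriving, that most fail, that a
growing share is used to run commands, and that intruders rename the script to
stay hidden. A site administrator's first question is therefore what the httpd
access log shows. The following scanner is an added example and is not CERT's
code or part of any advisory; it assumes the server writes Common Log Format
(the layout used by NCSA and Apache httpd of the period), and the log lines,
hostnames and addresses in it are constructed for the example. It flags three
things: requests for the two script names this summary names (phf and
nph-test-cgi), any request whose decoded query refers to /etc/passwd (which
still fires when phf has been renamed), and any cgi-bin query carrying a
newline or shell separator. It also records whether the server answered 2xx,
since a 404 is the "unsuccessful attempt" the summary mentions and a 200 is the
case that needs an incident review.

```python
import re
from urllib.parse import unquote, urlsplit

# Script names this summary and its advisories identify as exploited:
# phf (CA-96.06) and nph-test-cgi (CA-97.07).
KNOWN_BAD_CGI = {"phf", "nph-test-cgi"}

# Common Log Format (assumed layout): host ident user [time] "request" status size
CLF = re.compile(
    r'^(?P<host>\S+) \S+ \S+ \[(?P<time>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<target>\S+)(?: (?P<proto>[^"]*))?" '
    r'(?P<status>\d{3}) (?P<size>\S+)'
)

# Characters that have no place in a form lookup but do separate commands.
SHELL_SEPARATORS = re.compile(r'[\n\r;|`]')

# Constructed sample log; the addresses are documentation ranges, not real hosts.
SAMPLE_LOG = """\
203.0.113.5 - - [26/Feb/1997:10:15:02 -0500] "GET /index.html HTTP/1.0" 200 1043
203.0.113.5 - - [26/Feb/1997:10:15:09 -0500] "GET /cgi-bin/phf?Qname=smith HTTP/1.0" 404 312
198.51.100.7 - - [26/Feb/1997:11:02:41 -0500] "GET /cgi-bin/phf?Qname=%2Fetc%2Fpasswd HTTP/1.0" 200 2210
198.51.100.7 - - [26/Feb/1997:11:03:15 -0500] "GET /cgi-bin/lookup?Qname=%2Fetc%2Fpasswd HTTP/1.0" 200 2210
198.51.100.7 - - [26/Feb/1997:11:04:02 -0500] "GET /cgi-bin/lookup?Qname=smith%0Ajones HTTP/1.0" 200 88
192.0.2.33 - - [26/Feb/1997:12:30:00 -0500] "GET /cgi-bin/nph-test-cgi HTTP/1.0" 200 640
"""


def parse_line(line):
    """Split one CLF line into fields; return None for lines that do not parse."""
    m = CLF.match(line)
    if not m:
        return None
    rec = m.groupdict()
    rec["status"] = int(rec["status"])
    return rec


def classify(target):
    """Return the reasons a request target looks like a cgi-bin exploit attempt."""
    parts = urlsplit(target)
    path = unquote(parts.path)
    query = unquote(parts.query)          # %2F, %0A etc. become real characters
    script = path.rsplit("/", 1)[-1]
    in_cgi_bin = "/cgi-bin/" in path
    reasons = []
    if in_cgi_bin and script in KNOWN_BAD_CGI:
        reasons.append(f"request for known-vulnerable script {script}")
    if "/etc/passwd" in query or "/etc/passwd" in path:
        # Catches the renamed-phf case: the script name changed, the goal did not.
        reasons.append("query references /etc/passwd")
    if in_cgi_bin and SHELL_SEPARATORS.search(query):
        reasons.append("cgi-bin query contains newline or shell separator")
    return reasons


def scan(lines):
    """Run classify() over an access log and collect the suspicious requests."""
    findings = []
    for line in lines:
        rec = parse_line(line)
        if rec is None:
            continue
        reasons = classify(rec["target"])
        if reasons:
            findings.append({
                "host": rec["host"],
                "time": rec["time"],
                "target": rec["target"],
                "status": rec["status"],
                "reasons": reasons,
                # 2xx means the script actually ran; 404 is the failed attempt
                # the summary describes (phf not installed or already removed).
                "succeeded": 200 <= rec["status"] < 300,
            })
    return findings


if __name__ == "__main__":
    for f in scan(SAMPLE_LOG.splitlines()):
        state = "EXECUTED" if f["succeeded"] else "failed"
        print(f'{f["time"]} {f["host"]} {state:8} {f["target"]}  <- {"; ".join(f["reasons"])}')
```

On a real system the same `scan()` can be fed the live access_log; any finding
with `succeeded` set on a host where phf or nph-test-cgi was supposed to be
disabled is the point at which the root_compromise tech tip referenced in
item 2 becomes relevant.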
* New Additions

ftp://info.cert.org/pub/cert_advisories/

    CA-96.25.sendmail_groups
        Addresses a security problem affecting sendmail version 8 relating
        to group-writable files. Vendor patches and a workaround are
        included.

    CA-96.26.ping
        Describes a denial-of-service attack using large ICMP datagrams
        issued via the ping command. Vendor information is included.

    CA-96.27.hp_sw_install
        Describes a vulnerability in Hewlett-Packard SD-UX that may allow
        local users to gain root privileges. A workaround is included.

    CA-97.01.flex_lm
        Describes multi-platform UNIX FLEXlm vulnerabilities. These
        problems may allow local users to create arbitrary files on the
        system and execute arbitrary programs using the privileges of the
        user running the FLEXlm daemons.

    CA-97.02.hp_newgrp
        Describes a vulnerability in the newgrp(1) program under HP-UX 9.x
        and 10.x that may allow users to gain root privileges. A
        workaround is provided.

    CA-97.03.csetup
        A vulnerability in the csetup program under IRIX versions 5.x,
        6.0, 6.0.1, 6.1, and 6.2 allows local users to create or overwrite
        arbitrary files on the system and ultimately gain root privileges.
        A workaround is provided.

    CA-97.04.talkd
        A vulnerability in the talkd(8) program used by talk(1) makes it
        possible to provide corrupt DNS information to a host and to
        remotely execute arbitrary commands with root privileges.

    CA-97.05.sendmail
        Addresses a MIME conversion buffer overflow in sendmail versions
        8.8.3 and 8.8.4. The advisory includes vendor information,
        pointers to the latest version of sendmail, a workaround, and
        general precautions to take when using sendmail.

    CA-97.06.rlogin-term
        Reports a vulnerability in many implementations of the rlogin
        program, including eklogin and klogin. Vendor information and a
        workaround are included.

    CA-97.07.nph-test-cgi_script
        Points out a vulnerability in the nph-test-cgi script included
        with some http daemons. Readers are urged to disable the script.
        Vendor information is included.

    CA-97.08.innd
        Describes a vulnerability in all versions of INN (the InterNetNews
        server) up to and including version 1.5. The advisory includes
        pointers to version 1.5.1 and to patches, along with information
        from vendors.

ftp://info.cert.org/pub/cert_bulletins/

    VB-96.19.sgi
        Describes possible vulnerabilities in systour and OutOfBox.

    VB-96.20.hp
        Describes vulnerabilities in HP Remote Watch.

ftp://info.cert.org/pub/vendors/hp/

    HPSBUX9609-038
        Using Vue 3.0 on HP-UX releases 10.01 and 10.10 only, it is
        possible to increase privileges and launch denial-of-service
        attacks.

    HPSBUX9610-040
        Describes a vulnerability with specific incoming ICMP Echo Request
        (ping) packets.

    HPSBUX9611-041
        Describes a vulnerability with large UIDs and GIDs in HP-UX 10.20.

    HPSBUX9701-049
        Describes a security vulnerability in the chfn executable.

ftp://info.cert.org/pub/vendors/ibm/

    ibm-key

ftp://info.cert.org/pub/vendors/sgi/

    19961202-01-PX
        Discusses TCP SYN and ping denial-of-service attacks.

ftp://info.cert.org/pub/latest_sw_versions/

    MH
        Added information on MH version 6.8.4-10.

    sendmail
        Added information on sendmail version 8.8.5.

    wuftpd
        Added information on wuftpd version 2.4.2-beta-12.

ftp://info.cert.org/pub/tools/crack/

    crack5.0.tar.gz

ftp://info.cert.org/pub/tools/tcp_wrappers/

    tcp_wrappers_7.5.tar.gz

* Updated Files

ftp://info.cert.org/pub/

    cert_faq
        Added URL for CIAC virus hoax page.

    Sysadmin_Tutorial.announcement
        Describes the course Internet Security for System and Network
        Administrators. Shows dates and locations of upcoming course
        offerings.

ftp://info.cert.org/pub/cert_advisories/

    CA-96.01.UDP_service_denial
        Updated IP spoofing information. Added pointers to Cisco Systems
        documents.

    CA-96.14.rdist_vul
        Added patch from Sun Microsystems, Inc.

    CA-96.19.expreserve
        Updated HP information.

    CA-96.21.tcp_syn_flooding
        Added patch from IBM Corporation. Corrected Sun Microsystems, Inc.
        security alert address. Added or changed information from Silicon
        Graphics Inc., Livingston Enterprises, Hewlett-Packard Company,
        and 3COM.

    CA-96.25.sendmail_groups
        Added information from Cray Research, a Silicon Graphics Company.

    CA-96.26.ping
        Updated information from The Santa Cruz Operation (SCO) and Data
        General Corporation.

    CA-97.01.flex_lm
        Added Silicon Graphics Inc. and Sun Microsystems, Inc. patch
        information.

    CA-97.02.hp_newgrp
        Added patch information.

    CA-97.04.talkd
        Added information from Cisco Systems.

    CA-97.05.sendmail
        Corrected sendmail.cf example.

    CA-97.06.rlogin-term
        Added information from Cygnus Solutions, NetBSD, and Sun
        Microsystems, Inc.

    CA-97.07.nph-test-cgi_script
        Corrected information in acknowledgements.

- ---------------------------------------------------------------------------

How to Contact the CERT Coordination Center

Email    cert@cert.org

Phone    +1 412-268-7090 (24-hour hotline)
         CERT personnel answer 8:30-5:00 p.m. EST (GMT-5)/EDT (GMT-4),
         and are on call for emergencies during other hours.

Fax      +1 412-268-6989

Postal address
         CERT Coordination Center
         Software Engineering Institute
         Carnegie Mellon University
         Pittsburgh PA 15213-3890
         USA

To be added to our mailing list for CERT advisories and bulletins, send your
email address to

        cert-advisory-request@cert.org

In the subject line, type

        SUBSCRIBE your-email-address

CERT advisories and bulletins are posted on the USENET news group

        comp.security.announce

CERT publications, information about FIRST representatives, and other
security-related information are available for anonymous FTP from

        http://www.cert.org/
        ftp://info.cert.org/pub/

If you wish to send sensitive incident or vulnerability information to CERT
staff by electronic mail, we strongly advise you to encrypt your message. We
can support a shared DES key or PGP. Contact the CERT staff for more
information.

Location of CERT PGP key

        ftp://info.cert.org/pub/CERT_PGP.key

- ---------------------------------------------------------------------------

Copyright 1997 Carnegie Mellon University

This material may be reproduced and distributed without permission provided
it is used for noncommercial purposes and credit is given to the CERT
Coordination Center.

CERT is a service mark of Carnegie Mellon University.

-----BEGIN PGP SIGNATURE-----
Version: 2.6.2

iQCVAwUBMxR8THVP+x0t4w7BAQHLdgP/ZhctBl2lw6D5+ITY01aLq7t0ObFXGqzb
pDNsLCTbF5d27dpBQHBlee7472qMSZjIwtFxeouOP/kSzlBQ951AXDz8S0S3McOm
0Jz2XNOzQciNxxPXdbs7ai0Md+OPNPLy1gxeNq+l+zqQmhq9o/F1+a9PV40hWW/f
lRqM6TtEF6Q=
=x6rN
-----END PGP SIGNATURE-----