CIAC documents FY 1991 Series B

ciacfy91.txt   All public FY91 CIAC bulletins.

b-01.txt    ciac-next-os
b-02.txt    ciac-silicon-graphics-mail
b-04.txt    ciac-vms-analyze
b-05.txt    ciac-hp-ux-authorization
b-07.txt    ciac-bitnet-worm
b-08.txt    ciac-vmscrtl_exe-trojan-horse
b-09.txt    ciac-italy
b-10.txt    ciac-sunos-tioccon
b-11.txt    ciac-openwindows-selection_svc
b-12.txt    ciac-bitnet-worm
b-13.txt    ciac-sunos-mail
b-14.txt    ciac-sunos-mail
b-15.txt    ciac-tcpip-decnet-x25
b-16.txt    ciac-mac-dos-virus-catalog
b-17.txt    ciac-unicos-security
b-18.txt    ciac-mvs-tso-reconnect
b-19.txt    ciac-system-v-uarea-bug
b-20.txt    ciac-sunos-telnetd-vulnerability
b-21.txt    ciac-sunos-telnetd-rlogind-vulnerability
b-22.txt    ciac-password-change-warning
b-24.txt    ciac-ultrix-v4-v4.1-vulnerability
b-25.txt    ciac-next-config-problems
b-26.txt    ciac-sun-directory-file-permissions
b-27.txt    ciac-sunsrc-setuid-installation-prob
b-28.txt    ciac-system-v-bin-login-patch
b-30.txt    ciac-sun-lpd-problem
b-31.txt    ciac-cray-unicos-accton-vulnerability
b-32.txt    ciac-ultrix-usr-bin-mail-problem
b-33.txt    ciac-new-sun-lpd-problem
b-33a.txt   ciac-new-sun-lpd-problem-addendum
b-35.txt    ciac-brunswick-virus
b-36.txt    ciac-telnet-patch
b-37.txt    ciac-rutil-databases
b-38.txt    ciac.sgi-fmt-vulnerability
b-39.txt    ciac.cray-unicos-vuln
b-40.txt    ciac.virus-on-pcnfs
b-41.txt    ciac-sunos-integer-division-patch
b-42.txt    ciac-macintosh-system7
b-43.txt    ciac-decnet-internet-gateway
b-44.txt    ciac-automated-tftp-probes
b-45.txt    ciac-end-of-fy91-update

_____________________________________________________

          The Computer Incident Advisory Capability

_____________________________________________________

                   Informational Bulletin

         Security Problem on the NeXT Operating System

October 5, 1990, 0800 PST                              Number B-1

CIAC has been informed of a series of security problems in the NeXT
operating system that are now becoming well known.
If your site operates NeXT machines, CIAC recommends that you follow the
procedures below to secure these systems against attack. The information
contained in this message has been provided by David Besemer, NeXT
Computer, Inc. and by the Computer Emergency Response Team (CERT). The
following describes four potential security problems, NeXT Computer's
recommended solutions, and the known system impact.

Problem 1.

DESCRIPTION: On Release 1.0 and 1.0a, a script exists in /usr/etc/restore0.9
that is a setuid shell script. The existence of this script is a potential
security problem.

IMPACT: The script is only needed during the installation process and isn't
needed for normal usage. It is possible for any logged-in user to gain root
access.

SOLUTION: NeXT owners running Release 1.0 or 1.0a should remove the file
/usr/etc/restore0.9 from all disks. This file is installed by the
"BuildDisk" application, so it should be removed from all systems built with
the standard release disk, as well as from the standard release disk itself
(which will prevent the file from being installed on systems built with the
standard release disk in the future). You must be root to remove this
script, and the command that will remove the script is the following:

    # /bin/rm /usr/etc/restore0.9

Problem 2.

DESCRIPTION: On NeXT computers running Release 1.0 or 1.0a that also have
publicly accessible printers, users can gain extra permissions via a
combination of bugs.

IMPACT: Computer intruders are able to exploit this security problem to gain
access to the system. Intruders, local users and remote users are able to
gain root access.

SOLUTION: NeXT computer owners running Release 1.0 or 1.0a should do two
things to fix a potential security problem.

First, the binary /usr/lib/NextPrinter/npd must be replaced with a more
secure version. This more secure version of npd is available through your
NeXT support center. You may contact this support center using electronic
mail to: ask_next@NeXT.com. This patched npd is also available by anonymous
FTP on the nodes nova.cc.purdue.edu, umd5.umd.edu, and cs.orst.edu. You may
also contact CIAC for help in obtaining this patch.

Upon receiving a copy of the more secure npd, you must become root and
install it in place of the old one in /usr/lib/NextPrinter/npd. The new npd
binary needs to be installed with the same permission bits (6755) and owner
(root) as the old npd binary. The commands to install the new npd binary are
the following:

    # /bin/mv /usr/lib/NextPrinter/npd /usr/lib/NextPrinter/npd.old
    # /bin/mv newnpd /usr/lib/NextPrinter/npd

(In the above command, "newnpd" is the npd binary that you obtained from
your NeXT support center.)

    # /etc/chown root /usr/lib/NextPrinter/npd
    # /etc/chmod 6755 /usr/lib/NextPrinter/npd
    # /etc/chmod 440 /usr/lib/NextPrinter/npd.old

The second half of the fix to this potential problem is to change the
permissions of directories on the system that are currently owned and able
to be written by group "wheel". The command that will remove write
permission for directories owned and writable by group "wheel" is below.
This command is all one line, and should be run as root.

    # find / -group wheel ! -type l -perm -20 ! -perm -2 -ls -exec chmod g-w {} \; -o -fstype nfs -prune

Problem 3.

DESCRIPTION: On NeXT computers running any release of the system software,
public access to the window server may be a potential security problem. The
default in Release 1.0 or 1.0a is correctly set so that public access to the
window server is not available. It is possible, when upgrading from a prior
release, that the old configuration files will be reused. These old
configuration files could possibly enable public access to the window
server.

IMPACT: This security problem will enable an intruder to gain access to the
system.

SOLUTION: If public access isn't needed, it should be disabled.

1. Launch the Preferences application, which is located in /NextApps.

2. Select the UNIX panel by pressing the button with the UNIX certificate
   on it.

3. If the box next to Public Window Server contains a check, click on the
   box to remove the check.

Problem 4.

DESCRIPTION: On NeXT computers running any release of the system software,
the "BuildDisk" application is executable by all users.

IMPACT: Allows a user to gain root access.

SOLUTION: Change the permissions on the "BuildDisk" application, allowing
only root to execute it. This can be accomplished with the command:

    # chmod 4700 /NextApps/BuildDisk

To remove "BuildDisk" from the default icon dock for new users, do the
following:

1. Create a new user account using the UserManager application.

2. Log into the machine as that new user.

3. Remove the BuildDisk application from the Application Dock by dragging
   it out.

4. Log out of the new account and log back in as root.

5. Copy the file ~newuser/.NeXT/.dock to /usr/template/user/.NeXT/.dock
   (where ~newuser is the home directory of the new user account).

6. Set the protections appropriately using the following command:

       # chmod 555 /usr/template/user/.NeXT/.dock

7. If you wish, remove the user account that you created in step 1 with
   UserManager.

In Release 2.0, the BuildDisk application will prompt for the root password
if it is run by a normal user.

NeXT has also reported that these potential problems have been fixed in
NeXT's Release 2.0, which will be available in November, 1990.

For additional information or assistance, please contact CIAC or your NeXT
support center:

    Tom Longstaff
    (415) 423-4416 or (FTS) 543-4416
    or David Brown
    (415) 423-9878 or (FTS) 543-9878
    FAX: (415) 423-0913 or (FTS) 543-0913
    or send e-mail to: ciac@tiger.llnl.gov

Thanks to Corey Satten and Scott Dickson for discovering, documenting, and
helping resolve these problems.
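The following Python script is an added example, not part of this bulletin or of NeXT's software. It expresses the three file-permission checks behind the fixes above as functions that can be pointed at any directory tree: a setuid or setgid interpreter script such as /usr/etc/restore0.9 (Problem 1), directories owned by a group such as wheel that are group-writable but not world-writable, which is the selection made by the bulletin's find command (Problem 2), and a program whose mode should be exactly 4700 or 6755 (Problems 2 and 4). The paths in the final block are the bulletin's; the function names and the group lookup are the example's own assumptions.

```python
import grp
import os
import stat

# Audit helpers for the permission problems in bulletin B-1 (example code):
#   - a setuid/setgid *script* (e.g. /usr/etc/restore0.9),
#   - directories owned by a group (e.g. wheel) that are group-writable but
#     not world-writable, i.e. the bulletin's
#       find / -group wheel ! -type l -perm -20 ! -perm -2
#   - a program whose mode must be exact (BuildDisk 4700, npd 6755).


def is_privileged(mode):
    """True when the setuid or setgid bit is set in a stat mode."""
    return bool(mode & (stat.S_ISUID | stat.S_ISGID))


def looks_like_script(path):
    """A file whose first two bytes are '#!' is an interpreter script."""
    try:
        with open(path, "rb") as fh:
            return fh.read(2) == b"#!"
    except OSError:
        return False


def find_privileged_scripts(root):
    """Regular files under root that are setuid/setgid AND are scripts.
    The bulletin treats any such script as a path to root, so every hit
    should be removed or replaced, not merely noted."""
    hits = []
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            path = os.path.join(dirpath, name)
            try:
                st = os.lstat(path)
            except OSError:
                continue
            if (stat.S_ISREG(st.st_mode) and is_privileged(st.st_mode)
                    and looks_like_script(path)):
                hits.append(path)
    return sorted(hits)


def find_group_writable_dirs(root, gid):
    """Directories owned by gid with g+w set and o+w clear.  os.walk does
    not follow symlinks, which covers the '! -type l' part of the find."""
    hits = []
    for dirpath, _dirs, _files in os.walk(root):
        st = os.lstat(dirpath)
        if (st.st_gid == gid and st.st_mode & stat.S_IWGRP
                and not st.st_mode & stat.S_IWOTH):
            hits.append(dirpath)
    return sorted(hits)


def remove_group_write(paths):
    """The 'chmod g-w' half of the bulletin's find command, kept separate
    from the listing so the report can be reviewed before anything changes."""
    for path in paths:
        mode = stat.S_IMODE(os.lstat(path).st_mode)
        os.chmod(path, mode & ~stat.S_IWGRP)


def check_mode(path, expected):
    """Compare the permission bits (setuid/setgid included) of path with an
    expected octal mode, e.g. 0o4700 for BuildDisk or 0o6755 for npd.
    Returns (ok, actual_mode)."""
    actual = stat.S_IMODE(os.lstat(path).st_mode)
    return actual == expected, actual


if __name__ == "__main__":
    # Paths below are the bulletin's; they will simply be absent elsewhere.
    print("setuid/setgid scripts:", find_privileged_scripts("/usr/etc"))
    try:
        wheel = grp.getgrnam("wheel").gr_gid
        print("wheel-writable dirs:", find_group_writable_dirs("/usr/lib", wheel))
    except KeyError:
        print("no wheel group on this system")
    for prog, mode in (("/NextApps/BuildDisk", 0o4700),
                       ("/usr/lib/NextPrinter/npd", 0o6755)):
        if os.path.exists(prog):
            ok, actual = check_mode(prog, mode)
            print(prog, "ok" if ok else "WRONG MODE %o" % actual)
```

Run it as root on the machine being audited; the group id is looked up by name so the same check applies to any group, and remove_group_write is only called on a list you have already inspected.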
Neither the United States Government nor the University of California nor
any of their employees, makes any warranty, expressed or implied, or assumes
any legal liability or responsibility for the accuracy, completeness, or
usefulness of any information, product, or process disclosed, or represents
that its use would not infringe privately owned rights. Reference herein to
any specific commercial products, process, or service by trade name,
trademark, manufacturer, or otherwise, does not necessarily constitute or
imply its endorsement, recommendation, or favoring by the United States
Government or the University of California. The views and opinions of
authors expressed herein do not necessarily state or reflect those of the
United States Government nor the University of California, and shall not be
used for advertising or product endorsement purposes.

_____________________________________________________

          The Computer Incident Advisory Capability

_____________________________________________________

                   Informational Bulletin

         UNIX Security Problem with Silicon Graphics Mail

October 12, 1990, 0800 PST                              Number B-2

CIAC has learned of a security problem with the Berkeley Mailer supplied by
Silicon Graphics. The program /usr/sbin/Mail on IRIX 3.3 and later releases
is installed with the setgid bit set. This allows users to read any mail on
the system, including mail to root.

To determine if your system has this problem you should execute:

    ls -l /usr/sbin/Mail

A line similar to the following should be displayed:

    -rwxr-sr-x   1 bin      mail      172080 Jun  7 15:05 /usr/sbin/Mail

Look at the permission bits. If you see "-rwxr-sr-x" then the problem
exists on your system.

There are several potential solutions for this problem.

Alternative 1 - Workaround

Execute the following command as root:

    chmod 755 /usr/sbin/Mail

Then after doing an ls -l you should see:

    -rwxr-xr-x   1 bin      mail      172080 Jun  7 15:05 /usr/sbin/Mail

This workaround has one known side effect.
The Mail program can no longer remove the user's mail file from /usr/mail
when all messages have been deleted. Instead, it leaves a zero length file.
If you choose this solution, please be aware that the fixed binary will be
available in the next release of IRIX (3.3.2, currently scheduled for
November, 1990).

Alternative 2 - Obtain and install the fixed binary

A better solution is to download the fixed binary from sgi.com. Silicon
Graphics has made a new executable available to fix this problem. It is
available for anonymous ftp from sgi.com, or from your local Silicon
Graphics sales representative. Contact the SGI hotline for more information.
(The bug number is alpha bug AF19315.)

If you are not certain how to ftp to sgi.com and properly install the
binary, use the following commands:

    cd /usr/sbin                          - The directory that Mail is in
    chmod 755 /usr/sbin/Mail              - Remove the setgid bit
    mv /usr/sbin/Mail /usr/sbin/Mail.org  - Rename Mail
    ftp 192.48.153.1                      - ftp to sgi.com and get the new binary
    name: anonymous                       - login as anonymous
    password: guest                       - password guest
    ftp> bin                              - Set binary mode
    ftp> cd sgi/Mail                      - The Mail directory
    ftp> get Mail                         - Get the new binary
    ftp> quit                             - quit ftp
    chmod 2755 Mail                       - Make sure permissions are correct
    chgrp mail Mail                       - Make sure group is correct
    chown bin Mail                        - Make sure owner is correct

For additional information or assistance, please contact CIAC:

    David Brown
    (415) 423-9878 or (FTS) 543-9878
    FAX: (415) 423-0913 or (FTS) 543-0913
    or send e-mail to: ciac@tiger.llnl.gov

The assistance of Kevin E. Leininger and Matt Wicks of Fermi National
Accelerator Laboratory and Chuck Athey and Ross Guant of Lawrence Livermore
National Laboratory is gratefully acknowledged.
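As an added example (not from the bulletin or from Silicon Graphics), this Python script performs the check the bulletin asks the administrator to do by eye on ls -l output, and generalises it: it decodes the permission string of every line, flags each setuid or setgid program together with the owner or group it would run as, and offers a stat-based version of the same test for a live file. The ls lines built into it are constructed from the bulletin's example and are not the output of a real system; the function names are the example's own.

```python
import os
import re
import stat

# Constructed sample of ls -l output (example data, not from a live system):
# the vulnerable line from the bulletin, the same program after the
# chmod 755 workaround, a setuid program and a directory for contrast.
SAMPLE_LS = """\
-rwxr-sr-x 1 bin  mail 172080 Jun  7 15:05 /usr/sbin/Mail
-rwxr-xr-x 1 bin  mail 172080 Jun  7 15:05 /usr/sbin/Mail.fixed
-rwsr-xr-x 1 root sys   40960 Jun  7 15:05 /bin/passwd
drwxrwxr-x 2 bin  mail   1024 Jun  7 15:05 /usr/mail
"""

# type, 9 permission chars, links, owner, group, size, month day time, path
LS_LINE = re.compile(
    r"^([-dlbcps])([rwxsStT-]{9})\s+\d+\s+(\S+)\s+(\S+)\s+\d+\s+"
    r"\S+\s+\d+\s+\S+\s+(.+?)\s*$")

_BITS = (stat.S_IRUSR, stat.S_IWUSR, stat.S_IXUSR,
         stat.S_IRGRP, stat.S_IWGRP, stat.S_IXGRP,
         stat.S_IROTH, stat.S_IWOTH, stat.S_IXOTH)
_SPECIAL = {2: stat.S_ISUID, 5: stat.S_ISGID, 8: stat.S_ISVTX}


def mode_from_string(perms):
    """Turn the nine-character rwx field of ls -l into numeric mode bits.
    's'/'S' in the user or group execute column means setuid / setgid,
    't'/'T' in the last column is the sticky bit; lower case means the
    execute bit is set as well, upper case means it is not."""
    if len(perms) != 9:
        raise ValueError("expected 9 permission characters: %r" % perms)
    mode = 0
    for i, ch in enumerate(perms):
        if ch == "-":
            continue
        if ch == "rwx"[i % 3]:
            mode |= _BITS[i]
        elif i in _SPECIAL and ch in "sStT" and (ch in "sS") == (i != 8):
            mode |= _SPECIAL[i]
            if ch.islower():
                mode |= _BITS[i]
        else:
            raise ValueError("bad permission character %r at %d" % (ch, i))
    return mode


def parse_ls(text):
    """Parse ls -l lines into dicts with type, mode, owner, group and path."""
    entries = []
    for line in text.splitlines():
        m = LS_LINE.match(line)
        if not m:
            continue
        ftype, perms, owner, group, path = m.groups()
        entries.append({"type": ftype, "mode": mode_from_string(perms),
                        "owner": owner, "group": group, "path": path})
    return entries


def privileged_entries(entries):
    """(path, reason) for every setuid or setgid program.  setgid on a
    directory only controls group inheritance, so directories are skipped."""
    out = []
    for e in entries:
        flags = []
        if e["mode"] & stat.S_ISUID:
            flags.append("setuid " + e["owner"])
        if e["mode"] & stat.S_ISGID and e["type"] != "d":
            flags.append("setgid " + e["group"])
        if flags:
            out.append((e["path"], ", ".join(flags)))
    return out


def live_privileged_bits(path):
    """The same check against a live file via stat(2) instead of ls text."""
    mode = os.stat(path).st_mode
    return {"setuid": bool(mode & stat.S_ISUID),
            "setgid": bool(mode & stat.S_ISGID),
            "mode": stat.S_IMODE(mode)}


if __name__ == "__main__":
    import sys
    # Pipe real output in (ls -l /usr/sbin/Mail | python3 this.py) or run
    # without input to see the constructed sample.
    text = sys.stdin.read() if not sys.stdin.isatty() else SAMPLE_LS
    for path, why in privileged_entries(parse_ls(text)):
        print("%-24s %s" % (path, why))
```

After the Alternative 2 install the program is again setgid mail by design (2755), so the check is not "setgid is wrong" but "every setgid program on the list is one you expect and have the fixed version of".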
========================================================================
||           THE COMPUTER INCIDENT ADVISORY CAPABILITY                ||
||                                                                    ||
||                            C I A C                                 ||
||                                                                    ||
||                       INFORMATION NOTICE                           ||
========================================================================

              VMS Security Problem with ANALYZE/PROCESS_DUMP
              ----------------------------------------------

October 22, 1990, 1200 PST                                    Number B-4

Summary: Critical VMS Security Problem Facts
----------------------------------------------------------------------------
PROBLEM:        VMS security problem with the ANALYZE/PROCESS_DUMP command
PLATFORM:       DEC VMS systems (all versions 4.0 to 5.3, including MicroVMS)
DAMAGE:         Allows system privileges to non-privileged users (including
                the user decnet on older VMS systems)
WORKAROUND:     Disable ANALYZE/PROCESS_DUMP for non-privileged users
PATCH:          Not currently available, but DEC is aware of the problem
SYSTEM IMPACT:  The workaround will disallow the use of ANALYZE/PROCESS_DUMP
                for non-privileged users. Other program debuggers are
                unaffected.
----------------------------------------------------------------------------

CIAC has learned of a serious security problem on Digital Equipment Corp.
(DEC) VMS systems. The potential damage of this problem is that users may
gain unauthorized system privileges through the use of the
ANALYZE/PROCESS_DUMP DCL command. In addition, systems that have set up the
FAL and default DECNET accounts to use the same directory have the potential
to allow system access to other VMS machines connected to the network.

DEC is currently working on a permanent solution to this problem. As an
interim measure, DEC recommends that this command be disabled for all
non-privileged users. This may be accomplished using the following
procedure:

1. Log into the system account.

2. $ SET PROC/PRIV=ALL

3. a) For VMS systems prior to V5.0, modify SYS$MANAGER:SYSTARTUP.COM to
      include the following lines as the first two lines in the file:

          $ SET NOON
          $ MCR INSTALL ANALIMDMP.EXE/DELETE

   b) For VMS systems V5.0 and later, modify SYS$MANAGER:SYSTARTUP_V5.COM
      to include the following as the first two lines of the file:

          $ SET NOON
          $ MCR INSTALL ANALIMDMP.EXE/DELETE

   c) For MicroVMS systems, the image ANALIMDMP.EXE is not installed by
      default, but SYSTARTUP.COM contains a suggestion to install the image
      if you have multiple users on your system. You must ensure that this
      image is not installed in SYSTARTUP.COM. You can use the following
      command to verify that the image is not installed:

          $ MCR INSTALL ANALIMDMP/LIST

      If you receive a message similar to the following:

          %INSTALL-W-FAIL, failed to LIST entry for ANALIMDMP.EXE

      then you do not have the image installed. Otherwise, proceed as in
      step 3.a above.

4. $ MCR INSTALL ANALIMDMP/DELETE

   This command removes the installed image from the active system.

5. (Optional) Restart your systems and verify that the image is not
   installed using the following command:

       $ MCR INSTALL ANALIMDMP/LIST

   If you receive a message similar to the following:

       %INSTALL-W-FAIL, failed to LIST entry for ANALIMDMP.EXE
       -INSTALL-E-NOKFEFND, Known File Entry not found

   then you do not have the image installed and your system does not have
   the security problem.

For additional information or assistance, please contact CIAC:

    Thomas A. Longstaff
    (415) 423-4416 or (FTS) 543-4416
    FAX: (415) 423-0913 or (FTS) 543-0913
    or send e-mail to: ciac@tiger.llnl.gov
========================================================================
||           THE COMPUTER INCIDENT ADVISORY CAPABILITY                ||
||                                                                    ||
||                            C I A C                                 ||
||                                                                    ||
||                       INFORMATION NOTICE                           ||
========================================================================

         HP-UX Trusted Systems 6.5 or 7.0, Authorization Problem
         -------------------------------------------------------

Oct 24, 1990 1600 PST                                         Number B-5

Summary: Critical HP-UX Trusted Systems Facts
----------------------------------------------------------------------------
PROBLEM:        May allow non-privileged users to gain root access.
PLATFORM:       Hewlett Packard, Trusted Systems 6.5/7.0
DAMAGE:         Allows unauthorized system modification.
WORKAROUND:     Ensure correct password files and use user names of fewer
                than 8 characters.
PATCH:          H.P. is aware of this problem and has released patch P025,
                available from the HP Response Center or your local HP
                representative.
SYSTEM IMPACT:  Inconvenience of temporarily changing some user names.
----------------------------------------------------------------------------

CIAC has learned of a serious security problem with Hewlett Packard Trusted
Systems 6.5/7.0, which may allow non-privileged users to gain root access.
Two problems exist within the user authentication (login) system. Both
problems only affect the secure C2 version of HP-UX. If you are running
Trusted Systems 6.5 or 7.0, then the vulnerability exists on your system.

The two related vulnerabilities are:

Problem 1

If you are running Trusted Systems HP-UX you must be absolutely sure that
each entry in your /.secure/etc/passwd file matches an entry in your
/etc/passwd file. If you have an entry in /.secure/etc/passwd and not in
/etc/passwd, the user will be authorized and given root privileges.

Problem 2

A related vulnerability has to do with users that have 8-character user
names. If any users have user names of 8 characters, you should change them
to 7 or fewer characters until you install the patch described below.
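The following Python script is an added example, not part of this bulletin or of HP-UX. It implements the two checks the bulletin describes: names present in /.secure/etc/passwd but absent from /etc/passwd (Problem 1) and names longer than 7 characters in either file (Problem 2). The file contents built into it are constructed samples, and the assumption that the protected password file carries the user name in its first colon-separated field, as /etc/passwd does, is the example's, not the bulletin's.

```python
# Constructed HP-UX-style password files (example data, not real accounts).
# Assumption of this example: the protected file /.secure/etc/passwd puts
# the user name in the first colon-separated field; nothing beyond that
# field is needed for the check.
SECURE_PASSWD = """\
root:qxK2.4lmnoPQR:0:0::
alice:a9Rz7vQwE1tyU:101:20::
ghost:zz9Lk3mN0pQrS:500:20::
jsmith88:b4Nc8xTu2wVyZ:102:20::
"""

ETC_PASSWD = """\
root:*:0:0:Superuser:/:/bin/sh
alice:*:101:20:Alice Example:/users/alice:/bin/sh
jsmith88:*:102:20:J Smith:/users/jsmith88:/bin/ksh
bob:*:103:20:Bob Example:/users/bob:/bin/sh
"""

MAX_SAFE_NAME_LEN = 7   # the bulletin's workaround: 7 characters or fewer


def usernames(passwd_text):
    """First field of each non-empty, non-comment line, in file order."""
    names = []
    for line in passwd_text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        names.append(line.split(":", 1)[0])
    return names


def audit_trusted_passwd(secure_text, passwd_text, max_len=MAX_SAFE_NAME_LEN):
    """Report the conditions bulletin B-5 warns about.

    orphaned    - names in /.secure/etc/passwd with no /etc/passwd entry
                  (Problem 1: such a login is authorized with root privilege)
    long_names  - names longer than max_len in either file (Problem 2)
    unprotected - /etc/passwd names missing from the secure file; not a
                  privilege issue by itself, but a sign the two files drifted
    """
    secure_set = set(usernames(secure_text))
    regular_set = set(usernames(passwd_text))
    return {
        "orphaned": sorted(secure_set - regular_set),
        "unprotected": sorted(regular_set - secure_set),
        "long_names": sorted(n for n in secure_set | regular_set
                             if len(n) > max_len),
    }


def is_clean(report):
    """True when neither of the bulletin's two conditions is present."""
    return not (report["orphaned"] or report["long_names"])


if __name__ == "__main__":
    import sys
    # Usage: python3 this.py /.secure/etc/passwd /etc/passwd
    # With no arguments the constructed sample files are audited instead.
    if len(sys.argv) == 3:
        with open(sys.argv[1]) as s, open(sys.argv[2]) as p:
            report = audit_trusted_passwd(s.read(), p.read())
    else:
        report = audit_trusted_passwd(SECURE_PASSWD, ETC_PASSWD)
    for key, names in report.items():
        print("%-12s %s" % (key + ":", ", ".join(names) or "(none)"))
    sys.exit(0 if is_clean(report) else 1)
```

The exit status makes the script usable from a nightly cron job: a non-zero exit means an orphaned entry or an 8-character name has appeared since the last run.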
Solution

The above modifications should be considered a temporary workaround. A
permanent solution to both is to obtain patch P025 from the HP Response
Center or your local HP Representative.

For additional information or assistance, please contact CIAC or your local
HP Representative:

    David Brown
    (415) 423-9878 or (FTS) 543-9878
    FAX: (415) 423-0913 or (FTS) 543-0913
    or send e-mail to: ciac@tiger.llnl.gov

_____________________________________________________

          The Computer Incident Advisory Capability

_____________________________________________________

                    Information Bulletin

                        BITNET Worm

November 5, 1990, 0800 PST                              Number B-7

PROBLEM:       Self-replicating code (worm) on external BITNET RSCS systems
PLATFORM:      IBM VM/CMS
DAMAGE:        May flood the mail queue of the infected computers
IMMUNIZATION:  RSCS filter program available from IBM at no cost

Critical BITNET Worm Facts

CIAC has been informed of a slow-spreading worm on the external BITNET*
network that has affected IBM mainframe systems running the VM/CMS
operating system and the RSCS communications utility.
Preliminary reports indicate that this worm was first detected in late
October, and that it spread for approximately one day. The worm does not
appear to be spreading at this time, and we are aware of fewer than a dozen
systems penetrated by this worm so far. This worm is readily identified by
its characteristics and poor coding style. This bulletin is to advise you
that this worm may be released again sometime in the future, possibly once
the many coding errors that prevented a wider spread are corrected. This
bulletin is also to inform you about a filter program available from IBM to
protect against this and similar security threats.

CHARACTERISTICS

The worm was initially named "TERM MODULE" and consisted of a REXX program
that displayed user nicknames on the user's screen. It was apparently
modified to additionally perform the following functions:

a. It attempts to copy itself to all users listed in the NAMES file of the
   user executing the code. Due to programming errors, this will be
   effective for only about 50% of the user names.

b. It sends a copy of the "ALL NOTEBOOK" back to the user. This is not
   necessarily harmful, but may fill up spool space on the affected
   machine.

DETECTION

The worm is easily identified when it is run by displaying a "pretty-printed"
copy of the names file to the user's display terminal. (There is an IBM
function designed to print a copy of a user's names file in a more easily
readable, "pretty-printed" format.) Since the IBM TERM command does not
include this functionality, this will be an easily identified anomaly. In
addition, it must be EXECUTED by the user in order to replicate:
specifically, the user must receive the worm file from the reader
application and then either type the command "EXEC TERM" or accidentally
execute the code from the CP TERMINAL command.

COUNTERMEASURES

Sites running VM/CMS should install and use the RSCS filter program
(available free from IBM). This filter program is called the selective file
filter, and was announced in the IBM VM Software Newsletter (WSC Flash
9013). Contact your local IBM representative for details. This program can
scan for file names or file types, then place them into the punch queue for
later identification and analysis. As a minimum level of protection, all
files with the name and type of "TERM MODULE" should be examined prior to
receipt by the user. Sites which do not routinely transmit compiled REXX
code may wish to wildcard the filename and scan for all files with a
filetype of MODULE. This may help to protect against future versions of the
worm that might have a different file name.

It is EXTREMELY DOUBTFUL that the worm could execute on an MVS system.
Therefore, sites running the MVS operating system should not be affected,
even if they support the REXX language. These sites, however, may begin
seeing copies of the worm (which should not execute) if MVS users routinely
receive files from affected machines.

We recommend that you also notify users that they should not receive and
execute any program without first browsing it or discussing its operation
with the sender. The VM/CMS reader is designed to prevent problems
associated with executing unfamiliar programs, and should be used for this
purpose. If you receive an unknown file with a filetype of EXEC or MODULE,
immediately contact your computer security officer for information and
assistance. Please also notify CIAC, as we wish to track any spread of this
worm.

For additional information or assistance, please contact CIAC:

    Thomas A. Longstaff
    (415) 423-4416 or (FTS) 543-4416
    or call (415) 422-8193 or (FTS) 532-8193
    send FAX messages to: (415) 423-0913 or (FTS) 543-0913
___
* BITNET is a communications network among universities and industries
  around the world.

Jim Molini of Computer Sciences Corporation supplied much of the
information contained in this bulletin.
_____________________________________________________

          The Computer Incident Advisory Capability

_____________________________________________________

                    Information Bulletin

    Detection/Eradication Procedures for VMSCRTL.EXE Trojan Horse

November 21, 1990, 1100 PST                              Number B-8
__________________________________________________________________________
PROBLEM:    Detection of trojan horse and recovery procedures
PLATFORM:   VAX/VMS (all versions)
DAMAGE:     Gives unauthorized privileged access to the system if the trojan
            horse is implanted in the system by intruders who have already
            obtained privileged status
DETECTION:  Several methods (described herein), of which finding VMSCRTL.EXE
            in SYS$LIBRARY is the fastest
__________________________________________________________________________

Critical Trojan Horse Facts

In bulletin B-6 CIAC warned of a new pattern of intrusions into VMS systems.
Part of this pattern is placing a file named VMSCRTL.EXE into SYS$LIBRARY.
CIAC has determined that this file contains a trojan horse program.
VMSCRTL.EXE also provides a means for the attackers to gain full privileges
from a non-privileged account if this file has been installed with the
CMKRNL privilege. The presence of VMSCRTL.EXE in SYS$LIBRARY indicates that
a VMS system has been compromised and that the attackers have been able to
gain full privileges.

The trojan horse behaviors of VMSCRTL.EXE are:

1. Copies itself to SYS$LIBRARY:VMSCRTL.EXE

2. Creates the file SYS$STARTUP:DECW$INSTALL_LAT.COM. This file contains a
   standard DEC copyright notice and a DCL command to install
   SYS$LIBRARY:VMSCRTL.EXE with CMKRNL privilege.

3. Modifies the file SYS$STARTUP:VMS$LAYERED.DAT to include the execution
   of SYS$STARTUP:DECW$INSTALL_LAT.COM as part of the VMS boot procedure.

4. Exits with a (falsified) CLI error message while returning a status of
   SYS$NORMAL.

The "tracks" left behind by the execution of VMSCRTL.EXE are fairly obvious:

1. The presence of SYS$LIBRARY:VMSCRTL.EXE

2. The presence of SYS$STARTUP:DECW$INSTALL_LAT.COM

3. The file SYS$STARTUP:VMS$LAYERED.DAT will have its MODIFIED date changed
   to reflect the time at which VMSCRTL.EXE was run. Use the DCL command

       $ DIRECTORY/FULL SYS$STARTUP:VMS$LAYERED.DAT

   or

       $ DIRECTORY/DATE=MODIFIED SYS$STARTUP:VMS$LAYERED.DAT

   to determine the modification date. Note that this evidence will be
   destroyed if any subsequent modifications or listings of
   SYS$STARTUP:VMS$LAYERED.DAT are made via the STARTUP command to SYSMAN.

4. The DCL command

       $ MCR SYSMAN STARTUP FILE

   will list DECW$INSTALL_LAT.COM as one of the startup files. Note that
   executing this command will change the modification date of
   SYS$STARTUP:VMS$LAYERED.DAT. Be sure, therefore, to do this check after
   checking the MODIFIED date as prescribed above.

5. If the infected system has been rebooted since VMSCRTL.EXE was run, the
   DCL command

       $ MCR INSTALL /LIST

   will reveal that SYS$LIBRARY:VMSCRTL.EXE is installed with privilege. A
   full list of this installed image will show it is installed with CMKRNL.

DETECTION

The presence of the file SYS$LIBRARY:VMSCRTL.EXE is definite confirmation
that this trojan horse is present. Additional confirmatory evidence
includes:

1. The presence of the file SYS$STARTUP:DECW$INSTALL_LAT.COM

2. Modification of the SYSMAN STARTUP database file to include the
   execution of SYS$STARTUP:DECW$INSTALL_LAT.COM

A search string that can be used to identify VMSCRTL.EXE regardless of the
file's name is "%VCR". For example, to search your entire system disk you
might enter:

    $ SEARCH SYS$SYSDEVICE:[*...]*.* "%VCR"/WINDOW=1

If VMSCRTL.EXE is detected in a non-system directory, it is likely that the
attackers have penetrated a non-privileged account but have not yet been
able to gain full privileges.

MINIMAL RECOVERY PROCEDURE

If you have detected VMSCRTL.EXE in SYS$LIBRARY, the VMS system has been
compromised by attackers who were able to gain full privileges. (If these
attackers are able to reenter the system, they will again be able to gain
full privileges.) The minimal recovery procedure described below is
provided only as a quick, short-term, "stop gap" measure. (The possibility
that other damage to the compromised VMS system was done by the attackers
is large; we therefore recommend that when time permits the full recovery
procedure be implemented.)

The minimal recovery procedure is:

1. Use INSTALL to remove SYS$LIBRARY:VMSCRTL.EXE with the command:

       $ MCR INSTALL SYS$LIBRARY:VMSCRTL.EXE/DELETE

   Note: It is possible that VMSCRTL.EXE is not installed (yet), and so
   this command may produce the appropriate error message.

2. Remove the startup entry SYS$STARTUP:DECW$INSTALL_LAT.COM from SYSMAN's
   database with the command:

       $ MCR SYSMAN STARTUP REMOVE FILE SYS$STARTUP:DECW$INSTALL_LAT.COM

3. Delete the file SYS$LIBRARY:VMSCRTL.EXE and the file
   SYS$STARTUP:DECW$INSTALL_LAT.COM.

4. Disable all inactive accounts using AUTHORIZE. For example, to disable
   an account named JONES, enter:

       $ SET DEF SYS$SYSTEM
       $ RUN AUTHORIZE
       UAF> MOD JONES/FLAGS=DISUSER
       UAF> EXIT

5. Change the passwords on all active accounts.

6. Review all entries in SYSUAF.DAT and make appropriate corrections.

7. Review all SYSGEN parameters and make appropriate corrections.

8. Review all system files for modifications occurring after the
   penetration. The following DCL command can prove very useful in this
   endeavor:

       $ DIR/FULL/MODIFIED/SINCE=""

   For example, if the penetration date were October 31st, enter:

       $ DIR/FULL/MODIFIED/SINCE="31-OCT-1990"

FULL RECOVERY PROCEDURE

For the full recovery procedure, follow the complete VMS recovery procedure
given in the appendix to this bulletin.

For additional information or assistance, please contact CIAC:

    Hal R. Brand
    (415) 422-6312 or (FTS) 532-6312
    or call (415) 422-8193 or (FTS) 532-8193
    send FAX messages to: (415) 423-0913 or (FTS) 543-0913
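As an added example (not from the bulletin, and not a VMS tool), the following Python script expresses the DETECTION section and step 8 of the minimal recovery procedure as checks that can be run from a POSIX host over a copied or mounted tree: presence of the two indicator files, the "%VCR" content search regardless of file name, and a list of files modified since a given date. The indicator file names and the marker string come from the bulletin; treating SYS$LIBRARY and SYS$STARTUP as literal folder names, and the function names, are the example's own assumptions.

```python
import os
from datetime import datetime

# Indicators from bulletin B-8, as paths relative to the tree being scanned.
# Assumption of this example: SYS$LIBRARY and SYS$STARTUP appear as plain
# directory names in the copied tree.
INDICATOR_FILES = (
    os.path.join("SYS$LIBRARY", "VMSCRTL.EXE"),
    os.path.join("SYS$STARTUP", "DECW$INSTALL_LAT.COM"),
)
MARKER = b"%VCR"   # the bulletin's search string; independent of file name


def present_indicators(root):
    """Which of the indicator files exist under root."""
    return [rel for rel in INDICATOR_FILES
            if os.path.exists(os.path.join(root, rel))]


def file_contains(path, marker, chunk_size=65536):
    """Chunked binary search; the overlap keeps a match that straddles a
    chunk boundary from being missed."""
    overlap = len(marker) - 1
    tail = b""
    with open(path, "rb") as fh:
        while True:
            data = fh.read(chunk_size)
            if not data:
                return False
            buf = tail + data
            if marker in buf:
                return True
            tail = buf[-overlap:] if overlap else b""


def files_containing(root, marker=MARKER):
    """Tree-wide equivalent of  $ SEARCH SYS$SYSDEVICE:[*...]*.* "%VCR"."""
    hits = []
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            path = os.path.join(dirpath, name)
            try:
                if file_contains(path, marker):
                    hits.append(os.path.relpath(path, root))
            except OSError:
                continue
    return sorted(hits)


def files_modified_since(root, since):
    """Equivalent of  $ DIR/FULL/MODIFIED/SINCE="31-OCT-1990": files whose
    modification time is at or after the given datetime."""
    cutoff = since.timestamp()
    hits = []
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            path = os.path.join(dirpath, name)
            try:
                if os.lstat(path).st_mtime >= cutoff:
                    hits.append(os.path.relpath(path, root))
            except OSError:
                continue
    return sorted(hits)


def scan(root, since):
    """All three checks in one report."""
    return {"indicator_files": present_indicators(root),
            "marker_hits": files_containing(root),
            "modified_since": files_modified_since(root, since)}


def compromised(report):
    """The bulletin's rule: an indicator file or the marker is confirmation;
    the modified-since list is review material, not a verdict by itself."""
    return bool(report["indicator_files"] or report["marker_hits"])


if __name__ == "__main__":
    import sys
    # Usage: python3 this.py /mnt/vms_copy 1990-10-31
    root, day = sys.argv[1], datetime.strptime(sys.argv[2], "%Y-%m-%d")
    report = scan(root, day)
    for key, paths in report.items():
        print(key + ":")
        for p in paths:
            print("    " + p)
    sys.exit(1 if compromised(report) else 0)
```

Scan a copy or a read-only mount rather than the live system disk: reading the files does not alter VMS$LAYERED.DAT the way a SYSMAN STARTUP listing does, but working from a copy also preserves the modification dates the bulletin tells you to record first.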
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -

COMPLETE VMS RECOVERY PROCEDURE

This recovery procedure should be applied to a compromised VMS system
whenever it cannot be determined that the intruders failed to gain system
privilege.

1. Get a hardcopy listing of your current SYSUAF.DAT. If SYSUAF.DAT
   contains an extremely large number of users, it will take considerable
   time to restore all accounts (so it may be expedient to save SYSUAF.DAT
   to tape or elsewhere so it can be restored, although we do not generally
   recommend this procedure).

2. Remove from all disks all executable code (including DCL command
   procedures) run by privileged accounts.

3. Initialize the system disk to remove all files. (This is an extreme
   step, but it is guaranteed to remove any damage done by the intruder.)

4. Install VMS and all layered products.

5. Use AUTHORIZE to add only currently active accounts (or restore the
   SYSUAF.DAT you saved). If you restore SYSUAF.DAT you must scrutinize it
   very carefully. Restoring SYSUAF.DAT is not generally recommended. It is
   better to re-create only the active accounts, because this not only
   removes all dormant accounts, but also guarantees elimination of bogus
   accounts and unauthorized modifications.

6. Restore from TRUSTED backups all site-specific files found on the system
   disk. In the event you do not have TRUSTED backups, we recommend you
   re-create these files.

   Note: "Trusted backups" are defined as backups in which there is a high
   degree of assurance that there were no unauthorized changes made to any
   of the files before the backup was made.

7. Restore from TRUSTED backups all files removed in step 2. In the event
   you do not have TRUSTED backups, we recommend that you re-create these
   files.
_____________________________________________________
The Computer Incident Advisory Capability
_____________________________________________________

Information Bulletin

Update on Internet Activity

December 10, 1990, 1300 PST
Number B-9
________________________________________________________________________
PROBLEM:  Apparent intrusion attempts from Italy on machines connected to the Internet
PLATFORM: UNIX computers on the Internet
DAMAGE:   None
________________________________________________________________________

Critical Facts about Internet Activity

CIAC has been receiving numerous inquiries about reports of apparent intrusion attempts originating from Milano, Italy. Information currently available suggests that there has been an increase in activity on the Internet originating from Milano. The problem, however, does not appear to be due to network intruders.

A computer security researcher at the State University of Milano, Italy has been testing a program to check for known bugs. His test has produced numerous symptoms normally associated with cracker attacks, and has alerted many system managers throughout the Internet community. This activity has now ceased, and there does not appear to be any potential for damage as a result of this test. The researcher who conducted this test has contacted the system managers whose systems were probed by this program.

NOTE: This program tests for vulnerabilities exploited by the 1988 Internet Worm, commonly known as the Morris Worm. This program is still available from some anonymous ftp sites, and could be used by anyone to determine whether it is possible to intrude into a UNIX system. A number of systems tested by this program still had unpatched bugs in the ftp, tftp, rsh, sendmail and finger utilities.

If you are unsure whether systems at your site could be attacked through these avenues, please contact CIAC:

    David S. Brown
    (415) 423-9878 or (FTS) 543-9878
    or Eugene Schultz
    (415) 422-7781 or (FTS) 532-7781
    or call (415) 422-8193 or (FTS) 532-8193
    send FAX messages to: (415) 423-0913 or (FTS) 543-0913

_____________________________________________________
The Computer Incident Advisory Capability
_____________________________________________________

Information Bulletin

Patch for TIOCCON in SunOS 4.1 and 4.1.1 Available

December 21, 1990, 0900 PST
Number B-10
________________________________________________________________________
PROBLEM:  Security problem in the TIOCCON redirection of console input/output
PLATFORM: Sun computers (all architectures) running SunOS versions 4.0.3 through 4.1.1
DAMAGE:   Allows misuse of the TIOCCON function
PATCH:    Available through anonymous ftp from ftp.uu.net or from Sun (contact Sun at 1-800-USA4SUN for details). A patch for SunOS 4.0.3 will be available soon.
_______________________________________________________________________

Critical Facts about the TIOCCON patch

CIAC has been informed of a problem with the TIOCCON function in SunOS 4.1 and 4.1.1. Sun Microsystems has developed a patch to close this vulnerability. The application of this patch should have no impact on current applications, i.e., it should not cause existing systems to behave in an anomalous manner.

The patch is available on the Internet using anonymous ftp to the site ftp.uu.net (ip address 192.48.96.2). Login with the username anonymous and use your account name as the password. The patches are in the directory ~ftp/sun-dist. The patch for systems running SunOS 4.1 and 4.1.1 is 100187-01.tar.Z and 100188-01.tar.Z, respectively.

If you do not have Internet access, you may request the patch from Sun or CIAC. Call 1-800-USA-4SUN and request patch 100187-01 for SunOS 4.1 and 100188-01 for SunOS 4.1.1.

The patch file available on ftp.uu.net is a compressed tar archive of 5 object files that must be placed in the appropriate directory in /sys/sun?/OBJ, where sun? is one of sun4, sun4c, sun3, sun3x, or sun4/490-4.1_PSR_A. To install the patch, the files must be placed in this directory and a new kernel must be built. Once the kernel (file /vmunix) is replaced with the newly built version, the patch installation is complete.

Appended to this notice is the original Sun Microsystems security bulletin concerning this vulnerability.

Please contact CIAC for assistance:

    Thomas A. Longstaff
    (415) 423-4416 or (FTS) 543-4416
    or call (415) 422-8193 or (FTS) 532-8193
    Send FAX messages to: (415) 423-0913 or (FTS) 543-0913

Appendix: SUN MICROSYSTEMS SECURITY BULLETIN

This information is only to be used for the purpose of alerting customers to problems. Any other use or re-broadcast of this information without the express written consent of Sun Microsystems shall be prohibited. Sun expressly disclaims all liability for any misuse of this information by any third party.
-------------------------------------------------------------------------
These patches are available through your local Sun answer centers worldwide, as well as through anonymous ftp to ftp.uu.net in the ~ftp/sun-dist directory.

Please refer to the BugID and PatchID when requesting patches from Sun answer centers.

NO README information will be posted in the patch on UUNET. Please refer to the information below for patch installation instructions.
-------------------------------------------------------------------------
Sun Bug ID : 1008324
Synopsis   : TIOCCONS redirection of console input/output is a security violation.
Sun Patch ID : for SunOS 4.1, SunOS 4.1_PSR_A   100187-01
Sun Patch ID : for SunOS 4.1.1                  100188-01
Available for: Sun3, Sun3x, Sun4, Sun4c
               SunOS 4.1, SunOS 4.1_PSR_A, SunOS 4.1.1

Checksum of compressed tarfile on ftp.uu.net:~ftp/sun-dist
    sum of SunOS 4.1 tarfile   100187-01.tar.Z : 14138 142
    sum of SunOS 4.1.1 tarfile 100188-01.tar.Z : 24122 111
--------------------------------------------------------------------------
README information follows:

Patch-ID# 100188-01
Keywords: TIOCCONS
Synopsis: SunOS 4.1.1: TIOCCONS redirection of console is a security violation.
Date: 17/Dec/90

SunOS release: 4.1.1
Unbundled Product:
Unbundled Release:
Topic:
BugId's fixed with this patch: 1008324
Architectures for which this patch is available: sun3 sun3x sun4 sun4c
Patches which may conflict with this patch:
Obsoleted by: Next major release of SunOS

Problem Description: TIOCCONS can be used to re-direct console output/input away from "console"

Patch contains kernel object modules for:
    /sys/sun?/OBJ/cons.o
    /sys/sun?/OBJ/zs_async.o
    /sys/sun?/OBJ/mcp_async.o
    /sys/sun?/OBJ/mti.o
Where sun? is one of sun4, sun4c, sun3, sun3x, sun4/490-4.1_PSR_A

NOTE: The sun4c does not use mti.o nor mcp_async.o since this architecture does not have VME slots and therefore cannot use the ALM-2 Asynchronous Line Multiplexor or Systech MTI-800/1600. So those modules are not needed.

The fix consists of adding permission checking to setcons, the routine that does the work of console redirection, and changing its callers to supply additional information required for the check and to see whether or not the check succeeded. Setcons now uses uid and gid information supplied to it as new arguments to perform a VOP_ACCESS call for VREAD permission on the console. If the caller doesn't have permission to read from the console, setcons rejects the redirection attempt.
INSTALL:

AS ROOT: save aside the object modules from the FCS tapes as a precaution:

    # mv /sys/sun?/OBJ/cons.o      /sys/sun?/OBJ/cons.o.orig
    # mv /sys/sun?/OBJ/tty_pty.o   /sys/sun?/OBJ/tty_pty.o.orig
    # mv /sys/sun?/OBJ/zs_async.o  /sys/sun?/OBJ/zs_async.o.orig
    # mv /sys/sun?/OBJ/mcp_async.o /sys/sun?/OBJ/mcp_async.o.orig
    # mv /sys/sun?/OBJ/mti.o       /sys/sun?/OBJ/mti.o.orig

copy the new ".o" files to the OBJ directory:

    # cp sun?/*.o /sys/sun?/OBJ/

build and install a new kernel: rerun /etc/config and do a "make" for the new kernel. Please refer to the System and Network Administration Manual for details on how to configure and install a custom kernel.
-------------------------------------------------------------------------
Patch-ID# 100187-01
Keywords: TIOCCONS
Synopsis: SunOS 4.1 4.1_PSR_A: TIOCCONS redirection of console is a security violation.
Date: 17/Dec/90

SunOS release: 4.1 4.1_PSR_A
Unbundled Product:
Unbundled Release:
Topic:
BugId's fixed with this patch: 1008324
Architectures for which this patch is available: sun3 sun3x sun4 sun4c sun4-490_4.1_PSR_A
Patches which may conflict with this patch:
Obsoleted by: Next major release of SunOS

Problem Description: TIOCCONS can be used to re-direct console output/input away from "console"

Patch contains kernel object modules for:
    /sys/sun?/OBJ/cons.o
    /sys/sun?/OBJ/zs_async.o
    /sys/sun?/OBJ/mcp_async.o
    /sys/sun?/OBJ/mti.o
Where sun? is one of sun4, sun4c, sun3, sun3x, sun4/490-4.1_PSR_A

NOTE: The sun4c does not use mti.o nor mcp_async.o since this architecture does not have VME slots and therefore cannot use the ALM-2 Asynchronous Line Multiplexor or Systech MTI-800/1600. So those modules are not needed.

The fix consists of adding permission checking to setcons, the routine that does the work of console redirection, and changing its callers to supply additional information required for the check and to see whether or not the check succeeded. Setcons now uses uid and gid information supplied to it as new arguments to perform a VOP_ACCESS call for VREAD permission on the console. If the caller doesn't have permission to read from the console, setcons rejects the redirection attempt.

INSTALL:

AS ROOT: save aside the object modules from the FCS tapes as a precaution:

    # mv /sys/sun?/OBJ/cons.o      /sys/sun?/OBJ/cons.o.orig
    # mv /sys/sun?/OBJ/tty_pty.o   /sys/sun?/OBJ/tty_pty.o.orig
    # mv /sys/sun?/OBJ/zs_async.o  /sys/sun?/OBJ/zs_async.o.orig
    # mv /sys/sun?/OBJ/mcp_async.o /sys/sun?/OBJ/mcp_async.o.orig
    # mv /sys/sun?/OBJ/mti.o       /sys/sun?/OBJ/mti.o.orig

copy the new ".o" files to the OBJ directory:

    # cp sun?/*.o /sys/sun?/OBJ/

build and install a new kernel: rerun /etc/config and do a "make" for the new kernel. Please refer to the System and Network Administration Manual for details on how to configure and install a custom kernel.

_____________________________________________________
The Computer Incident Advisory Capability
_____________________________________________________

Information Bulletin

OpenWindows 2.0 selection_svc Vulnerability

January 16, 1991, 1700 PST
Number B-11
________________________________________________________________________
PROBLEM:  Security vulnerability on Sun computers running OpenWindows 2.0 allows theft of critical files.
PLATFORM: SunOS release 4.0.3, 4.1, Sun386i 4.0.1/4.0.2
DAMAGE:   Theft of critical system files.
PATCH:    Available through anonymous ftp from ftp.uu.net or from Sun (contact Sun at 1-800-USA4SUN for details). A patch for SunOS 4.0.3 will be available soon.
_______________________________________________________________________

Critical Facts about the OpenWindows 2.0 selection_svc Vulnerability

CIAC has been advised that there is a vulnerability (Sun Bugid 1040747) in systems running OpenWindows 2.0 in compatibility mode.
This problem is similar in scope to the SunView/SunTools selection_svc vulnerability described in CIAC Information Bulletin Number A-32 (Sun Bugid 1039576 and Sun Patchid 100085-03), excerpted here:

    The SunView/SunTools selection_svc facility may allow a remote user unauthorized access to selected files from a computer running SunView. [...] Because the selection_svc process continues to run until terminated, this vulnerability can be exploited even after a user changes to another window system after running SunView/SunTools or logs off the system. (The problem is in SunView/SunTools, however, and not with other window systems such as X11.)

    In essence, the SunView/SunTools bug allows an unauthorized user on a remote system to read any file that is readable to the user running SunView. In addition, an unauthorized user on a remote 386i system can read any file on a workstation running SunView regardless of protections. Please note that if root runs Sunview, all files are potentially accessible by a remote system.

The threat to OpenWindows is similar to the above. Sun gives more details:

    One of the OpenWindows 2.0 tools uses the same mechanism for displaying sunview windows in OpenWindows 2.0 in compatibility mode [as the unfixed SunView/SunTools selection_svc]. This tool "sv_xv_sel_svc" should be replaced with the new version. If the password file is world readable, an intruder can copy this file and attempt to guess passwords.

This threat can be eliminated if you obtain and install a new version of sv_xv_sel_svc from the Sun Answer Centers or uunet. Binaries for both a Sun3 and Sun4 are available. The Bugid for this is 1040747 and the Patchid is 100184-02. If you obtain your patch from uunet, please note that the checksum of this compressed tarfile is:

    100184-02.tar.Z: 33786 35

The following installation instructions are provided by Sun Microsystems. (No additional README information will be available from uunet.)
Patch-ID# 100184-02
Keywords: bugid 1040747
Synopsis: sv_xv_sel_svc and rpc can be used to gain access to system files
Date: 14/Dec/90

SunOS release: 4.0.3 or later
Unbundled Product: Open Windows
Unbundled Release: Version 2
Topic:
BugId's fixed with this patch: 1040747
Architectures for which this patch is available: sun4 sun3
Patches which may conflict with this patch:
Obsoleted by: Open Windows Version 3

Problem Description: sv_xv_sel_svc and rpc can be used to gain access to system files.

INSTALL:

    mv $OPENWINHOME/bin/xview/sv_xv_sel_svc $OPENWINHOME/bin/xview/sv_xv_sel_svc.orig
    cp `arch`/sv_xv_sel_svc $OPENWINHOME/bin/xview/sv_xv_sel_svc

To obtain this patch from the Sun Answer Center, call your local Sun answer center, phone (800) USA-4SUN, or send e-mail to: security-features@sun.com

To reach Sun Microsystems' customer warning system, send e-mail to: security-alert@sun.com or leave a message on the voice mail system at (415) 336-7205.

Please also advise CIAC of any new vulnerabilities you may discover.

    David S. Brown
    (415) 423-9878 or (FTS) 543-9878
    Send e-mail to ciac@tiger.llnl.gov
    Call CIAC at (415) 422-8193 or (FTS) 532-8193, or send FAX messages to (415) 423-0913 or (FTS) 543-0913.

FELIX, the CIAC Bulletin Board, can be accessed at 1200 or 2400 baud at (415) 423-4753 or (FTS) 543-4753. (9600 baud access can be obtained from Lawrence Berkeley and Lawrence Livermore Laboratories at 423-9885.)

This announcement bulletin was prepared with assistance from Dave Liebreich, Sterling Software @ NASA Ames Research Center. CERT/CC and Brad Powell of Sun Microsystems provided information included in this bulletin.

_____________________________________________________
The Computer Incident Advisory Capability
_____________________________________________________

Information Bulletin

GAME2 MODULE "Worm" on BITNET

January 18, 1991, 1200 PST
Number B-12

Critical GAME2 MODULE Facts

PROBLEM:      Self-replicating mail message (worm) on external BITNET* RSCS systems
PLATFORM:     IBM VM/CMS
DAMAGE:       May flood the mail queue of the infected computers
IMMUNIZATION: RSCS filter program available from IBM (at no cost)
________________________________________________________________________

CIAC has been informed of a new self-replicating mail message currently circulating around the external BITNET. Preliminary reports indicate that this message, also known as a BITNET worm or trojan horse, has been received on a number of IBM VM/CMS systems connecting to the external BITNET.

The worm consists of a message containing a REXX module and instructions for saving and executing the module (with the name GAME2) in a user's local a: drive. When executed, this module will display a message on the screen as it sends copies of itself to each entry in the user's CMS NAMES file. Since this worm requires user initiation to spread, the rate of expansion of this worm has been limited. However, there is the potential to flood the mail queues of IBM VM/CMS systems if the worm becomes widespread.
The worm is similar in nature to the BITNET worm described in CIAC bulletin B-7, and may be blocked using the same RSCS filter program described in that notice and available from IBM.

The worm was initially named "GAME2 MODULE" and consisted of a REXX program that will display several messages (such as "Please Waiting") and a simple Hello/Bye message. While these messages are displayed, the REXX code will send a copy of the GAME2 MODULE to each entry in the user's NAMES file.

COUNTERMEASURES

As mentioned in CIAC bulletin B-7, sites running VM/CMS should install and use the RSCS filter program (available free from IBM). This filter program is called the selective file filter, and was announced in the IBM VM Software Newsletter (WSC Flash 9013). Contact your local IBM representative for details. This program can scan for file names or file types, then place them into the punch queue for later identification and analysis.

As a minimum level of protection, all files with the name and type of "TERM MODULE" should be examined prior to receipt by the user. Sites which do not routinely transmit compiled REXX code may wish to wildcard the filename and scan for all files with a filetype of MODULE. This may help to protect against future versions of the worm that might have a different file name.

We recommend that you also notify users that they should neither receive nor execute any program without first browsing it or discussing its operation with the sender. The VM/CMS reader is designed to prevent problems associated with executing unfamiliar programs, and should be used for this purpose. If you receive an unknown file with a filetype of EXEC or MODULE, immediately contact your computer security officer for information and assistance. Please also notify CIAC, as we wish to track any spread of this worm.

For additional information or assistance, please contact CIAC:

    Thomas A. Longstaff
    (415) 423-4416 or (FTS) 543-4416
    During working hours, call CIAC at (415) 422-8193 or (FTS) 532-8193.
    For non-working hour emergencies, call (415) 422-7222 or (FTS) 532-7222 and ask for CIAC (this is a new emergency number).
    send FAX messages to: (415) 423-0913 or (FTS) 543-0913
___
* BITNET is a communications network among industries and universities around the world.

_____________________________________________________
The Computer Incident Advisory Capability
_____________________________________________________

Information Bulletin

February 20, 1991, 1700 PST
Number B-13

UNIX Security Problem with /bin/mail in SunOS
________________________________________________________________________
PROBLEM:  Bug in /bin/mail allows users unauthorized privileged access
PLATFORM: SunOS 4.03, 4.1 and 4.1.1; Sun3, Sun3x, Sun4, Sun4c and Sun4/490_4.1_PSR_A architectures
DAMAGE:   Potential for significant damage once intruder has gained root access.
PATCH:    Available through anonymous ftp from ftp.uu.net or from Sun (contact Sun at 1-800-USA4SUN for details).
_______________________________________________________________________

Critical /bin/mail Bug Facts

A recently discovered vulnerability in SunOS /bin/mail allows an intruder to obtain unauthorized access to a root shell. This vulnerability applies to versions 4.0.3, 4.1, and 4.1.1 of SunOS running on the Sun3, Sun3x, Sun4, Sun4c, and Sun4/490_4.1_PSR_A architectures. Sun Microsystems has prepared a patch described in Sun Microsystems Security Bulletin #00105. The particulars are:

    Patch ID: 100224-01
    BugIDs fixed by this patch: 1045636 and 1047340
    Availability: Anonymous FTP from ftp.uu.net:/sun-dist/100224-01.tar.Z
    Checksum of the compressed tarfile 100224-01.tar.Z = 64102 109
    Patches Obsoleted: 100161-01
    Obsoleted by: SysV Release 4

Patch installation instructions are as follows:

    (Login as root - you must have root access to apply this patch!)
    (Create a temporary directory and "cd" to it)
    (Use anonymous FTP to obtain the file sun-dist/100224-01.tar.Z from ftp.uu.net)
    # uncompress 100224-01.tar
    # tar xvf 100224-01.tar
    # mv /bin/mail /bin/mail.old
    # cp $arch/$os/mail /bin/mail
    (where $arch is either sun3 sun4 sun4c or sun3x)
    (and where $os is either 4.0.3 4.1 or 4.1.1)
    (change the permissions for the newly installed mail binary)
    # chmod 4755 /bin/mail
    (You will probably wish to delete the 100224-01.tar file and the files created by "de-tar-ing" 100224-01.tar at this time!)

For additional information or assistance, please contact CIAC:

    Hal R. Brand
    (415) 422-6312 or (FTS) 532-6312
    During working hours, call CIAC at (415) 422-8193 or (FTS) 532-8193.
    For non-working hour emergencies, call (415) 422-7222 or (FTS) 532-7222 and ask for CIAC (this is a new emergency number).
    send FAX messages to: (415) 423-0913 or (FTS) 543-0913

Tsutomu Shimomura and Sun Microsystems provided some of the information contained in this bulletin.

_____________________________________________________
The Computer Incident Advisory Capability
_____________________________________________________

Information Bulletin

February 22, 1991, 1300 PST
Number B-14

Additional Information about UNIX Security Problem with /bin/mail in SunOS

Sun Microsystems has released additional information about the security problem with /bin/mail described in CIAC Bulletin B-13. There are significant changes to the patch installation procedure. The new patch installation procedure is:
________________________________________________________________________

    Patch ID: 100224-01
    BugIDs fixed by this patch: 1045636 and 1047340
    Availability: Anonymous FTP from ftp.uu.net:/sun-dist/100224-01.tar.Z
    Checksum of the compressed tarfile 100224-01.tar.Z = 64102 109
    Patches Obsoleted: 100161-01
    Obsoleted by: SysV Release 4

Patch installation instructions are as follows:

    (Login as root - you must have root access to apply this patch!)
    (Create a temporary directory and "cd" to it)
    (Use anonymous FTP to obtain the file sun-dist/100224-01.tar.Z from ftp.uu.net)
    # uncompress 100224-01.tar
    # tar xvf 100224-01.tar
    # mv /bin/mail /bin/mail.old
NEW -->     # chmod 400 /bin/mail.old
    # cp $arch/$os/mail /bin/mail
    (where $arch is either sun3 sun4 sun4c or sun3x)
    (and where $os is either 4.0.3 4.1 or 4.1.1)
    (change the permissions for the newly installed mail binary)
UPDATED --> # chmod 4711 /bin/mail
    (Sun actually recommends setting the permissions to 4111, but CIAC considers 4711 a wiser choice.)
NEW -->     # ls -l /bin/mail
    (Verify that /bin/mail is owned by "root" and the file permissions are correct.)
    (You will probably wish to delete the 100224-01.tar file and the files created by "de-tar-ing" 100224-01.tar at this time!)
________________________________________________________________________

CIAC recommends that you delete /bin/mail.old altogether after verifying that the new version of /bin/mail just installed is functioning correctly. If you take this course of action, you should first make a backup copy of /bin/mail.old and store it off-line.

For your information, we have included the Sun addendum below:
________________________________________________________________________

This is an addendum to the Security bulletin (#00105) that went out recently. Two points were brought to Sun's attention by the security community.

First point: It is not advisable to leave the old version of /bin/mail around as this version can be exploited. After first verifying that the new version was not mangled in the transfer, either remove the old version (/bin/mail.old) or change the permissions to 100.

    example: chmod 100 /bin/mail.old

Second point: The permissions on the new version of /bin/mail do not have to be set to 4755 as they come on the installation tape. Setting the mode to 4111 allows /bin/mail to work, but keeps people from reading the binary (with strings).

Special Thanks to Gordon O'Connor and Hal Brand for pointing out these flaws in the posting.

Brad Powell
Sun Microsystems
________________________________________________________________________

For additional information or assistance contact:

    Hal R. Brand
    (415) 422-6312 or (FTS) 532-6312
    During working hours, call CIAC at (415) 422-8193 or (FTS) 532-8193.
    For non-working hour emergencies, call (415) 422-7222 or (FTS) 532-7222 and ask for CIAC (this is a new emergency number).
    send e-mail to ciac@cheetah.llnl.gov (this is a new Internet address)
    send FAX messages to: (415) 423-0913 or (FTS) 543-0913

Joe Ilacqua and Sun Microsystems provided information contained in this bulletin.
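The "ls -l /bin/mail" verification step above can be made mechanical. The following is an added example, not code from CIAC or Sun: a POSIX shell audit that reads an ls -l line and accepts only a root-owned binary in mode 4711 (CIAC's choice) or 4111 (Sun's choice), and separately checks that /bin/mail.old is gone or stripped to mode 100/400. The sample ls -l lines are constructed.

```shell
#!/bin/sh
# Added example, not part of the CIAC/Sun bulletin: audit the /bin/mail
# permissions that B-14 asks you to verify with "ls -l /bin/mail".
# Input is an "ls -l" line, so the check can be exercised on constructed
# sample lines without touching a real system.

# check_mail_perms LINE
#   LINE: one line of "ls -l" output for the new /bin/mail.
#   Returns 0 when the file is owned by root and has mode 4711 (-rws--x--x,
#   CIAC's choice) or 4111 (---s--x--x, Sun's choice).  Mode 4755
#   (-rwsr-xr-x), as shipped on the tape, is rejected because anyone can
#   read the setuid binary with strings(1).  Prints a reason on failure.
check_mail_perms() {
    set -- $1                 # split the ls -l line into its fields
    mode=$1
    owner=$3
    case "$mode" in
        -rws--x--x|---s--x--x) ;;
        -rwsr-xr-x)
            echo "mode 4755: setuid binary is world-readable; chmod 4711 it"
            return 1 ;;
        *)
            echo "unexpected mode $mode on new /bin/mail"
            return 1 ;;
    esac
    if [ "$owner" != root ]; then
        echo "owner is $owner, not root: the setuid bit grants the wrong identity"
        return 1
    fi
    return 0
}

# check_old_mail LINE
#   LINE: the ls -l line for /bin/mail.old, or an empty string when the old
#   binary has been removed (CIAC's recommendation).  Returns 0 when it is
#   gone or no longer usable by others: mode 100 (---x------, Sun) or
#   mode 400 (-r--------, the B-14 procedure).  A still-setuid copy fails.
check_old_mail() {
    [ -z "$1" ] && return 0
    set -- $1
    case "$1" in
        ---x------|-r--------) return 0 ;;
        *)
            echo "stale /bin/mail.old has mode $1: remove it or chmod 100 it"
            return 1 ;;
    esac
}

# Constructed sample lines (not real output from any system).
sample_ok='-rws--x--x  1 root  staff  40960 Feb 22  1991 /bin/mail'
sample_tape='-rwsr-xr-x  1 root  staff  40960 Feb 22  1991 /bin/mail'
sample_old='-rwsr-xr-x  1 root  staff  40960 Jul  1  1990 /bin/mail.old'

check_mail_perms "$sample_ok"   && echo "new /bin/mail: OK"
check_mail_perms "$sample_tape" || echo "tape default: needs fixing"
check_old_mail "$sample_old"    || echo "old copy: needs fixing"
```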
_____________________________________________________
The Computer Incident Advisory Capability
_____________________________________________________

Information Bulletin

Network Intrusions through TCP/IP and DECnet Gateways

February 28, 1991, 1600 PST
Number B-15
________________________________________________________________________
PROBLEM:   The use of multiple network protocol computers (gateways) can allow an intruder to gain unauthorized access to critical system files.
PLATFORM:  Multiple platforms, including DEC, VMS, ULTRIX, and Sun computers. Attacks involve X.25 networks as well as networks supporting TCP/IP and DECnet protocols.
DAMAGE:    Possible compromise of user accounts and other system files
SOLUTIONS: Varied (depending on system configuration and required functionality). See appendix for details.
________________________________________________________________________

Critical Network Intrusion Facts

CIAC has learned of a new series of attacks on computers connected to a variety of networks. The common element in these attacks is the use of computers supporting multiple network protocols, especially TCP/IP and DECnet protocols. These multi-protocol (gateway) computers can enable intruders on TCP/IP networks to obtain unauthorized access to files using DECnet's default FAL account. Some attacks have resulted in attackers obtaining unauthorized copies of the UNIX password file and the VMS RIGHTSLIST.DAT file.

CIAC recommends that during this time of increased threat you pay special attention to VAX/VMS computers offering ANONYMOUS FTP service and ULTRIX computers offering the DECnet-Internet Gateway services. These services have been exploited by intruders on TCP/IP networks to gain unauthorized access to remote files via DECnet.

Some DECnet networks have been configured to a lower level of DECnet security in order to provide increased network functionality and ease of use. This configuration is often used under the assumption that access to DECnet is limited to local users on the local DECnet network. However, the existence of TCP/IP-DECnet gateway computers connected to both the Internet and the local DECnet results in an increased risk of external, unauthorized access to computers on the DECnet network. This includes systems running VMS DECnet, ULTRIX DECnet, and Sunlink DNI DECnet.

CIAC recommends that you follow appropriate procedures to secure your system(s) against this current threat. Possible actions are described in the appendix to this notice. The actions you should take depend on the type of system (VMS or UNIX) and tradeoffs between your security needs and your functionality requirements.

For additional information or assistance, please contact CIAC:

    Hal R. Brand
    (415) 422-6312 or (FTS) 532-6312
    Call CIAC at (415) 422-8193 or (FTS) 532-8193.
    send FAX messages to: (415) 423-0913 or (FTS) 543-0913

Appendix

I.
SECURING ANONYMOUS FTP ON VAX/VMS COMPUTERS Procedure: (login as SYSTEM) $ set def sys$system $ run authorize UAF> mod anonymous/defpriv=nonetmbx/priv=nonetmbx UAF> show anonymous (Inspect the anonymous account to be sure that: ) ( * The only privilege is TMPMBX ) ( * Only NETWORK access is allowed ) UAF> exit $ logout Positive Impacts: DECNet network security is greatly improved by preventing FTP users of the ANONYMOUS account from accessing files via DECNET. Security of the VAX/VMS computer is also improved by preventing DECNET access to the ANONYMOUS account. Negative Impacts: Anonymous FTP users will no longer be able to access remote files via DECNET. Mitigation of Negative Impacts: FTP users requiring access to remote files via DECNET can be given accounts on the VAX/VMS system. If necessary, these accounts can be configured to permit only NETWORK access with only TMPMBX and NETMBX privileges. Alternate Strategies: Some TCP/IP implementations (notably MultiNet) provide a mechanism to lock ANONYMOUS users into a directory tree. CIAC strongly recommends use of this feature where possible. II. SECURING ULTRIX COMPUTERS RUNNING THE DECNET-INTERNET GATEWAY SOFTWARE Procedure: (login as root) # cd /etc # cp inetd.conf inetd.conf-saved (edit the file inetd.conf) ( place the "#" character in from of the line: ) ( ftp stream tcp nowait /usr/etc/ftpd.gw ftpd.gw ) ( add this line just after the line just modified: ) ( ftp stream tcp nowait /usr/etc/ftpd ftpd ) ( save the file and exit the editor ) (Restart the inetd daemon. For example: ) ( # ps -ax | grep inetd ) ( Look at the output and find the process number of /etc/inetd ) ( # kill -9 ) ( # /etc/inetd ) # exit Positive Impacts: DECNet network security is greatly improved by preventing FTP access to remote files via DECNET through the ULTRIX computer. Negative Impacts: Loss of access to remote files via DECNet to FTP users. 
Mitigation of Negative Impacts: FTP users requiring access to remote files via DECNET can be given accounts on the ULTRIX computer from which they can copy the remote files via DECNet, and then FTP those files to/from the ULTRIX computer. III. SECURING DEFAULT FAL ACCESS Procedure (On VAX/VMS computers): (login as SYSTEM) $ mcr ncp set object fal username illegal $ mcr ncp define object fal username illegal (Make sure you don't have an account named "illegal".) $ logout Procedure (On ULTRIX computers): (login as root) # /etc/ncp set object fal default user illegal # /etc/ncp define object fal default user illegal (Make sure you don't have an account named "illegal".) # exit Procedure (On Sun computers): (login as root) # cd /etc (edit /etc/passwd to remove (or comment-out) the "dni" account) ( A typical dni account entry line looks like:) ( dni:*:376:376:default DNI account:/tmp: ) ( and should be deleted or modified to: ) ( #dni:*:376:376:default DNI account:/tmp: ) # exit Positive Impacts: Local security is greatly improved by preventing DECNet access to local files without specific authorization in the form of a local account or DECNet proxy login. Note that DECNet proxy logins are not supported by Sun's Sunlink DNI product. Negative Impacts: Loss of legitimate DECNet access to remote files by users not possessing an account on the local computer. Under Sunlink DNI, default access to the NML (Network Management Layer) server will also be lost. Mitigation of Negative Impacts: The use of DECNet proxy logins can provide access to legitimate users. Alternatively, legitimate users cna be given accounts. Under VAX/VMS, these accounts can be restricted to only NETWORK access and only NETMBX and TMPMBX privileges. Note that DECNet proxy logins are not supported by Sun's Sunlink DNI product. Alternate Strategies: For VAX/VMS computers, default FAL access to RIGHTSLIST.DAT can be disabled with an ACL (Access Control List) entry. 
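The ULTRIX inetd.conf edit of section II and the Sun /etc/passwd edit of section III, scripted as an added example that is not part of this CIAC bulletin. It operates on whatever file path it is given (the sample file contents below are constructed), keeps the bulletin's "-saved" copy, and adds checks that the gateway ftpd.gw is no longer enabled and that the dni account is inactive; restarting inetd remains the separate step the bulletin describes.

```shell
#!/bin/sh
# Added example, not part of the CIAC bulletin. Applies the Appendix II
# (ULTRIX inetd.conf) and Appendix III (Sun /etc/passwd) edits to the file
# whose path is given, keeping a "-saved" copy as the bulletin does, and
# provides checks so the result can be verified before inetd is restarted.

# Appendix II: comment out the line that hands FTP to the DECnet-Internet
# gateway server /usr/etc/ftpd.gw and add the standard ftpd just after it.
harden_inetd_conf() {
    conf="$1"
    cp "$conf" "$conf-saved" || return 1
    awk '
        # Field 5 of an uncommented ftp line is the server program path.
        $1 == "ftp" && $5 == "/usr/etc/ftpd.gw" {
            print "#" $0
            print "ftp\tstream\ttcp\tnowait\t/usr/etc/ftpd\tftpd"
            next
        }
        { print }
    ' "$conf-saved" > "$conf"
}

# Exit status 0 if an uncommented ftp line still runs the given server path.
ftp_server_enabled() {
    awk -v srv="$2" '$1 == "ftp" && $5 == srv { found = 1 }
                     END { exit found ? 0 : 1 }' "$1"
}

# Appendix III (Sun): comment out the named account (the bulletin's case is
# "dni") so DECnet connections get no default file access.
disable_passwd_account() {
    pw="$1"; name="$2"
    cp "$pw" "$pw-saved" || return 1
    sed "s/^$name:/#$name:/" "$pw-saved" > "$pw"
}

# Exit status 0 if an uncommented passwd entry for the account exists. Also
# serves the ULTRIX/VMS precaution that no account named "illegal" exists.
account_active() {
    grep -q "^$2:" "$1"
}

# Demonstration on constructed sample files in a temporary directory,
# never on the real /etc files.
demo() {
    dir=$(mktemp -d) || return 1
    printf 'ftp\tstream\ttcp\tnowait\t/usr/etc/ftpd.gw\tftpd.gw\n' > "$dir/inetd.conf"
    printf 'telnet\tstream\ttcp\tnowait\t/usr/etc/telnetd\ttelnetd\n' >> "$dir/inetd.conf"
    printf 'root:*:0:0:root:/:/bin/sh\n' > "$dir/passwd"
    printf 'dni:*:376:376:default DNI account:/tmp:\n' >> "$dir/passwd"

    harden_inetd_conf "$dir/inetd.conf"
    disable_passwd_account "$dir/passwd" dni

    if ftp_server_enabled "$dir/inetd.conf" /usr/etc/ftpd.gw; then
        echo "ftpd.gw is still enabled"
    else
        echo "ftpd.gw disabled; standard ftpd now handles FTP"
    fi
    if account_active "$dir/passwd" dni; then
        echo "dni account is still active"
    else
        echo "dni account commented out"
    fi
    if account_active "$dir/passwd" illegal; then
        echo "an account named illegal exists; pick another name for NCP"
    fi
    rm -rf "$dir"
}

demo
```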
To set this ACL: (Login as SYSTEM)

    $ mcr ncp show object fal char
    (Locate the "User id" in the output of the previous command )
    ( and substitute it for <user id> below )
    $ set acl sys$system:rightslist.dat/acl=(id=<user id>,access=none)
    ( for example: )
    ( $ set acl sys$system:rightslist.dat/acl=(id=fal$server,access=none) )
    $ dir/full sys$system:rightslist.dat
    ( Verify that the ACL is properly set. )
    (CIAC strongly suggests you also add this ACL setting command to )
    ( sys$manager:systartup_v5.com so that it will not be lost in case )
    ( a new RIGHTSLIST.DAT file is created. )
________________________________________________________________________
THE COMPUTER INCIDENT ADVISORY CAPABILITY
INFORMATION BULLETIN
________________________________________________________________________

Virus Information Update

March 1, 1991, 1100 PST
Number B-16

CIAC periodically issues bulletins about specific computer viruses. These
bulletins, however, do not cover all the computer viruses that affect the
PC-DOS/MS-DOS and Macintosh platforms. The purpose of this bulletin is to
identify most of the known viruses for these platforms, and give an overview
of the effects of each virus. This bulletin supersedes CIAC Bulletin A-15
issued last year, and includes (at least by name) more than 100 new viruses.
As we continue to gather more information, we will add it to future editions
of this document.

The following pages of this bulletin contain three tables of information, one
for the PC-DOS/MS-DOS platform, one for the Macintosh platform, and one for
the names of viruses currently being investigated. There is a two-line entry
for each item in each table. The first line gives the name, transmission
vector (explained below), method of infection, and possible damage. The second
line gives an overview of the operation of each virus.
The fields include:

 * The name field gives the different names by which the virus is known,
   including different names for the same virus, and the names of any nearly
   identical variants (clones).

 * The transmission vector field describes the vehicle by which the virus is
   transferred to a different machine. In most cases, this is an executable
   application, though there are cases where documents or invisible system
   files can transmit the virus.

 * The method of infection field describes where and how the virus inserts or
   attaches itself to a new machine.

 * The potential damage field describes the damage that the virus may do. (In
   most cases, damage caused by viruses appears to be unintentional, i.e.,
   most viruses do not appear to be programmed to cause damage.)

 * Finally, the overview field contains general comments describing the virus
   and its effects.

PC-DOS/MS-DOS users desiring additional information can read the file "Coping
with Computer Viruses and Related Problems" by IBM (filename: IBMPAPER.ZIP,
available from CIAC). For Macintosh users, the help file built into
Disinfectant and the Virus Encyclopedia HyperCard stack are good sources of
additional information. All of these and more are available from FELIX, CIAC's
bulletin board service.

__________________________________
The FELIX Virus Bulletin Board

FELIX, a bulletin board operated by CIAC, is available to the DOE community
and contains all the CIAC bulletins, descriptions of other viruses, and public
domain virus detection/protection software. For example, one available file
named CIACDB.TXT contains a more detailed version of the tables contained in
this bulletin, with details on some viruses in addition to those described in
this summary. As with any software you obtain, you should exercise caution and
scan individual software packages before using the software for the first
time.
All software on FELIX has been scanned for known viruses, but it is advisable
to scan it again using the most recent version of a virus scanning tool such
as DDI's Virhunt package (available to all DOE sites - contact your operations
office for details). Be sure to scan archived applications after they have
been extracted from the .ZIP, .ARC, or .SIT archive, as scanning software
cannot currently detect a virus within an application until it is in an
executable form (.EXE or .COM file).

Access to FELIX at speeds up to 2400 baud may be obtained by using a modem to
call (415) 423-4753 or (FTS) 543-4753 (8 bit, no parity, 1 stop bit). High
speed access can be obtained at the Lawrence Livermore National Laboratory and
the Lawrence Berkeley National Laboratory using 423-9885.

Downloadable PC-DOS/MS-DOS files are either text files (.TXT), zip archives
(.ZIP) or executables (.COM or .EXE). Text files and executables can be
downloaded directly and used. Be sure to use a binary downloading capability
such as XMODEM for the executable files. Files in ZIP archives must be
extracted after downloading with PKUNZIP (available on FELIX) before they can
be used. Macintosh files in SIT archives must be extracted with Stuffit before
they can be used. When downloading Macintosh files, be sure to use MacBinary
format (such as MacBinary XMODEM) rather than plain binary format, if your
terminal emulator allows this.

If you are using a shareware package downloaded from FELIX or any other
source, be sure to follow the instructions in the package for compensating the
author. The cost is generally minimal ($10 to $50) for some very useful
applications.

For additional information or assistance, please contact CIAC:
    William Orvis (415) 422-8649 or (FTS) 532-8649
During working hours call CIAC at (415) 422-8193 or (FTS) 532-8193.
For non-working hour emergencies, call (415) 422-7222 or (FTS) 532-7222 and
ask for CIAC ******(this is a new emergency number)******.
Send FAX messages to: (415) 423-0913 or (FTS) 543-0913

__________________________________
About the CIAC Virus Database and Bulletin

This database is compiled and maintained by CIAC, the Computer Incident
Advisory Capability. The authors are William J. Orvis and David S. Brown.
Information in this bulletin has been gathered from many sources, and we thank
them all for their efforts. A partial listing of our sources is given here,
and we will correct any omissions in the next release.

  AIDS Technical Info, by Dr Alan Solomon, Barry Nielson and Simon Meldrum.
  David Chess - IBM.
  Computer Virus Catalog, by Dr. Klaus Brunnstein and Simone Fischer-Huebner,
    Virus Test Center, Faculty for Informatics, University of Hamburg.
  The Dirty Dozen -- An Uploaded Trojan/Virus Program Alert List, compiled by
    Tom Sirianni of FidoNet 105 Node 301.
  Disinfectant, by John Norstad, Academic Computing and Network Services,
    Northwestern University.
  Joe Hirst, British Computer Virus Research Centre.
  Bill Kenny - Digital Dispatch Inc.
  John McAfee - McAfee Associates.
  Jim Molini - Johnson Spacecraft Center.
  Mike Odawa - Simple Software.
  VIRUS-L - The virus news service moderated by Ken van Wyk.

__________________________________
Codes Used in the Virus Tables

The following codes are used in the Method of Infection field.

PC-DOS/MS-DOS Viruses

  EXE   Infects .EXE files.
  COM   Infects .COM files.
  OVR   Infects program overlay files.
  CC    Infects COMMAND.COM.
  HDB   Infects hard disk boot sectors.
  HDP   Infects hard disk partition tables.
  FDB   Infects floppy disk boot sectors.
  RES   Memory resident. The virus goes memory resident and infects disks
        when they are inserted or programs when they are run.
  ENC   Encrypted. The virus code encrypts itself to make it difficult to
        scan for.
  TRJ   A Trojan horse, not a virus.
  WRM   A worm, not a virus.

Macintosh Viruses

  TYP1  Adds viral code as a new code segment, and patches the jump table to
        point to the new segment. For example, when an application is
        infected with nVIR, the virus attaches a CODE 256 resource to the end
        of the application and changes the CODE 0 resource (the jump table)
        to jump to and execute the CODE 256 resource before executing the
        application. Most Macintosh viruses (today) are of this type, for
        example: Scores, nVIR, INIT29.
  TYP2  Adds its viral code to the end of the main code segment, and patches
        the jump table to point to the new viral code.
  TYP3  Adds its viral code to the end of the main code segment, and patches
        the first program instruction to jump or return-jump to the new viral
        code. It does not patch the jump table.
  TYP4  Adds its viral code to the end of the main code segment, and patches
        the first program instruction to jump or return-jump to the new viral
        code. This is a variant of type 3 viruses, except that they have a
        bug. Instead of adding their code to, and patching the first
        instruction in, the main code segment, they make the incorrect
        assumption that the main code segment is some constant k.
        ANTI is a type 4 virus with k=1.
  INIT  Adds viral code as an INIT resource on the System file.
  APP   Infects applications and the Finder.
  SYS   Infects the System file.
  DTOP  Infects the Desktop file.
  DOCS  Infects document files.

The following codes are used in the Potential Damage field.

  BOOT  Overwrites or corrupts a disk's boot sector.
  PROG  Corrupts a program or overlay files.
  FMT   Attempts to format the disk.
  RUN   Interferes with a running application.
  DATA  Corrupts a data file.
  FAT   Corrupts the file linkages or the file allocation table (FAT).
  ERASE Attempts to erase all mounted disks.

__________________________________
DISTRIBUTION*

No change from previous bulletin.

* - Provided to CIAC by the Department of Energy; for changes, please contact
your operations office.

CIAC BULLETINS ISSUED

  SUN 386i authentication bypass vulnerability
  nVIR virus alert
  /dev/mem vulnerability
  tftp/rwalld vulnerability
  "Little Black Box" (Jerusalem) virus alert
  restore/dump vulnerability
  rcp/rdist vulnerability
  Internet trojan horse alert
  NCSA Telnet vulnerability
  Columbus Day (DataCrime) virus alert
  Columbus Day (DataCrime) virus alert (follow-up notice)
  Internet hacker alert (notice A-1)
  HEPnet/SPAN network worm alert (notice A-2)
  HEPnet/SPAN network worm alert (follow-up, notice A-3)
  HEPnet/SPAN network worm alert (follow-up, notice A-4)
  rcp vulnerability (second vulnerability, notice A-5)
  Trojan horse in Norton Utilities (notice A-6)
  UNICOS vulnerability (limited distribution, notice A-7)
  UNICOS problem (limited distribution, notice A-8)
  WDEF virus alert (notice A-9)
  PC CYBORG (AIDS) trojan horse alert (notice A-10)
  Problem in the Texas Instruments D3 Process Control System (notice A-11)
  DECnet hacker attack alert (notice A-12)
  Vulnerability in DECODE alias (notice A-13)
  Additional information on the vulnerability in the UNIX DECODE alias
    (notice A-14)
  Virus information update (notice A-15)
  Vulnerability in SUN sendmail program (notice A-16)
  Eradicating WDEF using Disinfectant 1.5 or 1.6 (notice A-17)
  Notice of availability of patch for SmarTerm 240 (notice A-18)
  UNIX Internet Attack Advisory (notice A-19)
  The Twelve Tricks Trojan Horse (notice A-20)
  Additional information on Current UNIX Internet Attacks (notice A-21)
  Logon Messages and Hacker/Cracker Attacks (notice A-22)
  New Internet Attacks (notice A-23)
  Password Problems with Unisys U5000 /etc/passwd (notice A-24)
  The MDEF or Garfield Virus on Macintosh Computers (notice A-25)
  A New Macintosh Trojan Horse Threat--STEROID (notice A-26)
  The Disk Killer (Ogre) Virus on MS DOS Computers (notice A-27)
  The Stoned (Marijuana or New Zealand) Virus on MS DOS Computers
    (notice A-28)
  The 4096 (4k, Stealth, IDF, etc.) Virus on MS DOS Computers (notice A-29)
  Apollo Domain/OS suid_exec Problem (notice A-30)
  DECnet (Wollongong) Hacker Activity (notice A-31)
  SunView/SunTools selection_svc Vulnerability (notice A-32)
  Virus Propagation in Novell and Other Networks (notice A-33)
  End of FY90 Update (notice A-34)
  Security Problems on the NeXT Operating System (notice B-1)
  Unix Security Problem with Silicon Graphics Mail (notice B-2)
  Threat to Computers on ESnet (notice B-3)
  VMS Security Problem with ANALYZE/PROCESS_DUMP (notice B-4)
  HP-UX Trusted Systems 6.5 or 7.0, Authorization Problem (notice B-5)
  Additional VMS/DECnet Attacks (notice B-6)
  BITNET Worm (notice B-7)
  Detection/Eradication Procedures for VMSCRTL Trojan Horse (notice B-8)
  Update on Internet Activity (notice B-9)
  Patch for TOCCON in SunOS 4.1 and 4.1.1 Available (notice B-10)
  OpenWindows 2.0 selection_svc Vulnerability (notice B-11)
  GAME2 MODULE RWormS on BITNET (notice B-12)
  UNIX Security Problem with /bin/mail in SunOS (notice B-13)
  Additional Information about UNIX Security Problem with /bin/mail in SunOS
    (notice B-14)
  Network Intrusions through TCP/IP and DECnet Gateways (notice B-15)
  Virus information update (notice B-16)

**************************************************
The Computer Incident Advisory Capability: Macintosh Computer Viruses

__________________________________________________
NAME(S): ANTI, ANTI-ANGE, ANTI A, ANTI B
TRANSMISSION VECTOR: Applications
MODE OF INFECTION CODES: TYP1, APP
POTENTIAL DAMAGE CODES: RUN
OVERVIEW: Attacks only application files, and causes some problems with
infected applications.

__________________________________________________
NAME(S): CDEF
TRANSMISSION VECTOR: DeskTop files
MODE OF INFECTION CODES: DTOP
POTENTIAL DAMAGE CODES:
OVERVIEW: It only infects the invisible Desktop files used by the Finder.
Infection can occur as soon as a disk is inserted into a computer. An
application does not have to be run to cause an infection. It does not infect
applications, document files, or other system files. The virus does not
intentionally try to do any damage, but still causes problems with running
applications.

__________________________________________________
NAME(S): Dukakis
TRANSMISSION VECTOR: HyperCard Stacks
MODE OF INFECTION CODES:
POTENTIAL DAMAGE CODES: PROG, RUN
OVERVIEW: Written in HyperTalk on a HyperCard stack called "NEWAPP.STK". Adds
itself to the Home card and other stacks. Flashes a message saying, "Dukakis
for President in 88, Peace on Earth, and have a nice day."

__________________________________________________
NAME(S): FontFinder Trojan
TRANSMISSION VECTOR: FontFinder Application
MODE OF INFECTION CODES: TRJ
POTENTIAL DAMAGE CODES: PROG, DATA, ERASE
OVERVIEW: Trojan found in the public domain program called 'FontFinder'.
Before Feb. 10, 1990, the application simply displays a list of the fonts and
point sizes in the System file. After that date, it immediately destroys the
directories of all available physically unlocked hard and floppy disks,
including the one it resides on.

__________________________________________________
NAME(S): INIT29
TRANSMISSION VECTOR: Applications, Document files
MODE OF INFECTION CODES: TYP1
POTENTIAL DAMAGE CODES: PROG, RUN, DATA
OVERVIEW: It infects any file with resources, including documents.
It damages files with legitimate INIT#29 resources.

__________________________________________________
NAME(S): MDEF, MDEF A, Garfield, MDEF B, Top Cat, MDEF C
TRANSMISSION VECTOR: Applications
MODE OF INFECTION CODES: APP, SYS, DTOP, DOCS
POTENTIAL DAMAGE CODES: RUN
OVERVIEW: MDEF infects applications, the System file, other system files, and
Finder Desktop files. The System file is infected as soon as an infected
application is run. Other applications become infected as soon as they are
run on an infected system. MDEF's only purpose is to spread itself; it does
not intentionally attempt to do any damage, yet it can be harmful.

__________________________________________________
NAME(S): Mosaic Trojan
TRANSMISSION VECTOR: Mosaic Application
MODE OF INFECTION CODES: TRJ
POTENTIAL DAMAGE CODES: PROG, DATA, ERASE
OVERVIEW: Embedded in a program called 'Mosaic'. When launched, it immediately
destroys the directories of all available physically unlocked hard and floppy
disks, including the one it resides on. The attacked disks are renamed
'Gotcha!'.

__________________________________________________
NAME(S): nVIR, nVIR A, nVIR B, AIDS, Hpat, MEV#, FLU, Jude, J-nVIR
TRANSMISSION VECTOR: Applications
MODE OF INFECTION CODES: TYP1, APP, SYS
POTENTIAL DAMAGE CODES: PROG, RUN
OVERVIEW: It infects the System file and applications. nVIR begins spreading
to other applications immediately. Whenever a new application is run, it is
infected. Symptoms include unexplained crashes and problems printing.

__________________________________________________
NAME(S): Peace, MacMag virus, Drew, Brandow, Aldus
TRANSMISSION VECTOR: HyperCard Stacks, System files
MODE OF INFECTION CODES: INIT
POTENTIAL DAMAGE CODES: PROG, RUN
OVERVIEW: First virus on the Macintosh. Displays a Peace on Earth message on
March 2, 1988 and removes itself the next day. Distributed via a HyperCard
stack. Its presence causes problems with some programs.

__________________________________________________
NAME(S): Scores, NASA
TRANSMISSION VECTOR: Applications
MODE OF INFECTION CODES: TYP1
POTENTIAL DAMAGE CODES: PROG, RUN
OVERVIEW: Infects applications and the System, and attempts to destroy files
with creator types VULT and ERIC. Causes problems with other programs,
including unexplained crashes and printing errors. Changes the icons of the
NotePad and Scrapbook files to the blank document icon.

__________________________________________________
NAME(S): Sexy Ladies Trojan
TRANSMISSION VECTOR: Sexy Ladies Application
MODE OF INFECTION CODES: TRJ
POTENTIAL DAMAGE CODES: ERASE
OVERVIEW: Not a virus, but a Trojan horse. Given away at the 1988 San
Francisco MacWorld Expo, it erased whatever hard disk or floppy disk it was on
when it was launched.

__________________________________________________
NAME(S): Steroid Trojan
TRANSMISSION VECTOR: Steroid INIT
MODE OF INFECTION CODES: TRJ
POTENTIAL DAMAGE CODES: ERASE
OVERVIEW: The Steroid INIT is claimed to speed up QuickDraw on Macintoshes
with 9 inch screens. The INIT has code that checks for dates after June 30,
1989, and is active every year thereafter from July through December. When it
is activated, it attempts to erase all mounted drives.

__________________________________________________
NAME(S): Virus Info Trojan
TRANSMISSION VECTOR: Virus Info Application
MODE OF INFECTION CODES: TRJ
POTENTIAL DAMAGE CODES:
OVERVIEW: This application has not been sighted outside of the Edmonton,
Province of Alberta, Canada area where it was discovered.

__________________________________________________
NAME(S): WDEF, WDEF-A, WDEF-B
TRANSMISSION VECTOR: DeskTop files
MODE OF INFECTION CODES: TYP1, DTOP
POTENTIAL DAMAGE CODES:
OVERVIEW: WDEF only infects the invisible Desktop files used by the Finder. It
can spread as soon as a disk is inserted into a machine. An application need
not be run to cause infection.

__________________________________________________
NAME(S): ZUC, ZUC 1, ZUC 2
TRANSMISSION VECTOR: Applications
MODE OF INFECTION CODES: APP
POTENTIAL DAMAGE CODES:
OVERVIEW: It infects only application files. Before March 2, 1990, or less
than two weeks after an application becomes infected, it only spreads from
application to application. After that time, approximately 90 seconds after
an infected application is run, the cursor begins to behave unusually whenever
the mouse button is held down. The cursor moves diagonally across the screen,
changing direction and bouncing like a billiard ball whenever it reaches any
of the four sides of the screen. The cursor stops moving when the mouse button
is released.

**************************************************
The Computer Incident Advisory Capability: PC-DOS/MS-DOS Computer Viruses

__________________________________________________
NAME(S): 12-TRICKS Trojan
TRANSMISSION VECTOR: CORETEST.COM
MODE OF INFECTION CODES: TRJ
POTENTIAL DAMAGE CODES: FAT, FMT, RUN, BOOT
OVERVIEW: Contained in "CORETEST.COM", a file that tests the speed of a hard
disk. Every time the computer boots, one entry in the FAT will be changed.
With a probability of 1/4096, the hard disk will be formatted (Track 0, Head
1, Sector 1, 1 Sector) followed by the message: "SOFTLoK+ V3.0 SOFTGUARD
SYSTEMS,INC, 2840 St.Thomas Expwy,suite 201, Santa Clara,CA 95051
(408)970-9420".

__________________________________________________
NAME(S): 1260, V2P1, Variable, Chameleon, Camouflage, Stealth
TRANSMISSION VECTOR: COMMAND.COM, .COM applications
MODE OF INFECTION CODES: COM, CC, ENC
POTENTIAL DAMAGE CODES: PROG, RUN
OVERVIEW: This appears to be related to the Vienna virus. The virus infects
any COM file in the current directory.
__________________________________________________
NAME(S): 1704-Format, Cascade Format
TRANSMISSION VECTOR: .COM applications
MODE OF INFECTION CODES: ENC, RES, COM
POTENTIAL DAMAGE CODES: RUN, PROG, FMT
OVERVIEW: Spreads between COM files. Occasionally causes odd screen behavior
(the characters on the screen fall into a heap at the bottom of the screen!).
One rare variant can destroy data on hard disks.

__________________________________________________
NAME(S): 3X3SHR
TRANSMISSION VECTOR: 3X3SHR Application?
MODE OF INFECTION CODES: TRJ
POTENTIAL DAMAGE CODES: ERHD
OVERVIEW: *TROJAN* Time bomb type trojan; wipes the hard drive clean. (Is this
an application? .EXE or .COM file?)

__________________________________________________
NAME(S): 405
TRANSMISSION VECTOR: .COM applications
MODE OF INFECTION CODES: COM
POTENTIAL DAMAGE CODES: PROG
OVERVIEW: The virus spreads itself by overwriting the first 405 bytes of a
.COM file. One file is infected each time an infected file is executed.

__________________________________________________
NAME(S): 4096, Century, Century Virus, 100 Years Virus, Frodo, IDF
TRANSMISSION VECTOR: .COM or .EXE applications
MODE OF INFECTION CODES: RES, CC, COM, OVR, EXE
POTENTIAL DAMAGE CODES: RUN, PROG, DATA, FAT
OVERVIEW: It infects both .COM and .EXE applications. It is nearly impossible
to detect once it has been installed, since it actively hides itself from the
scanning packages. Whenever an application such as a scanner accesses an
infected file, the virus disinfects it on the fly.

__________________________________________________
NAME(S): Advent, 2761
TRANSMISSION VECTOR: .COM or .EXE applications
MODE OF INFECTION CODES: COM, EXE, ENC, CC
POTENTIAL DAMAGE CODES: RUN
OVERVIEW: Spreads between .COM and .EXE files. Beginning on every "Advent"
(the 4th Sunday before Christmas until Christmas Eve), the virus displays
after every "Advent Sunday" one more lit candle in a wreath of four, together
with the string "Merry Christmas", and plays the melody of the German
Christmas song "Oh Tannenbaum". By Christmas all four candles are lit. This
happens until the end of December, whenever an infected file is run. If the
environment variable "VIRUS=OFF" is set, the virus will not infect.

__________________________________________________
NAME(S): AIDS, Hahaha, Taunt, VGA2CGA
TRANSMISSION VECTOR: .COM applications
MODE OF INFECTION CODES: COM
POTENTIAL DAMAGE CODES: PROG
OVERVIEW: It infects .COM files.

__________________________________________________
NAME(S): AIDS II, AIDS
TRANSMISSION VECTOR: AIDS Information Introductory Diskette Version 2.0
MODE OF INFECTION CODES: TRJ
POTENTIAL DAMAGE CODES: ENDIR
OVERVIEW: On Monday, 11th December, several thousand diskettes named "AIDS
Information Introductory Diskette Version 2.0" were mailed out containing a
program that purported to give you information about AIDS. These diskettes
actually contained a trojan that will encrypt the file names on your hard disk
after booting your computer about 90 times. If you have installed this
program, you should copy any important data files (no executables) and
reformat your hard disk.

__________________________________________________
NAME(S): Ambulance Car, REDX
TRANSMISSION VECTOR: .COM applications
MODE OF INFECTION CODES: COM, CC
POTENTIAL DAMAGE CODES: PROG, RUN
OVERVIEW: When an infected application is run, the virus tries to find two
.COM file victims, which it randomly selects in the current directory or via
the PATH variable in the environment. After some number of executions, an
ambulance car runs along the bottom of the screen accompanied by siren
sounds.

__________________________________________________
NAME(S): Amstrad, Pixel, V-277, V-299, V-345, V-847, V-847B, V-852
TRANSMISSION VECTOR: .COM applications
MODE OF INFECTION CODES: COM
POTENTIAL DAMAGE CODES: PROG
OVERVIEW: Adds code to the front of any .COM file in the current directory.
The virus contains an advertisement for Amstrad computers.

__________________________________________________
NAME(S): Anti Pascal, Anti Pascal 529, Anti Pascal 605, AP 529, AP 605, C 605,
V-605
TRANSMISSION VECTOR: .COM applications
MODE OF INFECTION CODES: COM
POTENTIAL DAMAGE CODES: FILES, RUN, PROG
OVERVIEW: May overwrite .BAK and .PAS files if not enough .COM files are
available in a directory for it to infect.

__________________________________________________
NAME(S): ANTI-PCB
TRANSMISSION VECTOR: ANTI-PCB.COM Application
MODE OF INFECTION CODES: TRJ
POTENTIAL DAMAGE CODES:
OVERVIEW: The story behind this trojan horse is sickening. Apparently one
RBBS-PC sysop and one PC-BOARD sysop started feuding about which BBS system
is better, and in the end the PC-BOARD sysop wrote a trojan and uploaded it to
the RBBS sysop under ANTI-PCB.COM. Of course the RBBS-PC sysop ran it, and
that led to quite a few accusations and a big mess in general. Let's grow up!
Every sysop has the right to run the type of BBS that they please, and the
fact that a sysop actually wrote a trojan intended for another simply blows my
mind.

__________________________________________________
NAME(S): ARC513.EXE, ARC514.COM
TRANSMISSION VECTOR: ARC513.EXE, ARC514.COM
MODE OF INFECTION CODES: TRJ
POTENTIAL DAMAGE CODES: BOOT, FAT
OVERVIEW: ARC513.EXE: This hacked version of ARC appears normal, so beware!
It will write over track 0 of your [hard] disk upon usage, destroying the
disk. ARC514.COM: This is totally similar to ARC version 5.13 in that it will
overwrite track 0 (FAT table) of your hard disk. Also, I have yet to see an
.EXE version of this program.
__________________________________________________ NAME(S): ARC533 TRANSMISSION VECTOR: MODE OF INFECTION CODES: CC POTENTIAL DAMAGE CODES: OVERVIEW: This is a new Virus program designed to emulate Sea's ARC program. __________________________________________________ NAME(S): BACKTALK TRANSMISSION VECTOR: BACKTALK Application MODE OF INFECTION CODES: TRJ POTENTIAL DAMAGE CODES: WRHD OVERVIEW: This program used to be a good PD utility, but someone changed it to be trojan. Now this program will write/destroy sectors on your [hard] disk drive. Use this with caution if you acquire it, because it's more than likely that you got a bad copy. __________________________________________________ NAME(S): Brain, Pakistani, Ashar, Shoe, Shoe_Virus, Shoe_Virus_B, Ashar_B, UIUC, UIUC-B, @BRAIN, Jork, Shoe B TRANSMISSION VECTOR: Floppy boot sector MODE OF INFECTION CODES: FDB, RES POTENTIAL DAMAGE CODES: BOOT, RUN, DATA, FMT OVERVIEW: This virus only infects the boot sectors of 360 KB floppy disks. It does no malicious damage, but bugs in the virus code can cause loss of data by scrambling data on diskette files or by scrambling the File Allocation Table. It does not tend to spread in a hard disk environment. __________________________________________________ NAME(S): Cascade, 1701, 1704, 17Y4, 1704 B, 1704 C, Cascade A, Cascade B, Falling Tears, The Second Austrian Virus, Autumn, Blackjack, Falling Leaves, Cunning, Fall, Falling Letters, Herbst TRANSMISSION VECTOR: .COM applications MODE OF INFECTION CODES: ENC, RES, COM POTENTIAL DAMAGE CODES: RUN, PROG OVERVIEW: Spreads between COM files. Occasionally causes odd screen behavior (the characters on the screen fall into a heap at the bottom of the screen!). One rare variant can destroy data on hard disks. 
__________________________________________________
NAME(S): CDIR
TRANSMISSION VECTOR: CDIR.COM Application
MODE OF INFECTION CODES: TRJ
POTENTIAL DAMAGE CODES: FAT
OVERVIEW: This program is supposed to give you a color directory of the files on your disk, but it in fact will scramble your disk's FAT table.
__________________________________________________
NAME(S): Chaos
TRANSMISSION VECTOR: Floppy/hard disk boot sectors
MODE OF INFECTION CODES: RES, FDB, HDB
POTENTIAL DAMAGE CODES: BOOT, RUN, PROG, FAT
OVERVIEW: Derivative of Brain.
__________________________________________________
NAME(S): Christmas, 1539, Father Christmas, Choinka, Tannenbaum, Christmas Tree, XA1, V1539
TRANSMISSION VECTOR: .COM applications, COMMAND.COM
MODE OF INFECTION CODES: COM, CC, ENC
POTENTIAL DAMAGE CODES: RUN, BOOT
OVERVIEW: The virus infects .COM files when an infected application is executed. When an infected program is run between December 24th and 31st (any year), the virus displays a full screen image of a Christmas tree and German season's greetings. When an infected program is run on April 1st (any year), it drops code into the boot sectors of floppies A: and B: as well as into the partition table of the hard disk. The old partition sectors are saved but most likely destroyed, since running another infected file will save the modified partition table to the same location. On any boot attempt from an infected hard disk or floppy, the text "April April" will be displayed and the PC will hang.
__________________________________________________
NAME(S): Clone
TRANSMISSION VECTOR:
MODE OF INFECTION CODES:
POTENTIAL DAMAGE CODES:
OVERVIEW: Derivative of Brain.
__________________________________________________
NAME(S): D-XREF60.COM
TRANSMISSION VECTOR: D-XREF60.COM Application
MODE OF INFECTION CODES: TRJ
POTENTIAL DAMAGE CODES: BOOT, FAT
OVERVIEW: A Pascal utility used for cross-referencing, written by the infamous "Dorn Stickel."
It eats the FAT and BOOT sector after a time period has been met and if the hard drive is more than half full.
__________________________________________________
NAME(S): DANCERS, DANCERS.BAS
TRANSMISSION VECTOR: DANCERS.BAS Application
MODE OF INFECTION CODES: TRJ
POTENTIAL DAMAGE CODES: FAT
OVERVIEW: This trojan shows some animated dancers in color, and then proceeds to wipe out your [hard] disk's FAT table. There is another, perfectly good copy of DANCERS.BAS on BBSs around the country.
__________________________________________________
NAME(S): Dark Avenger, Dark Avenger-B, Black Avenger, Diana, Eddie
TRANSMISSION VECTOR: .COM or .EXE applications
MODE OF INFECTION CODES: RES, CC, EXE, COM, OVR
POTENTIAL DAMAGE CODES: PROG, WRHD
OVERVIEW: Infects every executable file that is opened.
__________________________________________________
NAME(S): Dark Avenger 3, Dark Avenger II, V2000, Die Young, Travel, V2000-B, Eddie 3
TRANSMISSION VECTOR: .COM applications, .EXE applications
MODE OF INFECTION CODES: EXE, COM, CC
POTENTIAL DAMAGE CODES: PROG, DATA, RUN
OVERVIEW: Every 16 executions of an infected file, the virus will overwrite a new random data sector on disk; the last overwritten sector is stored in the boot sector. The system hangs if a program is loaded that contains the string "(c) 1989 by Vesselin Bontchev"; V. Bontchev is a Bulgarian author of anti-virus programs.
__________________________________________________
NAME(S): Datacrime, 1280, Columbus Day, DATACRIME Ib
TRANSMISSION VECTOR: .COM applications
MODE OF INFECTION CODES: COM, ENC
POTENTIAL DAMAGE CODES: PROG, FMT, FAT
OVERVIEW: Spreads between COM files. After October 12th, it displays the message "DATACRIME VIRUS RELEASE: 1 MARCH 1989", and then the first hard disk will be formatted (track 0, all heads). When formatting is finished the speaker will beep (endless loop).
__________________________________________________
NAME(S): Datacrime II, 1514, Columbus Day
TRANSMISSION VECTOR: .COM or .EXE applications
MODE OF INFECTION CODES: COM, EXE, ENC
POTENTIAL DAMAGE CODES: PROG, FMT, FAT
OVERVIEW: Spreads between both COM and EXE files. After October 12th, displays the message "* DATACRIME II VIRUS *", and damages the data on hard disks by attempting to reformat them.
__________________________________________________
NAME(S): Datacrime II-B, 1917, Columbus Day
TRANSMISSION VECTOR: .COM or .EXE applications
MODE OF INFECTION CODES: ENC, COM, EXE, CC
POTENTIAL DAMAGE CODES: PROG, FMT
OVERVIEW: Spreads between both COM and EXE files. After October 12th, displays the message "* DATACRIME II VIRUS *", and damages the data on hard disks by attempting to reformat them.
__________________________________________________
NAME(S): Datacrime-B, 1168, Columbus Day, Datacrime Ia
TRANSMISSION VECTOR: .COM applications
MODE OF INFECTION CODES: COM, ENC
POTENTIAL DAMAGE CODES: PROG, FMT, FAT
OVERVIEW: Spreads between COM files. After October 12th, it displays the message "DATACRIME VIRUS RELEASE: 1 MARCH 1989", and then the first hard disk will be formatted (track 0, all heads). When formatting is finished the speaker will beep (endless loop).
__________________________________________________
NAME(S): Dbase, DBF virus
TRANSMISSION VECTOR: .COM applications
MODE OF INFECTION CODES: RES, COM
POTENTIAL DAMAGE CODES: DATA, RUN, PROG
OVERVIEW: Infects COM files. Registers all new .DBF files in a hidden file c:\BUGS.DAT. When any of those files are written, it reverses the order of adjacent bytes. When any of those files are read, it again reverses the bytes, making the file appear to be OK, unless it is read on an uninfected system or the file name is changed.
__________________________________________________
NAME(S): DenZuk, Venezuelan, Search, DenZuc B
TRANSMISSION VECTOR: Floppy boot sector
MODE OF INFECTION CODES: RES, FDB
POTENTIAL DAMAGE CODES: RUN, BOOT
OVERVIEW: Infects floppy disk boot sectors, and displays a purple DEN ZUK graphic on a CGA, EGA or VGA screen when Ctrl-Alt-Del is pressed.
__________________________________________________
NAME(S): Devil's Dance, Mexican
TRANSMISSION VECTOR: .COM applications
MODE OF INFECTION CODES: RES, COM
POTENTIAL DAMAGE CODES: RUN, PROG, DATA, FAT
OVERVIEW: Infects .COM files.
__________________________________________________
NAME(S): Disk Killer, Computer Ogre, Disk Ogre
TRANSMISSION VECTOR: Floppy/hard disk boot sectors
MODE OF INFECTION CODES: RES, FDB, HDB
POTENTIAL DAMAGE CODES: BOOT, RUN, PROG, DATA
OVERVIEW: Infects floppy and hard disk boot sectors, and after 48 hours of work time it encrypts everything on the hard disk. The encryption is reversible.
__________________________________________________
NAME(S): DISKSCAN, SCANBAD, BADDISK
TRANSMISSION VECTOR: DISKSCAN.EXE Application
MODE OF INFECTION CODES: TRJ
POTENTIAL DAMAGE CODES: WRHD
OVERVIEW: This was a PC-MAGAZINE program to scan a [hard] disk for bad sectors, but then a joker edited it to WRITE bad sectors. Also look for this under other names such as SCANBAD.EXE and BADDISK.EXE. A good original copy is available on SCP Business BBS.
__________________________________________________
NAME(S): DMASTER
TRANSMISSION VECTOR: DMASTER Application
MODE OF INFECTION CODES: TRJ
POTENTIAL DAMAGE CODES: FAT
OVERVIEW: This is yet another FAT scrambler.
__________________________________________________
NAME(S): Do Nothing, Stupid Virus, 640K Virus
TRANSMISSION VECTOR: .COM applications
MODE OF INFECTION CODES: COM, RES
POTENTIAL DAMAGE CODES: PROG
OVERVIEW: Infects .COM files. The virus copies itself to 9800:100h, which means that only computers with 640KB can be infected.
Many programs also load themselves into this area and erase the virus from memory.
__________________________________________________
NAME(S): DOSKNOWS
TRANSMISSION VECTOR: DOSKNOWS.EXE
MODE OF INFECTION CODES: TRJ
POTENTIAL DAMAGE CODES: FAT
OVERVIEW: Apparently someone wrote a FAT killer and renamed it DOSKNOWS.EXE, so it would be confused with the real, harmless DOSKNOWS system-status utility.
__________________________________________________
NAME(S): DRAIN2
TRANSMISSION VECTOR:
MODE OF INFECTION CODES: TRJ
POTENTIAL DAMAGE CODES: FMT
OVERVIEW: There really is a DRAIN program, but this revised version does a low-level format while it is playing the funny program.
__________________________________________________
NAME(S): DROID
TRANSMISSION VECTOR: DROID.EXE
MODE OF INFECTION CODES: TRJ
POTENTIAL DAMAGE CODES:
OVERVIEW: This trojan appears under the guise of a game. You are supposedly an architect who controls futuristic droids in search of relics. In fact, PC-Board sysops, if they run this program from C:\PCBOARD, will find that it copies C:\PCBOARD\PCBOARD.DAT to C:\PCBOARD\HELP\HLPX.
__________________________________________________
NAME(S): DRPTR, WIPEOUT
TRANSMISSION VECTOR: DRPTR.ARC
MODE OF INFECTION CODES: TRJ
POTENTIAL DAMAGE CODES: FILES
OVERVIEW: After running the unsuspected file, the only things left in the root directory are the subdirectories and two of the three DOS system files, along with a 0-byte file named WIPEOUT.YUK. COMMAND.COM was located in a different directory; its file date and CRC had not changed.
__________________________________________________
NAME(S): EDV
TRANSMISSION VECTOR:
MODE OF INFECTION CODES:
POTENTIAL DAMAGE CODES:
OVERVIEW: Derivative of Brain.
__________________________________________________
NAME(S): EGABTR
TRANSMISSION VECTOR: EGABTR Application
MODE OF INFECTION CODES: TRJ
POTENTIAL DAMAGE CODES: FILES
OVERVIEW: BEWARE!
The description says something like "improve your EGA display," but when run, it deletes everything in sight and prints, "Arf! Arf! Got you!"
__________________________________________________
NAME(S): FILES.GBS
TRANSMISSION VECTOR: FILES.GBS Application
MODE OF INFECTION CODES: TRJ
POTENTIAL DAMAGE CODES:
OVERVIEW: When an OPUS BBS system is installed improperly, this file could spell disaster for the Sysop. It can let a user of any level into the system. Protect yourself. It is best to have a sub-directory in each upload area called c:\upload\files.gbs (this is an example only). This would force Opus to rename a file upload of files.gbs and prevent its usage.
__________________________________________________
NAME(S): Fish, European Fish, Fish 6
TRANSMISSION VECTOR: COMMAND.COM, .COM applications, .EXE applications
MODE OF INFECTION CODES: EXE, COM, RES, ENC, CC
POTENTIAL DAMAGE CODES: PROG, RUN, DATA
OVERVIEW: If (system date > 1990) and a second infected .COM file is executed, a message is displayed: FISH VIRUS #6 - EACH DIFF - BONN 2/90 '~Knzyvo} and then the processor stops (HLT instruction). The virus will attempt to infect some data files, corrupting them in the process. This is a variant of the 4096 virus.
__________________________________________________
NAME(S): Flash, 688
TRANSMISSION VECTOR: .COM applications, .EXE applications
MODE OF INFECTION CODES: EXE, COM, RES, ENC, CC
POTENTIAL DAMAGE CODES: PROG, RUN
OVERVIEW: The memory-resident virus infects applications when they are run. After June 1990, the virus makes the screen flash. This flash can only be seen on MDA, Hercules, and CGA adapters, but not on EGA and VGA cards.
__________________________________________________
NAME(S): FLUSHOT4, FLU4TXT
TRANSMISSION VECTOR: FLUSHOT4.ARC Archive
MODE OF INFECTION CODES: TRJ
POTENTIAL DAMAGE CODES:
OVERVIEW: This trojan was inserted into FLUSHOT4.ARC and uploaded to many BBSs. FluShot is a protector of your COMMAND.COM.
As of 05/14/88, FLUSHOT.ARC (FluShot Plus v1.1) is the current version, not FLUSHOT4.ARC, which is trojaned.
__________________________________________________
NAME(S): Friday 13th COM, South African, 512 Virus, COM Virus, Friday The 13th-B, Friday The 13th-C, Miami, Munich, Number of the Beast, Virus-B
TRANSMISSION VECTOR: .COM applications
MODE OF INFECTION CODES: COM
POTENTIAL DAMAGE CODES: PROG
OVERVIEW: Infects all .COM files except COMMAND.COM, and deletes the host program if run on Friday the 13th.
__________________________________________________
NAME(S): Fu Manchu, 2086, 2080, Fumanchu
TRANSMISSION VECTOR: .COM or .EXE applications
MODE OF INFECTION CODES: RES, COM, EXE, OVR
POTENTIAL DAMAGE CODES: RUN, PROG
OVERVIEW: Infects .COM and .EXE files. The message 'The world will hear from me again! ' is displayed on every warm boot, and the virus inserts insults into the keyboard buffer when the names of certain world leaders are typed at the keyboard. Occasionally causes the system to spontaneously reboot.
__________________________________________________
NAME(S): FUTURE
TRANSMISSION VECTOR: FUTURE.BAS Application
MODE OF INFECTION CODES: TRJ
POTENTIAL DAMAGE CODES: ERASE
OVERVIEW: This "program" starts out with a very nice color picture and then proceeds to tell you that you should be using your computer for better things than games and graphics. After making that point, it trashes your A: drive, then B:, C:, D:, and so on until it has erased all drives.
__________________________________________________
NAME(S): G-MAN
TRANSMISSION VECTOR: G-MAN Application
MODE OF INFECTION CODES: TRJ
POTENTIAL DAMAGE CODES: FAT
OVERVIEW: Another FAT killer.
__________________________________________________
NAME(S): GATEWAY, GATEWAY2
TRANSMISSION VECTOR: GATEWAY
MODE OF INFECTION CODES: TRJ
POTENTIAL DAMAGE CODES: FAT
OVERVIEW: Someone tampered with version 2.0 of the CTTY monitor GATEWAY. What it does is ruin the FAT.
__________________________________________________
NAME(S): Ghost
TRANSMISSION VECTOR: .COM applications
MODE OF INFECTION CODES: COM
POTENTIAL DAMAGE CODES: BOOT, PROG
OVERVIEW: Infects .COM files.
__________________________________________________
NAME(S): GhostBalls, Ghost Boot, Ghost COM
TRANSMISSION VECTOR: .COM applications
MODE OF INFECTION CODES: RES, COM
POTENTIAL DAMAGE CODES: BOOT, RUN, PROG
OVERVIEW: Infects floppy and hard disk boot sectors.
__________________________________________________
NAME(S): GRABBER
TRANSMISSION VECTOR: GRABBER.COM Application
MODE OF INFECTION CODES: TRJ, RES
POTENTIAL DAMAGE CODES: FILES
OVERVIEW: This program is supposed to be a SCREEN CAPTURE program that copies the screen to a .COM file to be later run from a DOS command line. As a TSR it will attempt to do a DISK WRITE to your hard drive when you do not want it to. It will wipe out whole directories when doing a normal DOS command. One sysop who ran it lost all of his ROOT DIR including his SYSTEM files.
__________________________________________________
NAME(S): Halloechn, Hello_1a, Hello
TRANSMISSION VECTOR: .COM applications, .EXE applications
MODE OF INFECTION CODES: COM, EXE
POTENTIAL DAMAGE CODES: RUN, DATA
OVERVIEW: The virus slows the system down, and corrupts keyboard entries (pressing an "A" produces a "B").
__________________________________________________
NAME(S): Icelandic, Disk Eating Virus, Disk Crunching Virus, One In Ten, Saratoga 2
TRANSMISSION VECTOR: .EXE applications
MODE OF INFECTION CODES: RES, EXE
POTENTIAL DAMAGE CODES: RUN, PROG, FAT
OVERVIEW: Infects every 10th .EXE file run, and if the current drive is a hard disk larger than 10M bytes, the virus will select one cluster and mark it as bad in the first copy of the FAT. Diskettes and 10M byte disks are not affected.
__________________________________________________
NAME(S): Icelandic II, One In Ten, System Virus, 642
TRANSMISSION VECTOR: .EXE applications
MODE OF INFECTION CODES: RES, EXE
POTENTIAL DAMAGE CODES: RUN, PROG
OVERVIEW: Every tenth program run is checked, and if it is an uninfected .EXE file it will be infected. The virus modifies the MCBs in order to hide from detection. This virus is a version of the Icelandic-1 virus, modified so that it does not use INT 21 calls to DOS services. This is done to bypass monitoring programs.
__________________________________________________
NAME(S): Icelandic III, December 24th
TRANSMISSION VECTOR: .EXE applications
MODE OF INFECTION CODES: RES, EXE
POTENTIAL DAMAGE CODES: RUN, PROG
OVERVIEW: It infects one out of every ten .EXE files run. If an infected file is run on December 24th it will stop any other program run later, displaying the message "Gledileg jol".
__________________________________________________
NAME(S): Israeli Boot, Swap
TRANSMISSION VECTOR: Floppy boot sector
MODE OF INFECTION CODES: RES, FDB
POTENTIAL DAMAGE CODES: BOOT
OVERVIEW: It infects floppy disk boot sectors and reverses the order of letters typed, creating typographical errors.
__________________________________________________
NAME(S): Jerusalem, Jerusalem A, Black Hole, Blackbox, 1808, 1813, Israeli, Hebrew University, Black Friday, Friday 13th, PLO, Russian
TRANSMISSION VECTOR: .COM or .EXE applications
MODE OF INFECTION CODES: RES, COM, EXE, OVR
POTENTIAL DAMAGE CODES: RUN, PROG, FILES
OVERVIEW: Spreads between executable files (.COM or .EXE). On Friday the 13th, it erases any file that is executed, and on other days a two-line black rectangle will appear at the bottom of the screen. Once this virus installs itself (once an infected COM or EXE file is executed), any other COM or EXE file executed will become infected.
__________________________________________________
NAME(S): Keypress
TRANSMISSION VECTOR: .COM applications, .EXE applications
MODE OF INFECTION CODES: COM, EXE
POTENTIAL DAMAGE CODES:
OVERVIEW: Every 10 minutes, the virus looks at INT 09h (keyboard interrupt) for 2 seconds; if a keystroke is recognized during this time, it is repeated depending on how long the key is pressed; it thus appears as a "bouncing key".
__________________________________________________
NAME(S): Lehigh, Lehigh-2, Lehigh-B
TRANSMISSION VECTOR: COMMAND.COM
MODE OF INFECTION CODES: RES, CC
POTENTIAL DAMAGE CODES: PROG, FAT, BOOT
OVERVIEW: Spreads between copies of COMMAND.COM. After spreading four or ten times, it overwrites critical parts of a disk with random data.
__________________________________________________
NAME(S): Macho, MachoSoft, 3555, 3551
TRANSMISSION VECTOR: .COM or .EXE applications
MODE OF INFECTION CODES: COM, EXE, ENC
POTENTIAL DAMAGE CODES: PROG, DATA
OVERVIEW: Spreads between .COM and .EXE files. It scans through data on the hard disk, changing the string "Microsoft" (in any mixture of upper and lower case) to "MACHOSOFT". If the environment variable "VIRUS=OFF" is set, the virus will not infect.
__________________________________________________
NAME(S): MAP, FAT EATER
TRANSMISSION VECTOR: MAP Application
MODE OF INFECTION CODES: TRJ
POTENTIAL DAMAGE CODES: FAT
OVERVIEW: This is another trojan horse written by the infamous "Dorn Stickel." Designed to display what TSRs are in memory, it works on the FAT and BOOT sector.
__________________________________________________
NAME(S): MATHKIDS, FIXIT
TRANSMISSION VECTOR: MATHKIDS.ARC Archive
MODE OF INFECTION CODES: TRJ
POTENTIAL DAMAGE CODES: CBBS
OVERVIEW: This trojan is designed to crack a BBS system. It will attempt to copy the USERS file on a BBS to a file innocently called FIXIT.ARC, which the originator can later call in and download. Believed to be designed for PCBoard BBSs.
__________________________________________________
NAME(S): Merritt, Alameda, Yale, Golden Gate, 500 Virus, Mazatlan, Peking, Seoul
TRANSMISSION VECTOR: Floppy boot sector
MODE OF INFECTION CODES: RES, FDB
POTENTIAL DAMAGE CODES: BOOT, FAT
OVERVIEW: Track 39 sector 8 is used to save the original boot record, and any file there will be overwritten. Destroys the FAT after some length of time. It spreads when the Ctrl-Alt-Del sequence is used with an uninfected diskette in the boot drive. The Golden Gate variation will reformat drive C: after n infections. Infects floppies only. Spreads between floppy disks.
__________________________________________________
NAME(S): Mirror, Flip Clone
TRANSMISSION VECTOR: .EXE applications
MODE OF INFECTION CODES: EXE, RES
POTENTIAL DAMAGE CODES: RUN, PROG
OVERVIEW: When the virus is triggered, the screen will flip horizontally character for character.
__________________________________________________
NAME(S): Mix1, MIX1, MIX/1, Mixer1
TRANSMISSION VECTOR: .EXE applications
MODE OF INFECTION CODES: RES, EXE
POTENTIAL DAMAGE CODES: RUN, PROG
OVERVIEW: The output is garbled on parallel and serial connections; after the 6th level of infection, booting the computer will crash the system (a bug); num-lock is constantly on; a ball will start bouncing on the screen.
__________________________________________________
NAME(S): NOTROJ
TRANSMISSION VECTOR: NOTROJ.COM Application
MODE OF INFECTION CODES: TRJ
POTENTIAL DAMAGE CODES: FAT, FMT
OVERVIEW: All outward appearances indicate that the program is a useful utility used to FIGHT other trojan horses. Actually, it is a time bomb that erases any hard disk FAT table that IT can find on hard drives that are more than 50% full, and at the same time it warns: "another program is attempting a format, can't abort!" After erasing the FAT(s), NOTROJ then proceeds to start a low-level format.
__________________________________________________
NAME(S): Oropax, Music, Musician
TRANSMISSION VECTOR: .COM applications
MODE OF INFECTION CODES: RES, COM
POTENTIAL DAMAGE CODES: RUN, PROG
OVERVIEW: Infects .COM files and plays musical melodies repeatedly.
__________________________________________________
NAME(S): PACKDIR
TRANSMISSION VECTOR: PACKDIR Application
MODE OF INFECTION CODES: TRJ
POTENTIAL DAMAGE CODES: FAT
OVERVIEW: This utility is supposed to "pack" (sort and optimize) the files on a [hard] disk, but apparently it scrambles FAT tables. (Possibly a bug rather than a deliberate trojan?? w.j.o.)
__________________________________________________
NAME(S): PCW271, PC-WRITE 2.71
TRANSMISSION VECTOR: PCW271xx.ARC Archive
MODE OF INFECTION CODES: TRJ
POTENTIAL DAMAGE CODES: FAT
OVERVIEW: A modified version of the popular PC-WRITE word processor (v. 2.71) that scrambles FAT tables. The bogus version of PC-WRITE version 2.71 can be identified by its size; it uses 98,274 bytes whereas the good version uses 98,644.
__________________________________________________
NAME(S): Pentagon
TRANSMISSION VECTOR: Floppy boot sector
MODE OF INFECTION CODES: FDB, RES
POTENTIAL DAMAGE CODES: BOOT
OVERVIEW: It infects floppy disk boot sectors, and removes the Brain virus from any disk it finds. The virus can survive a warm boot.
__________________________________________________
NAME(S): Perfume, 765, 4711
TRANSMISSION VECTOR: .COM applications
MODE OF INFECTION CODES: RES, COM, CC
POTENTIAL DAMAGE CODES: PROG, RUN
OVERVIEW: It infects .COM files, and after 80 executions it demands a password to run the application. The password is 4711 (the name of a perfume).
__________________________________________________
NAME(S): Ping Pong, Bouncing Ball, Italian, Bouncing Dot, Vera Cruz, Turin Virus
TRANSMISSION VECTOR: Floppy boot sector
MODE OF INFECTION CODES: RES, FDB, HDB
POTENTIAL DAMAGE CODES: RUN, BOOT
OVERVIEW: A bouncing dot appears on screen. No other intentional damage.
Spreads between disks by infecting the boot sectors.
__________________________________________________
NAME(S): Ping Pong B, Boot, Falling Letters
TRANSMISSION VECTOR: Floppy/hard disk boot sectors
MODE OF INFECTION CODES: RES, FDB, HDB
POTENTIAL DAMAGE CODES: RUN, BOOT
OVERVIEW: A bouncing dot appears on screen. No other intentional damage. Spreads between disks by infecting the boot sectors.
__________________________________________________
NAME(S): PKFIX361
TRANSMISSION VECTOR: PKFIX361.EXE Application
MODE OF INFECTION CODES: TRJ
POTENTIAL DAMAGE CODES: FMT
OVERVIEW: PKFIX361.EXE *TROJAN* Supposed patch to v3.61; what it really does, when extracted from the .EXE, is DIRECT access to the DRIVE CONTROLLER to do a low-level format, thereby bypassing checking programs. (This would be only XT type disk drive cards. w.j.o.)
__________________________________________________
NAME(S): PKPAK/PKUNPAK 3.61, PK362, PK363
TRANSMISSION VECTOR: PKPAK/PKUNPAK V. 3.61 Applications, PK362.EXE Application, PK363.EXE Application
MODE OF INFECTION CODES: TRJ
POTENTIAL DAMAGE CODES:
OVERVIEW: PKPAK/PKUNPAK *TROJAN* There is a TAMPERED version of 3.61 that, when used, interferes with the PC's interrupts. PK362.EXE: This is a NON-RELEASED version and is suspected of being a *TROJAN* - not verified. PK363.EXE: This is a NON-RELEASED version and is suspected of being a *TROJAN* - not verified.
__________________________________________________
NAME(S): PKX35B35, PKB35B35
TRANSMISSION VECTOR: PKX35B35.ARC Archive, PKB35B35.ARC Archive
MODE OF INFECTION CODES: TRJ
POTENTIAL DAMAGE CODES: FAT
OVERVIEW: PKX35B35.ARC, PKB35B35.ARC: This was supposed to be an update to the PKARC file compression utility, which when used *EATS your FATS* and is, or at least is RUMORED to be, able to infect other files so it can spread - possible VIRUS?
__________________________________________________
NAME(S): QUIKRBBS
TRANSMISSION VECTOR: QUIKRBBS.COM Application
MODE OF INFECTION CODES: TRJ
POTENTIAL DAMAGE CODES: FAT
OVERVIEW: This trojan horse advertises that it will install a program to protect your RBBS, but it does not. It goes and eats away at the FAT.
__________________________________________________
NAME(S): QUIKREF
TRANSMISSION VECTOR: QUIKREF.ARC Archive
MODE OF INFECTION CODES: TRJ
POTENTIAL DAMAGE CODES: CBBS
OVERVIEW: This ARChive contains ARC513.COM. It claims to load RBBS-PC's message file into memory two times faster than normal. What it really does is copy RBBS-PC.DEF into an ASCII file named HISCORES.DAT.
__________________________________________________
NAME(S): RCKVIDEO
TRANSMISSION VECTOR: RCKVIDEO Application
MODE OF INFECTION CODES: TRJ
POTENTIAL DAMAGE CODES: ERASE
OVERVIEW: After showing some simple animation of a rock star, the program erases every file it can find. After about a minute of this, it creates three ASCII files that say "You are stupid to download a video about rock stars".
__________________________________________________
NAME(S): RPVS, 453, RPVS-B, TUQ
TRANSMISSION VECTOR: .COM applications
MODE OF INFECTION CODES: COM
POTENTIAL DAMAGE CODES: PROG, RUN
OVERVIEW: Whenever an infected application is run, at least one other .COM file in the default directory is infected.
__________________________________________________
NAME(S): Saddam
TRANSMISSION VECTOR: .COM applications
MODE OF INFECTION CODES: COM, RES
POTENTIAL DAMAGE CODES: PROG
OVERVIEW: This appears to be a variant of the Stupid virus. On every eighth infection, the string: "HEY SADAM"{LF}{CR} "LEAVE QUEIT BEFORE I COME" is displayed. The virus copies itself to [0:413]*40h-867h, which means that only computers with 640KB can be infected. Many large programs also load themselves into this area and erase the virus from memory, or hang the system.
__________________________________________________
NAME(S): Saratoga, 632, Disk Eating Virus, One In Two
TRANSMISSION VECTOR: .EXE applications
MODE OF INFECTION CODES: RES, EXE
POTENTIAL DAMAGE CODES: RUN, PROG, FAT
OVERVIEW: Infects every 10th .EXE file run, and if the current drive is a hard disk larger than 10M bytes, the virus will select one cluster and mark it as bad in the first copy of the FAT. Diskettes and 10M byte disks are not affected.
__________________________________________________
NAME(S): Scrambler, KEYBGR Trojan
TRANSMISSION VECTOR: KEYBGR.COM Application
MODE OF INFECTION CODES: TRJ
POTENTIAL DAMAGE CODES: RUN
OVERVIEW: About 60 minutes after the trojan KEYBGR.COM is started, a smiley face moves in a random fashion about the screen, displacing characters as it moves.
__________________________________________________
NAME(S): SECRET
TRANSMISSION VECTOR: SECRET.BAS Application
MODE OF INFECTION CODES: TRJ
POTENTIAL DAMAGE CODES: FMT
OVERVIEW: BEWARE!! This may be posted with a note saying it doesn't seem to work, and would someone please try it; when you do, it formats your disks.
__________________________________________________
NAME(S): SIDEWAYS, SIDEWAYS.COM
TRANSMISSION VECTOR: SIDEWAYS.COM Application
MODE OF INFECTION CODES: TRJ
POTENTIAL DAMAGE CODES: BOOT
OVERVIEW: Both the trojan and the good version of SIDEWAYS advertise that they can print sideways, but SIDEWAYS.COM trashes a [hard] disk's boot sector instead.
__________________________________________________
NAME(S): STAR, STRIPES
TRANSMISSION VECTOR: STAR.EXE Application, STRIPES.EXE Application
MODE OF INFECTION CODES: TRJ
POTENTIAL DAMAGE CODES: CBBS
OVERVIEW: STAR.EXE: Beware, RBBS-PC SysOps! This file puts some stars on the screen while copying RBBS-PC.DEF to another name that can be downloaded later! STRIPES.EXE: Similar to STAR.EXE, this one draws an American flag (nice touch) while it's busy copying your RBBS-PC.DEF to another file (STRIPES.BQS).
__________________________________________________
NAME(S): Stoned, Marijuana, Hawaii, New Zealand, Australian, Hemp, San Diego, Smithsonian, Stoned-B, Stoned-C
TRANSMISSION VECTOR: Floppy/hard disk boot sectors
MODE OF INFECTION CODES: RES, FDB, HDB, HDP
POTENTIAL DAMAGE CODES: RUN, BOOT, FAT
OVERVIEW: Spreads between boot sectors of both fixed and floppy disks. May overlay data. Sometimes displays the message "Your PC is now Stoned!" when booted from floppy. Affects the partition record on the hard disk. No intentional damage is done.
__________________________________________________
NAME(S): SUG
TRANSMISSION VECTOR: SUG.COM Application
MODE OF INFECTION CODES: TRJ
POTENTIAL DAMAGE CODES: ERFD
OVERVIEW: This program is supposed to unprotect copy-protected program disks protected by Softguard Systems, Inc. It trashes the disk and displays: "This destruction constitutes a prima facie evidence of your violation. If you attempt to challenge Softguard Systems Inc..., you will be vigorously counter-sued for copyright infringement and theft of services." It encrypts the Gotcha message so no trojan checker can scan for it.
__________________________________________________
NAME(S): Sunday, Sunday-B, Sunday-C
TRANSMISSION VECTOR: .COM or .EXE applications
MODE OF INFECTION CODES: RES, COM, EXE, OVR
POTENTIAL DAMAGE CODES: RUN, PROG
OVERVIEW: Infects .COM and .EXE files.
__________________________________________________
NAME(S): Suriv-01, April-1-COM, April 1st, Suriv A, sURIV 1.01
TRANSMISSION VECTOR: .COM applications
MODE OF INFECTION CODES: RES, COM
POTENTIAL DAMAGE CODES: RUN, PROG
OVERVIEW: Spreads between COM files. On April 1st, 1988, writes the message: "APRIL 1ST HA HA HA HA YOU HAVE A VIRUS" and hangs the system. After that, simply writes a message every time any program is run.
__________________________________________________
NAME(S): Suriv-02, APRIL-1-EXE, April 1st-B, Suriv02, Suriv 2.01, Suriv A
TRANSMISSION VECTOR: .EXE applications
MODE OF INFECTION CODES: RES, EXE
POTENTIAL DAMAGE CODES: RUN, PROG
OVERVIEW: Spreads between .EXE files. On April 1st, 1988 and later, writes the message: "APRIL 1ST HA HA HA HA YOU HAVE A VIRUS" and hangs the system.
__________________________________________________
NAME(S): Sylvia, Holland
TRANSMISSION VECTOR: .COM applications
MODE OF INFECTION CODES: RES, COM
POTENTIAL DAMAGE CODES: PROG
OVERVIEW: Infects .COM files.
__________________________________________________
NAME(S): Syslock, Macrosoft
TRANSMISSION VECTOR: .COM or .EXE applications
MODE OF INFECTION CODES: COM, EXE, ENC
POTENTIAL DAMAGE CODES: PROG, DATA
OVERVIEW: Spreads between .COM and .EXE files. It scans through data on the hard disk, changing the string "Microsoft" (in any mixture of upper and lower case) to "MACROSOFT". If the environment variable "SYSLOCK=@" is set, the virus will not infect. A variant of Advent.
__________________________________________________
NAME(S): Tiny 163
TRANSMISSION VECTOR: .COM applications
MODE OF INFECTION CODES: COM, CC
POTENTIAL DAMAGE CODES:
OVERVIEW: When an infected file is executed, the virus attempts to infect other .COM files in the local directory.
__________________________________________________
NAME(S): TIRED
TRANSMISSION VECTOR: TIRED Application
MODE OF INFECTION CODES: TRJ
POTENTIAL DAMAGE CODES: FAT
OVERVIEW: Another scramble-the-FAT trojan by Dorn W. Stickel.
__________________________________________________
NAME(S): Toothless, W13, W13-A, W13-B
TRANSMISSION VECTOR: .COM applications
MODE OF INFECTION CODES: RES, COM
POTENTIAL DAMAGE CODES: PROG
OVERVIEW: Infects .COM files. Infected programs are first padded so their length becomes a multiple of 512 bytes, and then the 637 bytes of virus code are added to the end. It then intercepts any disk writes and changes them into disk reads.
__________________________________________________ NAME(S): TOPDOS TRANSMISSION VECTOR: TOPDOS Application MODE OF INFECTION CODES: TRJ POTENTIAL DAMAGE CODES: FMT OVERVIEW: This is a simple high level [hard] disk formatter. __________________________________________________ NAME(S): Traceback, 3066, 3066-B, 3066-B2, Traceback-B, Traceback-B2 TRANSMISSION VECTOR: .COM or .EXE applications MODE OF INFECTION CODES: RES, COM, EXE POTENTIAL DAMAGE CODES: PROG OVERVIEW: Spreads between COM and EXE fles. Based on a rather complicated set of criteria, it will sometimes cause the text displayed on the screen to fall to the bottom, and then rise back up. __________________________________________________ NAME(S): Traceback II, 2930, 2930-B, Traceback II-B TRANSMISSION VECTOR: .COM or .EXE applications MODE OF INFECTION CODES: RES, COM, EXE POTENTIAL DAMAGE CODES: PROG OVERVIEW: Spreads between .COM and .EXE files. Based on a rather complicated set of criteria, it will sometimes cause the text displayed on the screen to fall to the bottom, and then rise back up. __________________________________________________ NAME(S): TSRMAP TRANSMISSION VECTOR: TSRMAP Application MODE OF INFECTION CODES: TRJ POTENTIAL DAMAGE CODES: BOOT OVERVIEW: TSRMAP *TROJAN* This program does what it's supposed to do: give a map outlining the location (in RAM) of all TSR programs, but it also erases the boot sector of drive "C:". __________________________________________________ NAME(S): Typo, Type Boot TRANSMISSION VECTOR: Floppy/hard disk boot sectors MODE OF INFECTION CODES: RES, FDB, HDB POTENTIAL DAMAGE CODES: BOOT, RUN OVERVIEW: Infects floppy and hard disk boot sectors. __________________________________________________ NAME(S): Typo, Fumble, Typo COM, 867, Mistake TRANSMISSION VECTOR: .COM applications MODE OF INFECTION CODES: RES, COM POTENTIAL DAMAGE CODES: RUN, PROG OVERVIEW: Infects .COM files. 
__________________________________________________ NAME(S): ULTIMATE TRANSMISSION VECTOR: ULTIMATE.EXE Application, ULTIMATE.ARC Archive MODE OF INFECTION CODES: TRJ POTENTIAL DAMAGE CODES: FAT OVERVIEW: Another FAT eate __________________________________________________ NAME(S): Vacsina, TP04VIR, TP05VIR, TP06VIR, TP16VIR, TP23VIR, TP24VIR, TP25VIR TRANSMISSION VECTOR: .COM or .EXE applications MODE OF INFECTION CODES: RES, COM, EXE, OVR POTENTIAL DAMAGE CODES: RUN, PROG OVERVIEW: It infects .COM and .EXE files when they are loaded, old versions of the virus will be replaced by newer ones. __________________________________________________ NAME(S): VDIR TRANSMISSION VECTOR: VDIR.COM Application MODE OF INFECTION CODES: TRJ POTENTIAL DAMAGE CODES: ERASE OVERVIEW: This is a disk killer that Jerry Pournelle wrote about in BYTE Magazine. __________________________________________________ NAME(S): Vienna, 648, Lisbon, Vienna-B, Austrian, Dos-62, Unesco, The 648 Virus, The One-in-Eight Virus, 62-B, DOS-68, Vien6, Vienna-B645 TRANSMISSION VECTOR: .COM applications MODE OF INFECTION CODES: COM POTENTIAL DAMAGE CODES: PROG OVERVIEW: The virus infects one .COM file every time it is run. 7/8 of the time it infects the .COM file and 1/8 of the time it inserts a jump to the BIOS initialitation routines that reboot the machine. To mark a file as infected, the virus sets the seconds field of the timestamp to 62 which most utilities (including DIR) skip. __________________________________________________ NAME(S): Zero Bug, Agiplan, 1536, Palette, ZBug TRANSMISSION VECTOR: .COM applications MODE OF INFECTION CODES: RES, COM POTENTIAL DAMAGE CODES: RUN, PROG OVERVIEW: Infects .COM files. All characters "0" (zero) will be exchanged with other characters. Exchange characters are 01h, 2Ah, 5Fh, 3Ch, 5Eh, 3Eh and 30h, in which case the attribute is set to back- ground color (i.e. the character is invisible). This routine uses about 10% of CPU-time (system is slowed down accordingly). 
**************************************************
The Computer Incident Advisory Capability: Virus Descriptions In Process
____________________________________________________________
Suriv-03, Ohio, Yankee Doodle, Alabama, Vcomm, Virus-90, Jerusalem-B, Frankie, Dark Avenger III, Turbo 448, Tiny virus, Polish 217, Kennedy, Recovery Virus, VFSI, Polish 529, VHP2, Dot Killer, Burger, 512, 646, Oulu, Fellowship, Nomenklatura, Prudents Virus, 1226, Anticad, 1381, 1392, Ten Bytes, 1605, Yankee 2, PSQR, Eight Tunes, UScan Virus, 2131, Taiwan, Plastique, Itavir, 4096-B, The Basic Virus, Print Screen, Aircop, Anthrax, Anti-pascal II, Armagedon, Attention!, Best Wishes, Black Monday, Blood, Bloody!, Carioca, Casper, Christmas in Japan, Cursy, Datalock, Wisconsin, Doom, Durban, Solano 2000, Eddie 3, Evil, F-Word Virus, Swap Boot, Flip, Form, Fere Jacques, Sorry, Groen, Guppy, Joshi, Holocaust, Hymn, Invader, Jeff, Joker, JOJO, July 13th, June 16th, Kamikazi, Kemerovo, Korea, Kukac, Leprosy, Liberty, Live After Death, Lozinsky, Mardi Bros, MGTU, Microbes, ZeroHunt, Monxla, Whale, Murphy, Music, Number 1, Ontario, Phoenix, Paris, Ping Pong-C, Plastique-B, Polimer, Polish 529, Polish 583, Polish 961, Proud, Red Diavolyata, Scott's Valley, SF Virus, Shake, Slow, Spyer, Stoned-II, Subliminal 1.10, Sverdlov, SVir, USSR, V2P2, V2P6, V2P6Z, VHP, Victor, Violator, Virdem, Virus101, Voronezh, VP, Westwood, Wolfman

_____________________________________________________
The Computer Incident Advisory Capability
_____________________________________________________

Information Bulletin

Increasing Security on Your UNICOS System

March 5, 1100 PST
Number B-17

Critical UNICOS Information
________________________________________________________________________
PROBLEM:   Some UNICOS systems have not installed all patches that may have security implications
PLATFORM:  Many versions of the Cray UNICOS operating system
DAMAGE:    Possibility that some UNICOS systems are not operating as securely as possible
SOLUTIONS: Install UNICOS patches that apply to your version of UNICOS
_______________________________________________________________________

CIAC has been working with Cray Research Corporation as well as Cray users in the DOE community to determine which basic set of UNICOS patches provides a baseline level of security in UNICOS systems. The patches described below have been identified as important in assuring that this baseline level has been met. Some of these patches have been the subject of Cray alert bulletins (Cray Field Alerts), each of which (if applicable) will be referenced as each patch is identified. You may contact Cray for additional information in obtaining, installing, and assuring that these patches have been installed on your UNICOS system.

The mods listed below are Cray binary files available to correct each described problem. These mods are available on the crayamid system. Each UNICOS mod has a unique identification (for example, Cray mod d15567cmda) and is appropriate to specific versions of the UNICOS operating system. Unless otherwise stated, the mod will apply to the entire family of Cray hardware, including Cray-1, X-MP, Y-MP, and Cray-2.

1. Cray mod d15567cmda, UNICOS version 5.0/5.1

   Modifies the command /bin/du. Alternatively, removing the SETUID bit from the /bin/du command by executing the following command as root will effectively replace the need for the above mod:

      chmod 0755 /bin/du

2. Cray mod d18028, UNICOS version 5.0/5.1

   Modifies the command /etc/nu. This mod has been integrated in the baseline operating system for Cray-1/XMP/YMP at version 5.1.8d and version 5.1.8 for Cray-2. For more details, see Cray Field Alert #93.

3. Cray mod e13159utsa, UNICOS version 4.0, 4.EA, 5.0

   This patch was the subject of Cray Field Alert #72. The patch modifies the read/write and reada/writea system calls. A copy of the mod may be found on the crayamid system under /u/mods/unicos_x/5.0/uts/e13159utsa.

4. Limited buffer space in the kernel for some entries.

   This problem has been corrected with the following mods. CIAC recommends that you install any mods that apply to your system.

      UNICOS 5.1:
         XMP            d19646utsa
         Cray-2         d19647inca
         XMP, Cray-2    d19648tcpa

      UNICOS 6.0:
         XMP            60uts07182a
         XMP            60uts07187a
         XMP, Cray-2    60uts07186a
         Cray-2         60uts07184a

      UNICOS 6.1:
         XMP            61uts07182a
         XMP            61uts07187a
         XMP, Cray-2    61uts07186a
         Cray-2         61uts07184a

CIAC recommends that you install any mods (listed above) appropriate to your UNICOS system. In addition, you should upgrade your version of UNICOS to the most recent available, since many improvements to the security of your system have been integrated into the most recent base operating system.

For additional information or assistance, please contact CIAC:
   Tom Longstaff (415) 423-4416 or (FTS) 543-4416, or
   Eugene Schultz (415) 422-7781 or (FTS) 532-7781
   Call CIAC at (415) 422-8193 or (FTS) 532-8193 or send e-mail to ciac@cheetah.llnl.gov
   Send FAX messages to: (415) 423-0913 or (FTS) 543-0913

Karis Forster and Chuck Athey provided information contained in this bulletin.

Neither the United States Government nor the University of California nor any of their employees, makes any warranty, expressed or implied, or assumes any legal liability or responsibility for the accuracy, completeness, or usefulness of any information, product, or process disclosed, or represents that its use would not infringe privately owned rights. Reference herein to any specific commercial products, process, or service by trade name, trademark manufacturer, or otherwise, does not necessarily constitute or imply its endorsement, recommendation, or favoring by the United States Government or the University of California.
The views and opinions of authors expressed herein do not necessarily state or reflect those of the United States Government nor the University of California, and shall not be used for advertising or product endorsement purposes.

_____________________________________________________
The Computer Incident Advisory Capability
_____________________________________________________

Information Bulletin

March 11, 1991, 1330 PST
Number B-18

MVS Security Problem with TSO Reconnect Facility
________________________________________________________________________
PROBLEM:   MVS security problem with TSO Reconnect Facility
PLATFORM:  IBM MVS systems running TSO
DAMAGE:    Allows unintended reconnect to TSO address space from a different terminal without appropriate terminal check or address space modification
SOLUTIONS: IBM is working on a permanent solution, but an interim workaround is to set reconnect time (RECONLIM) to 0 in SYS1.PARMLIB (TSOKEYxx)
IMPACT OF WORKAROUND: Disallows the use of the TSO Reconnect Facility for all users
_______________________________________________________________________

Critical TSO Reconnect Facility Information

CIAC has learned of a potential problem that exists in some IBM MVS systems. This potential problem exists in MVS systems that support TSO (Time Sharing Option) and a security package (e.g., RACF), and also use special groups to grant access to information only at designated locations (terminals). If uncorrected, this problem may allow a user to reconnect to a previous session without resetting the special group information. This may allow someone to bypass a security feature that is designed to limit the access to sensitive files to a particular set of terminals. Note that user IDs and passwords are still required to reconnect a session using the TSO Reconnect Facility. The problem, therefore, cannot result in unauthorized access to systems.

IBM is aware of this problem, and is working toward a permanent solution. An interim workaround has been devised. When the RECONLIM parameter in the SYS1.PARMLIB(TSOKEYxx)* file is set to zero, any given TSO session will immediately time out and not allow the reconnect facility to be activated. This will prevent a user from disconnecting and using the Reconnect Facility to resume the session at a later time. Only the Reconnect Facility address space will be modified. No other address spaces will be affected by this change.

For additional information or assistance, please contact CIAC:
   Tom Longstaff (415) 423-4416 or (FTS) 543-4416, or
   Call CIAC at (415) 422-8193 or (FTS) 532-8193 or send e-mail to ciac@cheetah.llnl.gov.
   Send FAX messages to: (415) 423-0913 or (FTS) 543-0913

_____
* - The TSOKEY is delivered from IBM with the version TSOKEY00, but many sites have modified this to be some other number, for example TSOKEY01. The RECONLIM parameter should be modified in the appropriate SYS1.PARMLIB file used during the system IPL (Initial Program Load).

Tim Harrington provided information contained in this bulletin.

_____________________________________________________
The Computer Incident Advisory Capability
_____________________________________________________

Information Bulletin

Vulnerability in UNIX System V on 386/486 Platforms

Critical UNIX System V on 386/486 Vulnerability Information
--------------------------------------------------------------------------
PROBLEM:   UNIX System V security problem on 386/486 platforms (UAREA bug).
PLATFORM:  UNIX System V for the Intel 80386/80486 based computers.
DAMAGE:    Allows privileged access to files by non-privileged users.
SOLUTIONS: Patch/update available from various vendors.
IMPACT OF PATCH: Vulnerability eliminated. No other side-effects reported.
--------------------------------------------------------------------------

March 21, 1991, 1200 PST
Number B-19

CIAC has learned of a vulnerability that allows privileged access to files on some versions of UNIX System V running on an Intel 80386/80486 based computer. This problem, known as the UAREA bug, has been corrected by AT&T. Most vendors of UNIX System V based on the AT&T software have recently released patches specifically designed for their products. This bulletin provides a partial list of vendors that are providing patches for this problem, as well as vendors whose product never had the vulnerability in a specified release.

The following vulnerability matrix lists each vendor/version combination for which CIAC has received information. For each vendor, the listed versions were tested for this vulnerability, and a patch was developed for those versions found to be vulnerable. If the vendor/version combination does not exhibit the vulnerability, "No" appears in the third column.

   Vendor                   Version        Exhibits vulnerability
   ------------------------ -------------  ----------------------
   Dell                     SVR3.2/1.0.6   Yes - patch available
   Dell                     SVR3.2/1.1     No
   Dell                     SVR4.0/2.0     No
   Interactive              2.0.2          Yes - patch available
   Interactive              2.2            Yes - patch available
   Interactive              2.2.1          Yes - patch available
   Everex (ESIX)            Rev. D         Yes - patch available
   AT&T                     SVR3.2.0       Yes - patch available
   AT&T                     SVR3.2.1       No
   SCO                      all versions   No
   Microport                2.2            No

Most vendors are aware of this bug, and have taken steps to correct the problem. If your vendor/version of UNIX is not listed, or is listed as one of those that exhibits the vulnerability, you should contact your UNIX System V vendor for the patch.

For additional information or assistance, please contact CIAC:
   Hal Brand (415) 422-6312 or (FTS) 532-6312
   During working hours call CIAC at (415) 422-8193 or (FTS) 532-8193 or send e-mail to ciac@cheetah.llnl.gov.
   Send FAX messages to: (415) 423-0913 or (FTS) 543-0913
_____________________________________________________
The Computer Incident Advisory Capability
_____________________________________________________

Information Bulletin

March 26, 1991, 1330 PST
Number B-20

Patch Available for SunOS in.telnetd
________________________________________________________________________
PROBLEM:   SunOS versions 4.0.3 through 4.1.1 in.telnetd may send output to an unauthorized user.
PLATFORM:  All Sun3 and Sun4 computers running SunOS 4.0.3, 4.1 or 4.1.1.
DAMAGE:    May allow unauthorized access to the system.
SOLUTIONS: Patch/update available from Sun.
IMPACT OF PATCH: Vulnerability eliminated. No other side-effects reported.
_______________________________________________________________________

Critical Information about in.telnetd Patch

Sun Microsystems has recently announced the availability of a new patch for the utility in.telnetd (the daemon that controls the remote login program, telnet). If not patched, this utility may allow unauthorized access to systems. The patch is available from Sun Microsystems as Patch ID# 100125-02 (this number is required to order this patch from the Sun Answer Center). This patch is also available via anonymous ftp at uunet.uu.net (IP# 192.48.96.2) in the file sun-dist/100125-02.tar.Z. If you obtain the patch using anonymous ftp, no additional installation instructions are necessary. If you obtain the patch in some other manner (e.g., from CIAC), we suggest that you use the following installation procedure:

1. Log in as root on the system to be repaired.

2. Disable the flawed version of in.telnetd with the following commands:

      # mv /usr/etc/in.telnetd /usr/etc/in.telnetd.FCS
      # chmod 600 /usr/etc/in.telnetd.FCS

3. Obtain the patch file 100125-02.tar.Z (either from Sun or a trusted anonymous FTP site such as uunet.uu.net).

4. Uncompress the patch file:

      # uncompress 100125-02.tar.Z

5. Extract the patch file appropriate to your architecture (either 3, 3x, 4, or 4c -- contact your Sun representative if you do not know which architecture you have):

      # tar xf 100125-02.tar {architecture}/in.telnetd

   where {architecture} is one of 3, 3x, 4, or 4c.

6. Copy the patch file to the appropriate directory, and set the ownership and permissions of the utility:

      # cp {architecture}/in.telnetd /usr/etc/in.telnetd
      # chown root.staff /usr/etc/in.telnetd
      # chmod 755 /usr/etc/in.telnetd

7. Kill any existing telnet processes that may be running.

      # ps ugax | grep in.telnetd
      # kill -9 ####

   where #### is the number of each in.telnetd process found in the previous command. Please note that this command may disrupt ongoing sessions of users attempting to use the system. As an alternative to this step, you may consider rebooting the computer, allowing time for all current users to log out.

Once you have verified that the new version of telnet is operational, it is advisable to delete the unpatched version of the utility (/usr/etc/in.telnetd.FCS) to prevent its unauthorized use.

For additional information or assistance, please contact CIAC:
   Tom Longstaff (415) 423-4416 or (FTS) 543-4416
   Call CIAC at (415) 422-8193 or (FTS) 532-8193 or send e-mail to ciac@cheetah.llnl.gov.
   Send FAX messages to: (415) 423-0913 or (FTS) 543-0913

Sun Microsystems provided information contained in this bulletin.
_____________________________________________________
The Computer Incident Advisory Capability
_____________________________________________________

Information Bulletin

March 28, 1991, 1200 PST
Number B-21

Patch Available for SunOS 4.0.3 in.telnetd and in.rlogind
________________________________________________________________________
PROBLEM:   SunOS version 4.0.3 in.telnetd and in.rlogind may send output to an unauthorized user.
PLATFORM:  All Sun3 and Sun4 computers running SunOS 4.0.3.
DAMAGE:    May allow unauthorized access to the system.
SOLUTIONS: Patch/update available from Sun as patch file 100125-03.tar.Z
IMPACT OF PATCH: Vulnerability eliminated. No other side-effects reported.
________________________________________________________________________

Critical Information about in.telnetd and in.rlogind Patch

CIAC information bulletin B-20 describes a problem with in.telnetd on Sun 3 and Sun 4 computers. The current bulletin contains a correction to part of the information in the previous bulletin concerning the applicability and installation of a patch for SunOS 4.0.3 systems. Bulletin B-21 also provides information on an additional patch for a similar problem with in.rlogind in SunOS 4.0.3 systems. SunOS 4.1 or 4.1.1 systems are subject to the problem with in.telnetd but not to the problem with in.rlogind. For these systems, in.telnetd should be patched using the procedures listed in bulletin B-20.

The Sun Microsystems patch described in bulletin B-20 may not work on some SunOS 4.0.3 systems. This vendor has, therefore, created a fix for the in.telnetd and in.rlogind utilities to patch SunOS 4.0.3 systems. If not patched, these utilities may allow unauthorized access to systems. The patch is available from Sun Microsystems as the updated Patch ID# 100125-03 (this number is required to order this patch from the Sun Answer Center). This patch is also available via anonymous ftp at uunet.uu.net (IP# 192.48.96.2) in the file sun-dist/100125-03.tar.Z. This patch file does not contain installation instructions. We recommend the following installation procedures, which supersede the procedures listed in bulletin B-20 for SunOS 4.0.3 systems:

1. Log in as root on the system to be repaired.

2. Disable the flawed versions of in.telnetd and in.rlogind with the following commands:

      # mv /usr/etc/in.telnetd /usr/etc/in.telnetd.FCS
      # mv /usr/etc/in.rlogind /usr/etc/in.rlogind.FCS
      # chmod 600 /usr/etc/in.telnetd.FCS /usr/etc/in.rlogind.FCS

3. Obtain the patch file 100125-03.tar.Z (either from Sun or a trusted anonymous FTP site such as uunet.uu.net).

4. Uncompress the patch file:

      # uncompress 100125-03.tar.Z

5. Extract the patch files appropriate to your architecture (either sun3, sun3x, sun4, or sun4c -- contact your Sun representative if you do not know which architecture you have) and your operating system level (either 4.0.3 or 4.0.3c):

      # tar xf 100125-03.tar {architecture}/4.0.3/in.telnetd
      # tar xf 100125-03.tar {architecture}/4.0.3/in.rlogind

   where {architecture} is one of sun3, sun3x, sun4, or sun4c*.

6. Copy the patch files to the appropriate directory, and set the ownership and permissions of the utilities:

      # cp {architecture}/4.0.3/in.telnetd /usr/etc/in.telnetd
      # cp {architecture}/4.0.3/in.rlogind /usr/etc/in.rlogind
      # chown root.staff /usr/etc/in.telnetd /usr/etc/in.rlogind
      # chmod 711 /usr/etc/in.telnetd /usr/etc/in.rlogind

7. Kill any existing telnet and rlogin processes that may be running.

      # ps gax | grep in.telnetd
      # ps gax | grep in.rlogind
      # kill -9 ####

   where #### is the number of each in.telnetd and in.rlogind process found in the previous ps commands. Please note that this command may disrupt ongoing sessions of users attempting to use the system. As an alternative to this step, you may consider rebooting the computer, allowing time for all current users to log out.

Once you have verified that the new versions of telnet and rlogin are operational, it is advisable to delete the unpatched versions of the utilities (/usr/etc/in.telnetd.FCS and /usr/etc/in.rlogind.FCS) to prevent their unauthorized use.

For additional information or assistance, please contact CIAC:
   Tom Longstaff (415) 423-4416 or (FTS) 543-4416
   During working hours call CIAC at (415) 422-8193 or (FTS) 532-8193 or send e-mail to ciac@cheetah.llnl.gov.
   Send FAX messages to: (415) 423-0913 or (FTS) 543-0913.

_____
* - Note that for Sun4c systems, the correct files are sun4c/4.0.3c/in.telnetd and sun4c/4.0.3c/in.rlogind.

CERT/CC provided some of the information used in this bulletin.
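The B-20 and B-21 replacement procedures, scripted as an added example (not CIAC's or Sun's own script): every step runs under a PREFIX directory so it can be rehearsed in a scratch tree before it is run as root against a live /usr/etc. The function names, the PREFIX layout and the sample ps output are constructed; PID extraction assumes BSD-style "ps gax" output (PID in the first column), and the installed mode follows B-21 (711).

```shell
#!/bin/sh
# Added example: rehearsal of the B-20/B-21 daemon replacement under PREFIX.
# Not CIAC's or Sun's own script; paths below PREFIX are constructed.

# PIDs of in.telnetd / in.rlogind from BSD "ps gax"-style output on stdin
# (PID is the first column); the grep line itself is excluded.
daemon_pids() {
    awk '/in\.(telnetd|rlogind)/ && !/grep/ { print $1 }'
}

# Step 7: terminate daemons still running the old binary; reads ps output on
# stdin, e.g.  ps gax | kill_old_daemons  (interactive sessions may be dropped).
kill_old_daemons() {
    for pid in $(daemon_pids); do kill -9 "$pid"; done
}

# Ten-character mode string ("-rwx--x--x") of a path; cut drops any ACL/SELinux
# marker some ls variants append in column 11.
mode_of() {
    ls -ld "$1" | cut -c1-10
}

# Step 2: retire the flawed daemon NAME as NAME.FCS with mode 600.
disable_daemon() {            # disable_daemon PREFIX NAME
    mv "$1/usr/etc/$2" "$1/usr/etc/$2.FCS" &&
    chmod 600 "$1/usr/etc/$2.FCS"
}

# Steps 5-6: install the extracted 4.0.3 patch binary for ARCH with mode 711.
# chown is only attempted as root; the "staff" group may not exist off SunOS,
# so ownership falls back to root alone in that case.
install_daemon() {            # install_daemon PREFIX ARCH NAME
    src="$1/$2/4.0.3/$3"
    dst="$1/usr/etc/$3"
    [ -f "$src" ] || { echo "patch file $src missing" >&2; return 1; }
    cp "$src" "$dst" || return 1
    if [ "$(id -u)" -eq 0 ]; then
        chown root:staff "$dst" 2>/dev/null || chown root "$dst"
    fi
    chmod 711 "$dst"
}

# Post-install check: the new binary is 711 and the retired copy is 600, so the
# old daemon cannot be executed by anyone but root until it is deleted.
verify_daemon() {             # verify_daemon PREFIX NAME
    [ "$(mode_of "$1/usr/etc/$2")" = "-rwx--x--x" ] &&
    [ "$(mode_of "$1/usr/etc/$2.FCS")" = "-rw-------" ]
}
```

Once the rehearsal passes, the same functions run with PREFIX=/ as root perform the bulletin's steps 2, 6 and 7 on the live system.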
_____________________________________________________
The Computer Incident Advisory Capability
_____________________________________________________

Information Bulletin

April 4, 1991, 1630 PST
Number B-22

Attempts by Network Intruders to Obtain Passwords
_______________________________________________________________________
PROBLEM:   Network intruders are sending bogus e-mail messages or calling users, instructing them to change or supply their password.
PLATFORM:  Computers connected to the Internet
DAMAGE:    May allow unauthorized access to user accounts.
SOLUTIONS: Inform users to contact site authorities in case of such attempts; do not comply with any such requests without appropriate verification.
______________________________________________________________________

Critical Information about Attempts to Obtain Passwords

We have received numerous reports that network intruders have recently been attempting to deceive Internet users into supplying their passwords. These intruders are using the passwords obtained to gain unauthorized access to systems. The two patterns used by these intruders include sending bogus e-mail messages instructing users to change passwords to a designated password (known by the intruders), and calling users and instructing them to reveal their password:
1. A bogus electronic mail message instructs users of UNIX systems to change their password to a new password supplied in the mail message. Although these messages appear to originate from the local root account, they usually originate from a remote machine used by the sender. If a user follows the instructions given in the mail message, the intruder is able to gain unauthorized access to the user's account from a remote location. Several variations of these e-mail messages have been observed. One such example follows:

   Sample Bogus Electronic Mail Message (includes grammatical and spelling errors)

   {Header, which may or may not appear to originate locally}
   From: root
   To: user
   Subject: This is the system administration:

   Because of security faults, we request that you change your password to "systest001". This change is MANDATORY and should be done IMMEDIATLY. You can make this change by typing "passwd" at the shell prompt. Then, follow the directions from there on. Again, this change should be done IMMEDIATLY. We will inform you when to change your password back to normal, which should not be longer than ten minutes.

   Thank you for your cooperation,
   The system administration (root)

   ------------------ End of Bogus Electronic Mail Message -----------------------

   There is currently no practical method to prevent delivery of these bogus messages. It is important, therefore, for users to understand that messages received via electronic mail are not necessarily from the identified sender, and that they should phone or personally contact their system manager and/or site security officer immediately after receiving such a request.

2. Network intruders have been telephoning users and system managers, masquerading as computer security officers or maintenance personnel. These intruders typically invent a story about a serious problem with a user's system or account. The intruder then asks (or demands) the user's password immediately for the alleged purpose of fixing this problem. Again, it is important for users to understand this threat, and to directly contact the appropriate authority at your site immediately after receiving such a phone call.

Should either of the above attempts to compromise systems be observed at your site, please also contact CIAC to assist us in tracking the current rash of network intrusions.

For additional information or assistance, please contact CIAC:
   Tom Longstaff (415) 423-4416 or (FTS) 543-4416, longstaf@cheetah.llnl.gov
   During working hours call CIAC at (415) 422-8193 or (FTS) 532-8193 or send e-mail to ciac@cheetah.llnl.gov.
   Send FAX messages to: (415) 423-0913 or (FTS) 543-0913.

Several anonymous users and CERT/CC provided part of the information contained in this bulletin.
_____________________________________________________
The Computer Incident Advisory Capability
           ___  __ __    _     ___
          /       |     / \   /
          \___  __|__  /___\  \___
_____________________________________________________

                      Information Bulletin

May 1, 1991, 1200 PDT                                       Number B-24

                 Ultrix V4.0 and V4.1 Vulnerability
________________________________________________________________________
PROBLEM:    /usr/bin/chroot is installed with the setuid bit set.
PLATFORM:   DEC Ultrix V4.0 and V4.1, all architectures.
DAMAGE:     Allows authorized users to gain unauthorized privileges.
SOLUTIONS:  Fixed in Ultrix V4.2. Manually change file mode of
            /usr/bin/chroot to 700 for Ultrix V4.0 and V4.1.
IMPACT OF WORKAROUND: Non-privileged users no longer have access to the
            chroot command.
_______________________________________________________________________

Critical /usr/bin/chroot Vulnerability Facts

CIAC has been advised of a vulnerability in DEC's Ultrix V4.0 and V4.1
operating systems running on all architectures. DEC is aware of this
problem, and has corrected it in Ultrix V4.2. The DEC provided fix for
Ultrix V4.0 and V4.1 is:

   (login as root)
   # chmod 700 /usr/bin/chroot
   # ls -l /usr/bin/chroot
   (verify the file protections are "-rwx------")

For additional information or assistance, please contact CIAC:

   Hal Brand
   (415) 422-6312 or (FTS) 532-6312, or

Call CIAC at (415) 422-8193 or (FTS) 532-8193 or send e-mail to
ciac@cheetah.llnl.gov. Send FAX messages to: (415) 423-0913 or (FTS)
543-0913
_____

The CERT/CC and Digital Equipment Corporation provided information
contained in this bulletin.

_____________________________________________________
The Computer Incident Advisory Capability
_____________________________________________________

                      Information Bulletin

May 15, 1991, 1500 PDT                                      Number B-25

          Configuration Problems in the NeXT Operating System
_______________________________________________________________________
PROBLEM:    Three separate configuration problems exist in the NeXT
            operating system.
PLATFORM:   NeXT computers using all NeXT Software Releases through and
            including Release 2.1.
DAMAGE:     May allow unauthorized or unintended access to system
            resources.
SOLUTIONS:  Implement enclosed configuration modifications described
            below if warranted by the needs of your operational
            environment.
______________________________________________________________________

CIAC has been informed of three separate configuration problems in the
NeXT operating system that can affect the security of these systems:

1. rexd(8C), the remote program execution daemon, is enabled by default.
The NeXT remote program execution daemon, rexd(8C), allows remote users
to execute processes on a NeXT computer. It is enabled by default. The
rexd server provides only minimal authentication and is often not enabled
by sites concerned about security. No software provided by NeXT is known
to use rexd. Therefore, unless you currently use the rexd facility, CIAC
recommends that you comment out the line in the Internet services
daemon's configuration file (note 1).

To do this, login to your NeXT computer as the root user. You should be
prompted by a system prompt that ends in the character "#". Edit the file
/etc/inetd.conf and locate the line:

   rexd/1  stream  rpc/tcp  wait  root  /usr/etc/rpc.rexd  rpc.rexd

Then, insert a "#" character before rexd/1 to change the line to the
following:

   #rexd/1  stream  rpc/tcp  wait  root  /usr/etc/rpc.rexd  rpc.rexd

Save this file and return to the root system prompt. Then either reboot
your system (note 2) or instruct inetd to use the updated /etc/inetd.conf
by entering the following command:

   kill -HUP <pid>

where <pid> is the process identifier for inetd that can be found by
entering the command:

   ps -aux | grep inetd | grep -v grep

The number displayed in the second column is your <pid>.

2. The NeXT supplied username "me" is a member of the "wheel" group.

A user who logs into a NeXT computer using the username "me" can use the
su(8) command to become the root user. Although the user must still enter
the root password, CIAC believes that you should be aware of this default
configuration because "me" is the only user account (besides "root")
supplied with a NeXT computer. (The "me" and "root" accounts are also
supplied without passwords. Please ensure that you properly password
these accounts after your initial bootup.)

To remove this potential problem, edit the /etc/group file as the root
user to remove "me" from the "wheel" group. Change the line:

   wheel:*:0:root,me

to

   wheel:*:0:root

and save your changes. You will need to reboot your NeXT computer because
this file is only read during system bootstrap.

3. The "wheel" group has write permission on /private/etc.

Default permissions on the /private/etc directory allow all members of
the group "wheel" to remove and add files to that directory, although
this does not constitute a serious problem. To remove group write
permission from /private/etc, enter the following command as root:

   chmod g-w /private/etc
_____
1 This modification is unnecessary in releases earlier than 2.0 because
  the program invoked by inetd via this configuration file
  (/usr/etc/rpc.rexd or /usr/etc/rexd) is not preloaded on versions
  earlier than 2.0 (exception--Version 0.9--please call us for more
  information about this version). You may, however, nevertheless want to
  make this modification to assure yourself or other system managers that
  rexd is disabled.

2 Changes specified in the next section of this bulletin also require a
  reboot. Therefore, if you intend to implement these additional
  modifications as well, you need to reboot only once after all changes
  are applied.

For additional information or assistance, please contact CIAC:

   Kenneth L. Pon
   (415) 422-1783 or (FTS) 532-1783
   pon@cheetah.llnl.gov

During working hours call CIAC at (415) 422-8193 or (FTS) 532-8193 or
send e-mail to ciac@cheetah.llnl.gov. Send FAX messages to: (415)
423-0913 or (FTS) 543-0913.

The Computer Emergency Response Team/Coordination Center (CERT/CC) and
Alan Marcum provided some of the information contained in this bulletin.
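The three checks and edits this bulletin walks through, as an added example that is not code from CIAC or NeXT: it audits an inetd.conf, a group file and an etc directory for the rexd line, the "me" wheel membership and group write permission, applies the documented corrections, and is run here on constructed copies (paths are arguments, so nothing in /etc is touched by accident).

```shell
#!/bin/sh
# Added example (not from CIAC B-25 or NeXT): check and correct the three
# configuration items in B-25 on copies of the files, so the edits can be
# rehearsed on constructed samples before being made as root on a live NeXT.

# Return 0 if FILE (an inetd.conf) still has an active rexd/1 service line.
rexd_enabled() {
    grep -q '^[[:space:]]*rexd/1[[:space:]]' "$1"
}

# Comment out every active rexd/1 line in FILE, as the bulletin does by hand.
disable_rexd() {
    sed 's!^\([[:space:]]*\)rexd/1!\1#rexd/1!' "$1" > "$1.tmp" && mv "$1.tmp" "$1"
}

# Return 0 if user "me" is a member of the wheel group in FILE (an /etc/group).
me_in_wheel() {
    grep '^wheel:' "$1" | cut -d: -f4 | tr ',' '\n' | grep -qx 'me'
}

# Drop "me" from the wheel member list in FILE, leaving every other line alone.
remove_me_from_wheel() {
    awk -F: 'BEGIN { OFS = ":" }
        $1 == "wheel" {
            n = split($4, m, ","); out = ""
            for (i = 1; i <= n; i++)
                if (m[i] != "me") out = (out == "" ? m[i] : out "," m[i])
            $4 = out
        }
        { print }' "$1" > "$1.tmp" && mv "$1.tmp" "$1"
}

# Return 0 if DIR is group-writable (the shipped default for /private/etc).
group_writable() {
    [ "$(ls -ld "$1" | cut -c6)" = "w" ]
}

# audit INETD_CONF GROUP_FILE ETC_DIR: one line per finding; 0 only if clean.
audit() {
    n=0
    rexd_enabled "$1"   && { echo "FINDING: rexd enabled in $1"; n=$((n+1)); }
    me_in_wheel "$2"    && { echo "FINDING: \"me\" is in group wheel in $2"; n=$((n+1)); }
    group_writable "$3" && { echo "FINDING: $3 is group-writable"; n=$((n+1)); }
    [ "$n" -eq 0 ]
}

# fix_all INETD_CONF GROUP_FILE ETC_DIR: the three corrections from the bulletin.
fix_all() {
    disable_rexd "$1"; remove_me_from_wheel "$2"; chmod g-w "$3"
}

# Constructed samples (not a real NeXT's files) so the script runs anywhere.
make_samples() {
    mkdir -p "$1/etc"
    cat > "$1/inetd.conf" <<'EOF'
ftp stream tcp nowait root /usr/etc/ftpd ftpd
rexd/1 stream rpc/tcp wait root /usr/etc/rpc.rexd rpc.rexd
EOF
    cat > "$1/group" <<'EOF'
wheel:*:0:root,me
daemon:*:1:daemon
EOF
    chmod 775 "$1/etc"
}

tmp=$(mktemp -d)
make_samples "$tmp"
audit "$tmp/inetd.conf" "$tmp/group" "$tmp/etc" || echo "-- applying fixes"
fix_all "$tmp/inetd.conf" "$tmp/group" "$tmp/etc"
audit "$tmp/inetd.conf" "$tmp/group" "$tmp/etc" && echo "clean"
rm -rf "$tmp"
```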
_____________________________________________________
The Computer Incident Advisory Capability
_____________________________________________________

                      Information Bulletin

May 16, 1991, 1330 PST                                      Number B-26

   Inconsistent Directory and File Permissions in SunOS 4.1 and 4.1.1
________________________________________________________________________
PROBLEM:    SunOS versions 4.1 and 4.1.1 have several inconsistent file
            and directory permissions.
PLATFORM:   Sun computer architectures sun3, sun3x, sun4, and sun4c that
            run SunOS 4.1 or SunOS 4.1.1.
DAMAGE:     May allow unauthorized or unintended user access to files.
SOLUTIONS:  Patch/update available from Sun via Patch-ID# 100103-06 or
            through anonymous ftp from uunet.uu.net or from CIAC.
IMPACT OF PATCH: File and directory permissions set to intended
            permissions. No other side-effects reported.
________________________________________________________________________

Critical Information about Inconsistent Directory and File Permissions

CIAC has discovered inconsistent directory and file permissions on Sun
Microsystems computers that run the SunOS 4.1 and 4.1.1 operating
systems. A patch is available from Sun Microsystems as the updated Patch
ID# 100103-06 (this number is required to order this patch from the Sun
Answer Center). Sun Microsystems, Inc. states that this patch is
applicable to Sun architectures sun3, sun3x, sun4, and sun4c. This patch
is also available via anonymous ftp at uunet.uu.net (IP address
192.48.96.2) in the file sun-dist/100103-06.tar.Z or from CIAC. If you
need assistance in obtaining this patch by anonymous ftp or extracting
compressed files, please use the instructions in the appendix of this
bulletin.

For additional information or assistance, please contact CIAC:

   Kenneth L. Pon
   (415) 422-1783 or (FTS) 532-1783
   pon@cheetah.llnl.gov
      or
   Hal Brand
   (415) 422-0039 or (FTS) 532-0039
   brand@addvax.llnl.gov

During working hours call CIAC at (415) 422-8193 or (FTS) 532-8193 or
send e-mail to ciac@llnl.gov. Send FAX messages to: (415) 423-0913 or
(FTS) 543-0913.
_________________________________________________________________________

                               Appendix

   Instructions for Obtaining Patch using ftp anonymous and Extracting
   Compressed Files

The string "%" is the default UNIX csh(1) prompt; the string "ftp>" is
the ftp(1C) prompt. In the procedure described below, the text displayed
after these prompts on the same line as the prompts is what you must
enter. Text displayed on any line without a prompt is what the system
replies in response. System dialogue is indented to distinguish it from
surrounding comments.

First log into your system and find a place (e.g., a writeable directory)
to put the patch. In this example, a directory is made for the patch.
Note that you do not need to login as root to obtain the patch. However,
you need to be root to apply the patch.

   % mkdir newpatch
   % cd newpatch

Next ftp to uunet.uu.net. Login as "anonymous" and enter your identity
(in the following example, "pon") as your password. Your password will
not be echoed. Then use the following procedure to obtain
100103-06.tar.Z.

   % ftp uunet.uu.net
   Connected to uunet.uu.net.
   220 uunet FTP server (Version 5.100 Mon Feb 11 17:13:28 EST 1991) ready.
   Name (uunet.uu.net:pon): anonymous
   331 Guest login ok, send ident as password.
   Password:
   230 Guest login ok, access restrictions apply.
   ftp> cd sun-dist
   250 CWD command successful.
   ftp> ls
   200 PORT command successful.
   150 Opening ASCII mode data connection for file list.
   100100-01.tar.Z
   100108-01.tar.Z
   100125-04.tar.Z
   100133-01.tar.Z
   100184-02.tar.Z
   100187-01.tar.Z
   100188-01.tar.Z
   100201-02.tar.Z
   100224-02.tar.Z
   100251-01.tar.Z
   100103-06.tar.Z
   README.sendmail
   226 Transfer complete.
   204 bytes received in 0.033 seconds (6 Kbytes/s)
   ftp> binary
   200 Type set to I.
   ftp> get 100103-06.tar.Z
   200 PORT command successful.
   150 Opening BINARY mode data connection for 100103-06.tar.Z (3830 bytes).
   226 Transfer complete.
   local: 100103-06.tar.Z remote: 100103-06.tar.Z
   3830 bytes received in 0.0039 seconds (9.7e+02 Kbytes/s)
   ftp> quit
   221 Goodbye.
   %

Now extract the usable files from the compressed (evident by the "Z"
suffix), tar (tape archive) file that you just ftp'ed.

   % uncompress 100103-06.tar.Z

This will uncompress 100103-06.tar.Z into 100103-06.tar. To see what
files are archived on the 100103-06.tar file, use the following command:

   % tar tvf 100103-06.tar
   rw-r--r-- 0/0   8106 May 14 10:23 1991 4.1secure.sh
   rw-r--r-- 0/0    692 May  9 10:30 1991 README

Now extract the two files from tar format:

   % tar xvf 100103-06.tar
   x 4.1secure.sh, 8106 bytes, 16 tape blocks
   x README, 692 bytes, 2 tape blocks

The README file contains instructions for applying the patch. Note that
the patch needs to be applied by user root.
__________________________________________________________________________

Brad Powell provided some of the information used in this bulletin.
_____________________________________________________
The Computer Incident Advisory Capability
_____________________________________________________

                      Information Bulletin

May 16, 1991, 1500 PST                                      Number B-27

                  sunsrc setuid Installation Problem
_________________________________________________________________________
PROBLEM:    Setuid security problem resulting from installing sunsrc
PLATFORM:   SunOS systems in which Sun Source tapes have been installed
DAMAGE:     May allow unauthorized root access
SOLUTIONS:  Modify permissions for /usr/release/bin/ and/or edit the
            makefile in sunsrc/release and change SETUID definition
_________________________________________________________________________

Critical Facts about sunsrc setuid Installation Problem

Sun Microsystems has recently released a security bulletin (#00107)
describing a problem resulting from installing sunsrc (distribution of
sources). It is important to note that this problem affects only SunOS
systems that have installed Sun Source tapes.

A directory, /usr/release/bin, is created when sunsrc is installed. Two
binary files, makeinstall and winstall, are then installed in this
directory. Both of these files are setuid root. Because these files exec
other programs, "make -k install" (makeinstall) and "install" (winstall),
an unauthorized user may become root. The Sun Bug ID is 1059621.

To fix this problem, Sun Microsystems recommends that you follow both of
the following procedures as root:

1. If the sources have already been installed, use the command:

      chmod ug-s /usr/release/bin/{makeinstall,winstall}

   to reset setuid bits in makeinstall and winstall. (The brace list must
   contain no space after the comma, or the shell will not expand it to
   the two file names.)

2. Remove the makeinstall and winstall entries from the SETUID definition
   in sunsrc/release/makefile. This will insure that new setuid programs
   called makeinstall and winstall will not be re-installed inadvertently
   the next time root does a make(1). The line in the makefile should be
   changed from

      SETUID=makeinstall unmount winstall .mountit

   to

      SETUID=unmount .mountit

For additional information or assistance, please contact CIAC:

   Eugene Schultz
   (415) 422-7781 or (FTS) 532-7781
   gschultz@cheetah.llnl.gov

Call CIAC at (415) 422-8193 or (FTS) 532-8193 or send e-mail to
ciac@cheetah.llnl.gov. Send FAX messages to: (415) 423-0913 or (FTS)
543-0913.

Sun Microsystems provided some of the information used in this bulletin.
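A way to confirm that the file-mode fixes from B-24 (chroot to 700) and B-27 (makeinstall and winstall stripped of setuid, SETUID= line edited) actually took effect, as an added example that is not CIAC's, DEC's or Sun's code: it inventories set-id files under a tree, checks a manifest of intended modes against ls -l, and rewrites the makefile's SETUID= line. It runs here against a constructed directory tree and makefile, never the real root.

```shell
#!/bin/sh
# Added example (not CIAC's, DEC's or Sun's code): verify that the B-24 and
# B-27 fixes took effect, by (1) listing every set-id file under a tree,
# (2) comparing a manifest of expected modes against "ls -l", and
# (3) rewriting the SETUID= line of sunsrc/release/makefile.
# Run here against a constructed tree under a temp directory, not /.

# Symbolic mode of FILE exactly as "ls -l" prints it (e.g. -rwx------).
mode_of() {
    ls -ld "$1" | cut -c1-10
}

# Every regular file under DIR with the setuid or setgid bit set, one per line.
list_setid() {
    find "$1" -type f \( -perm -4000 -o -perm -2000 \) | sort
}

# check_manifest ROOT MANIFEST: MANIFEST holds "path expected-mode" lines
# (blank lines and #-comments ignored). Prints one line per missing file or
# mode mismatch; returns 0 only if every entry matches.
check_manifest() {
    bad=0
    while read -r path want; do
        case "$path" in ''|\#*) continue ;; esac
        if [ ! -e "$1$path" ]; then
            echo "MISSING  $path"; bad=1; continue
        fi
        have=$(mode_of "$1$path")
        if [ "$have" != "$want" ]; then
            echo "MISMATCH $path: have $have, want $want"; bad=1
        fi
    done < "$2"
    return $bad
}

# B-27 step 2: drop makeinstall and winstall from the SETUID= definition.
fix_setuid_definition() {
    awk '/^SETUID=/ {
            sub(/^SETUID=/, ""); n = split($0, w, /[ \t]+/); out = ""
            for (i = 1; i <= n; i++)
                if (w[i] != "" && w[i] != "makeinstall" && w[i] != "winstall")
                    out = (out == "" ? w[i] : out " " w[i])
            $0 = "SETUID=" out
        }
        { print }' "$1" > "$1.tmp" && mv "$1.tmp" "$1"
}

# The documented fixes, applied under ROOT instead of /.
apply_fixes() {
    chmod 700 "$1/usr/bin/chroot"                                              # B-24
    chmod ug-s "$1/usr/release/bin/makeinstall" "$1/usr/release/bin/winstall"  # B-27 step 1
    fix_setuid_definition "$1/sunsrc/release/makefile"                         # B-27 step 2
}

# Constructed tree reproducing the shipped (setuid) modes; not a real system.
make_tree() {
    mkdir -p "$1/usr/bin" "$1/usr/release/bin" "$1/sunsrc/release"
    : > "$1/usr/bin/chroot";             chmod 4755 "$1/usr/bin/chroot"
    : > "$1/usr/release/bin/makeinstall"; chmod 4755 "$1/usr/release/bin/makeinstall"
    : > "$1/usr/release/bin/winstall";    chmod 4755 "$1/usr/release/bin/winstall"
    echo 'SETUID=makeinstall unmount winstall .mountit' > "$1/sunsrc/release/makefile"
    cat > "$1/manifest" <<'EOF'
# path                         expected mode after the fix
/usr/bin/chroot                -rwx------
/usr/release/bin/makeinstall   -rwxr-xr-x
/usr/release/bin/winstall      -rwxr-xr-x
EOF
}

root=$(mktemp -d)
make_tree "$root"
echo "set-id files before:"; list_setid "$root"
check_manifest "$root" "$root/manifest" || echo "-- applying fixes"
apply_fixes "$root"
check_manifest "$root" "$root/manifest" && echo "all modes as intended"
echo "set-id files after:"; list_setid "$root"
grep '^SETUID=' "$root/sunsrc/release/makefile"
rm -rf "$root"
```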
_____________________________________________________
The Computer Incident Advisory Capability
_____________________________________________________

                      Information Bulletin

May 23, 1991, 0900 PST                                      Number B-28

             AT&T System V Release 4 Patch for /bin/login
-----------------------------------------------------------------------------
PROBLEM:    /bin/login may be improperly installed in System V Release 4
            based systems
PLATFORM:   All systems based on System V Release 4 may be affected
DAMAGE:     May allow unauthorized root access
SOLUTIONS:  Modify permissions for /bin/login and/or install a patch
            provided by the vendor
-----------------------------------------------------------------------------

Critical Facts about System V Release 4 problem

CIAC has learned of a potential vulnerability in the AT&T System V
Release 4 version of the /bin/login program. This program is used to
initially log users into the system, and if unpatched, may be used to
gain unauthorized system privileges (root).

For AT&T computer system customers, a patch is available to replace the
/bin/login program. Contact AT&T Computer Systems at (800) 922-0354 to
obtain the patch. The patch numbers are #156 for 3.5" media, or #157 for
5.25" media.

If this patch is not available for your system, AT&T and CIAC recommend
the following workaround be used until a patch becomes available from the
individual vendor providing system software support.

1) Login to the system as root and execute the command:

      chmod 500 /bin/login

The impact of this workaround will be to disallow the use of the login
command from non-root users (this will not affect the login sequence
normally used by the system).

For additional information or assistance, please contact CIAC:

   Tom Longstaff
   (415) 423-4416 or (FTS) 543-4416
   longstaf@llnl.gov

During working hours call CIAC at (415) 422-8193 or (FTS) 532-8193 or
send e-mail to ciac@cheetah.llnl.gov. For non-working hour emergencies,
call (800) SKY PAGE, then enter 855-0070 or 855-0074. (THIS IS A NEW
EMERGENCY NUMBER!) Send FAX messages to: (415) 423-0913 or (FTS)
543-0913.

The assistance of the Computer Emergency Response Team/Coordination
Center (CERT/CC) and AT&T is gratefully acknowledged.

_____________________________________________________
The Computer Incident Advisory Capability
_____________________________________________________

                      Information Bulletin

June 3, 1991, 1100 PST                                      Number B-30

                          SunOS lpd Problem
_________________________________________________________________________
PROBLEM:    The SunOS 4.1 and 4.1.1 line printer spooler daemon (lpd) has
            a flaw that allows unauthorized deletion of files.
PLATFORM:   Sun3, sun3x, sun4, sun4c architectures running SunOS 4.1 and
            4.1.1
DAMAGE:     Unauthorized file deletions can occur
SOLUTIONS:  Apply patch-ID# 100305-01
_________________________________________________________________________

Critical Facts About lpd Problem

Sun Microsystems has recently released a security bulletin (#00108)
concerning a problem with the line printer spooler daemon (lpd). This
problem can allow an unauthorized person to use the SunOS 4.1 and 4.1.1
lpd to delete files.

Sun Microsystems has provided corrected lpd files for the various
architectures and versions of SunOS affected. These files are in the
compressed tarfile 100305-01.tar.Z. This file can be obtained from Sun by
specifying "Patch-ID# 100305-01". Alternately, the file can be obtained
via anonymous FTP from ftp.uu.net as "sun-dist/100305-01.tar.Z". The
checksum (sum(1V)) of the file 100305-01.tar.Z is "31440 239".

Instructions for obtaining this patch from ftp.uu.net are:

   (Login as root)
   # ftp ftp.uu.net
   ...
   Name (ftp.uu.net:root): anonymous
   331 Guest login ok, send ident as password.
   Password:
   230 Guest login ok, access restrictions apply.
   ftp> cd sun-dist
   ftp> binary
   ftp> get 100305-01.tar.Z
   ...
   ftp> quit
   #

Instructions for applying this patch are:

   (Login as root)
   (cd to directory containing the compressed tar patch file)
   (Verify the integrity of the compressed tar patch file.
   # sum 100305-01.tar.Z
   31440 239
   (If the numbers you get are not these, DO NOT proceed!  You have a bad
   ( patch file.  Delete the patch file and try to obtain a proper copy.
   # uncompress 100305-01.tar.Z
   # mkdir sunpatch
   # cd sunpatch
   # tar xvf ../100305-01.tar
   (Kill the running lpd:
   # ps -ax | grep lpd
   (You should see something like:
   (   134 ?  IW   0:00 /usr/lib/lpd
   ( 26753 p5 S    0:00 grep lpd
   ( Insert the "pid" (the first number on the line) of /usr/lib/lpd into
   ( the next command, i.e. in this case, one would substitute 134.
   ( If you have more than one copy of lpd running, repeat the "kill -9"
   ( command for each "pid" found.
   # kill -9 {pid of /usr/lib/lpd}
   (Save old lpd
   # mv /usr/lib/lpd /usr/lib/lpd.FCS
   # chmod 100 /usr/lib/lpd.FCS
   (copy the upgraded lpd file to /usr/lib
   ( Substitute as appropriate for your architecture and SunOS version:
   # cp sun{3,3x,4,4c}/{4.1,4.1.1}/lpd /usr/lib/lpd
   # chmod 6755 /usr/lib/lpd
   # chown root /usr/lib/lpd
   # chgrp daemon /usr/lib/lpd
   (Verify your work:
   # ls -lg /usr/lib/lpd
   -rwsr-sr-x  1 root     daemon   ????? ??? ?? ??:?? /usr/lib/lpd
   (Restart the lpd daemon:
   # rm -f /dev/printer /var/spool/lpd.lock
   # /usr/lib/lpd
   (Verify that the lpd daemon restarted:
   # ps -ax | grep lpd
   (Cleanup:
   # cd ..
   # rm -r sunpatch
   # rm 100305-01.tar

For additional information or assistance, please contact CIAC:

   Hal Brand
   (415) 422-6312 or (FTS) 532-6312
   brand@addvax.llnl.gov

Call CIAC at (415) 422-8193 or (FTS) 532-8193 or send e-mail to
ciac@cheetah.llnl.gov. Send FAX messages to: (415) 423-0913 or (FTS)
543-0913.

Sun Microsystems provided some of the information used in this bulletin.
_____________________________________________________
The Computer Incident Advisory Capability
_____________________________________________________

                      Information Bulletin

June 25, 1991, 1500 PST                                     Number B-31

              CRAY UNICOS 6.0 and 6.1 accton vulnerability
_________________________________________________________________________
PROBLEM:    A flaw in accton allows unauthorized users limited root
            privileges
PLATFORM:   6.0 and later versions of CRAY UNICOS
DAMAGE:     Unauthorized read access to files, including sensitive and
            system files; any user can turn system accounting on or off
SOLUTIONS:  Obtain and apply appropriate Cray mod as specified below
_________________________________________________________________________

Critical Facts About accton Problem

CIAC has learned of a bug in 6.0 and later versions of the CRAY UNICOS
operating system (CRAY SPR 45291) which allows an unauthorized user to
obtain read access to sensitive and system files. The bug also allows a
normal user to turn system accounting on or off.

Cray Research has developed architecture specific patches for this
vulnerability in the accton(1) command. The mod numbers and the
architectures for which they apply are listed below and can be obtained
by contacting your local technical support representative from Cray
Research.

   Architecture                                      mod
   ------------                                      ---
   X/Y 6.0                                           60c1act20477b
   C2 6.0                                            60c2act20477c
   X/Y 6.E/6.1 (any Y-MP/2E site would               6Ec1act20477b
                be running this level of UNICOS)
   C2 6.1 mod (this is not yet a                     6Ec2act20477c
               released level of UNICOS but it is
               running at field test sites)

For additional information or assistance, please contact CIAC:

   Kenneth L. Pon
   (415) 422-1783 or (FTS) 532-1783
   pon@cheetah.llnl.gov

Call CIAC at (415) 422-8193 or (FTS) 532-8193 or send e-mail to
ciac@llnl.gov. Send FAX messages to: (415) 423-0913 or (FTS) 543-0913.

James Ellis, Bryan Koch, and Elaine Stuber provided some of the
information used in this bulletin.

_____________________________________________________
The Computer Incident Advisory Capability
_____________________________________________________

                      Information Bulletin

July 8, 1991, 1100 PDT                                      Number B-32
________________________________________________________________________
PROBLEM:    Bug in /usr/bin/mail may allow users unauthorized access to a
            root shell
PLATFORM:   DEC VAX and RISC (DECStation and DECSystem) computers running
            versions of Ultrix prior to 4.2.
DAMAGE:     Potential for significant damage to system and unauthorized
            access to users' files once an intruder has gained root
            access.
SOLUTIONS:  Patch available through DEC Customer Support Center
            (1-800-332-8000) or CIAC.
________________________________________________________________________

Critical Facts about /usr/bin/mail Security Problem

A recently discovered bug in Ultrix /usr/bin/mail may allow a
non-privileged user to obtain unauthorized access to a root shell. This
problem applies to all Ultrix versions prior to 4.2 running on both the
VAX and DEC RISC (i.e. DECStation and DECSystem) architectures.

DEC has determined that the /usr/bin/mail program provided in Ultrix 4.2
does not contain this bug, and is compatible with Ultrix 4.1 systems.
However, version 4.2 of /usr/bin/mail has not been shown to be compatible
with versions of Ultrix previous to Ultrix version 4.1; upgrading to
Ultrix 4.2 or upgrading to Ultrix 4.1 and using the Ultrix 4.2
/usr/bin/mail program is required to eliminate this bug in these older
versions of Ultrix.

To update an Ultrix 4.1 system, you must first obtain the Ultrix 4.2
binary of /usr/bin/mail for your computer's architecture from DEC, CIAC,
or another compatible Ultrix 4.2 system and store it in a temporary
location (e.g., /tmp/mail). Next, use the following procedure:

   (Login as root - you must have root privilege to make this update.)
   # cd /usr/bin
   # mv mail mail-4.1
   # chmod 600 mail-4.1
   (Copy the Ultrix 4.2 binary to /usr/bin/mail, e.g., mv /tmp/mail /usr/bin/mail)
   # chown root mail
   # chgrp kmem mail
   # chmod 6755 mail

For additional information or assistance, please contact CIAC:

   Hal Brand
   (415) 422-6312 or (FTS) 532-6312
   brand@addvax.llnl.gov

Call CIAC at (415) 422-8193 or (FTS) 532-8193 or send e-mail to
ciac@cheetah.llnl.gov. Send FAX messages to: (415) 423-0913 or (FTS)
543-0913.

Tsutomu Shimomura and Digital Equipment Corporation (DEC) provided some
of the information contained in this bulletin.

From BRAND@addvax.llnl.gov Tue Jul  9 15:39:37 1991
Return-Path:
Received: from addvax.llnl.gov by (4.1/SMI-4.1)
        id AA12802; Tue, 9 Jul 91 15:32:33 PDT
Date: Tue, 9 Jul 91 15:30 PST
From: "Hal R. Brand, LLnL, 415-422-6312"
Subject: CIAC Bulletin B-33 - New SunOS lpd Problem
To: external@cheetah.llnl.gov, cert-system-info@nist.GOV
Message-Id: <4A75AD40177500EB27@addvax.llnl.gov>
X-Envelope-To: external@cheetah.llnl.GOV
X-Vms-To: in%"external@cheetah.llnl.gov",in%"cert-system-info@nist.gov"
Status: RO

NO RESTRICTIONS

_____________________________________________________
The Computer Incident Advisory Capability
_____________________________________________________

                      Information Bulletin

July 9, 1991, 1500 PDT                                      Number B-33

                        New SunOS lpd Problem
_________________________________________________________________________
PROBLEM:    The SunOS 4.1 and 4.1.1 line printer spooler daemon (lpd) has
            a flaw that allows unauthorized deletion of files.
PLATFORM:   Sun3, sun3x, sun4, sun4c, and sun386i architectures running
            SunOS 4.1 and 4.1.1.
DAMAGE:     Unauthorized file deletions can occur.
SOLUTIONS: Apply patch-ID# 100305-03.
_________________________________________________________________________

Critical Facts About New lpd Problem

In CIAC Bulletin B-30 we described a patch (100305-01) available from Sun
Microsystems to fix security bugs in the line printer spooler daemon
(lpd). We have since learned, however, that this patch does not eliminate
all security bugs in lpd. Sun Microsystems has recently released a new
patch (100305-03) to lpd. This new patch supersedes the old patch, and
prevents an unauthorized person from using lpd to delete files. You should
install this new patch (100305-03), even if you have installed the old
patch (100305-01).

Sun Microsystems has provided corrected lpd files for the various
architectures and versions of SunOS affected. These files are in the
compressed tarfile 100305-03.tar.Z. This file can be obtained from Sun by
specifying "Patch-ID# 100305-03". Alternately, the file can be obtained
via anonymous FTP from ftp.uu.net as "sun-dist/100305-03.tar.Z". The
checksum (sum(1V)) of the file 100305-03.tar.Z is "40955 380".

Instructions for obtaining this patch from ftp.uu.net are:

    (Login as root
    # ftp ftp.uu.net
    ...
    Name (ftp.uu.net:root): anonymous
    331 Guest login ok, send ident as password.
    Password:
    230 Guest login ok, access restrictions apply.
    ftp> cd sun-dist
    ftp> binary
    ftp> get 100305-03.tar.Z
    ...
    ftp> quit

Instructions for applying this patch are:

    (Login as root
    (cd to directory containing the compressed tar patch file
    (Verify the integrity of the compressed tar patch file.
    # sum 100305-03.tar.Z
    40955 380
    (If the numbers you get are not these, DO NOT proceed!  You have a bad
    ( patch file.  Delete the patch file and try to obtain a proper copy.
    (Expand the tar file
    # uncompress 100305-03.tar.Z
    # mkdir sunpatch
    # cd sunpatch
    # tar xvf ../100305-03.tar
    (Kill the running lpd:
    # ps -ax | grep lpd
    (You should see something like:
    (   134 ?  IW   0:00 /usr/lib/lpd
    ( 26753 p5 S    0:00 grep lpd
    ( Insert the "pid" (the first number on the line) of /usr/lib/lpd into
    ( the next command, i.e. in this case, one would substitute 134.
    ( If you have more than one copy of lpd running, repeat the "kill -9"
    ( command for each "pid" found.
    # kill -9 {pid}
    (Save old lpd - if you have already installed the 100305-01 patched lpd
    ( you can ignore this step, or better yet, rename the -01 lpd to
    ( something like /usr/lib/lpd.Patch-01
    # mv /usr/lib/lpd /usr/lib/lpd.FCS
    # chmod 100 /usr/lib/lpd.FCS
    (copy the upgraded lpd file to /usr/lib
    ( Substitute as appropriate for your architecture and SunOS version:
    # cp sun{3,3x,4,4c,386i}/{4.1,4.1.1}/lpd /usr/lib/lpd
    # chown root.daemon /usr/lib/lpd
    # chmod 6711 /usr/lib/lpd
    (Verify your work with /usr/lib/lpd:
    # ls -lg /usr/lib/lpd
    -rws--s--x  1 root  daemon ... /usr/lib/lpd
    (Modify some other line printer utility program protections
    # chmod 6711 /usr/ucb/lpr
    # chmod 6711 /usr/ucb/lpq
    # chmod 6711 /usr/ucb/lprm
    # chmod 2711 /usr/etc/lpc
    (Prepare for usage of new /usr/lib/lpd
    # rm -f /dev/printer /var/spool/lpd.lock
    # mkdir /dev/lpd
    # chown root.daemon /dev/lpd
    # chmod 710 /dev/lpd
    # ln -s /dev/lpd/printer /dev/printer
    (Restart the new lpd
    # /usr/lib/lpd
    (Verify that the lpd daemon restarted:
    # ps -ax | grep lpd
    (Modify /etc/rc and/or /etc/rc.local to reflect new location of the
    ( printer socket to be cleaned-up on boot.
    ( To do this, use your favorite editor on /etc/rc and /etc/rc.local
    ( and change:
            if [ -f /usr/lib/lpd ]; then
                rm -f /dev/printer /var/spool/lpd.lock
    ( to:
            if [ -f /usr/lib/lpd ]; then
                rm -f /dev/lpd/printer /var/spool/lpd.lock
    (                     new ^^^^
    (Cleanup:
    # cd ..
    # rm -r sunpatch
    # rm 100305-03.tar

For additional information or assistance, please contact CIAC:

    Hal Brand
    (415) 422-6312 or (FTS) 532-6312
    brand@addvax.llnl.gov

During work hours call CIAC at (415) 422-8193 or (FTS) 532-8193 or send
e-mail to ciac@llnl.gov. For non-working hour emergencies, call
1-800-SKY PAGE, then enter 855-0070 or 855-0074. Send FAX messages to:
(415) 423-8002 or (FTS) 543-8002 (THIS IS A NEW FAX NUMBER). The CIAC
Bulletin Board, FELIX, can be accessed at 1200 or 2400 baud at
(415) 423-4753 or (FTS) 543-4753. (9600 baud access can be obtained from
Lawrence Berkeley and Lawrence Livermore laboratories at 423-9885.)

Sun Microsystems provided some of the information used in this bulletin.

This document was prepared as an account of work sponsored by an agency of
the United States Government.
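The procedure in B-33 (and the /usr/bin/mail replacement in B-32 above) is done by hand: compare the sum(1V) output against the published numbers, move the old binary aside so nobody can keep running it, copy the new one in, and set ownership and mode. The script below is an added example written for this page, not CIAC's or Sun's code. It wraps those steps so that a checksum mismatch stops the install and a failed copy restores the original. It assumes a POSIX sh with sum(1) and awk; the function names verify_sum and install_replacement are this example's own, the ".FCS" backup suffix and the paths follow the bulletin, and chown is only attempted when the script runs as root so that the functions can be exercised unprivileged.

```sh
#!/bin/sh
# Added example for this page; not CIAC's or Sun's code.
# Wraps the B-32/B-33 hand procedure: refuse to install a replacement
# binary whose sum(1) checksum differs from the published one, move the
# old binary aside under a restrictive mode, copy the new one in, and set
# ownership/mode. Function names and messages are this example's own;
# the ".FCS" backup suffix follows the bulletin.

# verify_sum FILE EXPECTED
#   EXPECTED is the two-number string as printed in the bulletin, e.g.
#   "40955 380" (checksum and block count). Returns 0 only on a match.
verify_sum() {
    file=$1
    expected=$2
    actual=$(sum "$file" | awk '{print $1, $2}')
    if [ "$actual" != "$expected" ]; then
        echo "checksum mismatch for $file: got '$actual', expected '$expected'" >&2
        return 1
    fi
    return 0
}

# install_replacement NEW TARGET MODE [OWNER.GROUP]
#   Backs up TARGET as TARGET.FCS (mode 100, execute-only, so the flawed
#   copy cannot be read or re-run casually), installs NEW as TARGET and
#   applies MODE. chown runs only as root, so the function can be used
#   unprivileged; if the copy fails the backup is moved back into place.
install_replacement() {
    new=$1
    target=$2
    mode=$3
    owner=${4:-}
    backup="$target.FCS"
    if [ -e "$target" ]; then
        mv "$target" "$backup" || return 1
        chmod 100 "$backup"
    fi
    if ! cp "$new" "$target"; then
        if [ -e "$backup" ]; then
            mv "$backup" "$target"
        fi
        return 1
    fi
    if [ -n "$owner" ] && [ "$(id -u)" -eq 0 ]; then
        chown "$owner" "$target" || return 1
    fi
    chmod "$mode" "$target"
}

# The B-33 sequence (paths and numbers from the bulletin). Only executed
# when the script is invoked with "--lpd", so sourcing it defines the
# functions without touching the system.
if [ "${1:-}" = "--lpd" ]; then
    verify_sum 100305-03.tar.Z "40955 380" || exit 1
    uncompress 100305-03.tar.Z && mkdir -p sunpatch && cd sunpatch \
        && tar xvf ../100305-03.tar || exit 1
    # Substitute your architecture and SunOS version for sun4/4.1.1.
    install_replacement sun4/4.1.1/lpd /usr/lib/lpd 6711 root.daemon
fi
```

The expected checksum is passed in as a string rather than hard-coded so that the B-33 addendum's revised value can be used without editing the function; the old binary keeps the bulletin's mode 100 so it stays on disk for rollback but cannot be read by other users.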
From longstaf Thu Jul 11 10:44:19 1991
Date: Thu, 11 Jul 91 10:37:02 PDT
From: longstaf (Tom Longstaff)
To: external, cert-system-info@nist.gov
Subject: RE: New SunOS lpd Problem -- Correction to original instructions

NO RESTRICTIONS

_____________________________________________________
      The Computer Incident Advisory Capability
                    ___  __ __    _     ___
                   /       |     / \   /
                   \___  __|__  /___\  \___
_____________________________________________________

                        Information Bulletin

                       July 10, 1991, 1500 PDT
                         Number B-33-Addendum

     RE: New SunOS lpd Problem -- Correction to original instructions

CIAC has received information indicating that the checksum numbers
reported in bulletin B-33 have been modified since the release of B-33.
This is because Sun Microsystems has updated the patch file available on
ftp.uu.net as of July 10, 1991 to correct a minor problem found in that
file. As a result of this change, the checksum numbers (resulting from
the sum(1V) command) verifying the correctness of the patch file have
changed. The result of the command "sum 100305-03.tar.Z" is now
"58052 380". This new patch file is now available via anonymous ftp (as
described in CIAC bulletin B-33).

Sun Microsystems reserves the right to modify this file again in the
future. Should you obtain the file and find the checksum does not match
the number found above, please call CIAC or Sun Microsystems to verify
the correctness of the patch before it is installed.

For additional information or assistance, please contact CIAC:

    Hal Brand
    (415) 422-6312 or (FTS) 532-6312
    brand@addvax.llnl.gov

During work hours call CIAC at (415) 422-8193 or (FTS) 532-8193 or send
e-mail to ciac@llnl.gov.

Sun Microsystems provided some of the information used in this bulletin.
From karyn Thu Aug 1 14:16:36 1991
Date: Thu, 1 Aug 91 14:12:47 PDT
From: karyn (Karyn Pichnarczyk)
Subject: CIAC Bulletin B-35: Brunswick Virus on MS DOS Computers
To: external
Cc: ciac, karyn (Karyn Pichnarczyk)

_____________________________________________________
      The Computer Incident Advisory Capability
                    ___  __ __    _     ___
                   /       |     / \   /
                   \___  __|__  /___\  \___
_____________________________________________________

                        Information Bulletin

                 Brunswick Virus on MS DOS Computers

                       August 1, 1991, 1430 PDT
                            Number B-35
_________________________________________________________________________

Name:             Brunswick virus
Aliases:          Brunswick, 910129
Types:            Two known variants
Platform:         MS-DOS computers
Damage:           May overwrite Master Boot Record
Symptoms:         Not apparent until attack phase when Master Boot Record
                  is destroyed and disk will not boot
First Discovered: January 1991
Detection:        VIRHUNT v. 1.3D-1, VIRSCAN v.2.0.2 and others (contact
                  CIAC for information about these products)
Eradication:      VIRHUNT v. 1.3D-1, VIRSCAN v.2.0.2 and others
_________________________________________________________________________

Critical Brunswick Virus Facts

The Brunswick virus infects the boot sector/master boot record of hard
disks and floppies in drives A: and B: only. Once resident, this virus
covertly infects all floppies and hard disks it contacts. An infected
machine does not display any obvious indications of infection; therefore
it can be very difficult to determine if your system is infected until
the attack phase commences.

Brunswick usually enters a machine through the boot-up of an infected
floppy. (This entry method is similar to that employed by the "Stoned"
virus described in CIAC Advisory A-28.) The virus immediately infects the
Master Boot Record through Interrupt 13. Thereafter, all disks placed in
floppy A: or B: will become infected until the machine is re-booted from
a clean disk.

Infection occurs differently for hard disks and floppies. On hard disks,
the original boot record is moved to Cylinder 0 Sector 16 Head 0. On
floppy drives, the original boot record is relocated to Cylinder 0
Sector 3 Head 1. If hard disks have last been partitioned under DOS 2.0,
the virus will overwrite portions of the File Allocation Table. The virus
contains logic to prevent re-infection of disks and code to save the BIOS
Parameter Block so that 3.5 inch 1.44 MB floppies will remain readable
after infection (unlike "Stoned").

The Brunswick virus mechanics are fairly straightforward. It retains a
generation counter which is decremented within each new infection. Upon
boot-up, the virus compares this counter to an internal constant. If the
counter is larger than the constant, no action is taken; else the virus
destroys the master boot record by overwriting it with random characters.
This generation counter is never changed within a particular infection;
therefore, if an infection and a successful boot-up have occurred, this
particular infection will NEVER destroy the Master Boot Record (although
infections will still take place).

Newer versions of the anti-viral products mentioned above will detect the
virus. An unauthorized write attempt to a write-protected floppy is
another indication that this virus may be resident. Removal is a simple
process of running any of the previously mentioned virus removal
utilities. If none of these are available, contact CIAC to obtain manual
removal instructions.

Infections can be easily prevented by adopting sound protection
procedures, such as write-protecting all floppies and checking all
diskettes before use with a trusted scanning utility. Also, always open
the floppy door before booting a PC, because booting with an infected
NON-BOOTABLE floppy WILL CAUSE INFECTION of the hard disk.

For additional information or assistance, please contact CIAC:

    Karyn Pichnarczyk
    (415) 422-1779 or (FTS) 532-1779
    karyn@cheetah.llnl.gov

During working hours call CIAC at (415) 422-8193 or (FTS) 532-8193 or
send e-mail to ciac@llnl.gov. Send FAX messages to: (415) 423-8002 or
(FTS) 543-8002.

From longstaf Wed Aug 14 22:25:45 1991
Date: Wed, 14 Aug 91 22:24:12 PDT
From: longstaf (Tom Longstaff)
To: external
Subject: CIAC bulletin B-36: New patch available for /usr/ucb/telnet on ULTRIX systems

_____________________________________________________
      The Computer Incident Advisory Capability
                    ___  __ __    _     ___
                   /       |     / \   /
                   \___  __|__  /___\  \___
_____________________________________________________

                        Information Bulletin

       New patch available for /usr/ucb/telnet on ULTRIX systems

                      August 14, 1991, 1300 PDT
                            Number B-36

Critical Facts about /usr/ucb/telnet patch
-------------------------------------------------------------------------------
PROBLEM:   ULTRIX 4.1 and 4.2 systems running the Lat-Telnet gateway
           software (lattelnet) may allow unauthorized privileged access.
PLATFORM:  ULTRIX 4.1 and 4.2 systems on RISC and VAX architectures.
DAMAGE:    Potential for considerable damage (e.g., creating bogus
           accounts, installing trojan horse, etc.) once unauthorized
           privileged access is obtained.
SOLUTIONS: Obtain and install new telnet program from DEC or CIAC.
-------------------------------------------------------------------------------

A new patch to close a vulnerability in the Lat-Telnet gateway software
for ULTRIX 4.1 and 4.2 systems is now available. This patch will close a
vulnerability in the telnet software that may allow unauthorized
privileged access to the ULTRIX system running the Lat-Telnet gateway
software (lattelnet). The method used to exploit this vulnerability has
recently been posted to the Internet, so it is important that you install
this patch if your system supports the LAT-Telnet gateway software.
Since there is no apparent harm in applying this patch to any ULTRIX 4.2
system, CIAC encourages all sites to install this patch.

The LAT/Telnet software requires special installation and is NOT part of
the default ULTRIX configuration. To determine if this software is active
on your system, execute the following command:

    > grep lattelnet /etc/ttys

If this command returns a result similar to the one below, you are
running the Lat-Telnet gateway software.

    tty##  "/usr/etc/lattelnet std.9600"  vt100  on nomodem

Patches for both the VAX and RISC architectures are available from DEC or
CIAC (e.g., via anonymous FTP). To obtain the patch from the DEC Customer
Support Center, sites within the USA should call 1-800-525-7100. Other
sites should contact DEC through their normal channels. If you have
Internet access, the following procedure will transfer the patches from
the CIAC anonymous FTP server:

    > ftp irbis.llnl.gov
    user: anonymous
    password: {your e-mail address}
    ftp> binary
    ftp> get pub/ciac/unix/ultrix/usr-ucb-telnet.vax
    ftp> get pub/ciac/unix/ultrix/usr-ucb-telnet.risc
    ftp> quit

Once you have obtained the version of /usr/ucb/telnet appropriate to your
architecture, use the following procedure to install the new telnet
program:

Become "root" on the system to be patched (i.e., use the su command).

Rename the original telnet program (to avoid overwriting this code with a
new patch) by entering:

    # mv /usr/ucb/telnet /usr/ucb/telnet-dist

Copy the new version of telnet to /usr/ucb (the filename shown below is
for VAX architectures; substitute "risc" for "vax" if you are using a RISC
architecture):

    # cp /{download location}/usr-ucb-telnet.vax /usr/ucb/telnet

Assure that the permissions and ownership of the new telnet program are
the same as the original (the program sizes shown below may not be the
same as those from your system):

    # chown bin.bin /usr/ucb/telnet
    # chmod 755 /usr/ucb/telnet
    # ls -lg /usr/ucb/telnet*
    -rwxr-xr-x  1 bin  bin  280224 {date and time} /usr/ucb/telnet
    -rwxr-xr-x  1 bin  bin  172032 {date and time} /usr/ucb/telnet-dist

You can then verify the operation of the new /usr/ucb/telnet program by
using the telnet command to connect to other hosts with which you have
permission to connect.

For additional information or assistance, please contact CIAC:

    Tom Longstaff
    (415) 423-4416 or (FTS) 543-4416
    longstaf@llnl.gov

During working hours call CIAC at (415) 422-8193 or (FTS) 532-8193 or
send e-mail to ciac@llnl.gov.

Digital Equipment Corporation (DEC) and the Computer Emergency Response
Team (CERT) provided some of the information contained in this bulletin.

From longstaf Mon Aug 26 10:18:37 1991
Date: Mon, 26 Aug 91 10:17:13 PDT
From: longstaf (Tom Longstaff)
To: external
Cc: cert@cert.sei.cmu.edu, first-reps@nist.gov, ciac
Subject: CIAC Bulletin B-37: Security Problem with UNIX Trusted System Files

_____________________________________________________
      The Computer Incident Advisory Capability
                    ___  __ __    _     ___
                   /       |     / \   /
                   \___  __|__  /___\  \___
_____________________________________________________

                        Information Bulletin

   Security Problems with /etc/hosts.equiv, /etc/hosts.lpd, and .rhosts
                        files on UNIX Systems

                      August 26, 1991, 1000 PDT
                            Number B-37

Critical Facts about the Security Problem with UNIX Trusted System Files
-------------------------------------------------------------------------------
PROBLEM:   Some configurations of files providing trusted access to the
           host, including the /etc/hosts.equiv, /etc/hosts.lpd, and
           .rhosts files, may allow unauthorized access to the system.
PLATFORM:  Many UNIX-based operating systems and platforms including
           System V and BSD based UNIX systems.
DAMAGE:    Potentially severe due to unauthorized access to the system.
SOLUTIONS: Assure that a character other than '-' is the first character
           of these files.
-------------------------------------------------------------------------------

CIAC has learned of a security problem with files supporting trusted
access on many UNIX-based computers. If your system uses the
/etc/hosts.equiv, /etc/hosts.lpd, or .rhosts files (in each user's home
directory) for trusted access from other systems, your system may be
vulnerable to unauthorized access.
This information has recently been posted to a large mailing list and
news group on the Internet, so it is important that you check your
systems for this vulnerability.

To assure that your system does not contain this vulnerability, check for
a '-' sign as the first character of any file providing trusted access to
the system. These trusted access files include /etc/hosts.equiv,
/etc/hosts.lpd, and each user's .rhosts file. Any file containing a '-'
as the first character should be rearranged (using a file editor such as
'vi') so that some other entry (without a '-' as the first character) is
listed as the first entry of the file. If all entries in one of these
files contain a '-' as the first character, the file should be removed.

The use of these trusted access files allows access to the system without
authentication, and for security reasons, these trusted access files
should be removed if not absolutely required. In addition, as mentioned
in CIAC Bulletin A-1, the inclusion of a '+' sign alone on a line in any
of these files will allow trusted access from *any* system that may
connect to the machine.

Also note that users may modify their local .rhosts file so as to
re-introduce this vulnerability at a later time. CIAC recommends that any
system that allows the use of individual .rhosts files inform users of
these problems and periodically check to assure that these
vulnerabilities have not been re-introduced in an individual's .rhosts
file.

CIAC has prepared a shell script that may assist system managers in
finding files containing this vulnerability on SunOS and some BSD based
platforms. For details on obtaining this tool, please send electronic
mail to CIAC.

For additional information or assistance, please contact CIAC:

    Tom Longstaff
    (415) 423-4416 or send e-mail to longstaf@llnl.gov

During working hours call CIAC at (415) 422-8193 or (FTS) 532-8193 or
send e-mail to ciac@llnl.gov.
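One way to carry out the periodic check B-37 recommends, as an added example written for this page and not the CIAC script the bulletin offers on request: it flags a trusted-access file whose first character is '-' and any line consisting of a lone '+' (the A-1 problem recalled above), for /etc/hosts.equiv, /etc/hosts.lpd and every .rhosts it finds. It is POSIX sh; the function names audit_trust_file and audit_all_trust_files are this example's own, and the optional root-directory argument is an assumption added so the audit can be run against a copied or constructed tree rather than only the live system.

```sh
#!/bin/sh
# Added example for this page; not the CIAC script mentioned in B-37.
# Audits the trusted-access files named in the bulletin for two weaknesses:
#   1. the file's very first character is '-'
#   2. a line consisting of '+' alone (trusts every host; see CIAC A-1)
# Findings are printed one per line. Functions return 1 when something was
# flagged and 0 when the file is clean or does not exist.

# audit_trust_file FILE
audit_trust_file() {
    f=$1
    status=0
    [ -f "$f" ] || return 0               # nothing to audit
    # Weakness 1: '-' as the first character of the file.
    if [ "$(head -c 1 "$f")" = "-" ]; then
        echo "$f: first character is '-'; put another entry first or remove the file"
        status=1
    fi
    # Weakness 2: '+' alone on a line (surrounding blanks tolerated).
    if grep -q -x '[[:space:]]*+[[:space:]]*' "$f"; then
        echo "$f: lone '+' entry grants trusted access from any host"
        status=1
    fi
    return $status
}

# audit_all_trust_files [ROOT]
#   Checks ROOT/etc/hosts.equiv, ROOT/etc/hosts.lpd and every .rhosts file
#   below ROOT (users' home directories). ROOT defaults to /; the parameter
#   is this example's assumption so the audit can run on a test tree.
audit_all_trust_files() {
    root=${1:-/}
    root=${root%/}                        # "/" -> "", "/mnt/x/" -> "/mnt/x"
    rc=0
    for f in "$root/etc/hosts.equiv" "$root/etc/hosts.lpd"; do
        audit_trust_file "$f" || rc=1
    done
    # find prints one path per line; restrict IFS to newline so that a
    # home directory containing spaces is still handled as one path.
    oldifs=$IFS
    IFS='
'
    for f in $(find "${root:-/}" -xdev -type f -name .rhosts 2>/dev/null); do
        audit_trust_file "$f" || rc=1
    done
    IFS=$oldifs
    return $rc
}

# Invoke as "sh audit-trust.sh /" to audit the live system; with no
# argument only the functions are defined (for sourcing or testing).
if [ $# -gt 0 ]; then
    audit_all_trust_files "$1"
fi
```

Because .rhosts files are user-writable, the value is in running this from cron and diffing the output against the previous run rather than in a single pass; the non-zero return code makes that easy to wire into an existing monitoring job.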
The assistance of the Computer Emergency Response Team/Coordination Center
(CERT/CC) and Sun Microsystems in drafting this bulletin is gratefully
acknowledged.

_____________________________________________________
      The Computer Incident Advisory Capability
                    ___  __ __    _     ___
                   /       |     / \   /
                   \___  __|__  /___\  \___
_____________________________________________________

                        Information Bulletin

       Vulnerability in Silicon Graphics Inc. "IRIX" /usr/sbin/fmt

                      August 29, 1991 08:15 PDT
                            Number B-38
-------------------------------------------------------------------------------
PROBLEM:   Misconfiguration of /usr/sbin/fmt on some SGI platforms causes
           a breakdown of privacy for files in group MAIL.
PLATFORM:  Silicon Graphics Inc. IRIX versions prior to 4.0 (including
           all 3.2 and 3.3.X versions).
DAMAGE:    A non-privileged user may read mail belonging to any user,
           including root.
SOLUTIONS: Apply patch described below.
-------------------------------------------------------------------------------

Critical Facts about Vulnerability in /usr/sbin/fmt

CIAC has learned of a security problem with the text formatting program
/usr/sbin/fmt supplied by Silicon Graphics. The program will allow any
user to read mail messages or other files owned by group "mail" on IRIX
versions prior to 4.0 (including all 3.2 and 3.3.X versions). This
problem has been fixed in version 4.0. CIAC expects this vulnerability to
be widely exploited due to the recent release of this information on
various Internet information services. We highly recommend that you apply
this patch immediately.

Silicon Graphics has provided the enclosed patch instructions, and they
have been verified on our SGI IRIX System V Release 3.3.1 machine. To
correct this vulnerability, execute the following command as root:

    chmod 755 /usr/sbin/fmt

Optionally, you could also change the owner and group of the file;
however, SGI has informed us that this change is not necessary:

    chown root.sys /usr/sbin/fmt

If system software should ever be reloaded from a 3.2 or 3.3.*
installation tape or from a backup tape created before the patch was
applied, repeat the above procedure immediately after the software has
been reloaded (before enabling logins by normal users).

SGI customers can contact 1-800-800-4SGI for additional assistance.

For additional information or assistance, please contact CIAC:

    David Brown
    (415) 423-9878 or (FTS) 543-9878 before Sept 1, 1991
    (510) 423-9878 or (FTS) 543-9878 after Sept 1, 1991
    FAX: (415) 423-8002 or (FTS) 543-8002 before Sept 1, 1991
    FAX: (510) 423-8002 or (FTS) 543-8002 after Sept 1, 1991
    Note: On September 1, 1991, CIAC's area code will change to 510.
    or send e-mail to: ciac@llnl.gov

The assistance of Silicon Graphics, CERT/CC, and Chuck Athey of Lawrence
Livermore National Laboratory is gratefully acknowledged.
Neither the United States Government nor the University of California nor any of their employees, makes any warranty, expressed or implied, or assumes any legal liability or responsibility for the accuracy, completeness, or usefulness of any information, product, or process disclosed, or represents that its use would not infringe privately owned rights. Reference herein to any specific commercial products, process, or service by trade name, trademark manufacturer, or otherwise, does not necessarily constitute or imply its endorsement, recommendation, or favoring by the United States Government or the University of California. The views and opinions of authors expressed herein do not necessarily state or reflect those of the United States Government nor the University of California, and shall not be used for advertising or product endorsement purposes. From pon Thu Aug 29 15:28:28 1991 Return-Path: Received: by (4.1/SMI-4.1) id AA11876; Thu, 29 Aug 91 15:28:28 PDT From: pon (Ken Pon) Message-Id: <9108292228.AA11876@> Subject: New B-39 To: gschultz (Gene Schultz) Date: Thu, 29 Aug 91 15:28:27 PDT X-Mailer: ELM [version 2.3 PL0] Status: RO ROUGH DRAFT VENDOR RESTRICTED--FOR DEPARTMENT OF ENERGY CRAY SITES ONLY DO NOT DISTRIBUTE _____________________________________________________ The Computer Incident Advisory Capability ___ __ __ _ ___ / | / \ / \___ __|__ /___\ \___ _____________________________________________________ Information Bulletin Latest Security Mods for CRAY UNICOS August 29, 1215 PST Number B-39 __________________________________________________________________________ PROBLEM: UNICOS security holes in cleantmp, cron, mail, nfs/automount, and MLS rexec/remsh/rshd PLATFORM: Many versions of the Cray UNICOS operating system (as described below for each SPR) DAMAGE: The UNICOS bugs allow unauthorized system privileges to non-privileged users SOLUTIONS: Install UNICOS mods that apply to your version of UNICOS 
__________________________________________________________________________ Critical Information About UNICOS Security Holes CIAC has been working with Cray Research Incorporated on the resolution of several critical security holes in the Cray UNICOS operating system. These UNICOS bugs may allow unauthorized system privileges to normal users. More explicit information on these problems can be found in Cray Field Alerts #122 ADDENDUM, #123 ADDENDUM, and #126, or by contacting CIAC or Cray Research International Software Technical Support directly. The mods listed below are Cray binary files available to correct each problem described. A valid user on crayamid.cray.com can use the FTP "put" command to transfer mods to another system. Note that crayamid.cray.com does not support the FTP "get" command. Alternatively, contact your Cray support representative to facilitate access to the appropriate mods. Mods are available on crayamid.cray.com in the specified file and directory. Each UNICOS mod has a unique identification and may be specific to a particular version of the UNICOS operating system. Unless otherwise stated, the mod will apply to the entire family of Cray hardware, including Cray-1, X-MP, Y-MP, and Cray-2. 1. Cray SPR 45292 - CLEANTMP allows any user to remove any file Reference Cray Field Alert #123 - ADDENDUM UNICOS version Cray Mod # crayamid Directory 5.1 d20705cmda /u/mods/unicos.common/5.1/cmd 6.0 60cmd21458a /u/mods/unicos.common/6.0/cmd 6.1 6Ecmd21458a /u/mods/unicos.common/6.1/cmd 2. Cray SPR 45753 - CRON allows any user to read protected files Reference Cray Field Alert #123 - ADDENDUM UNICOS version Cray Mod # crayamid Directory 5.1 51cmd22270c, /u/mods/unicos.common/5.1/cmd 51cmd22562d 6.0 60cmd22671c /u/mods/unicos.common/6.0/cmd 6.1 6Ecmd22671a /u/mods/unicos.common/6.1/cmd 3. 
Cray SPR 45743 - /BIN/MAIL allows users to read protected files Reference Cray Field Alert #123 - ADDENDUM UNICOS version Cray Mod # crayamid Directory 5.1 51cmd22391b /u/mods/unicos.common/5.1/cmd 6.0 60cmd22391a /u/mods/unicos.common/6.0/cmd 6.1 6Ecmd22391a /u/mods/unicos.common/6.1/cmd 4. Cray SPR 45455 - PORTMAP allows forwarding of mount requests Reference Cray Field Alert #122, #122 - ADDENDUM Cray Field Alert #122 discusses how one can obtain a file handle and access files from an unauthorized machine using NFS. The following mods closed this vulnerability by modifying portmap to disable the forwarding of mount requests on a server: UNICOS version Cray Mod # crayamid Directory 5.1 d20688rpca /u/mods/nfs/5.1 6.0 60RPC22343A /u/mods/rpc/6.0 6.1 6ERPC22329A /u/mods/rpc/6.1 However, the above mods may affect RPC applications that depend on portmap to forward their RPC requests to mountd. One of these applications is the automount command, which will not work if the mod from Field Alert #122 is installed. The appropriate mods to allow automount to work for Cray NFS clients is given below. For non-Cray systems, contact your vendor specific technical support representative to obtain a version of the automounter that does not make its requests via portmap. (Note that the SunOS 4.1 version of automount already contains this fix.) Refer to Cray Field Alert #122 - Addendum for more information. UNICOS version Cray Mod # crayamid Directory 5.1 NONE, automounter not supported in release 5.1 6.0 60nfs23984a /u/mods/nfs/6.0 6.1 6Enfs23984a /u/mods/nfs/6.E 5. 
Cray SPR 45405 - RSHD under UNICOS MLS grants unauthorized MLS privileges Cray SPR 46445 - REMSH/REXEC allows users to obtain permits, levels, and compartments not in the UDB Reference Cray Field Alert #126 UNICOS version Cray Mod # crayamid Directory 5.1 e20716tcpa, /u/mods/tcp_ip e20717cmda 6.0 60tcp21801a /u/mods/tcp_ip 6.1 6Etcp21801a /u/mods/tcp_ip CIAC recommends that you upgrade your version of UNICOS to the most recent available, since many improvements to the security of your system have been integrated into the most recent base operating system. In addition, you should install all mods (listed above) appropriate to your UNICOS system. For additional information or assistance, please contact CIAC: Kenneth L. Pon (415) 422-1783 until Sept. 1; afterwards call (510) 422-1783 or (FTS) 532-1783 send e-mail to pon@cheetah.llnl.gov Call CIAC at (415) 422-8193 until Sept. 1; afterwards call (510) 422-8193 or (FTS) 532-8193 send e-mail to ciac@.llnl.gov. Send FAX messages to: (415) 423-0913 or (FTS) 543-0913. James Ellis, Karis Forster, and Cray Research provided some of the information used in this bulletin. This document was prepared as an account of work sponsored by an agency of the United States Government. Neither the United States Government nor the University of California nor any of their employees, makes any warranty, express or implied, or assumes any legal liability or responsibility for the accuracy, completeness, or usefulness of any information, apparatus, product, or process disclosed, or represents that its use would not infringe privately owned rights. Reference herein to any specific commercial products, process, or service by trade name, trademark, manufacturer, or otherwise, does not necessarily constitute or imply its endorsement, recommendation or favoring by the United States Government or the University of California. 
The views and opinions of authors expressed herein do not necessarily state or
reflect those of the United States Government or the University of California,
and shall not be used for advertising or product endorsement purposes.

_____________________________________________________
          The Computer Incident Advisory Capability
_____________________________________________________

                            Information Bulletin

         Virus distributed in PCNFS software fix for MS-DOS computers

September 9, 1991, 1030 PDT                                        Number B-40

             Critical Information about Virus in PCNFS software fix
-------------------------------------------------------------------------------
PROBLEM:      The Jerusalem-B Virus has inadvertently been distributed with
              some copies of one version of PCNFS software fix.
PLATFORM:     MS-DOS computers
SOFTWARE:     Sun PCNFS software fix PCNFS 3.5b, file NET.EXE
DAMAGE:       File deletion, file corruption, system slowdown
DETECTION:    File size of newly distributed PCNFS 3.5b file NET.EXE not equal
              to 100181 bytes; or use of VIRHUNT, VIRSCAN, FPROT, and others
ERADICATION:  VIRHUNT, VIRSCAN and others; replacement of NET.EXE
-------------------------------------------------------------------------------

CIAC has been notified of the inadvertent distribution of a virus in a Sun
Microsystems PCNFS software fix for MS-DOS computers. This distribution, which
was sent to a limited user community, contained a file NET.EXE which may have
been infected with the Jerusalem-B virus. This fix, entitled "PCNFS 3.5b," was
distributed between July and August, 1991 to those requesting a patch for PCNFS
3.5. Sun has contacted all customers who had received the suspect file, and has
distributed a new virus-free NET.EXE to all parties.

If NET.EXE from PCNFS 3.5b does not have a file size of 100181 bytes, this file
is probably infected with the Jerusalem-B virus. It is very important to
execute a virus detection/eradication package if a suspect NET.EXE file is
located. If your site has received the suspect file and follow-up letter, call
CIAC, Sun's support number (1-800-USA-4SUN), or your local Sun office for
assistance.

NOTE: For more information on the Jerusalem virus, see CIAC bulletin "Virus
Propagation in Novell and Other Networks" (A-33) or "Little Black Box
(Jerusalem) virus alert" (un-numbered series, 1989).

CIAC recommends anti-viral scanning of all software (including new software and
upgrades to existing software) before installation is initiated.

For additional information or assistance, please contact CIAC:

   Karyn Pichnarczyk
   (510) 422-1779 or (FTS) 532-1779   * note new area code replacing 415
   Send e-mail to karyn@cheetah.llnl.gov

Call CIAC at (510) 422-8193 or (FTS) 532-8193
Send e-mail to ciac@llnl.gov

Thanks to Sun Microsystems for assistance in providing information described in
this bulletin.
NO RESTRICTIONS

_____________________________________________________
          The Computer Incident Advisory Capability
_____________________________________________________

                            Information Bulletin

               Vulnerability in SunOS SPARC Integer Division

September 17, 1991, 1200 PDT                                       Number B-41

-------------------------------------------------------------------------------
PROBLEM:    Integer division bug can be used to gain root
PLATFORM:   sun4, sun4c: SunOS release: 4.1, 4.1.1
DAMAGE:     Unauthorized root access and potential system crash
SOLUTIONS:  Apply Sun Patch-ID# 100376-01 for SunOS 4.1 and 4.1.1; rebuild and
            install the operating system kernel with patched object file
-------------------------------------------------------------------------------

                 Critical Facts About Sun Integer Division Bug

CIAC has learned of a security problem with the integer division exception
handling on SPARC-based computers (including the Sun 4 and 4c architectures)
running SunOS 4.1 and 4.1.1. This vulnerability can be used to gain
unauthorized root access and can also result in system crashes. Sun is
providing a patch (Sun Patch-ID# 100376-01) to correct this problem. This patch
is available from Sun (call 1-800-USA-4SUN), or through anonymous ftp at
uunet.uu.net (ip address 137.39.1.2) in the directory ~ftp/sun-dist (see
bulletin B-33 for details on obtaining files from uunet.uu.net). The patch
filename is 100376-01.tar.Z, and it has a checksum (using the command
"sum 100376-01.tar.Z") of "09989 11". Please note that Sun Microsystems
sometimes updates patch files, resulting in a changed checksum result. If you
find that the checksum is different from the one given above, please contact
Sun Microsystems or CIAC for verification.
The patch file must be uncompressed and the tar files extracted. To apply the
patch, replace the file /sys/sun{4,4c}/OBJ/crt.o with the crt.o file
appropriate to your system, which is contained in the patch. You must then
rebuild the kernel, replace your copy of /vmunix, and reboot the system. Since
the installation of this patch will vary depending on your individual system
configuration, please refer to the System and Network Administration Manual
section on building and configuring a custom kernel for details on this
procedure.

For additional information or assistance, please contact CIAC:

   David Brown
   (510) 423-9878** or (FTS) 543-9878
   FAX: (510) 423-8002** or (FTS) 543-8002
   **Note: On September 1, 1991, CIAC's area code changed from 415 to 510

or send e-mail to: ciac@llnl.gov

Previous CIAC bulletins are available via anonymous FTP from irbis.llnl.gov
(ip number 128.115.19.60)

CIAC gratefully acknowledges the timely response of Sun Microsystems in
responding to this problem. Thanks also to the Computer Emergency Response Team
at Carnegie-Mellon for some of the material used in this bulletin.
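The bulletin asks you to compare the output of "sum 100376-01.tar.Z" with "09989 11" before installing the patch. The following added example (not Sun's or CIAC's code) re-implements the BSD sum(1) checksum so a downloaded archive can be checked offline; it assumes the bulletin's sum is the 16-bit right-rotating BSD algorithm with 1024-byte blocks, and the sample data in it is constructed.

```python
"""Recompute the checksum that a bulletin quotes for a vendor patch file.

B-41 says `sum 100376-01.tar.Z` should print "09989 11". This added example
(not Sun's or CIAC's code) re-implements the classic BSD sum(1) algorithm so
a downloaded archive can be checked offline before it is unpacked. Assumptions:
the `sum` in question is the 16-bit right-rotating BSD checksum, and the block
count uses 1024-byte blocks as in 4.3BSD (older Suns may count 512-byte
blocks, so treat the block count as a secondary check only).
"""

BLOCK_SIZE = 1024  # assumption: 4.3BSD-style 1K blocks


def bsd_sum(data: bytes) -> int:
    """16-bit BSD checksum: rotate right one bit, add the byte, keep 16 bits."""
    checksum = 0
    for byte in data:
        checksum = (checksum >> 1) + ((checksum & 1) << 15)  # rotate right
        checksum = (checksum + byte) & 0xFFFF
    return checksum


def block_count(size: int, block_size: int = BLOCK_SIZE) -> int:
    """Number of blocks sum(1) reports: the file size rounded up to whole blocks."""
    return (size + block_size - 1) // block_size


def format_sum(data: bytes, block_size: int = BLOCK_SIZE) -> str:
    """Render the two fields the way sum(1) prints them, e.g. "09989 11"."""
    return f"{bsd_sum(data):05d} {block_count(len(data), block_size)}"


def parse_quoted_sum(quoted: str) -> tuple:
    """Split a value copied from a bulletin ("09989 11") into (checksum, blocks)."""
    fields = quoted.split()
    if len(fields) != 2:
        raise ValueError(f"expected '<checksum> <blocks>', got {quoted!r}")
    return int(fields[0]), int(fields[1])


def verify_patch(data: bytes, quoted: str, block_size: int = BLOCK_SIZE) -> tuple:
    """Compare a downloaded archive against the bulletin's quoted value.

    Returns (ok, message). A checksum mismatch is the result that matters:
    the bulletin notes that Sun sometimes re-issues patches, so a mismatch
    means "confirm with the vendor or CIAC", not "install anyway".
    """
    want_sum, want_blocks = parse_quoted_sum(quoted)
    got_sum = bsd_sum(data)
    got_blocks = block_count(len(data), block_size)
    if got_sum != want_sum:
        return False, (f"checksum mismatch: file gives {got_sum:05d}, "
                       f"bulletin quotes {want_sum:05d}; verify with vendor")
    if got_blocks != want_blocks:
        return False, (f"checksum matches but block count differs "
                       f"({got_blocks} vs {want_blocks}); check block size")
    return True, f"checksum and block count match ({want_sum:05d} {want_blocks})"


def verify_patch_file(path: str, quoted: str) -> tuple:
    """Convenience wrapper for a real file on disk, e.g. 100376-01.tar.Z."""
    with open(path, "rb") as fh:
        return verify_patch(fh.read(), quoted)


if __name__ == "__main__":
    # Constructed sample data; a real run would call
    # verify_patch_file("100376-01.tar.Z", "09989 11") on the fetched archive.
    sample = b"constructed sample archive contents\n" * 40
    print(format_sum(sample))
    print(verify_patch(sample, format_sum(sample)))
```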
NO RESTRICTIONS

_____________________________________________________
          The Computer Incident Advisory Capability
_____________________________________________________

                            Information Bulletin

                  Security Issues with Macintosh System 7

September 18, 1991, 930 PDT                                        Number B-42

         Critical Information about Security Issues with Macintosh System 7
----------------------------------------------------------------------------
PROBLEM:    Several security issues exist with Macintosh System 7
PLATFORM:   Macintosh System 7 Operating System
DAMAGE:     Potential for unauthorized modification/misuse of all files
SOLUTIONS:  User education of issues involved
----------------------------------------------------------------------------

CIAC has been working with Apple, Inc., to identify areas of security concern
within the Macintosh System 7 Operating System. The default installation
provides very good security in general. However, user customization raises
several security issues.

System 7 allows an individual Macintosh to provide network access to the local
file system ("File Sharing"). When file sharing is enabled, all files within
shared folders are accessible over the network. Thus, users should be aware of
what is available to others. Control over file sharing is provided through the
utilities "Sharing Setup" and "Users & Groups", by default located in the
Control Panel, and through the "Sharing..." dialogue located in the File menu
of the Finder. Each of these is discussed below.

Sharing Setup

To start file sharing on a Macintosh, the "Sharing Setup" control panel device
is utilized. Once file sharing is turned on by selecting the "start" button,
the entire network has access to the machine, with no capability to deny access
to a particular host.

Users & Groups

Access control is defined using the "Users & Groups" control panel device.
There are two users defined when file sharing is initially activated: the Owner
and <Guest>. The Owner had been previously defined when "Sharing Setup" was
first initiated. By default, <Guest> is given the same privileges as the Owner.
Passwords are unavailable to <Guest>. If sharing access to a disk volume is
allowed through the use of the "Sharing..." dialogue (see below), this default
access will allow anyone on the network to have total access to that disk
volume by simply selecting your machine. CIAC recommends disallowing guest
access by opening the <Guest> icon and de-selecting "Allow Guests to Connect".
When first created, a new user has by default no password; a password can be
given by choosing the user, then inserting a password in the appropriate box.

Sharing...

The final step to file sharing using System 7 is to select a volume to share,
then select "Sharing..." from the File menu, and check the box entitled "Share
this item and its contents". At this point, all folders and files become
available for use by anyone who has access to your Macintosh, as defined in
"Users & Groups" above. The default access is that Everyone has the ability to
See Files, See Folders and Make Changes. CIAC recommends removing all access
for Everyone and User/Group immediately, by ensuring the six boxes for Everyone
and User/Group are not selected. Also, to remove access to current folders on
the shared item, CIAC recommends clicking the box "Make all currently enclosed
folders like this one". This will protect all current folders residing in the
shared volume. At this point, access to folders can be given on a case-by-case
basis for each user or group.

Note: if you have turned on sharing for a volume, then configured your system,
and for some reason turn OFF sharing for that volume, the configuration for
the volume and all items dependent on the volume is reset to the initial
default protections as described above.

Miscellaneous

Since the Macintosh does not have any advanced control of password creation,
any password (including no password) will be accepted as adequate; thus users
should be aware of proper password creation techniques. No aging of access
controls is possible; therefore an account set up for temporary access, then
forgotten, can remain open for long periods of time without being noticed.
Advanced security features, such as auditing, password aging, password
filtering, and host authentication, are not present. All the vulnerabilities
of TCP/IP and AppleShare exist, since they are also available. Physical
security of the machine is an important issue, since no local user
authentication exists; therefore anyone can walk up to a machine and modify
the sharing setup, add a user, etc., and unless the owner is very diligent this
change can remain undetected.

For additional information or assistance, please contact CIAC:

   Karyn Pichnarczyk    or    Tom Longstaff
   (510) 422-1779 **          (510) 423-4416 **

Send e-mail to ciac@llnl.gov or call CIAC at (510) 422-8193 **
FAX messages to: (510) 423-8002 **

** note new area code 510 replaces 415
NO RESTRICTIONS

_____________________________________________________
          The Computer Incident Advisory Capability
_____________________________________________________

                            Information Bulletin

            Vulnerability in ULTRIX DECnet-Internet Gateway Software

September 26, 1991, 1300 PDT                                       Number B-43

________________________________________________________________________
PROBLEM:    The ULTRIX DECNet-Internet Gateway software can be exploited to
            obtain root privilege on ULTRIX Gateway machines.
PLATFORM:   ULTRIX Version 4.0, 4.1, and 4.2, both RISC and VAX architectures.
DAMAGE:     Unauthorized root privilege may result in loss of system and file
            integrity.
SOLUTIONS:  Change the "guest" account entry in /etc/passwd to specify
            /bin/false as the shell. This vulnerability will be fixed in a
            future release of Ultrix.
________________________________________________________________________

               Critical DECnet-Internet Gateway Vulnerability Facts

The ULTRIX V4.0, V4.1, and V4.2 DECnet-Internet Gateway software can be
exploited to gain root privilege on the ULTRIX Gateway host. This vulnerability
exists on both the VAX and RISC architectures. It can only be exploited on
ULTRIX V4.0, V4.1, and V4.2 machines running DECnet/ULTRIX with the DECnet
gateway functionality enabled.

To determine if your ULTRIX host running DECnet/ULTRIX is currently vulnerable,
execute the command:

   /usr/bin/ncp show exec char

Note: if your system doesn't have the file /usr/bin/ncp, it does not have
DECnet/ULTRIX installed.

Find the "Gateway Access" line. It should look like:

   Gateway Access = Disabled
or
   Gateway Access = Enabled

If gateway access is "Enabled", your machine is vulnerable.
Digital Equipment Corporation (DEC) is aware of this vulnerability and will
correct the problem in a future release of Ultrix. To protect ULTRIX V4.0,
V4.1, and V4.2 systems, DEC has provided the following workaround:

   Edit /etc/passwd to specify "/bin/false" in the shell field of the "guest"
   account. Note that this action will effectively disable interactive use of
   the "guest" account.

For example, the /etc/passwd entry

   guest:Nologin:269:31:DECnet Guest:/usr/users/guest:/bin/csh

should become

   guest:Nologin:269:31:DECnet Guest:/usr/users/guest:/bin/false
   ^^^^^                                              ^^^^^^^^^^

Note that the fields highlighted above must appear verbatim; the other fields
may vary depending on your local configuration. However, CIAC and DEC strongly
recommend that the password field be "Nologin" (the ULTRIX/DECnet default).

ULTRIX uses the "guest" account solely to facilitate DECnet/ULTRIX. Any other
use of the "guest" account is not supported and is strongly discouraged.

CIAC and DEC recommend this workaround be applied to all ULTRIX V4.0, V4.1, and
V4.2 machines running DECnet/ULTRIX, even those with the gateway functionality
disabled, as a prudent precaution.

For additional information or assistance, please contact CIAC:

   Hal R. Brand
   (510)** 422-6312 or (FTS) 532-6312
   brand1@llnl.gov

During work hours call CIAC at (510)** 422-8193 or (FTS) 532-8193 or send
e-mail to ciac@llnl.gov. Send FAX messages to: (510)** 423-8002 or
(FTS) 543-8002 (THIS IS A NEW FAX NUMBER).

Previous CIAC bulletins are available via anonymous FTP from irbis.llnl.gov
(128.115.19.60)

** (510) is CIAC's new area code. It was (415).

CIAC thanks Becky Bolling and Curt Bemis of Oak Ridge National Laboratory for
bringing this problem to our attention. CIAC also thanks Digital Equipment
Corporation for the workaround information.
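The check and the workaround above can be scripted for a fleet of ULTRIX hosts. The following added example (not DEC's or CIAC's code) reads the "Gateway Access" line from ncp output and audits or rewrites the "guest" entry of /etc/passwd exactly as the bulletin describes; the ncp output and passwd lines in it are constructed samples.

```python
"""Checks for the ULTRIX DECnet-Internet Gateway workaround (bulletin B-43).

Added example, not DEC's or CIAC's code. Two helpers mirror the bulletin's
two steps: read the "Gateway Access" line from `ncp show exec char` output,
and audit or rewrite the "guest" entry of /etc/passwd so its shell is
/bin/false (with "Nologin" in the password field, as recommended). The ncp
output and passwd lines below are constructed samples.
"""

REQUIRED_SHELL = "/bin/false"
RECOMMENDED_PASSWORD_FIELD = "Nologin"  # the ULTRIX/DECnet default


def gateway_access_enabled(ncp_output: str):
    """Return True/False from the 'Gateway Access = ...' line, None if absent."""
    for line in ncp_output.splitlines():
        key, sep, value = line.partition("=")
        if sep and key.strip().lower() == "gateway access":
            return value.strip().lower() == "enabled"
    return None  # no such line: not a DECnet/ULTRIX host, or unexpected output


def _guest_fields(passwd_text: str):
    """Yield the seven colon-separated fields of each 'guest' entry."""
    for line in passwd_text.splitlines():
        if not line or line.startswith("#"):
            continue
        fields = line.split(":")
        if len(fields) == 7 and fields[0] == "guest":
            yield fields


def audit_guest_entry(passwd_text: str) -> list:
    """List what is wrong with the guest entry; an empty list means compliant.

    A missing guest entry is also reported as compliant: the account exists
    only to support DECnet/ULTRIX.
    """
    findings = []
    for fields in _guest_fields(passwd_text):
        if fields[6] != REQUIRED_SHELL:
            findings.append(f"guest shell is {fields[6]!r}, must be {REQUIRED_SHELL}")
        if fields[1] != RECOMMENDED_PASSWORD_FIELD:
            findings.append(f"guest password field is {fields[1]!r}, "
                            f"recommended {RECOMMENDED_PASSWORD_FIELD!r}")
    return findings


def apply_workaround(passwd_text: str) -> str:
    """Return passwd contents with the guest shell and password field fixed.

    Only those two fields change; uid, gid, GECOS and home directory are left
    as the site configured them, since the bulletin says they may vary.
    """
    out = []
    for line in passwd_text.splitlines():
        fields = line.split(":")
        if len(fields) == 7 and fields[0] == "guest":
            fields[1] = RECOMMENDED_PASSWORD_FIELD
            fields[6] = REQUIRED_SHELL
            line = ":".join(fields)
        out.append(line)
    return "\n".join(out) + "\n"


# Constructed samples (not captured from a real system).
SAMPLE_NCP_OUTPUT = """Executor node = 12.34 (ULTRIX1)
  Identification = DECnet/ULTRIX V4.2
  Gateway Access = Enabled
"""

SAMPLE_PASSWD = """root:*:0:1:Operator:/:/bin/csh
guest:Nologin:269:31:DECnet Guest:/usr/users/guest:/bin/csh
"""

if __name__ == "__main__":
    print("gateway access enabled:", gateway_access_enabled(SAMPLE_NCP_OUTPUT))
    print("findings:", audit_guest_entry(SAMPLE_PASSWD))
    print(apply_workaround(SAMPLE_PASSWD))
```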
_____________________________________________________
          The Computer Incident Advisory Capability
_____________________________________________________

                              Advisory Notice

     Automated tftp Probe Attacks on UNIX Systems Connected to the Internet

September 27, 1991, 1700 PDT                                       Number B-44

________________________________________________________________________
PROBLEM:    Many systems connected to the Internet have been probed by tftp
            to allow intruders to copy the /etc/passwd and /etc/rc files.
PLATFORM:   UNIX systems supporting tftp.
DAMAGE:     Potential disclosure of easily-guessed passwords leading to
            unauthorized access to user accounts.
SOLUTIONS:  Either disable tftp if possible or limit the access of tftp if
            this utility is required. Assure that there are no easily guessed
            passwords on your systems.
________________________________________________________________________

                 Critical Facts about the Automated tftp Probes

CIAC has learned of a series of Internet-based probes involving the tftp
(trivial file transfer protocol) facility available on many UNIX platforms.
An unpatched vulnerability in this facility can be used to obtain a copy of the
/etc/passwd and /etc/rc files of remote systems (see the CIAC bulletin of June
22, 1989). If successful, these probes fetch the /etc/passwd file (and
potentially the /etc/rc file) from victim systems to crack passwords, resulting
in unauthorized access to systems. A large number of these attacks have been
reported to CIAC, since an automated probe program is generating them. Thus, it
is possible for many systems at a site to be probed in a short time.

If your system is connected to the Internet, you should assure that the tftp
service is disabled on systems that do not require this functionality.
(Typically, tftp is useful mainly for boot servers of diskless machines at
boot-up.) To disable tftp service, comment out the tftp entry in the
/etc/inetd.conf file (or the similar configuration file used by your UNIX
operating system) by pre-pending a pound sign "#" to the line beginning
"tftp...". Consult your operating system documentation concerning tftpd for
additional details on disabling this service.

If it is necessary for your system to support tftp, you should restrict tftp
to a secure home directory. On many systems this is done automatically when the
tftp daemon is invoked. For example, the tftp -s option within SunOS 4.X is
used to ensure that a change to the home directory is successful, and will also
change its root directory to the home directory (chroot) to limit access to the
remainder of the file system.

In order to detect this form of attack, we recommend that you use a monitoring
package that will log tftp and other service requests. The type of package
appropriate to your site will depend on your specific network architecture.

If you suspect your system has been probed (with unrestricted tftp), you should
check your password file with a password guessing utility such as the Security
Profile Inspector (SPI--available only to DOE sites), CRACK or COPS packages.
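The two mitigations and the detection advice above can be expressed as a small audit tool. The following added example (not CIAC's code) comments the tftp entry out of an inetd.conf, or adds the "-s <home>" restriction where tftp must stay, and flags requests for /etc/passwd, /etc/rc or any path outside the tftp home in monitoring logs; the inetd.conf and the log format are constructed assumptions, not a particular package's format.

```python
"""Hardening and detection for the tftp probes described in bulletin B-44.

Added example, not CIAC's code. harden_inetd_conf() applies the bulletin's
two options to an /etc/inetd.conf: comment the tftp line out, or, where tftp
is required, make sure the daemon is started with "-s <home>" so it chroots
to its home directory (the SunOS 4.x in.tftpd option the bulletin cites).
find_tftp_probes() and probe_sources() run over monitoring-package log
lines; the log format is an assumption and the lines below are constructed.
"""
import re

SENSITIVE_FILES = ("/etc/passwd", "/etc/rc")  # what the probes fetch

# Assumed log format: "<Mon dd hh:mm:ss> <host> tftpd[pid]: RRQ from <ip> filename <path>"
LOG_RE = re.compile(
    r"^(?P<ts>\w{3} +\d+ [\d:]+) (?P<host>\S+) tftpd\[\d+\]: "
    r"RRQ from (?P<src>\S+) filename (?P<path>\S+)"
)


def harden_inetd_conf(text: str, allow_tftp: bool = False,
                      tftp_home: str = "/tftpboot") -> str:
    """Return inetd.conf text with tftp disabled, or restricted to tftp_home.

    inetd.conf fields: service socket proto wait user server-program args...
    Lines already commented out start with "#" and are left alone.
    """
    out = []
    for line in text.splitlines():
        fields = line.split()
        if fields and fields[0] == "tftp":          # active tftp entry
            if not allow_tftp:
                line = "#" + line                     # comment it out
            elif "-s" not in fields[6:]:              # args start after the program
                line = f"{line} -s {tftp_home}"       # chroot to the tftp home
        out.append(line)
    return "\n".join(out) + "\n"


def find_tftp_probes(log_lines, tftp_home: str = "/tftpboot") -> list:
    """Return (source, host, path) for read requests that look like probes.

    A probe is a request for a file the bulletin names, or for any path
    outside the tftp home directory.
    """
    home = tftp_home.rstrip("/") + "/"
    hits = []
    for line in log_lines:
        m = LOG_RE.match(line)
        if not m:
            continue
        path = m["path"]
        if path in SENSITIVE_FILES or not path.startswith(home):
            hits.append((m["src"], m["host"], path))
    return hits


def probe_sources(hits, min_targets: int = 2) -> dict:
    """Sources that probed several hosts: the automated-sweep pattern.

    Maps source address -> sorted list of probed hosts.
    """
    targets = {}
    for src, host, _path in hits:
        targets.setdefault(src, set()).add(host)
    return {src: sorted(hosts) for src, hosts in targets.items()
            if len(hosts) >= min_targets}


# Constructed samples (not real configuration or captured logs).
SAMPLE_INETD_CONF = """ftp stream tcp nowait root /usr/etc/in.ftpd in.ftpd
tftp dgram udp wait root /usr/etc/in.tftpd in.tftpd
"""

SAMPLE_LOG = [
    "Sep 27 14:02:11 alpha tftpd[211]: RRQ from 192.0.2.10 filename /etc/passwd",
    "Sep 27 14:02:13 beta tftpd[340]: RRQ from 192.0.2.10 filename /etc/rc",
    "Sep 27 14:05:00 alpha tftpd[215]: RRQ from 198.51.100.7 filename /tftpboot/boot.sun4c",
    "Sep 27 14:06:30 gamma tftpd[118]: RRQ from 192.0.2.10 filename /etc/passwd",
]

if __name__ == "__main__":
    print(harden_inetd_conf(SAMPLE_INETD_CONF))
    print(harden_inetd_conf(SAMPLE_INETD_CONF, allow_tftp=True))
    hits = find_tftp_probes(SAMPLE_LOG)
    print(hits)
    print(probe_sources(hits))
```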
We also recommend that you require a change of passwords on the root and user
accounts.

If you are an employee or contractor at a DOE site, you may have been contacted
about these probes by other agencies' response teams. We request that any
replies to these contacts be made directly to CIAC instead of other agencies'
teams so that we can coordinate responding both within the DOE community and
with other agencies' response teams.

For additional information or assistance (including assistance on installing a
monitoring package), please contact CIAC:

   David S. Brown                         Tom Longstaff
   (510) 423-9878**/(FTS) 543-9878   Or   (510) 423-4416**/(FTS) 543-4416
   dsbrown@llnl.gov                       longstaf@llnl.gov

Send e-mail to ciac@llnl.gov or call CIAC at (510) 422-8193**/(FTS) 532-8193.
FAX messages to: (510) 423-8002**/(FTS) 543-8002.

**Note area code has changed from 415

CIAC would like to thank Doug Mildran and Craig Leres for their assistance.
DARPA's Computer Emergency Response Team Coordination Center also provided some
of the information used in this bulletin.
_____________________________________________________
          The Computer Incident Advisory Capability
_____________________________________________________

                            Information Bulletin

September 30, 1991, 1700 PST                                       Number B-45

                              End of FY91 Update

During this fiscal year, CIAC team members have engaged in a number of
activities, including assisting sites in recovering from incidents and helping
sites prepare for future incidents by presenting the CIAC workshops. Our
involvement has led to a number of valuable lessons learned--things that can
improve your site's computer security as well as enhance the DOE community's
coordination and handling of incidents.

1. Internet Attacks and Probes.

Many DOE sites are now connected to the Internet and have all of the additional
functionality and risks associated with this connection. We have found that DOE
sites tend to be better protected against attacks originating from the Internet
than many other agencies and institutions connected to the Internet. Systems
designed to protect and partially isolate a site's network from Internet
attackers (known as firewall systems) have been installed at many sites. CIAC
has found that these sites have fewer network intrusions, and that those
attacks have been readily detected by these firewall systems. In addition,
security tools such as the Security Profile Inspector (SPI) and network
monitoring software have increased the ability of individual sites to rapidly
detect and analyze attacks coming from outside the site. This has resulted in
the ability to gather evidence and, in some cases, to assist investigative
agencies in criminal prosecution. Therefore, we recommend that Internet sites
institute a policy of network monitoring and consider restructuring the network
architecture to support the firewall concept.

CIAC has also drafted a set of guidelines to assist sites in the determination
of policy and procedure in preparation for and handling of computer security
incidents. These guidelines are structured as a short overview followed by
technical recommendations for the implementation of network monitoring,
security tools on individual systems, and firewall systems. While this document
is still in draft form, it is expected to be released to the DOE community
during the 1992 fiscal year.

We also have a sample user accountability statement that may be used to define
conditions of authorized and unauthorized use of computer systems for users of
these systems. The Department of Justice has urged us to advise sites of the
increasing legal necessity of having users sign statements of accountability.
To obtain this user accountability statement, please contact CIAC.

2. Vulnerabilities.

During the past 12 months, CIAC has placed an increased emphasis on analyzing
and patching vulnerabilities. CIAC worked with the appropriate software or
hardware vendors to assure that these problems were closed in a short time
throughout the community. CIAC has assisted vendors and sites in the timely
distribution of security patches and work-around solutions as a liaison between
the vendors and the sites. As an aid to people at your site in locating and
eliminating security bugs, we have prepared a detailed summary of patches and
workarounds described in all unclassified CIAC information bulletins and
advisory notices to date. If you are a DOE site or contractor, contact CIAC for
this information.

3. Viruses.

During the past year, viruses on MS-DOS and Macintosh computers continued to
infect a small but significant number of systems throughout DOE. In the MS-DOS
arena, the Jerusalem-B, Cascade, and Disk-Killer viruses continued to be most
prevalent. Of these viruses, Disk Killer and Jerusalem-B were most likely to
cause damage to systems. During this last fiscal year, the Stoned-2, Horse, and
Horse-2 viruses emerged as new threats. In the Macintosh arena, WDEF and nVIR
continued to be the major source of threat, but with the advent of Macintosh
System 7, the WDEF threat has been reduced since this virus will not run on
this version of the operating system. Networked file systems and demonstration
software continue to be the main source of these virus infections, and we
continued to receive reports of infected vendor software (see CIAC bulletin
B-40). CIAC Bulletin B-16 provided an updated list of viruses and their
symptoms (updated from information provided in A-15).

CIAC assisted DOE in evaluating an anti-viral product to be purchased and
licensed throughout DOE. This product, "Data Physician Plus," is very effective
in finding and eradicating viruses on MS-DOS platforms. For the Macintosh,
Disinfectant (the latest version is 2.5.2) continues to be a good anti-viral
freeware package. Contact CIAC for assistance in obtaining anti-virus packages.
Note that information about the current virus threat and anti-viral software
may be obtained from the CIAC anonymous FTP server irbis.llnl.gov (ip address
128.115.19.60) by sites connected to the Internet.

4. Getting Information to CIAC.

One of the major difficulties facing CIAC over the past year has been obtaining
information from sites currently involved in a multi-site Internet or virus
attack. Some system and network managers are not allowed to contact CIAC when
such incidents occur, and this has prevented effective coordination of the
tracing and prevention of these attacks across the DOE computing community.
Other network and system managers have sometimes contacted other agencies'
response teams instead of CIAC. This results not only in the spread of
information about DOE security incidents outside of our own community, but
also deprives CIAC of the information it needs to assist and alert you! Please
keep CIAC aware of major computer security developments at your site.

5. Training and Awareness.

During the past fiscal year, CIAC has expanded its training and awareness
capability in several ways. In addition to the two-day workshop on incident
handling, there are now workshops of varying length designed to educate and
inform administrative managers on the problems of computer security and the
handling of these problems. There is also an Internet version of the workshop
designed to provide technical information on incident handling to those sites
connected to the Internet. All of these workshops can be tailored according to
time and expertise constraints, and have been very well received at sites
throughout the community during the past 12 months. To bring these workshops to
your site, please contact CIAC.

As a parenthetical note, please be advised that the identification number for
CIAC bulletins issued on or after October 1, 1991 will begin with "C." Thus,
the first bulletin will be C-1, the second will be C-2, etc.

For additional information, please contact CIAC or any of the team members
listed below. Please note that on Sept. 1, 1991 the area code for CIAC changed
from 415 to 510. There has been some difficulty in reaching CIAC using the new
510 area code. If you cannot reach CIAC through this area code, you may
substitute 415 until February, 1992, at which time the 415 area code will
become invalid.

The CIAC Team:

   Gene Schultz, Project Leader          Karyn Pichnarczyk
   (510) 422-7781/(FTS) 532-7781         (510) 422-1779/(FTS) 532-1779
   gschultz@cheetah.llnl.gov             karyn@cheetah.llnl.gov

   Tom Longstaff                         Hal Brand
   (510) 423-4416/(FTS) 543-4416         (510) 422-0039/(FTS) 532-0039
   longstaf@llnl.gov                     brand@cheetah.llnl.gov

   David Brown                           Bill Orvis
   (510) 423-9878/(FTS) 543-9878         (510) 422-8649/(FTS) 532-8649
   dsbrown@llnl.gov                      orvis@icdc.llnl.gov

   Ken Pon
   (510) 422-1783/(FTS) 532-1783
   pon@cheetah.llnl.gov

Send e-mail to ciac@llnl.gov or call CIAC at (510) 422-8193/(FTS) 532-8193.
FAX messages to: (510) 423-8002/(FTS) 543-8002.

Previous CIAC bulletins and other information are available via anonymous FTP
on the Internet from the system irbis.llnl.gov (ip address 128.115.19.60).