From nickkral@cal.alumni.berkeley.edu  Tue Jul  9 02:51:33 1996
Received: from cal.alumni.berkeley.edu (nickkral@cal.Alumni.Berkeley.EDU [128.32.115.42]) by suburbia.net (8.7.4/Proff-950810) with ESMTP id CAA14289 for <best-of-security@suburbia.net>; Tue, 9 Jul 1996 02:51:20 +1000
Received: (from nickkral@localhost) by cal.alumni.berkeley.edu (8.7.1/8.7.1) id JAA27300; Mon, 8 Jul 1996 09:50:32 -0700
Date: Mon, 8 Jul 1996 09:50:32 -0700 (PDT)
From: Nick Kralevich <nickkral@cal.alumni.berkeley.edu>
To: best-of-security@suburbia.net
Subject: CERT Advisory CA-96.13 - Alien/OS Vulnerability 
Message-ID: <Pine.LNX.3.91.960708094920.27211D-100000@cal.alumni.berkeley.edu>
MIME-Version: 1.0
Content-Type: TEXT/PLAIN; charset=US-ASCII



 Newsgroups: comp.security.announce,rec.humor
 Message: <4rjri1$86s@helios.herts.ac.uk>
>=============================================================================
>CERT(sm) Advisory CA-96.13
>July 4, 1996
>
>Topic: ID4 virus, Alien/OS Vulnerability
>
>-----------------------------------------------------------------------------
>
>The CERT Coordination Center has received reports of weaknesses in
>Alien/OS that can allow species with primitive information sciences
>technology to initiate denial-of-service attacks against MotherShip(tm)
>hosts.  One report of exploitation of this bug has been received.
>
>When attempting takeover of planets inhabited by such races, a trojan
>horse attack is possible that permits local access to the MotherShip
>host, enabling the implantation of executable code with full root access
>to mission-critical security features of the operating system.
>
>The vulnerability exists in versions of EvilAliens' Alien/OS 34762.12.1
>or later, and all versions of Microsoft's Windows/95.  CERT advises
>against initiating further planet takeover actions until patches
>are available from these vendors.  If planet takeover is absolutely
>necessary, CERT advises that affected sites apply the workarounds as
>specified below.
>
>As we receive additional information relating to this advisory, we will
>place it in
>
>        ftp://info.cert.org/pub/cert_advisories/CA-96.13.README
>
>We encourage you to check our README files regularly for updates on
>advisories that relate to your site.
>
>-----------------------------------------------------------------------------
>
>I.    Description
>
>      Alien/OS contains a security vulnerability, which strangely enough
>      can be exploited by a primitive race running Windows/95.  Although
>      Alien/OS has been extensively field tested over millions of years by
>      EvilAliens, Inc., the bug was only recently discovered during a
>      routine invasion of a backwater planet.  EvilAliens notes that
>      the operating system had never before been tested against a race
>      with "such a kick-ass president."
>
>      The vulnerability allows the insertion of executable code with
>      root access to key security features of the operating system.  In
>      particular, such code can disable the NiftyGreenShield (tm)
>      subsystem, allowing child processes to be terminated by unauthorized
>      users.
>
>      Additionally, Alien/OS networking protocols can provide a
>      low-bandwidth covert timing channel to a determined attacker.
>
>
>II.   Impact
>
>      Non-privileged primitive users can cause the total destruction of
>      your entire invasion fleet and gain unauthorized access to
>      files.
>
>
>III.  Solution
>
>      EvilAliens has supplied a workaround and a patch, as follows:
>
>      A. Workaround
>
>         To prevent unauthorized insertion of executables, install a
>         firewall to selectively vaporize incoming packets that do not
>         contain valid aliens.  Also, disable the "Java" option in
>         Netscape.
>
>         To eliminate the covert timing channel, remove untrusted
>         hosts from routing tables.  As tempting as it is, do not use
>         target species' own satellites against them.
>
>
>      B. Patch
>
>         As root, install the "evil" package from the distribution tape.
>
>         (Optionally) save a copy of the existing /usr/bin/sendmail and
>         modify its permission to prevent misuse.
>
>
>---------------------------------------------------------------------------
>The CERT Coordination Center thanks Jeff Goldblum and Fjkxdtssss for
>providing information for this advisory.
>---------------------------------------------------------------------------
>
>If you believe that your system has been compromised, contact the CERT
>Coordination Center or your representative in the Forum of Incident
>Response and Security Teams (FIRST).
>
>We strongly urge you to encrypt any sensitive information you send by email.
>The CERT Coordination Center can support a shared DES key and PGP. Contact the
>CERT staff for more information.
>
>Location of CERT PGP key
>         ftp://info.cert.org/pub/CERT_PGP.key
>
>CERT Contact Information
>------------------------
>Email    cert@cert.org
>
>Phone    +1 412-268-7090 (24-hour hotline)
>                CERT personnel answer 8:30-5:00 p.m. EST
>                (GMT-5)/EDT(GMT-4), and are on call for
>                emergencies during other hours.
>
>Fax      +1 412-268-6989
>
>Postal address
>        CERT Coordination Center
>        Software Engineering Institute
>        Carnegie Mellon University
>        Pittsburgh PA 15213-3890
>        USA
>
>CERT publications, information about FIRST representatives, and other
>security-related information are available for anonymous FTP from
>        http://www.cert.org/
>        ftp://info.cert.org/pub/
>
>CERT advisories and bulletins are also posted on the USENET newsgroup
>        comp.security.announce
>
>To be added to our mailing list for CERT advisories and bulletins, send your
>email address to
>        cert-advisory-request@cert.org
>
>
>Copyright 1996 Carnegie Mellon University
>This material may be reproduced and distributed without permission provided it
>is used for noncommercial purposes and the copyright statement is included.
>
>CERT is a service mark of Carnegie Mellon University.


