
Re: Email Hack: Help.



> Cert is great assuming that you do not mind hearing about
> possible exploits weeks or months *AFTER* it has been posted to
> most above and underground lists.

What do you mean?  Here is a CERT advisory that came out just days
after the July fourth discovery of this bug (in a theater near you):

[Sorry.  Couldn't help myself.]

=======================================
CERT(sm) Advisory CA-96.13
July 4, 1996

Topic: ID4 virus, Alien/OS Vulnerability

------------------------------------------------------------------------

The CERT Coordination Center has received reports of
weaknesses in Alien/OS that can allow species with
primitive information sciences technology to initiate
denial-of-service attacks against MotherShip(tm)
hosts.  One report of exploitation of this bug has been
received.

When attempting takeover of planets inhabited by such
races, a trojan horse attack is possible that permits
local access to the MotherShip host, enabling the
implantation of executable code with full root access
to mission-critical security features of the operating
system.

The vulnerability exists in versions of EvilAliens'
Alien/OS 34762.12.1 or later, and all versions of
Microsoft's Windows/95.  CERT advises against initiating
further planet takeover actions until patches are
available from these vendors.  If planet takeover is
absolutely necessary, CERT advises that affected sites
apply the workarounds as specified below.

As we receive additional information relating to this
advisory, we will place it in
ftp://info.cert.org/pub/cert_advisories/CA-96.13.README

We encourage you to check our README files regularly for
updates on advisories that relate to your site.

I.    Description

Alien/OS contains a security vulnerability, which
strangely enough can be exploited by a primitive race
running Windows/95.  Although Alien/OS has been
extensively field tested over millions of years by
EvilAliens, Inc., the bug was only recently discovered
during a routine invasion of a backwater planet.
EvilAliens notes that the operating system had never
before been tested against a race with "such a kick-ass
president."

The vulnerability allows the insertion of executable
code with root access to key security features of the
operating system.  In particular, such code can disable
the NiftyGreenShield (tm) subsystem, allowing child
processes to be terminated by unauthorized users.

Additionally, Alien/OS networking protocols can
provide a low-bandwidth covert timing channel to a
determined attacker.


II.   Impact

Non-privileged primitive users can cause the total
destruction of your entire invasion fleet and gain
unauthorized access to files.


III.  Solution

      EvilAliens has supplied a workaround and a patch, as
      follows:

      A. Workaround

         To prevent unauthorized insertion of executables,
         install a firewall to selectively vaporize
         incoming packets that do not contain valid
         aliens.  Also, disable the "Java" option in
         Netscape.

         To eliminate the covert timing channel, remove
         untrusted hosts from routing tables.  As tempting
         as it is, do not use target species' own
         satellites against them.

      B. Patch

         As root, install the "evil" package from the
         distribution tape.

         (Optionally) save a copy of the existing
         /usr/bin/sendmail and modify its permission to
         prevent misuse.


------------------------------------------------------------------------
The CERT Coordination Center thanks Jeff Goldblum and Fjkxdtssss for
providing information for this advisory.
------------------------------------------------------------------------

If you believe that your system has been compromised,
contact the CERT Coordination Center or your
representative in the Forum of Incident Response and
Security Teams (FIRST).

We strongly urge you to encrypt any sensitive information
you send by email.  The CERT Coordination Center can
support a shared DES key and PGP. Contact the CERT staff
for more information.

Location of CERT PGP key
         ftp://info.cert.org/pub/CERT_PGP.key

CERT Contact Information
------------------------
Email    cert@cert.org

Phone    +1 412-268-7090 (24-hour hotline)
                CERT personnel answer 8:30-5:00 p.m. EST
                (GMT-5)/EDT(GMT-4), and are on call for
                emergencies during other hours.

Fax      +1 412-268-6989

Postal address
        CERT Coordination Center
        Software Engineering Institute
        Carnegie Mellon University
        Pittsburgh PA 15213-3890
        USA

CERT publications, information about FIRST representatives, and other
security-related information are available for anonymous FTP from
        http://www.cert.org/
        ftp://info.cert.org/pub/

CERT advisories and bulletins are also posted on the USENET newsgroup
        comp.security.announce

To be added to our mailing list for CERT advisories and bulletins, send
your email address to
        cert-advisory-request@cert.org


Copyright 1996 Carnegie Mellon University
This material may be reproduced and distributed without permission
provided it is used for noncommercial purposes and the copyright
statement is included.

CERT is a service mark of Carnegie Mellon University.


Dave Burr
daveb@ufl.edu, http://grove.circa.ufl.edu/~daveb

--
Dave Dittrich                  Client Services, Computing & Communications
dittrich@cac.washington.edu    University of Washington


