home *** CD-ROM | disk | FTP | other *** search

---

/ Hacker's Arsenal - The Cutting Edge of Hacking / Hacker's Arsenal - The Cutting Edge of Hacking.iso / texts / linuxfaq.txt

< prev

next >

Wrap

Text File  |  2001-07-11  |  14KB  |  349 lines

---

1. Date: Tue, 29 Oct 1996 17:18:46 -0500
2. From: CERT Bulletin <cert-advisory@cert.org>
3. To: cert-advisory@cert.org
4. Subject: CERT Vendor-Initiated Bulletin VB-96.17 - Linux Security FAQ Update
5. ============================================================================
6. CERT(sm) Vendor-Initiated Bulletin VB-96.17
7. October 29, 1996
8.  
9. Topic: Linux Security FAQ Update  
10. Source: Alexander O. Yuriev
11.  
12. To aid in the wide distribution of essential security information, the CERT
13. Coordination Center is forwarding the following information from Alexander
14. Yuriev. He urges you to act on this information as soon as possible. His
15. contact information is included in the forwarded text below; please contact
16. him if you have any questions or need further information.
17.  
18. ==============FORWARDED TEXT STARTS HERE===============
19.  
20. - -----BEGIN PGP SIGNED MESSAGE-----
21.  
22. $Id: mount-umount,v 1.5 1996/10/24 21:17:29 alex Exp $
23.  
24. Linux Security FAQ Update
25. mount/umount Vulnerability v1.5
26. Thu Oct 24 17:15:10 EDT 1996
27. Copyright (C) 1995,1996 Alexander O. Yuriev (alex@bach.cis.temple.edu)
28. CIS Laboratories
29. TEMPLE  UNIVERSITY
30. U.S.A.
31. ===========================================================================
32. LOG ( This section is maintained by Revision Control System )
33.  
34. $Log: mount-umount,v $
35. Revision 1.5  1996/10/24 21:17:29  alex
36. Tarsier's URL fixed
37.  
38. Revision 1.4  1996/10/24 00:32:42  alex
39. Red Hat URLs updated per CERT's request
40.  
41.  
42. ABSTRACT
43.  
44.  
45.         This update fixes several URLs of the Linux Security FAQ Update#13
46.         "mount/umount vulnerability" dated Tue Sep Wed Oct 23 20:09:59 EDT
47.         1996. There are no major updates to the text of the document.
48.  
49.         A vulnerability exists in the mount/umount programs of the
50.         util-linux 2.5 package. If installed suid-to-root, these programs
51.         allow local users to gain super-user privileges.
52.  
53. RISK ASSESSMENT
54.  
55.         Local users can gain root privileges. The exploits that exercise
56.         this vulnerability were made available.
57.  
58. VULNERABILITY ANALYSIS
59.  
60.         mount/umount utilities from the util-linux 2.5 suffer from the
61.         buffer overrun problem. Installing mount/umount as suid-to-root
62.         programs is necessary to allow local users to mount and unmount
63.         removable media without having super-user privileges. If this
64.         feature is not required, it is recommended that suid bit is removed
65.         from both mount and umount programs. If this feature is required,
66.         one might want to consider the other ways of implementing it. Such
67.         approaches include but are not limited to using auto-mounter or sudo
68.         mechanism.
69.  
70. DISTRIBUTION FIXES
71.  
72.                 Red Hat Commercial Linux
73.  
74.                         RedHat 2.1, RedHat 3.0.3 (Picasso) and RedHat 3.0.4
75.                         (Rembrandt) contain vulnerable umount utilities.
76.  
77.                         Red Hat Software advises users of Red Hat 2.1 to
78.                         upgrade to Red Hat 3.0.3 (Picasso)
79.  
80.                         The replacement RPMs are available from the
81.                         following URLs:
82.  
83.                         Red Hat Linux 3.0.3 (Picasso) i386 architecture
84.  
85. 
    ftp://ftp.redhat.com/pub/redhat/old-releases/redhat-3.0.3/i386/updates/RPMS/util-linux-2.5-
    
86. 11fix.i386.rpm
87. 
    ftp://ftp.redhat.com/pub/redhat/old-releases/redhat-3.0.3/i386/updates/RPMS/mount-2.5k-1.i3
    
88. 86.rpm
89.  
90. 
    ftp://bach.cis.temple.edu/pub/Linux/Security/DISTRIBUTION-FIXES/RedHat/util-linux-2.5-11fix
    
91. .i386.rpm
92. 
    ftp://bach.cis.temple.edu/pub/Linux/Security/DISTRIBUTION-FIXES/RedHat/mount-2.5k-1.i386.rp
    
93. m
94.  
95. 
    ftp://tarsier.cv.nrao.edu/pub/linux/security/DISTRIBUTION-FIXES/RedHat/util-linux-2.5-11fix
    
96. .i386.rpm
97. 
    ftp://tarsier.cv.nrao.edu/pub/linux/security/DISTRIBUTION-FIXES/RedHat/mount-2.5k-1.i386.rp
    
98. m
99.  
100.                         RedHat Linux 3.0.3 (Picasso) Alpha architecture
101.  
102. 
     ftp://ftp.redhat.com/pub/redhat/old-releases/redhat-3.0.3/axp/updates/RPMS/util-linux-2.5-1
     
103. 1fix.axp.rpm
104. 
     ftp://ftp.redhat.com/pub/redhat/old-releases/redhat-3.0.3/axp/updates/RPMS/mount-2.5k-1.axp
     
105. .rpm
106.  
107. 
     ftp://bach.cis.temple.edu/pub/Linux/Security/DISTRIBUTION-FIXES/RedHat/util-linux-2.5-11fix
     
108. .axp.rpm
109. 
     ftp://bach.cis.temple.edu/pub/Linux/Security/DISTRIBUTION-FIXES/RedHat/mount-2.5k-1.axp.rpm
     
110.  
111. 
     ftp://tarsier.cv.nrao.edu/pub/linux/security/DISTRIBUTION-FIXES/RedHat/util-linux-2.5-11fix
     
112. .axp.rpm
113. 
     ftp://tarsier.cv.nrao.edu/pub/linux/security/DISTRIBUTION-FIXES/RedHat/mount-2.5k-1.axp.rpm
     
114.  
115.                         RedHat Linux 3.0.4 Beta (Rembrandt) i386 architecture 
116.  
117. 
     ftp://bach.cis.temple.edu/pub/Linux/Security/DISTRIBUTION-FIXES/RedHat/mount-2.5k-2.i386.rp
     
118. m
119. 
     ftp://tarsier.cv.nrao.edu/pub/linux/security/DISTRIBUTION-FIXES/RedHat/mount-2.5k-2.i386.rp
     
120. m
121.  
122.                         RedHat Linux 3.0.4 Beta (Rembrandt) SPARC architecture 
123.  
124. 
     ftp://bach.cis.temple.edu/pub/Linux/Security/DISTRIBUTION-FIXES/RedHat/mount-2.5k-2.sparc.r
     
125. pm
126. 
     ftp://tarsier.cv.nrao.edu/pub/Linux/security/DISTRIBUTION-FIXES/RedHat/mount-2.5k-2.sparc.r
     
127. pm
128.  
129.                         Please verify the MD5 fingerprint of the RPMs
130.                         prior to installing them.
131.  
132. ad9b0628b6af9957d7b5eb720bbe632b  mount-2.5k-1.axp.rpm
133. 12cb19ec4b3060f8d1cedff77bda7c05  util-linux-2.5-11fix.axp.rpm
134.  
135. 26506a3c0066b8954d80deff152e0229  mount-2.5k-1.i386.rpm
136. f48c6bf901dd5d2c476657d6b75b12a5  util-linux-2.5-11fix.i386.rpm
137.  
138. 7337f8796318f3b13f2dccb4a8f10b1a  mount-2.5k-2.i386.rpm
139. e68ff642a7536f3be4da83eedc14dd76  mount-2.5k-2.sparc.rpm
140.  
141.                         The Red Hat Software Inc notes that the only
142.                         difference between mount-2.5k-1 and mount-2.5k-2 is
143.                         in the packaging format.
144.  
145.                         Please note that due to the release of Red Hat 4.0,
146.                         the FTP site of Red Hat Software removed fixes for
147.                         a beta release of Rembrandt.
148.  
149.                 Caldera Network Desktop 
150.  
151.                         Caldera Network Desktop version 1.0 contains
152.                         vulnerable mount and umount programs.
153.  
154.                         Caldera Inc issued Caldera Security Advisory 96.04
155.                         where it recommends removing setuid bit from
156.                         mount and umount commands using command
157.  
158.                                 chmod 755 /bin/mount /bin/umount.
159.  
160.                         Users of Caldera Network Desktop 1.0 upgraded to
161.                         RedHat 3.0.3 (Picasso) are advised to follow the
162.                         instructions in the Red Hat Commercial Linux section
163.                         of this LSF Update.
164.  
165.                 Debian
166.  
167.                         Debian/GNU Linux 1.1 contains the vulnerable
168.                         mount/umount programs. The Debian Project provided
169.                         the information that an updated package fixes this
170.                         problem.
171.  
172.                         The fix-kit can be obtained from the following URLs:
173.  
174. 
     ftp://ftp.debian.org/debian/stable/binary-i386/base/mount_2.5l-1.deb
     
175. 
     ftp://bach.cis.temple.edu/pub/Linux/Security/DISTRIBUTION-FIXES/Debian/mount_2.5l-1.deb
     
176. 
     ftp://tarsier.cv.nrao.edu/pub/linux/security/DISTRIBUTION-FIXES/Debian/mount_2.5l-1.deb
     
177.  
178.                         Please verify the MD5 signature of the RPM prior
179.                         to installing the fix-kit
180.  
181.                         6672530030f9a6c42451ace74c7510ca  mount_2.5l-1.deb
182.  
183.                         WARNING: The message that contained information
184.                         about MD5 hash of the mount_2.5l-1.deb package was
185.                         not signed. We were unable to verify the integrity
186.                         of the message.
187.  
188.                 Slackware
189.  
190.                         There is no official information available about
191.                         vulnerability of Slackware 3.0 or Slackware 3.1
192.                         distributions from distribution maintainer.
193.  
194.                         The testing indicates that both Slackware 3.0 and
195.                         Slackware 3.1 distributions contains the vulnerable
196.                         mount and umount programs.
197.  
198.                         Until the official fix-kit for Slackware 3.0 and 3.1
199.                         becomes available system administrators are advised
200.                         to follow the instructions in the Other Linux
201.                         Distributions section of this LSF Update
202.  
203.                 Yggdrasil
204.  
205.                         Yggdrasil Computing Inc neither confirmed not denied
206.                         vulnerability of Plug and Play Fall'95 Linux.
207.  
208.                         The testing indicates that Plug and Play Fall'95
209.                         Linux distribution contains the vulnerable mount
210.                         and umount program.
211.  
212.                         Until the official fix-kit for Yggdrasil Plug and
213.                         Play Linux becomes available system administrators
214.                         are advised to follow the instructions in the Other
215.                         Linux Distributions section of this LSF Update
216.  
217.                 Other Linux Distributions
218.  
219.                         It is believed at this moment that all Linux
220.                         distributions using util-linux version 2.5 or prior
221.                         to that contain the vulnerable mount and umount 
222.                         programs.
223.  
224.                         Administrators of systems based on distributions
225.                         not listed in this LSF Update or distributions that
226.                         do not have fix-kits available at the moment are
227.                         urged to contact their support centers requesting
228.                         the fix-kits to be made available to them. 
229.  
230.                         In order to prevent the vulnerability from being
231.                         exploited in the mean time, it is recommended that
232.                         the suid bit is removed from mount and umount
233.                         programs using command
234.  
235.                                 chmod u-s /bin/mount /bin/umount
236.  
237.                         Until the official fix-kits are available for those
238.                         systems, it is advised that system administrators
239.                         obtain the source code of fixed mount program used
240.                         in Debian/GNU Linux 1.1, compile it and replace the
241.                         vulnerable binaries.
242.  
243.                         The URLs for the source code of the Debian/GNU Linux
244.                         1.1 package which fixes the security problem of
245.                         mount utility can be obtained from the following
246.                         URLs:
247.  
248. 
     ftp://ftp.debian.org/debian/stable/source/base/mount_2.5l-1.tar.gz
     
249. 
     ftp://bach.cis.temple.edu/pub/Linux/Security/DISTRIBUTION-FIXES/OTHER/mount_2.5l-1.tar.gz
     
250. 
     ftp://tarsier.cv.nrao.edu/pub/linux/security/DISTRIBUTION-FIXES/OTHER/mount_2.5l-1.tar.gz
     
251.  
252.                         Warning: We did not receive MD5 hash of the 
253.                         mount_2.5l-1.tar.gz file.
254.  
255. CREDITS
256.  
257.         This LSF Update is based on the information originally posted to
258.         linux-alert. The information on the fix-kit for Red Hat commercial
259.         Linux was provided by Elliot Lee (sopwith@redhat.com) of Red Hat
260.         Software Inc,; for the Caldera Network Desktop by Ron Holt of
261.         Caldera Inc.; for Debian/GNU Linux 1.1 by Guy Maor
262.         (maor@ece.utexas.edu) 
263.  
264. - -----BEGIN PGP SIGNATURE-----
265. Version: 2.6.2
266.  
267. iQCVAwUBMm/dIIxFUz2t8+6VAQFAawP+PmYCYpOcX+bnG9Sh37Iq0mWHlPDaOzjB
268. dPAr6kcAuP60jHd9jIwYKiTiGsWrr5h7L8G8+CrD8BjHBF2RCwII9q/KlWukk96v
269. 3Mb0eJUoxf4xqDYXPqcsl54/xe8s3q0+JcKvQf2UKvHhEYshp+Z6oY2Eg3I7w85m
270. oPLjd/SidQE=
271. =CrbU
272. - -----END PGP SIGNATURE-----
273.  
274.  
275.  
276. ========================FORWARDED TEXT ENDS HERE=============================
277.  
278. If you believe that your system has been compromised, contact the CERT
279. Coordination Center or your representative in the Forum of Incident Response
280. and Security Teams (FIRST).  
281.  
282. We strongly urge you to encrypt any sensitive information you send by email.
283. The CERT Coordination Center can support a shared DES key and PGP. Contact 
284. the CERT staff for more information.
285.  
286. Location of CERT PGP key
287.          
     ftp://info.cert.org/pub/CERT_PGP.key
     
288.  
289.  
290. CERT Contact Information
291. - ------------------------
292. Email    cert@cert.org
293.  
294. Phone    +1 412-268-7090 (24-hour hotline)
295.                 CERT personnel answer 8:30-5:00 p.m. EST
296.                 (GMT-5)/EDT(GMT-4), and are on call for
297.                 emergencies during other hours.
298.  
299. Fax      +1 412-268-6989
300.  
301. Postal address
302.         CERT Coordination Center
303.         Software Engineering Institute
304.         Carnegie Mellon University
305.         Pittsburgh PA 15213-3890
306.         USA
307.  
308. CERT publications, information about FIRST representatives, and other
309. security-related information are available from
310.         
     http://www.cert.org/
     
311.         
     ftp://info.cert.org/pub/
     
312.  
313. CERT advisories and bulletins are also posted on the USENET newsgroup
314.         comp.security.announce
315.  
316. To be added to our mailing list for CERT advisories and bulletins, send your
317. email address to
318.         cert-advisory-request@cert.org
319.  
320.  
321. CERT is a service mark of Carnegie Mellon University.
322.  
323. This file: 
     ftp://info.cert.org/pub/cert_bulletins/VB-96.17.linux
     
324.  
325.  
326.  
327. -----BEGIN PGP SIGNATURE-----
328. Version: 2.6.2
329.  
330. iQCVAwUBMnZrHHVP+x0t4w7BAQGnFAP+OoWtOA9jBGQEeM8uVqrsBvckhUzIiZpb
331. hrz361KqeRdSNgqUg3UJLqIqJ+km3bdFPoB6zcelM8IU0xwc4tkUW9mCq+PVFcVR
332. tchJa5OR5Uvy9ZEQO00thFBO+2/OP220ld+iaDoT37Jl5qUnqncD0dxWqKoq/CC4
333. tZHLvfSefo4=
334. =d/UU
335. -----END PGP SIGNATURE-----
336.  
337. --------------------------------------------------------------------
338. This message is from the HappyHacker mailing list.  To unsubscribe,
339. send mail to majordomo@edm.net saying "unsubscribe happyhacker". The
340. HappyHacker page is at 
     http://www.feist.com/~tqdb/evis-unv.html
     . This
341. mailing list is provided by The EDM Network (
     http://www.edm.net/
     ) as
342. a public service and is not responsible for its content.
343. --------------------------------------------------------------------
344.  
345.  
346.  
347.  
348.  
349. ... texts ...