-----BEGIN PGP SIGNED MESSAGE-----

=============================================================================
CERT(sm) Advisory CA-96.18
Original issue date: August 14, 1996
Last revised: August 30, 1996
              Information previously in the README was inserted
              into the advisory.

              A complete revision history is at the end of this file.

Topic: Vulnerability in fm_fls
-----------------------------------------------------------------------------

The CERT Coordination Center has received reports of a configuration problem
in the floating license server for Adobe FrameMaker (fm_fls) that enables
non-privileged users to make any file world-readable and world-writable.
Exploitation scripts are publicly available.

Any system that includes a setuid version of fm_fls is vulnerable.
Adobe Systems reports that the following Adobe products use fm_fls:

Frame Products, version 4
    FrameMaker
    FrameViewer
    FrameBuilder

Frame Products, version 5
    FrameMaker
    FrameMaker+SGML

The CERT/CC team recommends installing a patch from your vendor. Until you
can obtain a patch, we urge you to remove the setuid bit from all instances
of fm_fls.

We will update this advisory as we receive additional information.
Please check advisory files regularly for updates that relate to your site.
-----------------------------------------------------------------------------

I. Description

FrameMaker is a commercial text-processing software package
available from Adobe Systems, Inc. It is also available from other
vendors as part of their product line offering.

When FrameMaker versions 4.X or 5.X are installed, the installation
script provided with FrameMaker installs a file named fm_fls that is
setuid to the installing user, typically root. fm_fls is usually
found in the FrameMaker installation tree; consult your documentation
for the precise location of fm_fls.

When fm_fls runs, it opens a log file, which by default is
/tmp/fm_fls.log. In normal operation, fm_fls writes logging information
about license usage to the named log file. However, when given invalid
arguments, fm_fls writes these arguments to the log file, changes the
owner of the log file to root (or whoever installed fm_fls), changes its
permissions to world-readable and world-writable, and then exits. Because
the chown and chmod are performed with fm_fls's setuid privileges on
whatever path was named as the log file, a user who gives fm_fls invalid
arguments and names another file as the log file makes that file
world-readable and world-writable.

Adobe Systems reports that fm_fls is installed as setuid root because
it registers the license manager program with the program number
mapper, also known as portmap or rpcbind. On some platforms, only the
original user (in this case root) or the root user has permission to
remove a registration. fm_fls will attempt to remove a previous
registration when it is restarted. With fm_fls setuid root, restarting
fm_fls ensures that all changes made in the program number mapper are
successful because they are done by the same user.

The floating license servers shipped with and installed by FrameMaker
4.X and 5.X are vulnerable. Similarly, any other system that includes
a setuid version of fm_fls is vulnerable. Exploitation scripts are
publicly available.

II. Impact

Anyone with access to an account on an unpatched system can make
arbitrary files world-writable and world-readable; this can lead to
gaining root access.

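A check for the footprint this leaves, added here as an example and not part of the CERT advisory: the function below lists regular files that are world-writable yet owned by the account you name, which is exactly the state fm_fls leaves a targeted file in. The owner name and the directories in the comments are assumptions for the example, and the search is confined to the file systems you name in the same way the advisory's own find command is.

```sh
#!/bin/sh
# Added example, not part of the CERT advisory: look for the footprint of
# the fm_fls abuse described above, regular files that are world-writable
# yet owned by a privileged account. A healthy system has almost none of
# these under /etc, /usr, /var or /bin, so every hit deserves a look.
#
# Usage: audit_world_writable OWNER DIR...
#        e.g. audit_world_writable root /etc /usr /var
# Prints one path per offending file, nothing when the tree is clean.

audit_world_writable() {
    owner=$1
    shift
    # -xdev keeps each search on its own local file system, as the
    # advisory's own find command does; -perm -0002 means "others may
    # write", the bit fm_fls sets on whatever it was told to log to.
    find "$@" -xdev -type f -user "$owner" -perm -0002 -print 2>/dev/null
}

# Exit-status form for cron or a post-patch check: 0 when nothing was
# found, 1 otherwise.
audit_world_writable_status() {
    if [ -n "$(audit_world_writable "$@")" ]; then
        return 1
    fi
    return 0
}

# When run directly with an owner and at least one directory, do the
# audit; with no arguments only the functions are defined, so the file
# can be sourced.
if [ $# -ge 2 ]; then
    audit_world_writable "$@"
fi
```

Run it as root across the local file systems after applying either fix; a file such as a configuration file under /etc showing up here means the hole was already used, and the system should be treated as compromised.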
III. Solution

A. Obtain and install a vendor patch when it becomes available.

In the meantime, remove the setuid bit from all instances of fm_fls.
To determine whether a system is vulnerable and to disable the programs
that are believed to be vulnerable, use the find command we provide below
or a variant. Consult your local system documentation to determine how to
tailor the find command on your system.

You will need to run the find command on each system you maintain
because the command examines files on the local disk only. Substitute
the names of your local file systems for FILE_SYSTEM_NAMES in the
example. Example local file system names are /, /usr, and /var. The
-xdev option keeps find from descending into other file systems mounted
below the ones you name, so remote file systems are skipped unless you
name them explicitly.

To find all instances of fm_fls and then remove the setuid bit from
them, do the following as root. Note that this is one long command,
though we have split it onto two lines using a backslash.

    find FILE_SYSTEM_NAMES -xdev -type f -name fm_fls -perm -04000 \
        -print -ok chmod u-s '{}' \;

This command will find all files on a system that are
- only in the file systems you name (FILE_SYSTEM_NAMES -xdev)
- regular files (-type f)
- named fm_fls (-name fm_fls)
- setuid (-perm -04000)

Once found, those files will
- have their names printed (-print)
- have the setuid mode removed, but only if you type `y'
  in response to the prompt (-ok chmod u-s '{}' \;)

With the setuid root bit removed, fm_fls must then be started each
time by the same user. That user should be root so that the previous
registration can be successfully removed no matter what platform
fm_fls is running on.

In addition, the log file, license.log, should be stored in a
non-public directory; specify this new location with the -log command
line argument. Consult the documentation that comes with FrameMaker
versions 4.X and 5.X to learn how to do this on your system.

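The whole of III.A as a reusable script, added here as an example rather than taken from the advisory or from Adobe: it wraps the find command above in functions that locate and strip setuid copies of fm_fls on the file systems you name, and adds a check that the directory chosen for the -log file is neither group- nor world-writable. The directory-mode test and the /var/log/frame path in the comments are assumptions of the example, not something the advisory prescribes.

```sh
#!/bin/sh
# Added example, not the advisory's own script: Section III.A as three
# functions a site can run from cron or an rc script.
#
#   find_setuid NAME DIR...     list setuid regular files named NAME
#   strip_setuid NAME DIR...    same search, then chmod u-s every hit
#   log_dir_is_private DIR      0 if DIR is a real directory that is
#                               neither group- nor world-writable, else 1
#
# The search stays on the file systems you name (-xdev), exactly as the
# advisory's find command does; you still have to list them yourself.

find_setuid() {
    name=$1
    shift
    find "$@" -xdev -type f -name "$name" -perm -04000 -print 2>/dev/null
}

strip_setuid() {
    name=$1
    shift
    # -exec ... {} + is the non-interactive counterpart of the advisory's
    # -ok; keep -ok if you want a y/n prompt for each file.
    find "$@" -xdev -type f -name "$name" -perm -04000 -print \
        -exec chmod u-s '{}' +
}

log_dir_is_private() {
    dir=$1
    # Refuse symlinks: a link could quietly redirect the log into /tmp again.
    [ -L "$dir" ] && return 1
    [ -d "$dir" ] || return 1
    # Any group or other write bit lets untrusted users swap the log for a
    # link to a file of their choosing. POSIX find has no "any of these
    # bits" test, so the two bits are checked separately.
    if [ -n "$(find "$dir" -prune \( -perm -0020 -o -perm -0002 \) -print)" ]; then
        return 1
    fi
    return 0
}

# Typical use as root while no patch is available (paths are examples):
#   strip_setuid fm_fls / /usr /var
#   log_dir_is_private /var/log/frame || echo "fix /var/log/frame first"
```

strip_setuid only touches files that are both named fm_fls and currently setuid, so it is safe to rerun after a reinstall; log_dir_is_private is the test to apply to whatever directory you pass to -log, since the default /tmp is world-writable and fails it.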
B. Another possible solution is to create a new user ID and group, say UID
frame and GID frame, with no one in group frame except UID frame,
and make fm_fls mode 4110 (setuid, executable by owner and group only).
For example, on Solaris 2.4, 2.5, or 2.5.1:

    ---s--x---   1 frame    frame     145736 Aug 24  1995 /usr/local/frame5.0/bin/sunxm.s5.sparc/fm_fls

Since fm_fls then runs as frame rather than root, the chown and chmod it
performs on the log file can only affect files that frame already owns,
and because only frame is in group frame, ordinary users cannot execute
the binary at all.

In this case the log file has to be created manually just once by root
(if you keep it permanently in /var/log instead of /tmp) and
chown'd/chgrp'd to frame/frame with mode 644 (though fm_fls resets
that to 666).

At boot time root runs the frame5.0/bin/fm_fls wrapper, which ends up
invoking the setuid-frame fm_fls binary. That could instead be done
using 'su - frame -c frame_startup_command...' as an extra precaution
if UID frame has a real shell. In that case you might as well remove
the setuid bit too.

This has been working for about a year.

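A boot-time wrapper for III.B, added as an example and not a script from Adobe, CERT or the contributor: it verifies the mode and ownership described above before starting fm_fls under su as the frame user. The account names, the /usr/local/frame5.0 path (taken from the ls listing above), the /var/log location for the log file and the rc-script name are assumptions; adjust them for your site.

```sh
#!/bin/sh
# Added example, not Adobe's or the advisory's script: a boot-time wrapper
# for Section III.B. It refuses to start fm_fls unless the binary is owned
# by the dedicated account, is exactly mode 4110 (setuid, executable by
# owner and group only), and the private log file already exists with the
# right owner; then it starts the server via su so it runs as the same
# unprivileged user every time. All paths and names below are assumptions
# for this example; adjust them for your site.
FRAME_USER=${FRAME_USER:-frame}
FRAME_GROUP=${FRAME_GROUP:-frame}
FRAME_HOME=${FRAME_HOME:-/usr/local/frame5.0}
FM_FLS=${FM_FLS:-$FRAME_HOME/bin/sunxm.s5.sparc/fm_fls}
LOGFILE=${LOGFILE:-/var/log/fm_fls.log}

# 0 when FILE is a regular file with exactly the octal MODE given; uses
# find -perm so it needs no GNU- or BSD-specific stat flags.
has_exact_mode() {
    [ -f "$1" ] && [ -n "$(find "$1" -prune -perm "$2" -print 2>/dev/null)" ]
}

# 0 when FILE is owned by USER and (if given) GROUP.
owned_by() {
    file=$1 user=$2 group=$3
    [ -n "$(find "$file" -prune -user "$user" -print 2>/dev/null)" ] || return 1
    [ -z "$group" ] || [ -n "$(find "$file" -prune -group "$group" -print 2>/dev/null)" ]
}

# Verify everything III.B relies on; report the first problem and fail.
check_frame_setup() {
    has_exact_mode "$FM_FLS" 4110 ||
        { echo "$FM_FLS is not mode 4110" >&2; return 1; }
    owned_by "$FM_FLS" "$FRAME_USER" "$FRAME_GROUP" ||
        { echo "$FM_FLS is not owned by $FRAME_USER:$FRAME_GROUP" >&2; return 1; }
    [ -f "$LOGFILE" ] ||
        { echo "$LOGFILE missing: create it once as root, chown to" \
               "$FRAME_USER:$FRAME_GROUP, mode 644" >&2; return 1; }
    owned_by "$LOGFILE" "$FRAME_USER" "$FRAME_GROUP" ||
        { echo "$LOGFILE is not owned by $FRAME_USER:$FRAME_GROUP" >&2; return 1; }
}

start_fm_fls() {
    check_frame_setup || return 1
    # su - gives the daemon frame's own login environment, not root's, and
    # needs frame to have a real shell, as the advisory notes. Started this
    # way the setuid bit is not even needed: the same unprivileged user
    # restarts it every time, which is all the portmap re-registration
    # requires. -log is the documented argument for the log location.
    su - "$FRAME_USER" -c "$FM_FLS -log $LOGFILE"
}

# Start only when run as the rc script; sourcing just defines the functions.
case $0 in
    */fm_fls.rc) start_fm_fls ;;
esac
```

Install it as /etc/init.d/fm_fls.rc (or wherever your platform keeps startup scripts) and the checks run on every boot, so a reinstall that silently restores a setuid-root fm_fls is caught before the server comes up rather than after.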
..............................................................................
Appendix A

The following is vendor-supplied information.
For the most up-to-date information, contact your vendor.

BSDI
    Does not ship Frame with BSD/OS.

Digital Equipment Corporation
    Does not distribute this product with its operating
    systems.

Open Software Foundation (OSF)
    Does not support the software with this problem.

Sun Microsystems, Inc.
    Does not ship FrameMaker.


---------------------------------------------------------------------------
The CERT Coordination Center staff thanks Adobe Systems for their support
in the development of this advisory.
---------------------------------------------------------------------------

If you believe that your system has been compromised, contact the CERT
Coordination Center or your representative in the Forum of Incident
Response and Security Teams (FIRST).

We strongly urge you to encrypt any sensitive information you send by email.
The CERT Coordination Center can support a shared DES key and PGP. Contact
the CERT staff for more information.

Location of CERT PGP key
    ftp://info.cert.org/pub/CERT_PGP.key

CERT Contact Information
------------------------
Email    cert@cert.org

Phone    +1 412-268-7090 (24-hour hotline)
         CERT personnel answer 8:30-5:00 p.m. EST
         (GMT-5)/EDT(GMT-4), and are on call for
         emergencies during other hours.

Fax      +1 412-268-6989

Postal address
         CERT Coordination Center
         Software Engineering Institute
         Carnegie Mellon University
         Pittsburgh PA 15213-3890
         USA

CERT publications, information about FIRST representatives, and other
security-related information are available for anonymous FTP from
    http://www.cert.org/
    ftp://info.cert.org/pub/

CERT advisories and bulletins are also posted on the USENET newsgroup
    comp.security.announce

To be added to our mailing list for CERT advisories and bulletins, send your
email address to
    cert-advisory-request@cert.org


Copyright 1996 Carnegie Mellon University
This material may be reproduced and distributed without permission provided
it is used for noncommercial purposes and the copyright statement is
included.

CERT is a service mark of Carnegie Mellon University.

This file: ftp://info.cert.org/pub/cert_advisories/CA-96.18.fm_fls
           http://www.cert.org
           click on "CERT Advisories"


~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
Revision history

Aug. 30, 1996  Information previously in the README was inserted into the
               advisory.
Aug. 21, 1996  Added Section III.B (provides another possible solution).
Aug. 15, 1996  Added Appendix A - vendor information.



-----BEGIN PGP SIGNATURE-----
Version: 2.6.2

iQCVAwUBMiTF33VP+x0t4w7BAQHPmgP/RLeosEzy5WdXSW8AAGqWdHmzcXEmloct
UCuHD58DjMeUkVvgqzQBncRjuBAbcrvR/VwBek1/uuE0D/o+zLjOiceAIs9/S+1b
3WWddYi3Zh/snSODn2kH+SzAnA/CqKWRHmTlUCiTh0hmixAe5oOyHVPmJCyJPVNJ
hJI0VPJGVwE=
=sb6e
-----END PGP SIGNATURE-----