Title: | DIGITAL UNIX (FORMERLY KNOWN AS DEC OSF/1) |
Notice: | Welcome to the Digital UNIX Conference |
Moderator: | SMURF::DENHAM |
Created: | Thu Mar 16 1995 |
Last Modified: | Fri Jun 06 1997 |
Last Successful Update: | Fri Jun 06 1997 |
Number of topics: | 10068 |
Total number of notes: | 35879 |
Hi
Customer has got information about a new patch (CA-97.06) for "rlogin" from
CERT.
He needs this patch for Digital Unix V3.2C and V3.2G.
Here is the description of the CERT Advisory 97.06 :
CERT(sm) Advisory CA-97.06
Original issue date: February 6, 1997
Last revised: --
Topic: Vulnerability in rlogin/term
-----------------------------------------------------------------------------
The CERT Coordination Center has received reports of a vulnerability in many
implementations of the rlogin program, including eklogin and klogin. By
exploiting this vulnerability, users with access to an account on the system
can cause a buffer overflow and execute arbitrary programs as root.
The CERT/CC staff recommends installing a vendor patch for this problem
(Sec. III.A). Until you can do so, we urge you to turn off rlogin or replace
it with a wrapper (see Sec. III.B.2).
We will update this advisory as we receive additional information.
Please check advisory files regularly for updates that relate to your site.
-----------------------------------------------------------------------------
I. Description
The rlogin program provided by many UNIX systems, as well as some
non-UNIX systems, is described in RFC 1282. Here is an excerpt from that
RFC that describes its elemental functionality:
"The rlogin facility provides a remote-echoed, locally flow-
controlled virtual terminal with proper flushing of output.
It is widely used between Unix hosts because it provides
transport of more of the Unix terminal environment semantics
than does the Telnet protocol, and because on many Unix hosts
it can be configured not to require user entry of passwords
when connections originate from trusted hosts."
The key point from this description is that the rlogin program passes
the terminal type description from the local host to the remote host.
This functionality allows terminal-aware programs such as full-screen
text editors to operate properly across a computer-to-computer
connection created with rlogin.
To do this, the rlogin program uses the current terminal definition as
identified by the TERM environment variable. The protocol described in
RFC 1282 explains how this terminal information is transferred from the
local machine where the rlogin client program is running to the remote
machine where service is sought.
Unfortunately, many implementations of the rlogin program contain a
defect whereby the value of the TERM environment variable is copied to
an internal buffer without due care. The buffer holding the copied value
of TERM can be overflowed. In some implementations, the buffer is a local
variable, meaning that the subroutine call stack can be overwritten and
arbitrary code executed. The executed code is under the control of the
user running the rlogin program.
In addition, the rlogin program is set-user-id root. rlogin requires
these increased privileges so it can allocate a port in the required
range, as described in the in.rlogind (or rlogind) manual page:
"The server checks the client's source port. If the port is not
in the range 0-1023, the server aborts the connection."
In summary, rlogin is a set-user-id root program that in many
implementations contains a programming defect whereby an internal buffer
can be overflowed and arbitrary code can be executed as root.
II. Impact
Users can become root if they have access to an account on the system.
III. Solution
Install a patch from your vendor if one is available (Section A).
Until you can take one of those actions, we recommend applying the
workaround described in Section B.
A. Obtain and install a patch for this problem.
Below is a list of vendors who have provided information about
rlogin. Details are in Appendix A of this advisory; we will update
the appendix as we receive more information. If your vendor's name is
not on this list, the CERT/CC did not hear from that vendor. Please
contact your vendor directly.
Berkeley Software Design, Inc. (BSDI)
Cray Research - A Silicon Graphics Company
Digital Equipment Corporation
FreeBSD, Inc.
Hewlett-Packard Corporation
IBM Corporation
Linux Systems
NEC Corporation
NeXT Software, Inc.
The Open Group
The Santa Cruz Operation (SCO)
Digital Equipment Corporation
=============================
At the time of writing this document, patches(binary kits) are
available from your normal Digital Support Channel.
rlogin patches are available for:
DIGITAL UNIX V3.2c, V3.2de1/de2, V3.2g, V3.2g, V4.0, V4.0a, V4.0b.
DIGITAL ULTRIX V4.4 VAX & MIPS, V4.5 VAX and MIPS
DIGITAL EQUIPMENT CORPORATION
-----------------------------
Does anybody know if this patch is available and, if so, where I can find it?
thanks in advance
/Walter
[Posted by WWW Notes gateway]
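The defect the advisory describes in Section I (the TERM value copied into a fixed-size local buffer with no length check) and the bounded, validated copy a fix would use, shown side by side as an added C example. This is not code from this note, from CERT, or from any Digital UNIX rlogin; the buffer size TERM_BUF_LEN, the function names and the sample values are assumptions for illustration only.

```c
#include <ctype.h>
#include <stddef.h>
#include <stdio.h>
#include <string.h>

/* Buffer size chosen for the example; the advisory does not give the size
   the real implementations used, only that the buffer was fixed and local. */
#define TERM_BUF_LEN 64

/* Defect pattern from Section I: the copy is bounded by the SOURCE length,
   so a TERM value longer than the destination overruns the stack buffer.
   Kept here only for contrast with the checked version below. */
static void term_copy_unchecked(const char *term, char *buf)
{
    strcpy(buf, term);
}

/* Hardened form: the copy is bounded by the DESTINATION size, and values
   that would not fit, or that contain characters a terminal type name never
   has (spaces, control bytes), are rejected before anything is written.
   Returns 0 on success and -1 on rejection; on rejection buf is left empty. */
int term_copy_checked(const char *term, char *buf, size_t buflen)
{
    size_t i;

    if (buf == NULL || buflen == 0)
        return -1;
    buf[0] = '\0';
    if (term == NULL)
        return -1;

    for (i = 0; term[i] != '\0'; i++) {
        if (i + 1 >= buflen)          /* no room for this byte plus the NUL */
            return -1;
        if (!isprint((unsigned char)term[i]) || term[i] == ' ')
            return -1;
        buf[i] = term[i];
    }
    buf[i] = '\0';
    return 0;
}

/* Longest value the checked copy accepts into a TERM_BUF_LEN buffer. */
int term_max_len(void)
{
    return TERM_BUF_LEN - 1;
}

/* Returns 1 if the value would be accepted into a TERM_BUF_LEN buffer, else 0. */
int term_value_ok(const char *term)
{
    char tmp[TERM_BUF_LEN];
    return term_copy_checked(term, tmp, sizeof tmp) == 0;
}

int main(void)
{
    char buf[TERM_BUF_LEN];
    char oversized[TERM_BUF_LEN * 4];   /* constructed: far longer than the buffer */
    const char *normal = "vt100";        /* constructed: an ordinary terminal name */

    memset(oversized, 'A', sizeof oversized - 1);
    oversized[sizeof oversized - 1] = '\0';

    term_copy_unchecked(normal, buf);    /* safe only because the value is short */
    printf("unchecked copy of a short value: %s\n", buf);

    printf("checked copy of \"%s\": %d\n", normal,
           term_copy_checked(normal, buf, sizeof buf));
    printf("checked copy of a %zu-byte value: %d\n", strlen(oversized),
           term_copy_checked(oversized, buf, sizeof buf));
    return 0;
}
```

The unchecked function is never what a patch should ship; it is here so the difference is visible: the checked version decides how much to write from the destination size it is handed, and refuses the value instead of truncating it silently, so a caller cannot end up passing a mangled terminal name to the remote side.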
T.R | Title | User | Personal Name | Date | Lines |
8774.1 | | NETRIX::"[email protected]" | Ann Majeske | Wed Feb 12 1997 13:36 | 3 |
It says right in the CERT that the Digital UNIX patches are available
"from your normal Digital Support Channel".
[Posted by WWW Notes gateway]
8774.2 | the CERT advisory isn't quite correct | RHETT::MOORE | | Wed Feb 12 1997 14:10 | 9 |
Re .1 -- we in the "normal Digital Support Channel" would like to point
out that we have *not* been provided patches to 3.2f or 3.2g, or
any version of Ultrix, despite the CERT advisory's information to the
contrary. And the 3.2c patch entails installation of the 3.2c setld
patch kit; the patch is not available separately.
Martin Moore
Digital UNIX Support Group
Atlanta CSC
8774.3 | | BSS::BOREN | | Wed Feb 12 1997 20:03 | 4 |
see note 8745.*