[Search for users]
[Overall Top Noters]
[List of all Conferences]
[Download this site]
| Title: | DIGITAL UNIX�(FORMERLY KNOWN AS DEC OSF/1) |
| Notice: | Welcome to the Digital UNIX Conference |
| Moderator: | SMURF::DENHAM |
|
| Created: | Thu Mar 16 1995 |
| Last Modified: | Fri Jun 06 1997 |
| Last Successful Update: | Fri Jun 06 1997 |
| Number of topics: | 10068 |
| Total number of notes: | 35879 |
9890.0. "CERT* Advisory CA-97.11 Topic: Vulnerability in libXt... ETA for patch ?" by ANDICE::BRIDGES (MCS where the rubber meets the road) Tue May 20 1997 10:57
Greetings,
The CSC is receiving customer calls concerning this advisory (appended
to this note). Is the patch available ? One customer alleged that
they received a flash saying it is... If the patch is not yet available,
does anyone have a ETA for the patch ? If not, does this problem have
a QAR/IPMT number assigned so that the CSC might track the issue ?
Any information is appreciated...
Kindest regards,
Bruce
+++++++++++++++++++++++++++++ CERT* Advisory CA-97.11 +++++++++++++++++++++++++++
------------- Begin Forwarded Message -------------
From [email protected] Thu May 8 21:55:05 1997
Date: Wed, 7 May 1997 08:56:41 -0700 (PDT)
From: [email protected] (CIAC Mail User)
To: [email protected]
Subject: CIAC Bulletin H-51: Vulnerability in libXt
Sender: [email protected]
Content-Length: 19446
-----BEGIN PGP SIGNED MESSAGE-----
__________________________________________________________
The U.S. Department of Energy
Computer Incident Advisory Capability
___ __ __ _ ___
/ | /_\ /
\___ __|__ / \ \___
__________________________________________________________
INFORMATION BULLETIN
Vulnerability in libXt
May 5, 1997 23:00 GMT
Number H-51
_______________________________________________________________________
_______
PROBLEM: A vulnernability exist for a buffer overflow condition
in the
Xt library and the file xc/lib/Xt/Error.c.
PLATFORM: See "Appendix A - Vendor Information" below for
platforms
effected.
DAMAGE: Allows unauthorized file access possibly gaining root
privilege.
SOLUTION: Apply the patches and workarounds listed
_______________________________________________________________________
_______
VULNERABILITY Exploit details involving this vulnerability have been
made
ASSESSMENT: publicly available.
_______________________________________________________________________
_______
[ Start CERT Advisory ]
=======================================================================
======
CERT* Advisory CA-97.11
Original issue date: May 1, 1997
Last revised: --
Topic: Vulnerability in libXt
-
-----------------------------------------------------------------------
-------
There have been discussions on public mailing lists about buffer
overflows in
the Xt library of the X Windowing System made freely available by The
Open
Group (and previously by the now-defunct X Consortium). The specific
problem
outlined in those discussions was a buffer overflow condition in the Xt
library, and the file xc/lib/Xt/Error.c. Exploitation scripts were made
available.
Since then (the latter half of 1996), The Open Group has extensively
reviewed
the source code for the entire distribution to address the potential
for
further buffer overflow conditions. These conditions can make it
possible for
a local user to execute arbitrary instructions as a privileged user
without
authorization.
The programs that pose a potential threat to sites are those programs
that
have been built from source code prior to X11 Release 6.3 and have
setuid or
setgid bits set. Some third-party vendors distribute derivatives of the
X
Window System, and if you use a distribution that includes X tools that
have
setuid or setgid bits set, you may be vulnerable as well.
The CERT/CC team recommends upgrading to X11 Release 6.3 or installing
a
patch from your vendor. If you cannot do one of these, then as a last
resort
we recommend that you remove the setuid or setgid bits from any
executable
files contained in your distribution of X; this may have an adverse
effect on
some system operations.
We will update this advisory as we receive additional information.
Please check advisory files regularly for updates that relate to your
site.
-
-----------------------------------------------------------------------
-------
I. Description
There have been discussions on public mailing lists about buffer
overflows in the Xt library of the X Windowing System made freely
available by The Open Group (and previously by the now-defunct X
Consortium). During these discussions, exploitation scripts were
made
available for some platforms.**
The specific problem outlined in those discussions was a buffer
overflow
condition in the Xt library and the file xc/lib/Xt/Error.c. It was
possible for a user to execute arbitrary instructions as a
privileged
user using a program built by this distribution with setuid or
setgid
bits set.
Note that in this case a root compromise was only possible when
programs built from this distribution (e.g., xterm) were setuid
root.
Since then The Open Group has extensively reviewed the source code
for
the entire distribution to address the potential for further
buffer
overflow condition.
If you use a distribution of the X Windowing System earlier than
X11 Release 6.3 that you downloaded and compiled yourself, we
encourage you to take the steps outlined in either Section IV A or
C.
If you use third-party vendor-supplied distributions of the X
Windowing System containing setuid root programs, we encourage
you to take the steps outlined in Sections IV B or C.
** Note: Discussions of this specific instance of the
vulnerability
appeared on mailing lists during the second half of 1996.
Exploitation
scripts were made public at that time.
II. Impact
Platforms that have X applications built with the setuid or setgid
bits
set may be vulnerable to buffer overflow conditions. These
conditions can
make it possible for a local user to execute arbitrary
instructions as a
privileged user without authorization. Access to an account on the
system
is necessary for exploitation.
III. Finding Potentially Vulnerable Distributions
A. For Sites That Download and Build Their Own Distributions
As discussed earlier, the programs that pose a potential threat to
sites
are those programs that have been built from source code, prior to
X11
Release 6.3 and have setuid or setgid bits set.
Sites that have downloaded the X source code from the X Consortium
should be able to identify such programs by looking in the
directory
hierarchy defined by the "ProjectRoot" constant described in the
xc/config/cf/site.def file in the source code distribution. The
default is /usr/X11R6.3. The X11R6.3 Installation Guide states:
"ProjectRoot
The destination where X will be installed. This variable
needs to be set before you build, as some programs that
read
files at run-time have the installation directory
compiled
in to them. Assuming you have set the variable to some
value
/path, files will be installed into /path/bin,
/path/include/X11, /path/lib, and /path/man."
B. For Vendor-Supplied Distributions
Some third-party vendors distribute derivatives of the X Window
System. If you use a distribution that includes X tools that have
setuid or setgid bits set, then you may need to apply Solution B
or C
in Section IV.
If you use a distribution that does not have setuid or setgid bits
enabled on any X tools, then you do not need to take any of the
steps
listed below.
Below is a list of vendors who have provided information about
this
problem. If your vendor's name is not on this list and you need
clarification, you should check directly with your vendor.
IV. Solution
If any X tools that you are using are potentially vulnerable (see
Section
III), we encourage you to take one of the following steps. If the
setuid
or setgid bits are not enabled on any of the tools in your
distribution,
you do not need to take any of the steps listed below.
For distributions that were built directly from the source code
supplied by The Open Group (and previously by the X Consortium),
we
encourage you to apply either Solutions A or C. For
vendor-supplied
distributions, we encourage you to apply either Solutions B or C.
A. Upgrade to X11 Release 6.3
If you download and build your own distributions directly from
the
source code, we encourage you to install the latest version,
X11
Release 6.3. The source code can be obtained from
ftp://ftp.x.org/pub/R6.3/tars/xc-1.tar.gz
ftp://ftp.x.org/pub/R6.3/tars/xc-2.tar.gz
ftp://ftp.x.org/pub/R6.3/tars/xc-3.tar.gz
Note that these distributions are very large. The compressed
files consume about 40M of disk space. The uncompressed tar
files
consume about 150M of disk space.
B. Install a patch from your vendor
Below is a list of vendors who have provided information about
this problem. Details are in Appendix A of this advisory; we
will
update the appendix as we receive more information. If your
vendor's name is not on this list, the CERT/CC did not hear
from
that vendor. Please contact your vendor directly.
Berkeley Software Design, Inc. (BSDI)
Digital Equipment Corporation (DEC)
FreeBSD, Inc.
Hewlett-Packard Company
IBM Corporation
NEC Corporation
NeXT Software, Inc.
The Open Group (formerly OSF/X Consortium)
The Santa Cruz Operation, Inc. (SCO)
Sun Microsystems, Inc.
C. Remove the setuid bit from affected programs
If you are unable to apply Solutions A or B, then as a last
resort
we recommend removing the setuid or setgid bits from the
executable files in your distribution of X.
Note that this may have an adverse effect on some system
operations. For instance, on some systems the xlock program
needs
to have the setuid bit enabled so that the shadow password
file
can be read to unlock the screen. By removing the setuid bit
from
this program, you remove the ability of the xlock program to
read
the shadow password file. This means that particular version
of
the xlock program should not be used at all, or it should be
killed from another terminal when necessary.
_____________________________________________________________________
Appendix A - Vendor Information
Below is a list of the vendors who have provided information for this
advisory. We will update this appendix as we receive additional
information.
If you do not see your vendor's name, the CERT/CC did not hear from
that
vendor. Please contact the vendor directly.
Berkeley Software Design, Inc. (BSDI)
=====================================
We released a patch for this for the 2.1 BSD/OS release,
and it's already fixed in our current release.
Digital Equipment Corporation (DEC)
===================================
At the time of writing this document, patches(binary kits) are in
progress and
final testing is expected to begin soon. Digital will provide notice
of the
completion/availability of the patches through AES services (DIA,
DSNlink
FLASH) and be available from your normal Digital Support channel.
FreeBSD, Inc.
=============
We're aware of the problem and are trying to correct it with a new
release of
the Xt library.
Hewlett-Packard Company
=======================
For HP-UX, Install the applicable patches:
PHSS_10167 9.X X11R5/Motif1.2 Runtime
PHSS_10168 9.X X11R5/Motif1.2 Development
PHSS_9809 10.0X/10.10 X11R5/Motif1.2 Runtime
PHSS_9810 10.0X/10.10 X11R5/Motif1.2 Development
PHSS_10688 10.20 X11R5/Motif1.2 Runtime
PHSS_9813 10.20 X11R5/Motif1.2 Development
PHSS_10789 10.20 X11R6/Motif1.2 Runtime
PHSS_9815 10.20 X11R6/Motif1.2 Development
Apply the library patches and relink any suid/sgid programs
that are linked with the archived version of libXt.
IBM Corporation
===============
See the appropriate release below to determine your action.
AIX 3.2
-------
Apply the following fix to your system:
APAR - IX61784,IX67047,IX66713 (PTF - U445908,U447740)
To determine if you have this PTF on your system, run the following
command:
lslpp -lB U445908 U447740
AIX 4.1
-------
Apply the following fix to your system:
APAR - IX61031 IX66736 IX66449
To determine if you have this APAR on your system, run the
following
command:
instfix -ik IX61031 IX66736 IX66449
Or run the following command:
lslpp -h X11.base.lib
Your version of X11.base.lib should be 4.1.5.2 or later.
AIX 4.2
-------
Apply the following fix to your system:
APAR - IX66824 IX66352
To determine if you have this APAR on your system, run the
following
command:
instfix -ik IX66824 IX66352
Or run the following command:
lslpp -h X11.base.lib
Your version of X11.base.lib should be 4.2.1.0 or later.
To Order
--------
APARs may be ordered using Electronic Fix Distribution (via
FixDist)
or from the IBM Support Center. For more information on FixDist,
reference URL:
http://service.software.ibm.com/aixsupport/
or send e-mail to [email protected] with a subject of
"FixDist".
IBM and AIX are registered trademarks of International Business
Machines
Corporation.
NEC Corporation
===============
EWS-UX/V(Rel4.2) R7.x - R10.x vulnerable
EWS-UX/V(Rel4.2MP) R10.x vulnerable
UP-UX/V(Rel4.2MP) R5.x - R7.x vulnerable
UX/4800 R11.x - current vulnerable
Patches for this vulnerability are in progress.
For further information, please contact by e-mail:
[email protected]
NeXT Software, Inc.
===================
X-Windows is not part of any NextStep or OpenStep release. We are not
vulnerable to this problem.
The Open Group (formerly OSF/X Consortium)
================================
Not vulnerable.
The Santa Cruz Operation, Inc. (SCO)
====================================
We are investigating this problem and will provide updated
information for this advisory when it becomes available.
Sun Microsystems, Inc.
======================
We are investigating.
[ End CERT Advisory ]
_______________________________________________________________________
_______
CIAC wishes to acknowledge the contributions of CERT & Kaleb Keithly of
The
Open Group for the information contained in this bulletin.
_______________________________________________________________________
_______
CIAC, the Computer Incident Advisory Capability, is the computer
security incident response team for the U.S. Department of Energy
(DOE) and the emergency backup response team for the National
Institutes of Health (NIH). CIAC is located at the Lawrence Livermore
National Laboratory in Livermore, California. CIAC is also a founding
member of FIRST, the Forum of Incident Response and Security Teams, a
global organization established to foster cooperation and coordination
among computer security teams worldwide.
CIAC services are available to DOE, DOE contractors, and the NIH. CIAC
can be contacted at:
Voice: +1 510-422-8193
FAX: +1 510-423-8002
STU-III: +1 510-423-2604
E-mail: [email protected]
For emergencies and off-hour assistance, DOE, DOE contractor sites,
and the NIH may contact CIAC 24-hours a day. During off hours (5PM -
8AM PST), call the CIAC voice number 510-422-8193 and leave a message,
or call 800-759-7243 (800-SKY-PAGE) to send a Sky Page. CIAC has two
Sky Page PIN numbers, the primary PIN number, 8550070, is for the CIAC
duty person, and the secondary PIN number, 8550074 is for the CIAC
Project Leader.
Previous CIAC notices, anti-virus software, and other information are
available from the CIAC Computer Security Archive.
World Wide Web: http://ciac.llnl.gov/
Anonymous FTP: ciac.llnl.gov (128.115.19.53)
Modem access: +1 (510) 423-4753 (28.8K baud)
+1 (510) 423-3331 (28.8K baud)
CIAC has several self-subscribing mailing lists for electronic
publications:
1. CIAC-BULLETIN for Advisories, highest priority - time critical
information and Bulletins, important computer security information;
2. CIAC-NOTES for Notes, a collection of computer security articles;
3. SPI-ANNOUNCE for official news about Security Profile Inspector
(SPI) software updates, new features, distribution and
availability;
4. SPI-NOTES, for discussion of problems and solutions regarding the
use of SPI products.
Our mailing lists are managed by a public domain software package
called Majordomo, which ignores E-mail header subject lines. To
subscribe (add yourself) to one of our mailing lists, send the
following request as the E-mail message body, substituting
ciac-bulletin, ciac-notes, spi-announce OR spi-notes for list-name:
E-mail to [email protected] or [email protected]:
subscribe list-name
e.g., subscribe ciac-notes
You will receive an acknowledgment email immediately with a
confirmation
that you will need to mail back to the addresses above, as per the
instructions in the email. This is a partial protection to make sure
you are really the one who asked to be signed up for the list in
question.
If you include the word 'help' in the body of an email to the above
address,
it will also send back an information file on how to
subscribe/unsubscribe,
get past issues of CIAC bulletins via email, etc.
PLEASE NOTE: Many users outside of the DOE, ESnet, and NIH computing
communities receive CIAC bulletins. If you are not part of these
communities, please contact your agency's response team to report
incidents. Your agency's team will coordinate with CIAC. The Forum of
Incident Response and Security Teams (FIRST) is a world-wide
organization. A list of FIRST member organizations and their
constituencies can be obtained via WWW at http://www.first.org/.
This document was prepared as an account of work sponsored by an
agency of the United States Government. Neither the United States
Government nor the University of California nor any of their
employees, makes any warranty, express or implied, or assumes any
legal liability or responsibility for the accuracy, completeness, or
usefulness of any information, apparatus, product, or process
disclosed, or represents that its use would not infringe privately
owned rights. Reference herein to any specific commercial products,
process, or service by trade name, trademark, manufacturer, or
otherwise, does not necessarily constitute or imply its endorsement,
recommendation or favoring by the United States Government or the
University of California. The views and opinions of authors expressed
herein do not necessarily state or reflect those of the United States
Government or the University of California, and shall not be used for
advertising or product endorsement purposes.
LAST 10 CIAC BULLETINS ISSUED (Previous bulletins available from CIAC)
H-42: HP MPE/iX with ICMP Echo Request (ping) Vulnerability
H-44: Solaris 2.x fdformat Buffer Overflow Vulnerability
H-45: Windows NT SAM permission Vulnerability
H-46: Vulnerability in IMAP and POP
H-47A: AOL4FREE.COM Trojan Horse Program Destroys Hard Drives
H-48: Internet Information Server Vulnerability
H-49: NLS Buffer Overflow Vulnerability
H-22a: talkd Buffer Overrun Vulnerability
H-29a: HP-UX sendmail Patches Vulnerability
H-50: HP-UX SYN Flood and libXt patches
-----BEGIN PGP SIGNATURE-----
Version: 4.0 Business Edition
iQCVAwUBM29okrnzJzdsy3QZAQFPjgP+MiGhmM4zHUMphoRCrClwAKezPrgJNbjP
iU4WI3KIEskYW/GcPg28BUDrT7x78Pn27mVCdvTRobfyzlv5BSeWMtzVqjCyJXbl
iXwwO4bHlmqfxyP3WfNTDWPohq0H+fQbhFFGICSRm/JaNR09e4u460qe48/MlcEF
HbHtGoQKtxY=
=8tTi
-----END PGP SIGNATURE-----
------------- End Forwarded Message -------------
Tracey Heffelfinger
Digital UNIX Support
US Customer Support Center
[email protected]
Cogito ergo spud -- I think therefore I yam.
| T.R | Title | User | Personal
Name | Date | Lines |
|---|
| 9890.1 | CERT Advisory 97.11 | NNTPD::"[email protected]" | Joe Watzko | Wed Jun 04 1997 06:47 | 19 |
| Hi,
i also have a customer demand on this.
As i can see there is a security patch
in the last V3.2C Patches:
(QAR 47205) (Patch ID: OSF350X-021)
Does this patch address the problem described
in the CERT Advisory and if, when
will this patch made be available for
Digital UNIX V3.2g and V4.0a.
General, where can i get information
relating CERT Advisories and Digital UNIX
patches?
Regards
Joe
[Posted by WWW Notes gateway]
|
| 9890.2 | | BIGUN::nessus.cao.dec.com::Mayne | Meanwhile, back on Earth... | Wed Jun 04 1997 19:15 | 4 |
| Try minotr::security_advisory, but be warned that they only produce the
advisories. If you ask any technical questions, they profess ignorance.
PJDM
|