********************************************************************** DDN Security Bulletin 06 DCA DDN Defense Communications System 1 Nov 89 Published by: DDN Security Coordination Center (SCC@NIC.DDN.MIL) (800) 235-3155 DEFENSE DATA NETWORK SECURITY BULLETIN The DDN SECURITY BULLETIN is distributed by the DDN SCC (Security Coordination Center) under DCA contract as a means of communicating information on network and host security exposures, fixes, & concerns to security & management personnel at DDN facilities. Back issues may be obtained via FTP (or Kermit) from NIC.DDN.MIL [26.0.0.73 or 10.0.0.51] using login="anonymous" and password="guest". The bulletin pathname is SCC:DDN-SECURITY-nn (where "nn" is the bulletin number). ********************************************************************** SUN RCP VULNERABILITY + - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - + ! ! ! The following important advisory was issued by the Computer ! ! Emergency Response Team (CERT) and is being relayed via the Defense ! ! Communications Agency's Security Coordination Center distribution ! ! system as a means of providing DDN subscribers with useful ! ! security information. ! ! ! + - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - + CERT Advisory October 26, 1989 Sun RCP vulnerability A problem has been discovered in the SunOS 4.0.x rcp. If exploited, this problem can allow users of other trusted machines to execute root-privilege commands on a Sun via rcp. This affects only SunOS 4.0.x systems; 3.5 systems are not affected. A Sun running 4.0.x rcp can be exploited by any other trusted host listed in /etc/hosts.equiv or /.rhosts. Note that the other machine exploiting this hole does not have to be running Unix; this vulnerability can be exploited by a PC running PC/NFS, for example. This bug will be fixed by Sun in version 4.1 (Sun Bug number 1017314), but for now the following workaround is suggested by Sun: Change the 'nobody' /etc/passwd file entry from nobody:*:-2:-2::/: to nobody:*:32767:32767:Mismatched NFS ID's:/nonexistant:/nosuchshell If you need further information about this problem, please contact CERT by electronic mail or phone. J. Paul Holbrook Computer Emergency Response Team (CERT) Carnegie Mellon University Software Engineering Institute Internet: (412) 268-7090 (24 hour hotline) ******************************************************************* X-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-X Another file downloaded from: NIRVANAnet(tm) &TOTSE 510/935-5845 Walnut Creek, CA Taipan Enigma Burn This Flag 408/363-9766 San Jose, CA Zardoz realitycheck 415/666-0339 San Francisco, CA Poindexter Fortran Governed Anarchy 510/226-6656 Fremont, CA Eightball New Dork Sublime 805/823-1346 Tehachapi, CA Biffnix Lies Unlimited 801/278-2699 Salt Lake City, UT Mick Freen Atomic Books 410/669-4179 Baltimore, MD Baywolf Sea of Noise 203/886-1441 Norwich, CT Mr. Noise The Dojo 713/997-6351 Pearland, TX Yojimbo Frayed Ends of Sanity 503/965-6747 Cloverdale, OR Flatline The Ether Room 510/228-1146 Martinez, CA Tiny Little Super Guy Hacker Heaven 860/456-9266 Lebanon, CT The Visionary The Shaven Yak 510/672-6570 Clayton, CA Magic Man El Observador 408/372-9054 Salinas, CA El Observador Cool Beans! 415/648-7865 San Francisco, CA G.A. Ellsworth DUSK Til Dawn 604/746-5383 Cowichan Bay, BC Cyber Trollis The Great Abyss 510/482-5813 Oakland, CA Keymaster "Raw Data for Raw Nerves" X-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-X