CIAC documents FY 1994 Series E

Index of this archive:

  intro.txt     ciac-introduction-to
  cdb.txt       CIAC-Virus-Database-11-93
  ciacreq.txt   ciac-doe requirements
  HPACCESS.TXT  how-to-download-HP-patches
  xtermpat.txt  xterm-patch-status
  e-01.txt      ciac-sun-sendmail-tar-audio-vulnerabilities
  e-03.txt      ciac-unix-sendmail-vulnerabilities
  e-04.txt      ciac-xterm-logfile-vulnerability
  e-05.txt      ciac-sunos-solbourne-loadmodule-modload-vulnerability
  e-06.txt      ciac-solaris-system-startup-vulnerability
  e-07.txt      ciac-unix-sendmail-update
  e-08.txt      ciac-restricted-distribution
  e-09.txt      ciac-network-monitoring-attacks
  e-11.txt      ciac-lotus-ccmail-security-upgrade
  e-12.txt      ciac-network-monitoring-attacks-update
  e-13.txt      ciac-patches-for-etc-utmp-vulnerability
  e-14.txt      ciac-wuarchive-ftpd-trojan-horse
  e-15.txt      ciac-restricted-distribution
  e-16.txt      ciac-restricted-distribution
  e-17.txt      ciac-ftp-daemon-vulnerabilities
  e-18.txt      ciac-sun-automountd-patch
  e-19.txt      ciac-nvir-a-virus-on-CD-ROM
  e-20.txt      ciac-chinon-cd-it.zip-trojan
  e-21.txt      ciac-restricted-distribution
  e-22.txt      ciac-restricted-distribution
  e-23.txt      ciac-HP-Vue-3.0
  e-24.txt      ciac-patches-for-ULTRIX-DECnet_ULTRIX-OSF_1
  e-25.txt      ciac-BSD-lpr-vulnerability-in-SGI-IRIX
  e-26.txt      ciac-UNIX-bin-login-vulnerability
  e-27.txt      ciac-restricted-distribution
  e-28.txt      ciac-restricted-distribution
  e-29.txt      ciac-IBM-AIX-bsh-queue-vulnerability
  e-30.txt      ciac-Majordomo-vulnerabilities
  e-31.txt      ciac-sendmail-d-oE-vulnerabilities
  e-32.txt      ciac-KAOS4-virus
  e-33.txt
  e-34.txt      ciac One_half virus (MS-DOS)

_____________________________________________________
The Computer Incident Advisory Capability
_____________________________________________________

ADVISORY NOTICE

(1) Security vulnerability in sendmail under SunOS 4.1.x and 5.x
(2) Security vulnerability in tar under SunOS 5.x
(3) Potential misuse of Sun microphones

October 21, 1993 1130 PDT
Number E-01
__________________________________________________________________________

(1) Security vulnerability in sendmail under SunOS 4.1.x and 5.x

PROBLEM:  Remote users may access system files using sendmail.
PLATFORM: SunOS 4.1.x and SunOS 5.x (Solaris 2.x).
DAMAGE:   Unauthorized access to system files.
SOLUTION: Apply appropriate patch from Sun.
__________________________________________________________________________

Critical Information about Security Vulnerability in sendmail

The /usr/lib/sendmail utility under SunOS 4.1.x and SunOS 5.x permits unauthorized access to some system files by remote users. This access may allow compromise of the system. Note that this vulnerability is being actively exploited. CIAC strongly recommends that sites take immediate corrective action.

Sun Microsystems has released patched versions of the sendmail program for all affected versions of SunOS:

                                              BSD          SVR4
System       Patch ID   Filename         Checksum     Checksum
-----------  ---------  ---------------  -----------  -----------
SunOS 4.1.x  100377-07  100377-07.tar.Z  36122 586    11735 1171
SunOS 5.1    100840-03  100840-03.tar.Z  01153 194    39753 388
SunOS 5.2    101077-03  101077-03.tar.Z  49343 177    63311 353

The checksums shown above are from the BSD-based checksum (on SunOS 4.1.x, /bin/sum; on SunOS 5.x, /usr/ucb/sum) and from the SVR4 version that Sun has released on SunOS 5.x (/usr/bin/sum).

Individuals with support contracts may obtain these patches from their local Sun Answer Center or from SunSolve Online. Security patches are also available without a support contract via anonymous FTP from ftp.uu.net (IP 192.48.96.9) in the directory /systems/sun/sun-dist.
__________________________________________________________________________

(2) Security vulnerability in tar under SunOS 5.x

PROBLEM:  Archives created with the tar utility contain extraneous user information.
PLATFORM: SunOS 5.x (Solaris 2.x).
DAMAGE:   User and system information may be unintentionally disclosed.
SOLUTION: Apply appropriate patch from Sun.
__________________________________________________________________________

Critical Information about Security Vulnerability in tar

Archive files created with the /bin/tar utility under SunOS 5.x contain extraneous user information from the /etc/passwd and /etc/group files. Note that the extraneous data does not include user passwords; however, system configuration and user information may be unintentionally disclosed should the archive files be distributed.

Sun Microsystems has released patched versions of the tar utility for all affected versions of SunOS. The patched tar utility produces archive files in the same format as all other versions, but any extraneous data is set to zero. Restoring an existing archive file to disk, and then creating a new file with the patched tar, will result in a clean archive file with no extraneous data.

                                            BSD         SVR4
System     Patch ID   Filename         Checksum    Checksum
---------  ---------  ---------------  ----------  ----------
SunOS 5.1  100975-02  100975-02.tar.Z  37034 374   13460 747
SunOS 5.2  101301-01  101301-01.tar.Z  22089 390   4703 779

The checksums shown above are from the BSD-based checksum (on SunOS 4.1.x, /bin/sum; on SunOS 5.x, /usr/ucb/sum) and from the SVR4 version that Sun has released on SunOS 5.x (/usr/bin/sum).

Individuals with support contracts may obtain these patches from their local Sun Answer Center or from SunSolve Online. Security patches are also available without a support contract via anonymous FTP from ftp.uu.net (IP 192.48.96.9) in the directory /systems/sun/sun-dist.
__________________________________________________________________________

(3) Potential misuse of Sun microphones

PROBLEM:  Microphones on Sun workstations may be used for eavesdropping.
PLATFORM: SunOS 4.1.x and SunOS 5.x (Solaris 2.x).
DAMAGE:   Access to conversations held near the computer.
SOLUTION: Disconnect microphone or apply software solution described below.
__________________________________________________________________________

Critical Information about Misuse of Sun Microphones

Sun Microsystems has released information regarding the potential for microphones attached to Sun workstations to be used to eavesdrop on conversations near the computer. Software solutions to reduce the risk are described below. Note, however, that CIAC strongly recommends that microphones on systems in sensitive areas be either physically switched off or disconnected from the system.

The initial permissions for the audio data device, /dev/audio, allow any user with an account on the system to listen with the microphone when it is turned on. Also, the permissions for the audio control device, /dev/audioctl, allow anyone to vary playback and record settings such as volume. Unauthorized use of the system's audio devices may be prevented by changing the permissions and ownership of /dev/audio and /dev/audioctl.

On SunOS 4.x systems, the /etc/fbtab file may be used to automatically control access to the audio devices. As root, add the following lines to the end of the fbtab file:

    /dev/console    0600    /dev/audio
    /dev/console    0600    /dev/audioctl

On SunOS 5.x (Solaris 2.x) systems, the file permissions must be manually changed. As root, execute the following commands, specifying (in place of <username>) the username of the individual that should have access to the microphone:

    # chmod 600 /dev/audio*
    # chown <username> /dev/audio*
______________________________________________________________________

CIAC would like to thank Mark Graff and Sun Microsystems, Inc. for the information used in this bulletin.
______________________________________________________________________

For additional information or assistance, please contact CIAC at (510) 422-8193 or send E-mail to ciac@llnl.gov. FAX messages to (510) 423-8002.

Previous CIAC Bulletins and other information are available via anonymous FTP from irbis.llnl.gov (IP address 128.115.19.60).
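The patch tables in sections (1) and (2) above, and the ones in the later bulletins of this series, quote a BSD and an SVR4 checksum for each archive, which only helps if the administrator recomputes them on the downloaded file. The following is an added example, not part of the CIAC bulletin: it reimplements both algorithms in portable sh and awk (the same rotate-and-add and fold-to-16-bits that the two sum utilities use), and compares a file against a table entry, normalising leading zeros so that "01153 194" and "1153 194" agree. The file it checks is constructed inline. Both checksums are 16 bits and not collision resistant, so a match rules out a corrupted transfer, not a deliberately substituted archive.

```shell
#!/bin/sh
# Added example (not part of the CIAC bulletin): recompute the two checksum
# styles quoted in the patch tables, BSD (/bin/sum, /usr/ucb/sum) and SVR4
# (/usr/bin/sum), in portable sh + awk, and compare a file with a published
# "checksum blocks" pair before unpacking it.

# BSD sum: rotate the 16-bit running value right by one, then add the byte;
# block count in 1024-byte units. Output format matches "sum -r".
bsd_sum() {
  od -An -v -tu1 "$1" | awk '
    { for (i = 1; i <= NF; i++) {
        c = int(c / 2) + (c % 2) * 32768   # 16-bit rotate right
        c = (c + $i) % 65536
        n++
      } }
    END { printf "%05d %d\n", c, int((n + 1023) / 1024) }'
}

# SVR4 sum: plain byte total folded twice into 16 bits;
# block count in 512-byte units. Output format matches "sum -s".
sysv_sum() {
  od -An -v -tu1 "$1" | awk '
    { for (i = 1; i <= NF; i++) { s += $i; n++ } }
    END {
      r = (s % 65536) + int(s / 65536)
      printf "%d %d\n", (r % 65536) + int(r / 65536), int((n + 511) / 512)
    }'
}

# Compare a file with a table entry such as "36122 586" (BSD column) or
# "11735 1171" (SVR4 column). Leading zeros and spacing are normalised.
# Returns 0 on a match, 1 on a mismatch, 2 on an unknown style argument.
verify_patch_sum() {   # <file> <bsd|sysv> "<checksum> <blocks>"
  case "$2" in
    bsd)  got=$(bsd_sum "$1") ;;
    sysv) got=$(sysv_sum "$1") ;;
    *)    echo "unknown checksum style: $2" >&2; return 2 ;;
  esac
  norm_got=$(echo "$got" | awk '{ printf "%d %d", $1, $2 }')
  norm_want=$(echo "$3" | awk '{ printf "%d %d", $1, $2 }')
  if [ "$norm_got" = "$norm_want" ]; then
    echo "$1: $2 checksum matches ($got)"
    return 0
  fi
  echo "$1: $2 checksum MISMATCH: computed '$got', table says '$3'" >&2
  return 1
}

# Demonstration on a constructed two-byte file ("a" plus newline) standing in
# for a downloaded patch archive; the expected values were worked by hand.
sample=$(mktemp) || exit 1
printf 'a\n' > "$sample"
verify_patch_sum "$sample" bsd  "32826 1"
verify_patch_sum "$sample" sysv "107 1"
rm -f "$sample"
```

On a real download, `verify_patch_sum 100377-07.tar.Z bsd "36122 586"` checks the first row of the sendmail table; use the `sysv` style for the right-hand column.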
PLEASE NOTE: Many users outside of the DOE and ESnet computing communities receive CIAC bulletins. If you are not part of these communities, please contact your agency's response team to report incidents. Your agency's team will coordinate with CIAC. The Forum of Incident Response and Security Teams (FIRST) is a world-wide organization. A list of FIRST member organizations and their constituencies can be obtained by sending email to docserver@first.org with an empty subject line and a message body containing the line: send first-contacts.

This document was prepared as an account of work sponsored by an agency of the United States Government. Neither the United States Government nor the University of California nor any of their employees makes any warranty, expressed or implied, or assumes any legal liability or responsibility for the accuracy, completeness, or usefulness of any information, product, or process disclosed, or represents that its use would not infringe privately owned rights. Reference herein to any specific commercial products, process, or service by trade name, trademark, manufacturer, or otherwise, does not necessarily constitute or imply its endorsement, recommendation, or favoring by the United States Government or the University of California. The views and opinions of authors expressed herein do not necessarily state or reflect those of the United States Government nor the University of California, and shall not be used for advertising or product endorsement purposes.

_____________________________________________________
US Department of Energy
Computer Incident Advisory Capability
_____________________________________________________

INFORMATION BULLETIN

Vulnerabilities in SGI IRIX Default Configuration

October 25, 1993 1330 PDT
Number E-02
__________________________________________________________________________

PROBLEM:  The default configuration of SGI IRIX software introduces vulnerabilities.
PLATFORM: SGI IRIX, all versions including 4.x and 5.x.
DAMAGE:   Accounts without passwords and default xhost configuration can lead to system compromise.
SOLUTION: Add passwords, lock accounts, change xhost configuration per this bulletin.
__________________________________________________________________________

Critical Information about SGI IRIX Default Configuration

CIAC has learned that SGI IRIX systems configured with operating system defaults are vulnerable to attack. The auto-installation procedure leaves some default accounts vulnerable to compromise, some files are left world readable, and the default configuration for xhost is vulnerable. CIAC recommends that IRIX system administrators check the configuration of their systems as outlined below.

OPEN ACCOUNTS

Eight accounts are left open, without a password, at the end of the installation procedure. Three of these accounts (root, lp, and nuucp) are administrative accounts with system privileges. The other five accounts are demos, tutor, guest, 4Dgifts, and tour. CIAC recommends that these accounts be assigned valid passwords, deleted, or disabled to ensure account security.

Give an account a password by executing the following command as root:

    # passwd account_name

To disable ("lock") an account, use the passwd command with the -l option, as below:

    # passwd -l account_name

To delete an account, edit the /etc/passwd file directly, as SGI's utility "sysadm" will not edit these specific accounts. SGI recommends that account deletion be done with care, since the execution of some system functions requires an account to be present.

LOGIN.OPTIONS VULNERABILITY

The file /etc/config/login.options (renamed /etc/default/login on 5.x) contains some parameters for the system's login process. By default, this file is world readable.
CIAC recommends that if a system is logging rsh and ftp activity, these permissions be removed by executing the following command as root:

    # chmod 640 /etc/config/login.options

Note: the options "SYSLOG=ALL" or "SYSLOG=FAIL", set within login.options, will not log any login attempts made through the SGI-supplied graphical login process Pandora. In addition, the file where login attempts are kept, /usr/adm/SYSLOG, should also not be world readable.

NIS ALTERNATE PASSWORD FILE

If using NIS, an alternate password file can be created with any name and placed anywhere. This password file should be set up to contain only accounts of users that log in remotely. No administrative accounts should be contained in this alternative password file, since all NIS users can easily see this file. Use of this file will make the information in /etc/passwd useless to anyone who might break into the system and try to crack passwords. To define the password file, open or create the file /etc/config/ypmaster.options, and create a line with the text:

    PWFILE=/path/newpasswdfile.name

NOTE: this feature is available because shadow password files are incompatible with NIS.

XHOST DEFAULTS

The system default configuration for xhost is "xhost +", which allows any host on the same network to use X protocols to access the machine. X has well-known vulnerabilities, and there are automated programs that can remotely gain unauthorized access using X. CIAC recommends that you either deny all access to all hosts through X or authorize only specific known, trustworthy machines.

To deny or restrict X access to selected hosts, follow these three steps:

a. Create or edit the file "/etc/Xn.hosts" where 'n' is the display number of the server on the local host, normally 0, as in "/etc/X0.hosts". To deny all X access to your system, the file /etc/X0.hosts will contain a single character, "-".
To grant access to hosts "newhost.gov" and "secondhost.gov" and no other hosts, the file /etc/X0.hosts will consist of:

    -
    +newhost.gov
    +secondhost.gov

b. Search through all files in the directory /usr/lib/X11/xdm for occurrences of the command "xhost +" or "/usr/bin/X11/xhost +". Remove or comment out all such lines. For SGI IRIS these files are by default:

    /usr/lib/X11/xdm/xsession
    /usr/lib/X11/xdm/xsession-remote
    /usr/lib/X11/xdm/xsession.0

c. Inform users that any xhost commands should be removed or commented out of user startup scripts, such as .cshrc, .login, .profile, etc.

To add an additional level of security to the X environment, CIAC recommends the use of xauthority for host access control. To set up xauthority, edit the file /usr/lib/X11/xdm/xdm-config and replace the "off" with "on" in the following line:

    DisplayManager*authorize:off

After all changes are made, SGI recommends that the system be rebooted to ensure that all changes take effect, and that all passwords be modified for all users' accounts that may have been compromised.

To ensure that X has been turned off for non-registered hosts, perform the following test commands from an invalid machine:

    setenv DISPLAY yourhostname:0
    /usr/bin/X11/xterm

If a message appears which refuses the connection, then the system has been configured correctly.

Much of the information in this bulletin has been extracted from the chapter on system security in the SGI IRIX administrator's guide, Chapter 8 for version 4.x and Chapter 9 for version 5.x.

CIAC would like to thank Donna Yobs of SGI and Fred W. Allen of LLNL for their technical contributions to this bulletin, and the ASSIST team for alerting us to this vulnerability.
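The bulletin's recommendation is that administrators "check the configuration of their systems as outlined below"; the following added example, which is not part of CIAC E-02 and not SGI's code, turns that check into a script. It audits a directory tree for the findings above (accounts with an empty password field, a world-readable login.options and SYSLOG, a missing or permissive X0.hosts, "xhost +" lines in the xdm session scripts, DisplayManager*authorize still off) and, from E-01, audio devices that are not owner-only, then applies the file-level fixes: chmod 640, chmod 600, writing X0.hosts, commenting out the xhost lines, and flipping the xdm resource. The open accounts are only reported, because passwd and passwd -l need the live system. It runs against a constructed fixture under a scratch root, so the account entries, host names and file contents are made up; on a real system the root argument would be /.

```shell
#!/bin/sh
# Added example, not part of CIAC E-02 (or E-01): an offline audit-and-fix for
# the default-configuration findings the bulletin lists, plus the E-01 audio
# device permissions, run against constructed copies of the files under a
# scratch root. Account entries and host names are constructed.

# Accounts whose passwd password field is empty, printed as name:uid.
open_accounts() { awk -F: '$2 == "" { print $1 ":" $3 }' "$1"; }

# The nine mode characters of a path (e.g. rw-r--r--) and two tests on them.
perm_bits()      { ls -ld "$1" | cut -c2-10; }
world_readable() { case "$(perm_bits "$1")" in ??????r??) return 0 ;; *) return 1 ;; esac; }
owner_only()     { case "$(perm_bits "$1")" in ???------) return 0 ;; *) return 1 ;; esac; }

# Lines that run "xhost +" (bare or by full path) with no host after the "+".
XHOST_PLUS_RE='^[[:space:]]*\(/usr/bin/X11/\)\{0,1\}xhost[[:space:]]\{1,\}+\([[:space:]].*\)\{0,1\}$'
count_xhost_plus() { grep -c "$XHOST_PLUS_RE" "$1" || true; }

# Step a: "-" denies every host, then one "+host" line per trusted host.
write_xhosts_file() { out=$1; shift; { echo "-"; for h in "$@"; do echo "+$h"; done; } > "$out"; }

# Step b: comment the offending lines out rather than deleting them silently.
disable_xhost_plus() {
  for f in "$@"; do
    [ -f "$f" ] || continue
    sed "s@$XHOST_PLUS_RE@# disabled per CIAC E-02: &@" "$f" > "$f.tmp" && mv "$f.tmp" "$f"
  done
}

# xauthority: read and flip DisplayManager*authorize in xdm-config.
xdm_authorize_state() { sed -n 's/^DisplayManager\*authorize:[[:space:]]*//p' "$1"; }
enable_xdm_authorize() {
  sed 's/^\(DisplayManager\*authorize:[[:space:]]*\)off$/\1on/' "$1" > "$1.tmp" && mv "$1.tmp" "$1"
}

# Print every finding under root $1 and return their number.
audit_root() {
  r=$1; n=0
  for a in $(open_accounts "$r/etc/passwd"); do echo "open account: $a"; n=$((n + 1)); done
  for f in etc/config/login.options usr/adm/SYSLOG; do
    if world_readable "$r/$f"; then echo "world readable: $f"; n=$((n + 1)); fi
  done
  for f in dev/audio dev/audioctl; do
    if ! owner_only "$r/$f"; then echo "not owner-only: $f"; n=$((n + 1)); fi
  done
  if ! { [ -f "$r/etc/X0.hosts" ] && [ "$(head -n 1 "$r/etc/X0.hosts")" = "-" ]; }; then
    echo "X0.hosts missing or does not start with -"; n=$((n + 1))
  fi
  for f in "$r"/usr/lib/X11/xdm/xsession*; do
    c=$(count_xhost_plus "$f")
    if [ "$c" -gt 0 ]; then echo "xhost + in ${f#$r/}: $c line(s)"; n=$((n + c)); fi
  done
  if [ "$(xdm_authorize_state "$r/usr/lib/X11/xdm/xdm-config")" != "on" ]; then
    echo "xdm authorize is off"; n=$((n + 1))
  fi
  return $n
}

# Apply the bulletin's file-level fixes under root $1, trusting the X hosts
# given after it. Open accounts are left for passwd / passwd -l.
fix_root() {
  r=$1; shift
  chmod 640 "$r/etc/config/login.options" "$r/usr/adm/SYSLOG"
  chmod 600 "$r/dev/audio" "$r/dev/audioctl"
  write_xhosts_file "$r/etc/X0.hosts" "$@"
  disable_xhost_plus "$r"/usr/lib/X11/xdm/xsession*
  enable_xdm_authorize "$r/usr/lib/X11/xdm/xdm-config"
}

# Constructed fixture mirroring the default state the bulletin describes.
make_fixture() {
  d=$(mktemp -d) || return 1
  mkdir -p "$d/etc/config" "$d/usr/adm" "$d/dev" "$d/usr/lib/X11/xdm"
  printf '%s\n' 'root::0:0:Super-User:/:/bin/sh' 'lp::9:9:Print Spooler:/var/spool/lp:/bin/sh' \
    'guest::998:998:Guest:/usr/people/guest:/bin/csh' 'ops:HASHED:1001:20:Example:/usr/people/ops:/bin/csh' \
    > "$d/etc/passwd"
  for f in etc/config/login.options usr/adm/SYSLOG; do : > "$d/$f"; chmod 644 "$d/$f"; done
  for f in dev/audio dev/audioctl;               do : > "$d/$f"; chmod 666 "$d/$f"; done
  printf '%s\n' '#!/bin/sh' '/usr/bin/X11/xhost +' 'exec $HOME/.xsession' > "$d/usr/lib/X11/xdm/xsession"
  printf '%s\n' 'xhost +' 'xhost +fileserver.example' > "$d/usr/lib/X11/xdm/xsession-remote"
  printf '%s\n' '# nothing here' > "$d/usr/lib/X11/xdm/xsession.0"
  printf '%s\n' 'DisplayManager*authorize:off' > "$d/usr/lib/X11/xdm/xdm-config"
  echo "$d"
}

root=$(make_fixture) || exit 1
n=0; audit_root "$root" || n=$?; echo "findings before fix: $n"
fix_root "$root" newhost.gov secondhost.gov
n=0; audit_root "$root" || n=$?; echo "findings after fix:  $n"
rm -rf "$root"
```

The xhost pattern deliberately leaves "xhost +somehost" alone: only the unqualified "xhost +" that the bulletin names is disabled, and the line is kept as a comment so the change is visible in the file.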
_____________________________________________________
The U.S. Department of Energy
Computer Incident Advisory Capability
_____________________________________________________

ADVISORY NOTICE

UNIX sendmail Vulnerabilities

November 4, 1993 2300 PST
Number E-03
__________________________________________________________________________

PROBLEM:  Vulnerabilities have been discovered in the UNIX sendmail utility.
PLATFORM: All implementations of UNIX sendmail.
DAMAGE:   Local and remote users may execute commands and/or gain access to system files.
SOLUTION: Apply workarounds or install new version of sendmail on ALL systems running sendmail.
__________________________________________________________________________

Critical Information about UNIX sendmail Vulnerabilities

This advisory supersedes the sendmail information contained in CIAC Advisory E-01.

CIAC has learned of a set of serious vulnerabilities affecting the UNIX utility sendmail. These vulnerabilities affect a significant number of sendmail implementations, permitting unauthorized access to system commands and files by both local and remote users. In the absence of specific vendor information, CIAC recommends that all implementations of sendmail be considered vulnerable to attack.

CIAC is working with the CERT Coordination Center and the vendor community to address this issue. At this time, there are no known patches available for any vendor implementation that fully address all known sendmail vulnerabilities. CIAC will publish information regarding vendor patches as they become available.

Details of these vulnerabilities have been openly discussed in several electronic forums, including the Firewalls mailing list and the USENET newsgroup comp.security.unix. In addition, at least one automated tool designed to exploit these vulnerabilities has been widely distributed. Until vendor patches become available, CIAC strongly recommends that sites apply one of the three possible solutions described below to all systems running sendmail, including those systems behind firewalls and mail hubs.

Restrict shell commands

This workaround involves modifying the sendmail configuration file to restrict the sendmail program mailer facility using the sendmail restricted shell, smrsh, by Eric Allman (the original author of sendmail).
The sendmail restricted shell screens all attempts to execute programs from sendmail, allowing only those specifically authorized by the system administrator. Attempts to invoke programs not in the allowed set will fail and log the attempt. Programs in the allowed set should be selected carefully. Mail utilities found in /etc/aliases and ~/.forward files should be considered for inclusion to prevent mail delivery failures (e.g. vacation, procmail, and slocal). Note that it is important that sites not include interpreters (e.g. /bin/sh, /bin/csh, /bin/perl, /bin/uudecode, and /bin/sed) in the set of allowed programs, as they may allow system compromise.

The sendmail restricted shell may be obtained via anonymous FTP from ftp.uu.net in the directory /pub/security/smrsh. Consult the program documentation for installation instructions.

Checksum Information

Filename  BSD sum  System V sum
--------  -------  ------------
README    30114 5  56478 10
smrsh.8   25757 2  42281 4
smrsh.c   46786 5  65517 9

Disable shell commands

This approach also involves modifying the sendmail configuration. However, this approach completely disables the sendmail program mailer facility. Attempts to invoke programs through sendmail will fail. While this is a drastic solution, it may be quickly implemented to protect a site while a more long-term approach is installed.

To implement this approach, edit the sendmail.cf file, replacing the program mailer specification:

    Mprog, P=/bin/sh, F=slFDM, S=10, R=20, A=sh -c $u

with:

    Mprog, P=/bin/false, F=, S=10, R=20, A=

The configuration file should then be frozen, if necessary, and the sendmail process restarted. See the end of this advisory for more details.

Install sendmail 8.6.4

The most recent version of Eric Allman's public domain sendmail has been updated to eliminate all known vulnerabilities. Sites may choose to replace their current implementation of sendmail with version 8.6.4 or later to secure their systems.
Note that depending on the currently installed sendmail software, switching to sendmail 8.6.4 may require significant effort for the system administrator to become familiar with the new program. Considerable modification of the sendmail configuration may also be required.

The latest version of sendmail may be obtained via anonymous FTP from ftp.cs.berkeley.edu in the directory /ucb/sendmail.

Checksum Information

Filename                   BSD sum    System V sum
-------------------------  ---------  ------------
sendmail.8.6.4.base.tar.Z  07718 428  64609 856
sendmail.8.6.4.cf.tar.Z    28004 179  42112 357
sendmail.8.6.4.misc.tar.Z  57299 102  8101 203
sendmail.8.6.4.xdoc.tar.Z  33954 251  50037 502

CIAC strongly recommends that sites monitor their systems for signs of sendmail attacks. System administrators should regularly examine the following:

- All bounced mail, looking for unusual messages.
- Mail log files (e.g. /var/log/syslog), looking for unusual occurrences of "|" characters.

To provide this information, sendmail must be configured to bounce mail to the local postmaster and generate adequate logs. Receipt of bounced mail is enabled by placing the following line in sendmail.cf:

    OPpostmaster

A logging level of 9 or higher should also be specified in the configuration file with a line similar to the following:

    OL9

Whenever any changes are made to the sendmail configuration file, it is necessary to kill all existing sendmail processes, refreeze the configuration file (on some systems), and restart the sendmail daemon. For example, under SunOS 4.1.2:

    # /usr/bin/ps -aux | /usr/bin/grep sendmail
    root  130  0.0  0.0  168  0 ?  IW  Oct 2  0:10 /usr/lib/sendmail -bd -q
    # /bin/kill -9 130               (Kill the current sendmail process)
    # /usr/lib/sendmail -bz          (Refreeze the sendmail configuration file)
    # /usr/lib/sendmail -bd -q30m    (Restart the sendmail daemon)

Note that some sites do not use frozen configuration files.
If the file sendmail.fc does not exist in the same directory as sendmail.cf, frozen configurations are not being used.
__________________________________________________________________________

CIAC wishes to thank the CERT Coordination Center and members of the FIRST community for their contributions to this advisory. In addition, CIAC would like to acknowledge the technical contributions of Eric Allman, Matt Blaze, Andy Sherman, Gene Spafford, and Tim Seaver.
__________________________________________________________________________
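The "Disable shell commands" workaround and the OPpostmaster / OL9 settings are each a one-line edit to sendmail.cf, but an administrator rolling them out across a site wants them applied consistently and verifiably. The following is an added example, not part of CIAC E-03 and not sendmail's own tooling: it makes the three edits on a constructed sendmail.cf excerpt (replacing the Mprog line with the exact specification the advisory gives, adding OPpostmaster once, and raising OL to 9 without lowering a level that is already higher), and runs the log check the advisory recommends over constructed syslog lines, printing every sendmail entry that contains a "|". Hostnames, addresses and queue ids in the sample log are made up. Freezing and restarting the daemon, which the advisory shows above, still has to be done on the live system afterwards.

```shell
#!/bin/sh
# Added example, not part of CIAC E-03: the "Disable shell commands"
# workaround and the bounce/logging settings, applied to a constructed
# sendmail.cf excerpt, plus the log check the advisory recommends, run over
# constructed syslog lines. Nothing here touches a live configuration.

# Replace the program mailer with one that can never execute anything
# (the exact replacement line the advisory gives).
disable_program_mailer() {   # $1 = sendmail.cf
  sed 's@^Mprog,[[:space:]]*P=/bin/sh,.*$@Mprog, P=/bin/false, F=, S=10, R=20, A=@' "$1" \
    > "$1.tmp" && mv "$1.tmp" "$1"
}

# Make sure a line matching BRE $2 exists in file $1 and reads exactly $3.
ensure_line() {
  if grep -q "$2" "$1"; then
    sed "s@$2.*@$3@" "$1" > "$1.tmp" && mv "$1.tmp" "$1"
  else
    printf '%s\n' "$3" >> "$1"
  fi
}

# OPpostmaster: copies of bounced mail go to the local postmaster.
set_postmaster_bounces() { ensure_line "$1" '^OP' 'OPpostmaster'; }

# Current OL level ("" if unset); raise it to 9 unless already 9 or higher.
log_level() { sed -n 's/^OL\([0-9]*\).*/\1/p' "$1" | head -n 1; }
raise_log_level() {
  cur=$(log_level "$1")
  if [ -z "$cur" ]; then
    printf 'OL9\n' >> "$1"
  elif [ "$cur" -lt 9 ]; then
    sed 's/^OL[0-9]*.*$/OL9/' "$1" > "$1.tmp" && mv "$1.tmp" "$1"
  fi
}

harden_cf() { disable_program_mailer "$1"; set_postmaster_bounces "$1"; raise_log_level "$1"; }
program_mailer_line() { grep '^Mprog' "$1"; }

# Monitoring: sendmail syslog entries containing a "|" (delivery to a
# program). Legitimate pipes such as vacation show up too and need triage.
suspicious_sendmail_log_lines() {
  awk '/sendmail\[[0-9]+\]:/ && index($0, "|") { print FILENAME ":" NR ": " $0 }' "$1"
}

# Constructed sendmail.cf excerpt (not a working configuration).
write_sample_cf() {
  cat > "$1" <<'EOF'
# constructed excerpt
OL5
OQ/var/spool/mqueue
Mlocal, P=/bin/mail, F=rlsDFMmn, S=10, R=20, A=mail -d $u
Mprog,  P=/bin/sh, F=slFDM, S=10, R=20, A=sh -c $u
EOF
}

# Constructed syslog lines; host, addresses and queue ids are made up.
write_sample_log() {
  cat > "$1" <<'EOF'
Nov  5 02:13:07 mailhub sendmail[4421]: CAA04421: from=<user@example.org>, size=512, class=0
Nov  5 02:13:08 mailhub sendmail[4421]: CAA04421: to="|/usr/ucb/vacation alice", delay=00:00:01, stat=Sent
Nov  5 02:14:00 mailhub sendmail[4423]: CAA04423: to=<alice@example.org>, delay=00:00:00, stat=Sent
Nov  5 02:15:31 mailhub sendmail[4425]: CAA04425: to="|/bin/sh", delay=00:00:00, stat=Sent
EOF
}

cf=$(mktemp) || exit 1; log=$(mktemp) || exit 1
write_sample_cf "$cf"; write_sample_log "$log"
harden_cf "$cf"
echo "program mailer now: $(program_mailer_line "$cf")"
echo "log level now: OL$(log_level "$cf")"
echo "log lines to review:"; suspicious_sendmail_log_lines "$log"
rm -f "$cf" "$log"
```

Running harden_cf twice leaves the file unchanged, so it is safe to re-run after every configuration change; the log scan is meant for a cron job or a pipe from the syslog file, and every hit, including the vacation pipe, should be matched against the aliases and .forward files that are supposed to exist.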
_____________________________________________________
The U.S. Department of Energy
Computer Incident Advisory Capability
_____________________________________________________

INFORMATION BULLETIN

xterm Logfile Vulnerability

November 11, 1993 2130 PST
Number E-04
______________________________________________________________________________

PROBLEM:  The logfile facility of the xterm program contains a security vulnerability.
PLATFORM: UNIX systems with X11 software and xterm installed with setuid or setgid privileges.
DAMAGE:   Local users may gain root access to the system.
SOLUTION: Install a patched version of xterm.
______________________________________________________________________________

Critical Information about the xterm Logfile Vulnerability

CIAC has learned of a vulnerability in many versions of the X11 program xterm. Local users may use the xterm logfile facility to create or modify files on the system, enabling unauthorized access including root access. This vulnerability has been shown to exist in X11 (Version 5 and earlier) in both vendor-supplied binaries and those compiled from the public X11 sources. The vulnerability exists only on systems with xterm installed with setuid or setgid privileges.
For example, the "s" permission bit in the following directory listing indicates the xterm binary is installed with the setuid bit set:

    % ls -l /opt/X11R5/bin/xterm
    -rwsr-xr-x  1 root  staff  183152 Nov 10 13:10 /opt/X11R5/bin/xterm*

Additionally, the vulnerability only exists in xterm binaries that permit logging. To determine if this feature is enabled, execute the following command:

    % xterm -l

If a file of the form "XtermLog.axxxx" is created, logging is enabled.

CIAC recommends that affected sites implement one of the solutions described below. All solutions require that a new version of xterm be installed. It is important that old versions either be removed from the system or have the setuid and setgid bits cleared.

Vendor Patch

Vendor patches, if available, should be installed. The CERT Coordination Center is coordinating the vendor response to this issue and will maintain a list of currently available vendor patches for xterm. The information will be available via anonymous FTP from info.cert.org (IP 192.88.209.5) in the file /pub/cert_advisories/xterm-patch-status. A current version of this file is appended at the end of this bulletin. For up-to-date patch information, please contact your vendor or CIAC.

X11R5 Public Patch #26

Systems using the public X11 distribution and systems lacking vendor patches may upgrade to the X Consortium's X11R5 Patch Level 26. The X11 sources and patches are available via anonymous FTP from ftp.x.org (IP 198.112.44.100). All patches, up to and including fix-26, should be installed. By default, fix-26 disables the logfile facility in xterm. Similar functionality may be obtained through the use of utilities such as the UNIX script(1) command.
______________________________________________________________________________

CIAC wishes to thank the CERT Coordination Center and Stephen Gildea of the X Consortium for their contributions to this bulletin.
______________________________________________________________________________

CERT Coordination Center xterm Vendor Status
November 11, 1993

This file is a supplement to the CERT Advisory CA-93:17 of November 11, 1993, and will be updated as additional information becomes available. The following is vendor-supplied information. The CERT Coordination Center will not formally review, evaluate, or endorse this information. For more up-to-date information, contact your vendor.

It is important to note that the vendor of your xterm may not be the same as the vendor of your platform. You should take care to correctly identify the vendor whose xterm you are using, so you can take the appropriate action.

Convex
  Fixed in CXwindows V3.1. Fixed in CXwindows V3.0 with TAC patch V3.0.131 applied. The Convex Technical Assistance Center is available for additional information at 800-952-0379.

Cray
  Fixed. Contact Cray for version/patch numbers.

DEC/OSF
  Attached is the information on the remedial images to address the xterm issue for ULTRIX V4.3 (VAX & RISC) and OSF/1 V1.2. The solutions have been included in ULTRIX V4.4 (VAX & RISC) and OSF/1 V1.3. Customers may call their normal Digital Multivendor Customer Services Support Channel to obtain this kit.

  ----------------------------------------------------------
  [ULTRIX,OSF/1] CSCPAT_4034 xterm Security Fix ECO Summary

  COPYRIGHT (c) 1988, 1993 by Digital Equipment Corporation. ALL RIGHTS RESERVED.
  COMPONENT: xterm
  OP/SYS:    ULTRIX VAX and RISC, OSF/1
  SOURCE:    Digital Customer Support Center

  ECO INFORMATION:
    CSCPAT Kit:                   CSCPAT_4034 V1.1
    CSCPAT Kit Size:              2152 blocks
    Engineering Cross Reference:  SSRT93-E-0230, SSRT93-E-0231, SSRT93-E-232
    Kit Applies To:               ULTRIX V4.3, OSF/1 V1.2
    System Reboot Required:       NO
  ----------------------------------------------------------

SCO
  The current releases listed below are not vulnerable to this problem. No xterm logging or scoterm logging is provided:
    SCO Open Desktop Lite, Release 3.0
    SCO Open Desktop, Release 3.0
    SCO Open Server Network System, Release 3.0
    SCO Open Server Enterprise System, Release 3.0
  Contact SCO for any further information.

Sequent
  Fixed. Contact Sequent for version/patch numbers.

Sun
  Sun's version of xterm has not been setuid root since at least as far back as SunOS 4.1.1, and probably further. An xterm that does not run setuid or setgid is not vulnerable to the xterm logging problem.

  CAUTION: A Sun patch was issued on December 6, 1992 to give system administrators the option of running xterm setuid root. Installing this patch will introduce the xterm logging vulnerability. So check your xterm. If either the setuid or setgid privilege bit is set on the xterm program, the vulnerability can be exploited. Contact Sun for further information.

X.org (Publicly distributed version of X.)
  You can patch X11R5 by applying all patches up to and including fix-26. See the associated CERT Advisory (CA-93:17) for further information.
______________________________________________________________________________
A list of FIRST member organizations and their constituencies can be obtained
by sending email to docserver@first.org with an empty subject line and a
message body containing the line: send first-contacts.

This document was prepared as an account of work sponsored by an agency of
the United States Government. Neither the United States Government nor the
University of California nor any of their employees, makes any warranty,
expressed or implied, or assumes any legal liability or responsibility for
the accuracy, completeness, or usefulness of any information, product, or
process disclosed, or represents that its use would not infringe privately
owned rights. Reference herein to any specific commercial products, process,
or service by trade name, trademark manufacturer, or otherwise, does not
necessarily constitute or imply its endorsement, recommendation, or favoring
by the United States Government or the University of California. The views
and opinions of authors expressed herein do not necessarily state or reflect
those of the United States Government nor the University of California, and
shall not be used for advertising or product endorsement purposes.

_____________________________________________________
The U.S. Department of Energy
Computer Incident Advisory Capability
_____________________________________________________

INFORMATION BULLETIN

SunOS/Solbourne loadmodule and modload Vulnerability

December 15, 1993 1200 PST                                       Number E-05
______________________________________________________________________________

PROBLEM:  Security vulnerability in loadmodule and modload.
PLATFORM: OpenWindows 3.0 under SunOS 4.1.x on sun4 and Solbourne systems.
DAMAGE:   Local users may gain root level access to the system.
SOLUTION: Apply patches to SunOS systems or implement workaround on
          Solbourne machines.
______________________________________________________________________________

Critical Information about the loadmodule and modload Vulnerability

CIAC has received information from Sun Microsystems and Solbourne regarding
a security vulnerability in the /usr/etc/modload and
$OPENWINHOME/bin/loadmodule utilities that allows local users to execute
commands as root. This vulnerability affects systems with OpenWindows 3.0
installed under SunOS 4.1.x on sun4 and Solbourne architectures. It does not
affect Solaris 2.x systems, sun3 architectures, or other versions of
OpenWindows.

Sun Microsystems has released patched versions of the loadmodule and modload
utilities:

                                                  /bin/sum
  Utility     Patch ID   Filename          Checksum
  ----------  ---------  ---------------   --------
  loadmodule  100448-02  100448-02.tar.Z   19410 5
  modload     101200-02  101200-02.tar.Z   41677 28

Individuals with Sun support contracts may obtain these patches from their
local Sun Answer Center or from SunSolve Online. Security patches are also
available without a support contract via anonymous FTP from ftp.uu.net
(IP 192.48.96.9) in the directory /systems/sun/sun-dist.

Solbourne systems do not make use of the loadmodule utility. On these
systems, the vulnerability may be removed by turning off the file's setuid
bit by executing the following command as root:

  chmod 0755 /usr/openwin/bin/loadmodule

______________________________________________________________________________

CIAC wishes to thank Sun Microsystems and Solbourne for their response to
this problem.
______________________________________________________________________________

For additional information or assistance, please contact CIAC:

  Voice:   (510) 422-8193
  FAX:     (510) 423-8002
  STU-III: (510) 423-2604
  E-mail:  ciac@llnl.gov

Previous CIAC Bulletins and other information are available via anonymous
FTP from irbis.llnl.gov (IP address 128.115.19.60).
______________________________________________________________________________

_____________________________________________________
The U.S. Department of Energy
Computer Incident Advisory Capability
_____________________________________________________

INFORMATION BULLETIN

Solaris System Startup Vulnerability

December 17, 1993 1500 PST                                       Number E-06
______________________________________________________________________________

PROBLEM:  Solaris system startup vulnerability.
PLATFORM: Solaris 2.x and Solaris x86 systems.
DAMAGE:   Anyone with physical access to a workstation with eeprom(1m)
          security enabled may gain root level privilege without supplying
          the eeprom or root password.
SOLUTION: Change system scripts as described or restrict physical access.
______________________________________________________________________________

Critical Information about the Solaris System Startup Vulnerability

CIAC has received information from Sun Microsystems regarding a security
vulnerability in the Solaris 2.x and Solaris x86 system startup. This
vulnerability allows a person with physical access to a workstation with
eeprom(1m) security enabled to force a startup failure and subsequently gain
root privilege without supplying the eeprom or root password. Changing the
system scripts as described below or restricting physical access to the
workstations will eliminate this vulnerability. Note that without eeprom
security enabled, a workstation is vulnerable to any unauthorized individual
who has physical access.

Without the script changes, if fsck(8) fails during boot, the system will run
a privileged shell on the workstation. Since an attacker can force the
failure, CIAC recommends application of the changes described below. If this
is not possible, then restrict physical workstation access to only those
users allowed root privilege. The changes will require the user to enter the
root password before the system runs the privileged shell.

To make the changes, edit both /sbin/rcS and /sbin/mountall.
Change every occurrence of

  /sbin/sh < /dev/console

to

  /sbin/sulogin < /dev/console

The Sun distribution of /sbin/rcS contains an occurrence of the target string
at line 152; the distribution of /sbin/mountall contains one at line 66 and
one at line 250.

An attacker with physical access to a workstation without eeprom security
enabled can easily compromise the system by booting it in single user mode.
CIAC thus recommends enabling eeprom security for all workstations without
strict physical access controls.
______________________________________________________________________________

CIAC wishes to thank Sun Microsystems for first bringing the vulnerability to
our attention, and both Sun Microsystems and the CERT Coordination Center for
portions of the information in this bulletin.
______________________________________________________________________________
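The rcS/mountall edit described in E-06, as an added shell example rather than anything from the CIAC bulletin: count_weak reports how many unauthenticated console-shell invocations remain in a startup script, and harden_script rewrites them to sulogin while keeping a .orig copy. The function names are constructed here, and the script assumes a POSIX sh with grep and sed.

```shell
#!/bin/sh
# Added example, not from the CIAC bulletin: audit and repair the two Solaris
# 2.x startup scripts named in E-06 so that a forced fsck failure hands the
# console to sulogin (root password required) rather than to an
# unauthenticated root shell. Function names are constructed for the example.

WEAK='/sbin/sh < /dev/console'
FIXED='/sbin/sulogin < /dev/console'

# count_weak FILE: print how many lines of FILE still start the unauthenticated
# shell on the console (0 if the file is missing or already fixed).
count_weak() {
    n=$(grep -c -F -- "$WEAK" "$1" 2>/dev/null) || n=${n:-0}
    printf '%s\n' "$n"
}

# harden_script FILE: replace every occurrence of WEAK with FIXED, keeping the
# original as FILE.orig. Returns 0 if the file was changed, 1 if it was
# already clean, so the caller can tell the two cases apart.
harden_script() {
    f=$1
    [ "$(count_weak "$f")" -gt 0 ] || return 1
    cp -p "$f" "$f.orig"
    # Neither string contains '|', so it can serve as the sed delimiter and the
    # slashes in the paths need no escaping. Redirecting onto the existing file
    # truncates it in place, so its mode and owner (it must stay executable)
    # are preserved.
    sed "s|$WEAK|$FIXED|g" "$f.orig" > "$f"
}

# audit_startup_scripts: report the state of the two scripts the bulletin
# names. Sun's distribution has the target string at rcS line 152 and at
# mountall lines 66 and 250, so three hits on an untouched system is expected.
audit_startup_scripts() {
    for f in /sbin/rcS /sbin/mountall; do
        printf '%s: %s unauthenticated console shell(s)\n' "$f" "$(count_weak "$f")"
    done
}

# Typical use as root (not run here):
#   audit_startup_scripts
#   harden_script /sbin/rcS; harden_script /sbin/mountall
#   audit_startup_scripts
```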
_____________________________________________________
The U.S. Department of Energy
Computer Incident Advisory Capability
_____________________________________________________

INFORMATION BULLETIN

UNIX sendmail Vulnerabilities Update

January 7, 1994 0900 PST                                         Number E-07
______________________________________________________________________________

PROBLEM:  Vulnerabilities in the UNIX sendmail utility.
PLATFORM: All implementations of UNIX sendmail.
DAMAGE:   Local and remote users may execute commands and/or gain access to
          system files.
SOLUTION: Apply workarounds or install patched version of sendmail on ALL
          systems running sendmail.
______________________________________________________________________________

Critical Information about UNIX sendmail Vulnerabilities

This advisory updates the sendmail information contained in CIAC Advisory
E-03. CIAC has learned of several vendor security patches addressing the
vulnerabilities in the UNIX utility sendmail described in CIAC Advisory E-03.
These vulnerabilities include the ability of local and remote users to
execute commands and write to system files on systems running sendmail,
including those systems behind firewalls.

CIAC Advisory E-03 described a set of workarounds to be used in the absence
of vendor patches. These may still be safely used even after vendor patches
have been installed.

The CERT Coordination Center is maintaining a list of vendor information on
available security patches for sendmail. It is available via anonymous FTP
from info.cert.org (IP 192.88.209.5) in /pub/cert_advisories/CA-93:16a.README.
A brief summary is provided below, and the current version of this file is
appended at the end of this bulletin.

  Vendor                         Patch Status
  -----------------------------  --------------
  sendmail 8.6.4                 Available
  IDA sendmail                   Available
  BSDI                           Available
  Data General Corporation       Available
  Digital Equipment Corporation  Available
  Hewlett-Packard Company        Available
  IBM                            Available
  NeXT, Inc.                     Available soon
  The Santa Cruz Operation       Available soon
  Sequent Computer Systems       Available
  Solbourne                      Available
  Sony Corporation               Available
  Sun Microsystems, Inc.         Available
______________________________________________________________________________

CIAC wishes to thank the CERT Coordination Center and the vendor community
for their response to this problem.
______________________________________________________________________________

CA-93:16a.README                                         Rev. January 7, 1994

This file is a supplement to the CERT Advisory CA-93:16a of January 7, 1994,
and will be updated as additional information becomes available.

The following is vendor-supplied information. Please notice that some entries
provide pointers to vendor advisories. For more up-to-date information,
contact your vendor.

-------------
Eric Allman, 8.6.4

Version 8.6.4 is available for anonymous FTP from ftp.cs.berkeley.edu in the
"ucb/sendmail" directory.
  Standard Unix Sum   sendmail.8.6.4.base.tar.Z: 07718   428
  System V Sum        64609   856 sendmail.8.6.4.base.tar.Z
  MD5 Checksum        MD5 (sendmail.8.6.4.base.tar.Z) = 59727f2f99b0e47a74d804f7ff654621

-------------
Paul Pomes, IDA:

A new release is available for anonymous FTP from vixen.cso.uiuc.edu as
"pub/sendmail-5.67b+IDA-1.5.tar.gz".

  Standard Unix Sum   sendmail-5.67b+IDA-1.5.tar.gz: 17272  1341
  System V Sum        30425  2682 sendmail-5.67b+IDA-1.5.tar.gz
  MD5 Checksum        MD5 (sendmail-5.67b+IDA-1.5.tar.gz) = a9b8e17fd6d3e52739d2195cead94300

-------------
BSDI

BSDI can supply either an easy-to-install port of the smrsh patch from CERT
or a port of sendmail-8.6.4 (contact BSDI Customer Support for information
on obtaining either of these solutions). In future releases, BSDI will ship
the newer sendmail that is not affected by these problems.

Releases affected by this advisory: BSD/386 V1.0.

BSDI Contact Information:
  BSDI Customer Support
  Berkeley Software Design, Inc.
  7759 Delmonico Drive
  Colorado Springs, CO 80919
  Toll Free: +1 800 ITS BSD8 (+1 800 486 2738)
  Phone:     +1 719 260 8114
  Fax:       +1 719 598 4238
  Email:     support@bsdi.com

-------------
Data General Corporation

Patches are available from dg-rtp.rtp.dg.com (128.222.1.2) in the directory
"deliver/sendmail":

  Rev       Patch Number        Sys V Checksum
  --------  ------------------  --------------
  5.4.2     tcpip_5.4.2.p14     39298   512
            MD5 (tcpip_5.4.2.p14) = c80428e3b791d4e40ebe703ba5bd249c
  5.4R2.01  tcpip_5.4R2.01.p12  65430   512
            MD5 (tcpip_5.4R2.01.p12) = 9c84cfdb4d79ee22224eeb713a414996
  5.4R2.10  tcpip_5.4R2.10.p05  42625   512
            MD5 (tcpip_5.4R2.10.p05) = 2d74586ff22e649354cc6a02f390a4be

These patches are loadable via the "syadm" utility and installation
instructions are included in the patch notes. Trusted versions of DG/UX will
use the same patches as their base version of DG/UX. Customers with any
questions about these patches should contact their local SEs or Sales
Representatives.
-------------
Digital Equipment Corporation

Systems affected: ULTRIX Versions 4.3 (VAX), ULTRIX V4.3 & V4.3A (RISC),
DEC OSF/1 V1.2 & V1.3, using sendmail.

The following patches are available from your normal Digital support channel:

  ULTRIX V4.3 (VAX), V4.3 (RISC) or V4.3a (RISC):  CSCPAT #: CSCPAT_4044
  OSF/1 V1.2 and V1.3:                             CSCPAT #: CSCPAT_4045

  *These fixes will be included in future releases of ULTRIX and DEC OSF/1

Digital Equipment Corporation strongly urges Customers to upgrade to a
minimum of ULTRIX V4.3 or DEC OSF/1 V1.2, then apply the Security kit to
prevent this potential vulnerability.

The full text of Digital's advisory can be found in
/pub/vendors/dec/advisories/sendmail on info.cert.org.

-------------
Hewlett-Packard Company

For HP/UX, the following patches are available:

  PHNE_3369 (series 300/400, HP-UX 8.x), or
  PHNE_3370 (series 300/400, HP-UX 9.x), or
  PHNE_3371 (series 700/800, HP-UX 8.x), or
  PHNE_3372 (series 700/800, HP-UX 9.x), or
  modify the sendmail configuration file (releases of HP-UX prior to 8.0)

These patches may be obtained from HP via FTP (this is NOT anonymous FTP) or
the HP SupportLine. To obtain HP security patches, you must first register
with the HP SupportLine. The registration instructions are available via
anonymous FTP at info.cert.org in the file
"pub/vendors/hp/supportline_and_patch_retrieval".

The full text of Hewlett-Packard's advisory can be found in
/pub/vendors/hp/advisories/sendmail on info.cert.org.

-------------
IBM

Patches for these problems can be ordered as APAR# ix40304 and APAR# ix41354.
Ix40304 is available now and ix41354 will be sent as soon as it is available.

-------------
NeXT, Inc.

NeXT expects to have patches available soon.
-------------
The Santa Cruz Operation

Support level Supplement (SLS) net379A will soon be available for the
following platforms:

  SCO TCP/IP Release 1.2.0 for SCO UNIX or SCO XENIX
  SCO TCP/IP Release 1.2.1 for SCO UNIX
  SCO Open Desktop Release 2.0, 3.0
  SCO Open Desktop Lite Release 3.0
  SCO Open Server Network System, Release 3.0
  SCO Open Server Enterprise System, Release 3.0

This SLS is currently orderable from SCO Support for all customers who have
one of the above products registered. It will be available in the near
future. Systems using MMDF as their mail system do not need this SLS.

-------------
Sequent Computer Systems

Versions 3.0.17 and greater of Dynix are vulnerable as are versions 2.2 and
2.3 of the TCP package for PTX. Sequent customers should call the Sequent
Hotline at (800) 854-9969 and ask for the Sendmail Maintenance Release Tape.
Alternatively, ptx customers can upgrade to PTX/TCP/IP version 2.2.3 or 2.3.1
as appropriate.

-------------
Solbourne

Patch p93122301 is available from Solbourne to fix the sendmail problems.
This patch is equivalent to Sun patch 100377-08. Customers may retrieve it
via anonymous FTP from solbourne.solbourne.com in the pub/support/OS4.1B
directory:

  Filename         BSD        SVR4
                   Checksum   Checksum
  ---------------  ---------  ---------
  p93122301.tar.Z  63749 211  53951 421

  MD5 (p93122301.tar.Z) = f7300f3ecfbbbfaa11a6695f42f14615

It is also available by sending email to solis@solbourne.com and specifying
"get patches/4.1b p93122301" in the body of the mail message.

Earlier versions (4.1A.*) are no longer supported. The 4.1B patch may well
work on 4.1A.* systems but this has not been tested.

If you have any questions please call the SOURCE at 1-800-447-2861 or send
email to support@solbourne.com.

The full text of Solbourne's advisory can be found in
/pub/vendors/solbourne/advisories/sendmail on info.cert.org.

---------------
Sony Corporation

These vulnerabilities have been fixed in NEWS-OS 6.0.1. A patch is available
for NEWS-OS 4.x.
Customers should contact their dealers for any additional information.

---------------
Sun Microsystems, Inc.

Sun has made patches for sendmail available as described in their SUN
MICROSYSTEMS SECURITY BULLETIN: #00125, 12/23/93. These patches can be found
in the /systems/sun/sun-dist directory on ftp.uu.net:

  System       Patch ID   Filename         BSD        SVR4
                                           Checksum   Checksum
  -----------  ---------  ---------------  ---------  ----------
  SunOS 4.1.x  100377-08  100377-08.tar.Z  05320 755  58761 1510
  Solaris 2.1  100840-06  100840-06.tar.Z  59489 195  61100 390
  Solaris 2.2  101077-06  101077-06.tar.Z  63001 179  28185 358
  Solaris 2.3  101371-03  101371-03.tar.Z  27539 189  51272 377

MD5 checksums are:

  MD5 (100377-08.tar.Z) = 8e8a14c0a46b6c707d283cacd85da4f1
  MD5 (100840-06.tar.Z) = 7d8d2c7ec983a58b4c6a608bf1ff53ec
  MD5 (101077-06.tar.Z) = 78e165dec0b8260ca6a5d5d9bdc366b8
  MD5 (101371-03.tar.Z) = 687d0f3287197dee35941b9163812b56

A patch for x86 based systems will be forthcoming as patch 101352-02.

Sites running SunOS 4.1 that install these patches may need to modify their
configuration files slightly. Full details are given in the Sun advisory.

The full text of Sun Microsystems's advisory can be found in
/pub/vendors/sun/advisories/sendmail on info.cert.org.

-------------

_____________________________________________________
The U.S. Department of Energy
Computer Incident Advisory Capability
_____________________________________________________

ADVISORY NOTICE

Network Monitoring Attacks

February 3, 1994 2130 PST                                        Number E-09
______________________________________________________________________________

PROBLEM:  Systematic compromise and exploitation of networked computers to
          capture network transactions.
PLATFORM: Sun 4.x and Solbourne systems.
DAMAGE:   Unauthorized access and use of resources; exposure of username,
          password, host-name combinations, as well as other sensitive
          information.
SOLUTION: Detection, prevention, and recovery steps described below.
______________________________________________________________________________

Critical information about the Network Monitoring Attacks

CIAC and other response teams have observed many compromised systems
surreptitiously monitoring network traffic, obtaining username, password,
host-name combinations (and potentially other sensitive information) as users
connect to remote systems using telnet, rlogin, and ftp. This is for both
local and wide area network connections. The intruders may (and presumably
do) use this information to compromise new hosts and expand the scope of the
attacks. Once system administrators discover a compromised host, they must
presume monitoring of all network transactions from or to any host "visible"
on the network for the duration of the compromise, and that intruders
potentially possess any of the information so exposed.

The attacks proceed as follows. The intruders gain unauthorized, privileged
access to a host that supports a network interface capable of monitoring the
network in "promiscuous mode," reading every packet on the network whether
addressed to the host or not. They accomplish this by exploiting unpatched
vulnerabilities or learning a username, password, host-name combination from
the monitoring log of another compromised host.
The intruders then install a network monitoring tool that captures and
records the initial portion of all network traffic for ftp, telnet, and
rlogin sessions. They typically also install "Trojan" programs for login, ps,
and telnetd to support their unauthorized access and other clandestine
activities.

System administrators must begin by determining if intruders have compromised
their systems. The CERT Coordination Center has released a tool to detect
network interface devices in promiscuous mode. Instructions for obtaining and
using the tool appear later in this bulletin--the tool is available via
anonymous ftp. If a site discovers that intruders have compromised their
systems, the site must determine the extent of the attack and perform
recovery as described below. System administrators must also prevent future
attacks as described below.

CIAC advises system administrators to follow the steps described below. The
following guidelines have been extracted (with minor modifications) from the
CERT Coordination Center's Advisory CA-94:01, and full credit is given to
them.

[Beginning of CERT extract.]

A. Detection

The network monitoring tool can be run under a variety of process names and
log to a variety of filenames. Thus, the best method for detecting the tool
is to look for 1) Trojan horse programs commonly used in conjunction with
this attack, 2) any suspect processes running on the system, and 3) the
unauthorized use of /dev/nit.
1) Trojan horse programs:

The intruders have been found to replace one or more of the following
programs with a Trojan horse version in conjunction with this attack:

  /usr/etc/in.telnetd and /bin/login
      - Used to provide back-door access for the intruders to retrieve
        information
  /bin/ps
      - Used to disguise the network monitoring process

Because the intruders install Trojan horse variations of standard UNIX
commands, CERT recommends not using other commands such as the standard UNIX
sum(1) or cmp(1) commands to locate the Trojan horse programs on the system
until these programs can be restored from distribution media, run from
read-only media (such as a mounted CD-ROM), or verified using cryptographic
checksum information.

In addition to the possibility of having the checksum programs replaced by
the intruders, the Trojan horse programs mentioned above may have been
engineered to produce the same standard checksum and timestamp as the
legitimate version. Because of this, the standard UNIX sum(1) command and the
timestamps associated with the programs are not sufficient to determine
whether the programs have been replaced.

CERT recommends that you use both the /usr/5bin/sum and /bin/sum commands to
compare against the distribution media and assure that the programs have not
been replaced. The use of cmp(1), MD5, Tripwire (only if the baseline
checksums were created on a distribution system), and other cryptographic
checksum tools are also sufficient to detect these Trojan horse programs,
provided these programs were not available for modification by the intruder.
If the distribution is available on CD-ROM or other read-only device, it may
be possible to compare against these volumes or run programs off these media.

2) Suspect processes:

Although the name of the network monitoring tool can vary from attack to
attack, it is possible to detect a suspect process running as root using
ps(1) or other process-listing commands.
Until the ps(1) command has been verified against distribution media, it
should not be relied upon--a Trojan horse version is being used by the
intruders to hide the monitoring process. Some process names that have been
observed are sendmail, es, and in.netd. The arguments to the process also
provide an indication of where the log file is located. If the "-F" flag is
set on the process, the filename following indicates the location of the log
file used for the collection of authentication information for later
retrieval by the intruders.

If the network monitoring tool is currently running on your system, it is
possible to detect this by checking for unauthorized use of the /dev/nit
interface. CERT has created a minimal tool for this purpose. The source code
for this tool is available via anonymous FTP on info.cert.org in the
/pub/tools/cpm directory or on ftp.uu.net in the /pub/security/cpm directory
as cpm.1.0.tar.Z. The checksum information is:

  Filename        Standard UNIX Sum   System V Sum
  --------------  -----------------   ------------
  cpm.1.0.tar.Z:  11097 6             24453 12

  MD5 Checksum
  MD5 (cpm.1.0.tar.Z) = e29d43f3a86e647f7ff2aa453329a155

This archive contains a readme file, also included at the end of this
extract, containing instructions on installing and using this detection tool.

B. Prevention

There are two actions that are effective in preventing this attack. A
long-term solution requires eliminating transmission of clear-text passwords
on the network. For this specific attack, however, a short-term workaround
exists. Both of these are described below.

1) Long-term prevention:

CERT recognizes that the only effective long-term solution to prevent these
attacks is by not transmitting reusable clear-text passwords on the network.
CERT has collected some information on relevant technologies. This
information is included as Appendix B in this advisory.
Note: These solutions will not protect against transient or remote access
transmission of clear-text passwords through the network. Until everyone
connected to your network is using the above technologies, your policy should
allow only authorized users and programs access to promiscuous network
interfaces. The tool described in Section III.A.3 above may be helpful in
verifying this restricted access.

2) Short-term workaround:

Regardless of whether the network monitoring software is detected on your
system, CERT recommends that ALL SITES take action to prevent unauthorized
network monitoring on their systems. You can do this either by removing the
interface, if it is not used on the system, or by attempting to prevent the
misuse of this interface.

For systems other than Sun and Solbourne, contact your vendor to find out if
promiscuous mode network access is supported and, if so, what is the
recommended method to disable or monitor this feature.

For SunOS 4.x and Solbourne systems, the promiscuous interface to the network
can be eliminated by removing the /dev/nit capability from the kernel. The
procedure for doing so is outlined below (see your system manuals for more
details). Once the procedure is complete, you may remove the device file
/dev/nit since it is no longer functional.

Procedure for removing /dev/nit from the kernel:

1. Become root on the system.

2. Apply "method 1" as outlined in the System and Network Administration
   manual, in the section, "Sun System Administration Procedures," Chapter 9,
   "Reconfiguring the System Kernel." Excerpts from the method are reproduced
   below:

   # cd /usr/kvm/sys/sun[3,3x,4,4c]/conf
   # cp CONFIG_FILE SYS_NAME

   [Note that at this step, you should replace the CONFIG_FILE with your
   system specific configuration file if one exists.]

   # chmod +w SYS_NAME
   # vi SYS_NAME

   #
   # The following are for streams NIT support. NIT is used by
   # etherfind, traffic, rarpd, and ndbootd. As a rule of thumb,
   # NIT is almost always needed on a server and almost never
   # needed on a diskless client.
   #
   pseudo-device   snit            # streams NIT
   pseudo-device   pf              # packet filter
   pseudo-device   nbuf            # NIT buffering module

   [Comment out the preceding three lines; save and exit the editor before
   proceeding.]

   # config SYS_NAME
   # cd ../SYS_NAME
   # make
   # mv /vmunix /vmunix.old
   # cp vmunix /vmunix
   # /etc/halt
   > b

   [This step will reboot the system with the new kernel.]

   [NOTE that even after the new kernel is installed, you need to take care
   to ensure that the previous vmunix.old, or other kernel, is not used to
   reboot the system.]

C. Scope and recovery

If you detect the network monitoring software at your site, CERT recommends
the following steps to successfully determine the scope of the problem and
to recover from this attack.

1. Restore the system that was subjected to the network monitoring software.

   The systems on which the network monitoring and/or Trojan horse programs
   are found have been compromised at the root level; your system
   configuration may have been altered. See Appendix A of this advisory for
   help with recovery.

2. Consider changing router, server, and privileged account passwords due to
   the wide-spread nature of these attacks.

   Since this threat involves monitoring remote connections, take care to
   change these passwords using some mechanism other than remote telnet,
   rlogin, or FTP access.

3. Urge users to change passwords on local and remote accounts.

   Users who access accounts using telnet, rlogin, or FTP either to or from
   systems within the compromised domain should change their passwords after
   the intruder's network monitor has been disabled.

4. Notify remote sites connected from or through the local domain of the
   network compromise.

   Encourage the remote sites to check their systems for unauthorized
   activity.
      Be aware that if your site routes network traffic between external
      domains, both of these domains may have been compromised by the
      network monitoring software.

---------------------------------------------------------------------------

cpm 1.0                                                          README FILE

cpm - check for network interfaces in promiscuous mode.

Copyright (c) Carnegie Mellon University 1994
Thursday Feb 3 1994

CERT Coordination Center
Software Engineering Institute
Carnegie Mellon University
Pittsburgh, PA 15213-3890

This program is free software; you can distribute it and/or modify it as
long as you retain the Carnegie Mellon copyright statement. It can be
obtained via anonymous FTP from info.cert.org:pub/tools/cpm.tar.Z.

This program is distributed WITHOUT ANY WARRANTY; without the IMPLIED
WARRANTY of merchantability or fitness for a particular purpose.

This package contains:

   README
   MANIFEST
   cpm.1
   cpm.c

To create cpm under SunOS, type:

   % cc -Bstatic -o cpm cpm.c

On machines that support dynamic loading, such as Sun's, CERT recommends
that programs be statically linked so that this feature is disabled.

CERT recommends that after you install cpm in your favorite directory, you
take measures to ensure the integrity of the program by noting the size and
checksums of the source code and resulting binary.

The following is an example of the output of cpm and its exit status.

Running cpm on a machine where both the le0 and le2 interfaces are in
promiscuous mode, under csh(1):

   % cpm
   le0
   le2
   % echo $status
   2
   %

Running cpm on a machine where no interfaces are in promiscuous mode, under
csh(1):

   % cpm
   % echo $status
   0
   %

[End of CERT extract.]
______________________________________________________________________________

CIAC wishes to acknowledge the contributions of the CERT Coordination Center
for their timely and thorough advisory, their detection tool, and their
diligence and support throughout this ongoing incident.
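A Linux counterpart to cpm, added here as an example (it is not the cpm source, which used the SunOS NIT interface): Linux exposes each interface's flags word in /sys/class/net/<name>/flags, and IFF_PROMISC is bit 0x100. It keeps cpm's convention of printing the promiscuous interfaces and exiting with their count; taking interface names on the command line is an addition.

```python
"""Linux counterpart of CERT's cpm(1): list interfaces in promiscuous mode
and exit with their count (added example; not the cpm source, which used the
SunOS NIT interface).

Linux exposes each interface's flags word in /sys/class/net/<name>/flags as
a hexadecimal string; IFF_PROMISC is 0x100 in <linux/if.h>.
"""
import os
import sys

IFF_PROMISC = 0x100
SYSFS_NET = "/sys/class/net"


def promiscuous_from_flags(flags_by_name):
    """Names (sorted) whose flags word has IFF_PROMISC set.

    Values may be ints or the raw hex strings read from sysfs ("0x1103").
    """
    found = []
    for name, flags in flags_by_name.items():
        if isinstance(flags, str):
            flags = int(flags.strip(), 16)
        if flags & IFF_PROMISC:
            found.append(name)
    return sorted(found)


def read_interface_flags(names=None, sysfs=SYSFS_NET):
    """Read the flags word of the named interfaces (all of them by default).

    Interfaces that cannot be read are skipped, as cpm skips interfaces it
    cannot open; an absent sysfs tree yields an empty result.
    """
    if names is None:
        names = sorted(os.listdir(sysfs)) if os.path.isdir(sysfs) else []
    flags = {}
    for name in names:
        try:
            with open(os.path.join(sysfs, name, "flags")) as fh:
                flags[name] = fh.read()
        except OSError:
            continue
    return flags


def main(argv):
    # Interface names on the command line restrict the check (an addition;
    # cpm as shown in the README checks every interface).
    promisc = promiscuous_from_flags(read_interface_flags(argv[1:] or None))
    for name in promisc:
        print(name)
    return len(promisc)          # exit status = number of promiscuous interfaces


if __name__ == "__main__":
    sys.exit(main(sys.argv))
```

The Linux kernel also logs "device <name> entered promiscuous mode" when the flag is set, so the same condition can be watched for in the kernel log independently of this check.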
______________________________________________________________________________

For additional information or assistance, please contact CIAC:

    Voice:    (510) 422-8193
    FAX:      (510) 423-8002
    STU-III:  (510) 423-2604
    E-mail:   ciac@llnl.gov

Previous CIAC Bulletins and other information are available via anonymous
FTP from irbis.llnl.gov (IP address 128.115.19.60).

______________________________________________________________________________

PLEASE NOTE: Many users outside of the DOE and ESnet computing communities
receive CIAC bulletins. If you are not part of these communities, please
contact your agency's response team to report incidents. Your agency's team
will coordinate with CIAC. The Forum of Incident Response and Security Teams
(FIRST) is a world-wide organization. A list of FIRST member organizations
and their constituencies can be obtained by sending email to
docserver@first.org with an empty subject line and a message body containing
the line: send first-contacts.

This document was prepared as an account of work sponsored by an agency of
the United States Government. Neither the United States Government nor the
University of California nor any of their employees, makes any warranty,
expressed or implied, or assumes any legal liability or responsibility for
the accuracy, completeness, or usefulness of any information, product, or
process disclosed, or represents that its use would not infringe privately
owned rights. Reference herein to any specific commercial products, process,
or service by trade name, trademark manufacturer, or otherwise, does not
necessarily constitute or imply its endorsement, recommendation, or favoring
by the United States Government or the University of California. The views
and opinions of authors expressed herein do not necessarily state or reflect
those of the United States Government nor the University of California, and
shall not be used for advertising or product endorsement purposes.
_____________________________________________________
           The U.S. Department of Energy
      Computer Incident Advisory Capability
_____________________________________________________

                   Information Bulletin

          Lotus cc:Mail Security Upgrade Available

March 7, 1994 900 PST                                            Number E-11
______________________________________________________________________________

PROBLEM:  Passwords are vulnerable on local hard drives
PLATFORM: Lotus cc:Mail Windows 2.0 and 2.01
DAMAGE:   Accounts could be compromised if another person is allowed access
          to a cc:Mail user's personal computer
SOLUTION: Retrieve and install cc:Mail 2.02 for Windows, then have all users
          change their passwords.
______________________________________________________________________________

Critical Information about Lotus CCMAIL Security Upgrade

CIAC has received information from Lotus regarding a vulnerability in
cc:Mail for Windows. Under certain circumstances, the user's password can be
viewed on their local hard drive. This vulnerability exists only in cc:Mail
Windows 2.0 and 2.01.

To correct the problem, a software upgrade, cc:Mail for Windows 2.02, has
been made available. This upgrade is contained in the file WINFIX.ZIP.
WINFIX.ZIP can be downloaded from three sources: anonymous ftp, CompuServe,
or the Lotus cc:Mail BBS.

The file is available via anonymous ftp from ftp.ccmail.com in the
/pub/windows directory. On the anonymous ftp server, WINFIX.ZIP is dated
Feb 19 00:53 and is 279803 bytes long.

In CompuServe, perform the following commands:

   a. Enter the Lotus forum by typing GO LOTUSC from any CompuServe prompt.
   b. Enter Section 10 when prompted for which section.
   c. From within Section 10, select "Download" and download the file
      WINFIX.ZIP.

The Lotus cc:Mail BBS is available to everyone via modem. The telephone
number is (415) 691-0401. Your modem setting should be: 8 data bits, No
Parity, 1 stop bit. Once connected, go to the "File Area" by typing "F".
Select the download option and download the file WINFIX.ZIP. On the BBS,
WINFIX.ZIP is 279803 bytes long and is dated 2/18/94 at 2:02a.

After unzipping WINFIX.ZIP, the following files are available:

   ccmail.exe    628656 bytes
   readme.now      1062 bytes

Your next step is to install this upgrade. Change to the directory (which is
likely to be m:\ccmail) that contains the old version of ccmail.exe. Rename
the old copy of ccmail.exe to ccmail.old, and then copy the new ccmail.exe
to the directory. If cc:Mail for Windows has been installed on a network,
the system administrator only needs to change the network copy of
ccmail.exe. If cc:Mail for Windows has been installed locally, ccmail.exe
must be installed in the proper directory of every workstation. After
installation of ccmail.exe, all users should change their password.
______________________________________________________________________________

CIAC would like to thank Lally Thomas and Gary Schuppert of CDSI for
bringing this problem to our attention.
______________________________________________________________________________
______________________________________________________________________________
_____________________________________________________
           The U.S. Department of Energy
      Computer Incident Advisory Capability
_____________________________________________________

                     ADVISORY NOTICE

             Network Monitoring Attacks Update

March 18, 1994 1800 PST                                          Number E-12
______________________________________________________________________________

PROBLEM:  Continued network monitoring attacks.
PLATFORM: All computers supporting logins over the Internet.
DAMAGE:   Unauthorized access and use of resources; exposure of username,
          password, host-name combinations, as well as other sensitive
          information.
SOLUTION: Detection and prevention steps described below.
______________________________________________________________________________

Critical Information about the Network Monitoring Attacks

This Advisory supersedes any other version of Bulletin E-12 dated prior to
March 18, 1994.
This Advisory updates information contained in CIAC Advisory E-09.

The number of Internet sites compromised by the ongoing series of network
monitoring (sniffing) attacks continues to increase. The number of accounts
compromised world-wide is now estimated to exceed 100,000. This series of
attacks represents the most serious Internet threat in its history.

IMPORTANT: THESE NETWORK MONITORS DO NOT SPECIFICALLY TARGET INFORMATION
FROM UNIX SYSTEMS; ALL SYSTEMS SUPPORTING NETWORK LOGINS ARE POTENTIALLY
VULNERABLE. IT IS IMPERATIVE THAT SITES ACT TO SECURE THEIR SYSTEMS.

Attack Description
==================

The attacks are based on network monitoring software, known as a "sniffer",
installed surreptitiously by intruders. The sniffer records the initial 128
bytes of each login, telnet, and FTP session seen on the local network
segment, compromising ALL traffic to or from any machine on the segment as
well as traffic passing through the segment being monitored. The captured
data includes the name of the destination host, the username, and the
password used. This information is written to a file and is later used by
the intruders to gain access to other machines.

Note: To date, these attacks have only involved sniffers on Unix systems
running SunOS 4.x. However, nearly all networked computers have the
capability of monitoring the network.

In most cases, the intruders initially gain access to systems using one of
the following techniques:

   - Retrieve the password file via TFTP on improperly configured systems.
   - Retrieve the password file from systems running insecure versions of
     NIS.
   - Gain access to the local file systems via NFS mount points exported
     without restrictions.
   - Use a login name and password captured by a sniffer running on another
     system.

Once on a system, the intruders gain root privilege by exploiting known
vulnerabilities, including rdist, Sun Sparc integer division, and world
writeable utmp files; or by making use of a captured root password.
They then install the sniffer software, logging the captured session
information to a hidden file. In addition, the intruders generally install
Trojan replacements for one or more of the following critical system files
in order to disguise their presence on the system:

   - /bin/login
   - /usr/etc/in.telnetd
   - /usr/kvm/ps
   - /usr/ucb/netstat

Detection
=========

The following techniques may be used to detect the presence of a sniffer on
a system running SunOS 4.x:

1. The integrity of key system files may be verified using the database of
   MD5 checksums contained in Appendix B of this Advisory. The use of MD5
   checksums is essential, as many of the Trojan binaries currently being
   used have been engineered to generate the same "/bin/sum" checksum as
   the original binary. The MD5 signature algorithm by RSA Data Security,
   Inc. is cryptographically strong and is not believed to be susceptible
   to such an attack.

   In addition to the checksum database, CIAC is providing a program to
   automate the verification of system files. This program is included in
   Appendix A. The program, the checksum database, source for md5, and a man
   page are also available via anonymous FTP from irbis.llnl.gov
   (IP 128.115.19.60) in the directory /pub/util/crypto.

      Filename            MD5 Checksum
      ----------------    --------------------------------
      md5check.1.0.tar    113d5d66e73c95967801b512d3dd692d
      md5_sun.v1          780a0f1f3717819c59135716e5f6a1ce

   Note that the MD5 checksum database is not complete. Some patch revisions
   and OS releases were unavailable for testing. If a checksum DOES NOT
   match, consider these possible reasons:

   a. The file may be legitimate, but not included in this database. To
      check this possibility, compare the file against the original
      distribution media.

   b. You may have made local modifications to the file. To check this
      possibility, compare the file to a known good version.

   c. The file may be a Trojan replacement installed by an intruder.
      We encourage you to make a copy of the file, replace it with a known
      good version, and check for additional signs of compromise. Contact
      CIAC for further assistance.

2. The sniffer software places the network interface in promiscuous mode to
   allow examination of each packet on the network segment. This mode can
   be detected with the CPM utility described in Appendix C.

3. Scan your file system for any unusual directories or files. Look for
   unusual names like "..  " (dot dot space space) or " " (space). A useful
   technique for locating such files is to examine the file system for
   files that have recently changed. For example, the command

      find / -ctime -7 -print

   will locate all files that have changed in the last 7 days.

4. Examine the process table with a known good version of ps, checking for
   long running processes with unusually high amounts of CPU time and/or
   unusual names.

Prevention
==========

1. Verify that all applicable security patches have been installed. These
   patches will limit the amount of damage that is possible, even if an
   intruder has captured a password for the system. Appendix D lists all
   SunOS security patches released as of March 18, 1994.

2. Install a change detection tool such as Security Profile Inspector (SPI)
   or Tripwire to detect future changes to system binaries. For the latest
   information about the availability of SPI contact Tony Bartoletti, SPI
   Project Leader, 510-422-3881 or azb@llnl.gov. A mailserver exists for
   information about Tripwire availability. Send E-mail to
   "tripwire-request@cs.purdue.edu" with a message body consisting solely
   of the word "help", and the server will respond with instructions on how
   to get source, patches and join the tripwire mailing list.

3. The only long term solution to the problem of network password sniffing
   is the use of one-time passwords. These passwords change with each use,
   and are of no value to an intruder. Several implementations exist,
   including both hardware and software solutions.
   Contact information is provided in Appendix E.

   At a minimum, users should use different passwords for each account and
   each system, remote systems in particular. Passwords must be changed
   frequently, especially on systems accessed over networks.

--------------------------------------------------------------------

Appendix A: "md5check"

The following program is a "nawk" script that can be run against the list
of checksums "md5_sun.v1" in Appendix B:

   nawk -f md5check md5_sun.v1

The program, the checksum database, source for md5, and a man page are also
available via anonymous FTP from irbis.llnl.gov (IP 128.115.19.60) in the
directory /pub/util/crypto.

   Filename            MD5 Checksum
   ----------------    --------------------------------
   md5check.1.0.tar    113d5d66e73c95967801b512d3dd692d
   md5_sun.v1          780a0f1f3717819c59135716e5f6a1ce

------- Cut Here -------
# "md5check" version 1 (3/17/94)
BEGIN { FS = "[ \t]*:[ \t]*"; }

# Print notices from the configuration file
/^##/ { print substr ($0, 3); next; }

# Only handle MD5 checksums currently
/^md5/ {
    source = sprintf("%-7s %-8s %-6s %s", $2, $3, $5, $4);
    file = $6;
    sum = hex_lower($7);
    if (md5[file] == "") {
        print "Checking", file;
        testcmd = "test -r " file;
        if ( system(testcmd) != 0 ) {
            print "  Could not open", file;
            md5[file] = "x";
            next;
        } else {
            md5cmd = "md5 " file
            md5cmd | getline md5[file];
            close (md5cmd);
            # Strip off any leading text and set to lowercase
            sub(".*[ \t]", "", md5[file]);
            md5[file] = hex_lower(md5[file]);
        }
    }
    if (md5[file] == "x" || file in matched) {
        # Could not open or already matched
        next;
    }
    if (md5[file] == sum) {
        # We have a match - remember which one
        matched[file] = source;
        num_match++;
        if (file in not_matched) {
            num_no_match--;
            delete not_matched[file];
        }
    } else {
        if (! (file in not_matched)) {
            num_no_match++;
            not_matched[file] = 1;
        }
    }
}

END {
    printf "\n%d files DID NOT MATCH a known checksum\n", num_no_match;
    printf "%d files did match a known checksum\n", num_match;
    print "\nThe following files DID NOT MATCH a known checksum";
    for (filename in not_matched) {
        printf "\t%s\n", filename;
    }
    print "\nThe following files did match a known checksum";
    for (filename in matched) {
        printf "\t%s\n\t\t%s\n", filename, matched[filename];
    }
}

function hex_lower(s) {
    gsub("A","a",s); gsub("B","b",s); gsub("C","c",s);
    gsub("D","d",s); gsub("E","e",s); gsub("F","f",s);
    return s
}
------- Cut Here -------

--------------------------------------------------------------------

Appendix B: "md5_sun.v1"

## Checksum Table for Selected SunOS Binary Files (v1: 3/17/94)
##
## PLEASE NOTE: The entries included in this table do not represent complete
##              coverage of all released versions of these files.
##              In particular, checksum data for outdated patch releases is
##              limited.
##
##              Failure to match a checksum for a given file does not
##              necessarily indicate the presence of a Trojan binary.
##              Failure indicates that the file's checksum did not match any
##              contained in this table. The file's authenticity should be
##              verified against distribution media or local modifications.
##
##              Success at matching a file's checksum indicates that the
##              corresponding file is free from tampering.
##
# (MD5 is the RSA Data Security, Inc.
#  Message Digest Algorithm)
#
# format of data
#
# XSUMTYPE:OSNAME:OSVERSION:SOURCE:ARCH:FILE:XSUM
Dist:sun4:/usr/5lib/libc.so.2.9:722852b7e5df15de70e3c1a1f96c04d9 md5:SunOS:4.1.3_u1:Original Dist:sun4:/usr/lib/libc.so.1.9:2d5bc65422472f7d4119712ccf795bf3 -------------------------------------------------------------------- Appendix C: "cpm" The CPM 1.0 README File cpm - check for promiscuous mode in network interfaces. Copyright (c) Carnegie Mellon University 1994 Thursday Feb 3 1994 CERT Coordination Center Software Engineering Institute Carnegie Mellon University Pittsburgh, PA 15213-3890 This program is free software; you can distribute it and/or modify it as long as you retain the Carnegie Mellon copyright statement. It can be obtained via anonymous FTP from info.cert.org:pub/tools/cpm.tar.Z. This program is distributed WITHOUT ANY WARRANTY and without an IMPLIED WARRANTY of merchantability or fitness for a particular purpose. This package contains: README MANIFEST cpm.1 cpm.c To create cpm under SunOS, type: % cc -Bstatic -o cpm cpm.c On machines that support dynamic loading, such as Sun's, CERT recommends that programs be statically linked so that this feature is disabled. CERT recommends that after you install cpm in your favorite directory, you take measures to ensure the integrity of the program by noting the size and checksums of the source code and resulting binary. The following is an example of the output of cpm and its exit status. Running cpm on a machine where both the le0 and le2 interfaces are in promiscuous mode, under csh(1): % cpm le0 le2 % echo $status 2 % Running cpm on a machine where no interfaces are in promiscuous mode, under csh(1): % cpm % echo $status 0 % ------------------------------------------------------------- Appendix D: "SunOS security patches" Solaris and SunOS Security Patch Information For information about rdist see CIAC Bulletin C-04. For information about integer division under SunOS see CIAC Bulletin B-41. 
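The cpm README in Appendix C above describes the check (query each interface's flag word, print the names that have the promiscuous bit set, exit with the count) but not the code. The following is an added example of the same check written for Linux; it is not CERT's cpm source. It assumes the Linux values of the SIOCGIFFLAGS ioctl (0x8913) and the IFF_PROMISC flag bit (0x100), which differ from the SunOS ones, and the interface names and flag words used in the demonstration are constructed to mirror the README's le0/le2 example.

```python
"""Report network interfaces in promiscuous mode, following cpm's conventions.

Added example, not the cpm code from the README. Linux ioctl values are
assumed; the flag-word interpretation and exit-status rule are what cpm
documents: print each promiscuous interface, exit with their count.
"""
import fcntl
import os
import socket
import struct
import sys

SIOCGIFFLAGS = 0x8913   # Linux: "get interface flags" ioctl request (assumed value)
IFF_PROMISC = 0x100     # Linux: promiscuous-mode bit in the flag word (assumed value)


def promiscuous_from_flags(flags: int) -> bool:
    """True when the IFF_PROMISC bit is set in an interface's flag word."""
    return bool(flags & IFF_PROMISC)


def interface_flags(ifname: str) -> int:
    """Read one interface's flag word with SIOCGIFFLAGS (Linux only)."""
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as s:
        # struct ifreq: 16-byte interface name, then a union whose first
        # member here is the 16-bit flags field; pad to keep the layout.
        req = struct.pack("16sH14s", ifname.encode()[:15], 0, b"\0" * 14)
        res = fcntl.ioctl(s.fileno(), SIOCGIFFLAGS, req)
    return struct.unpack("16sH14s", res)[1]


def list_interfaces() -> list:
    """Interface names as exposed by sysfs (Linux); empty elsewhere."""
    try:
        return sorted(os.listdir("/sys/class/net"))
    except OSError:
        return []


def promiscuous_interfaces(flag_words: dict) -> list:
    """Given {name: flag word}, return the names in promiscuous mode, sorted."""
    return [n for n, f in sorted(flag_words.items()) if promiscuous_from_flags(f)]


def exit_status(promisc: list) -> int:
    """cpm's convention: the exit status is the number of promiscuous interfaces."""
    return len(promisc)


def main() -> int:
    flags = {}
    for name in list_interfaces():
        try:
            flags[name] = interface_flags(name)
        except OSError:
            continue            # interface vanished or ioctl unsupported; skip it
    promisc = promiscuous_interfaces(flags)
    for name in promisc:
        print(name)
    return exit_status(promisc)


if __name__ == "__main__":
    sys.exit(main())
```

As with cpm itself, the result is only as trustworthy as the kernel and the binary answering the query: the README's advice to link statically and record the checksum of the installed program applies equally to a script like this, and a compromised kernel can clear the bit it reports.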
Previous CIAC notices are available on the Internet via anonymous FTP from irbis.llnl.gov (IP address 128.115.19.60).

CIAC has compiled a list of all security related patches currently available from Sun Microsystems. The patches have been grouped by SunOS version and are detailed below. CIAC recommends the installation of any applicable patches that either are not currently present on a system or are present in the form of an older version of the patch.

SunOS security patches are available through both your Sun Answer Center and anonymous FTP. In the U.S., ftp to ftp.uu.net (IP address 192.48.96.9) and retrieve the patches from the directory /systems/sun/sun-dist. In Europe, ftp to ftp.eu.net (IP address 192.16.202.2) and retrieve the patches from the /sun/fixes directory. The patches are contained in compressed tarfiles with filenames based on the ID number of the patch (e.g. patch 100085-03 is contained in the file 100085-03.tar.Z), and must be retrieved using FTP's binary transfer mode.

After obtaining the patches, compute the checksum of each compressed tarfile and compare with the values indicated below. For example, the command "/usr/bin/sum 100085-03.tar.Z" should return "44177 740". Please note that Sun Microsystems occasionally updates patch files, resulting in a changed checksum. If you should find a checksum that differs from those listed below, please contact Sun Microsystems or CIAC for verification before using the patch.

The patches may be extracted from the compressed tarfiles using the commands uncompress and tar. For example, to extract patch 100085-03 from the compressed tarfile 100085-03.tar.Z, execute the commands "uncompress 100085-03.tar.Z" and "tar -xvf 100085-03.tar". For specific instructions regarding the installation of a particular patch, consult the README file accompanying each patch.
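Two of the checks this advisory asks an administrator to make are mechanical: compare the "sum" value of a downloaded patch tarfile against the table, and compare the MD5 of an installed binary against the "md5:SunOS:<version>:Original Dist:<arch>:<path>:<hex>" lines of Appendix B. The following is an added example that does both; it is not a CIAC or Sun tool. It assumes that the quoted "44177 740" form comes from the BSD-style sum (16-bit rotating checksum, 1024-byte block count); the System V sum, which is /usr/5bin/sum on SunOS 4 and the default on Solaris 2, uses a different algorithm and 512-byte blocks, so a mismatch can mean the wrong sum was run rather than a changed file. The sample "binary" and its table entry are constructed; the one real entry is copied from Appendix B.

```python
"""Verify patch tarfiles and installed binaries against advisory checksums.

Added example, not a CIAC or Sun program. bsd_sum() reproduces the
BSD-style sum output (rotating 16-bit checksum, 1K blocks; assumed to be
the variant behind the "44177 740" value quoted above). parse_md5_table()
reads Appendix B style lines and verify_binary() compares a local file.
"""
import hashlib
import re
from typing import Dict, List, NamedTuple, Optional, Tuple


def bsd_sum(data: bytes) -> Tuple[int, int]:
    """(checksum, blocks) as BSD sum prints them: rotate the running value
    right by one bit, add the byte, keep 16 bits; blocks are 1024-byte
    units rounded up."""
    checksum = 0
    for byte in data:
        checksum = (checksum >> 1) + ((checksum & 1) << 15)
        checksum = (checksum + byte) & 0xFFFF
    return checksum, (len(data) + 1023) // 1024


def sum_matches(data: bytes, expected: str) -> bool:
    """Compare against a quoted value such as "44177 740"."""
    want_sum, want_blocks = (int(x) for x in expected.split())
    return bsd_sum(data) == (want_sum, want_blocks)


class Md5Entry(NamedTuple):
    version: str
    arch: str
    path: str
    md5: str


_ENTRY = re.compile(
    r"^md5:SunOS:([^:]+):Original Dist:([^:]+):([^:]+):([0-9a-f]{32})$")


def parse_md5_table(text: str) -> List[Md5Entry]:
    """Parse Appendix B style lines; lines starting with '#' are section labels."""
    entries = []
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        m = _ENTRY.match(line)
        if not m:
            raise ValueError("unrecognised line: %r" % line)
        entries.append(Md5Entry(*m.groups()))
    return entries


def expected_md5(entries: List[Md5Entry], version: str, arch: str,
                 path: str) -> Optional[str]:
    for e in entries:
        if (e.version, e.arch, e.path) == (version, arch, path):
            return e.md5
    return None


def verify_binary(entries: List[Md5Entry], version: str, arch: str,
                  path: str, contents: bytes) -> str:
    """'ok' if the file's MD5 matches the table, 'MODIFIED' if it differs,
    'unknown' if the table has no entry for this version/arch/path."""
    want = expected_md5(entries, version, arch, path)
    if want is None:
        return "unknown"
    return "ok" if hashlib.md5(contents).hexdigest() == want else "MODIFIED"


# Constructed sample "binary" (not a real SunOS file) and a table holding
# one real Appendix B line for sun4 plus a constructed sun4c line whose
# hash is the sample's own MD5.
SAMPLE_BINARY = b"\x7fELF constructed sample, not a real SunOS binary\n"
SAMPLE_TABLE = (
    "#/usr/etc/in.ftpd\n"
    "md5:SunOS:4.1.3:Original Dist:sun4:/usr/etc/in.ftpd:79a29ae3f1deb02efb743d9cd39f6f2f\n"
    "md5:SunOS:4.1.3:Original Dist:sun4c:/usr/etc/in.ftpd:"
    + hashlib.md5(SAMPLE_BINARY).hexdigest() + "\n"
)


def demo() -> Dict[str, str]:
    entries = parse_md5_table(SAMPLE_TABLE)
    path = "/usr/etc/in.ftpd"
    return {
        "sun4c-genuine": verify_binary(entries, "4.1.3", "sun4c", path, SAMPLE_BINARY),
        "sun4c-tampered": verify_binary(entries, "4.1.3", "sun4c", path, SAMPLE_BINARY + b"x"),
        "sun3-unlisted": verify_binary(entries, "4.1.3", "sun3", path, SAMPLE_BINARY),
    }
```

The three-way result matters in practice: "unknown" is not "ok". A binary for a version or architecture the table does not cover has simply not been checked, and the page's own note that Sun occasionally reissues patch files is the reason a mismatch should be resolved with Sun or CIAC rather than ignored.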
As multiple patches may affect the same files, it is recommended that patches be installed chronologically by revision date, with the exception of patches for which an explicit order is specified.

=======================
SunOS 5.3 (Solaris 2.3)
=======================

Patch ID   Last Revised  Checksum     Description
--------   ------------  ---------    -------------------------------------
101371-03  23-Dec-93     51272 377    sendmail vulnerabilities

=======================
SunOS 5.2 (Solaris 2.2)
=======================

Patch ID   Last Revised  Checksum     Description
--------   ------------  ---------    -------------------------------------
101090-01  28-Jun-93     44985 54     expreserve can overwrite any file
101301-01  21-Oct-93     4703 779     tar archives may contain extraneous info
101077-06  23-Dec-93     28185 358    sendmail vulnerabilities

=======================
SunOS 5.1 (Solaris 2.1)
=======================

Patch ID   Last Revised  Checksum     Description
--------   ------------  ---------    -------------------------------------
100833-02  12-Jan-93     24412 309    C2 auditing missing in some programs
100840-01  12-Jan-93     25050 220    sendmail bypasses mailhost
100884-01  12-Feb-93     63299 5220   Security fixes for sun4m machines
101089-01  28-Jun-93     4501 54      expreserve can overwrite any file
100975-02  21-Oct-93     13460 747    tar archives may contain extraneous info
100840-06  23-Dec-93     61100 390    sendmail vulnerabilities

=======================
SunOS 5.0 (Solaris 2.0) is no longer supported (upgrade is essential for security)
=======================

===========
SunOS 4.1.3
===========

Patch ID   Last Revised  Checksum     Description
--------   ------------  ---------    -------------------------------------
100478-01  14-Feb-92     64588 58     OpenWindows 3.0 xlock vulnerability
100296-04  18-Jun-92     15271 40     File systems exported incorrectly
100507-04  3-Sep-92      57590 61     tmpfs file system vulnerability
100372-02  8-Sep-92      22739 712    tfs fails under C2
100103-11  29-Sep-92     19847 6      Permissions incorrect on many files
100567-04  27-Oct-92     15728 11     ICMP packets can be forged
100564-05  11-Nov-92     00115 824    C2 jumbo patch
100482-04  16-Nov-92     06594 342    ypserv will send NIS maps to anyone
100513-02  2-Dec-92      34315 483    Console can be redirected
100623-03  11-Dec-92     56063 141    NFS file handles can be guessed
100173-10  7-Jan-93      48086 788    NFS jumbo patch
100383-06  26-Jan-93     58984 121    rdist can create setuid root files
100452-28  29-Jan-93     07299 1688   cmdtool may reveal passwords
100305-11  12-Feb-93     38582 500    The lp daemon can delete system files
100891-01  19-Feb-93     33195 3075   Netgroup and xlock vulnerabilities
100224-06  5-Mar-93      57647 54     mail and rmail can invoke root shells
101080-01  9-Jun-93      45221 13     expreserve can overwrite any file
100448-02  15-Dec-93     19410 5      OpenWindows 3.0 loadmodule hole
101200-02  15-Dec-93     41677 28     Security hole in modload
100377-08  23-Dec-93     05320 755    sendmail vulnerabilities
100593-03  17-Mar-94     52095 242    dump vulnerabilities
100272-07  17-Mar-94     26553 39     in.comsat vulnerabilities
101480-01  17-Mar-94     47917 44     in.talkd vulnerabilities
101481-01  17-Mar-94     46562 80     shutdown vulnerabilities
100909-02  17-Mar-94     61539 108    syslogd vulnerabilities
101482-01  17-Mar-94     61148 41     write vulnerabilities

===========
SunOS 4.1.2
===========

Patch ID   Last Revised  Checksum     Description
--------   ------------  ---------    -------------------------------------
100184-02  14-Dec-90     06627 33     OpenWindows 2.0 vulnerability
100478-01  14-Feb-92     64588 58     OpenWindows 3.0 xlock vulnerability
100630-01  18-May-92     28074 39     Environment variables vulnerability
100633-01  22-May-92     33264 20     Environment variables with Sun's ARM
100296-04  18-Jun-92     15271 40     File systems exported incorrectly
100376-04  16-Jul-92     12884 100    Integer division vulnerability
100507-04  3-Sep-92      57590 61     tmpfs file system vulnerability
100372-02  8-Sep-92      22739 712    tfs fails under C2
100103-11  29-Sep-92     19847 6      Permissions incorrect on many files
100567-04  27-Oct-92     15728 11     ICMP packets can be forged
100564-05  11-Nov-92     00115 824    C2 jumbo patch
100482-04  16-Nov-92     06594 342    ypserv will send NIS maps to anyone
100513-02  2-Dec-92      34315 483    Console can be redirected
100623-03  11-Dec-92     56063 141    NFS file handles can be guessed
100173-10  7-Jan-93      48086 788    NFS jumbo patch
100383-06  26-Jan-93     58984 121    rdist can create setuid root files
100452-28  29-Jan-93     07299 1688   cmdtool may reveal passwords
100305-11  12-Feb-93     38582 500    The lp daemon can delete system files
100224-06  5-Mar-93      57647 54     mail and rmail can invoke root shells
101080-01  9-Jun-93      45221 13     expreserve can overwrite any file
100448-02  15-Dec-93     19410 5      OpenWindows 3.0 loadmodule hole
101200-02  15-Dec-93     41677 28     Security hole in modload
100377-08  23-Dec-93     05320 755    sendmail vulnerabilities
100593-03  17-Mar-94     52095 242    dump vulnerabilities
100272-07  17-Mar-94     26553 39     in.comsat vulnerabilities
101480-01  17-Mar-94     47917 44     in.talkd vulnerabilities
101481-01  17-Mar-94     46562 80     shutdown vulnerabilities
100909-02  17-Mar-94     61539 108    syslogd vulnerabilities
101482-01  17-Mar-94     61148 41     write vulnerabilities

===========
SunOS 4.1.1
===========

Patch ID   Last Revised  Checksum     Description
--------   ------------  ---------    -------------------------------------
100085-03  5-Sep-90      44177 740    Sunview selection_svc vulnerability
100184-02  14-Dec-90     06627 33     OpenWindows 2.0 vulnerability
100125-05  8-Jul-91      41964 164    telnet permits password capture
100424-01  12-Nov-91     63070 50     NFS file handles can be guessed
100448-01  10-Dec-91     29285 5      OpenWindows 3.0 loadmodule hole
100478-01  14-Feb-92     64588 58     OpenWindows 3.0 xlock vulnerability
100630-01  18-May-92     28074 39     Environment variables vulnerability
100633-01  22-May-92     33264 20     Environment variables with Sun's ARM
100296-04  18-Jun-92     42492 40     File systems exported incorrectly
100376-04  16-Jul-92     12884 100    Integer division vulnerability
100507-04  3-Sep-92      57590 61     tmpfs file system vulnerability
100372-02  8-Sep-92      22739 712    tfs fails under C2
100103-11  29-Sep-92     19847 6      Permissions incorrect on many files
100567-04  27-Oct-92     15728 11     ICMP packets can be forged
100201-06  5-Nov-92      13145 164    C2 jumbo patch
100267-09  6-Nov-92      55338 5891   Netgroup membership check fails
100482-04  16-Nov-92     06594 342    ypserv will send NIS maps to anyone
100513-02  2-Dec-92      34315 483    Console can be redirected
100173-10  7-Jan-93      48086 788    NFS jumbo patch
100383-06  26-Jan-93     58984 121    rdist can create setuid root files
100452-28  29-Jan-93     07299 1688   cmdtool may reveal passwords
100305-11  12-Feb-93     38582 500    The lp daemon can delete system files
100224-06  5-Mar-93      57647 54     mail and rmail can invoke root shells
101080-01  9-Jun-93      45221 13     expreserve can overwrite any file
100448-02  15-Dec-93     19410 5      OpenWindows 3.0 loadmodule hole
101200-02  15-Dec-93     41677 28     Security hole in modload
100377-08  23-Dec-93     05320 755    sendmail vulnerabilities
100593-03  17-Mar-94     52095 242    dump vulnerabilities
100272-07  17-Mar-94     26553 39     in.comsat vulnerabilities
101480-01  17-Mar-94     47917 44     in.talkd vulnerabilities
101481-01  17-Mar-94     46562 80     shutdown vulnerabilities
100909-02  17-Mar-94     61539 108    syslogd vulnerabilities
101482-01  17-Mar-94     61148 41     write vulnerabilities

=========
SunOS 4.1
=========

Patch ID   Last Revised  Checksum     Description
--------   ------------  ---------    -------------------------------------
100101-02  7-Aug-90      42872 34     ptrace security vulnerability
100085-03  5-Sep-90      44177 740    Sunview selection_svc vulnerability
100184-02  14-Dec-90     06627 33     OpenWindows 2.0 vulnerability
100125-05  8-Jul-91      41964 164    telnet permits password capture
100630-01  18-May-92     28074 39     Environment variables vulnerability
100376-04  16-Jul-92     12884 100    Integer division vulnerability
100103-11  29-Sep-92     19847 6      Permissions incorrect on many files
100567-04  27-Oct-92     15728 11     ICMP packets can be forged
100201-06  5-Nov-92      13145 164    C2 jumbo patch
100482-04  16-Nov-92     06594 342    ypserv will send NIS maps to anyone
100513-02  2-Dec-92      34315 483    Console can be redirected
100383-06  26-Jan-93     58984 121    rdist can create setuid root files
100452-28  29-Jan-93     07299 1688   cmdtool may reveal passwords
100305-11  12-Feb-93     38582 500    The lp daemon can delete system files
100121-09  24-Feb-93     57589 360    NFS jumbo patch
101080-01  9-Jun-93      45221 13     expreserve can overwrite any file
100448-02  15-Dec-93     19410 5      OpenWindows 3.0 loadmodule hole
101200-02  15-Dec-93     41677 28     Security hole in modload
100377-08  23-Dec-93     05320 755    sendmail vulnerabilities
100593-03  17-Mar-94     52095 242    dump vulnerabilities
100272-07  17-Mar-94     26553 39     in.comsat vulnerabilities
101480-01  17-Mar-94     47917 44     in.talkd vulnerabilities
101481-01  17-Mar-94     46562 80     shutdown vulnerabilities
100909-02  17-Mar-94     61539 108    syslogd vulnerabilities
101482-01  17-Mar-94     61148 41     write vulnerabilities

======================
SunOS 4.0.3c, 4.0.3, 4.0.2i, 4.0.2, and 4.0.1 are no longer supported
(upgrade is essential for security)
======================

----------------------------------------------------------

Appendix E: One-time Passwords

The following information was compiled by the CERT Coordination Center.

Given today's networked environments, CIAC recommends that sites concerned about the security and integrity of their systems and networks consider moving away from standard, reusable passwords. CIAC has seen many incidents involving Trojan network programs (e.g., telnet and rlogin) and network packet sniffing programs. These programs capture clear-text hostname, account name, password triplets. Intruders can use the captured information for subsequent access to those hosts and accounts. This is possible because 1) the password is used over and over (hence the term "reusable"), and 2) the password passes across the network in clear text.

Several authentication techniques have been developed that address this problem. Among these techniques are challenge-response technologies that provide passwords that are only used once (commonly called one-time passwords). This document provides a list of sources for products that provide this capability.
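The two conditions the text identifies (the same password is reused, and it crosses the network in clear text) are exactly what a hash-chain one-time password removes: each value crosses the wire once, and a captured value cannot be turned into the next one. The following is an added example of that exchange with both the server's and the client's side shown; it is not the Bellcore S/KEY code listed below. RFC 1760 S/KEY folds MD4 output to 64 bits and encodes it as six short English words; this example keeps the chain construction but uses SHA-256 truncated to 8 bytes, so its values are not interoperable with S/KEY. The secret, seed and count are constructed.

```python
"""One-time passwords from a hash chain (the S/KEY construction).

Added example, not the S/KEY distribution. The hash function is SHA-256
truncated to 8 bytes rather than S/KEY's folded MD4, so values differ
from real S/KEY output; the protocol shape is the same:

  enrol:     client computes H^N(seed+secret), server stores (N, seed, H^N)
  challenge: server sends N-1 and the seed in the clear
  response:  client sends H^(N-1); server checks H(response) == stored H^N
             and, on success, stores the response as the new top.
"""
import hashlib
import hmac
from typing import Dict, Tuple


def _h(x: bytes) -> bytes:
    """One chain step: a one-way function, truncated like S/KEY's 64-bit values."""
    return hashlib.sha256(x).digest()[:8]


def otp_at(secret: str, seed: str, n: int) -> bytes:
    """The n-th one-time password: the hash applied n times to seed+secret.
    Only the client, holding the secret, can compute this from scratch."""
    x = (seed + secret).encode()
    for _ in range(n):
        x = _h(x)
    return x


class Server:
    """Holds the current top of the chain and its counter; never the secret."""

    def __init__(self, seed: str, count: int, top: bytes):
        self.seed, self.count, self.top = seed, count, top

    def challenge(self) -> Tuple[int, str]:
        # Sent in the clear: the sequence number the client must use, and the seed.
        return self.count - 1, self.seed

    def login(self, response: bytes) -> bool:
        # Valid iff hashing the response once reproduces the stored value.
        ok = hmac.compare_digest(_h(response), self.top)
        if ok:
            # The response becomes the new top; the value just used is spent.
            self.top, self.count = response, self.count - 1
        return ok


def enroll(secret: str, seed: str, count: int) -> Server:
    """Client computes H^count once and hands it to the server out of band."""
    return Server(seed, count, otp_at(secret, seed, count))


def client_respond(secret: str, challenge: Tuple[int, str]) -> bytes:
    n, seed = challenge
    return otp_at(secret, seed, n)


def demo() -> Dict[str, object]:
    # Constructed credentials for the demonstration.
    secret, seed = "correct horse battery staple", "ll70123"
    srv = enroll(secret, seed, 100)
    results: Dict[str, object] = {}
    # 1. Legitimate login: server asks for number 99; H(H^99) == stored H^100.
    captured = client_respond(secret, srv.challenge())
    results["first_login"] = srv.login(captured)
    # 2. A sniffer replays the captured value. The server now holds H^99 and
    #    expects H^98; H(H^99) != H^99, so the replay fails.
    results["replay"] = srv.login(captured)
    # 3. The real client answers the next challenge (98) and succeeds.
    results["second_login"] = srv.login(client_respond(secret, srv.challenge()))
    results["remaining"] = srv.count
    return results
```

The security argument rests on the one-way property of the hash: from H^99 an eavesdropper cannot obtain H^98, and the server stores nothing that would let an intruder who copies its database log in. The counter runs downward, so the chain must be re-initialised with a fresh seed before it reaches zero, and the challenge itself is public information, which is why the client's secret must never be typed into an untrusted host.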
The decision to use a product is the responsibility of each organization, and each organization should perform its own evaluation and selection.

I. Public Domain packages

S/KEY(TM)

The S/KEY package is publicly available (no fee) via anonymous FTP from:

        thumper.bellcore.com
        /pub/skey directory

There are four subdirectories:

        skey    UNIX source code for S/KEY. Includes the change needed to login, and stand-alone commands (such as "key") that compute the one-time password for the user, given the secret password and the S/KEY command.

        dos     DOS or DOS/WINDOWS S/KEY programs. Includes DOS version of "key" and "termkey", which is a TSR program.

        mac     One-time password calculation utility for the Mac.

        docs    Documentation.

II. Commercial Products

Secure Net Key (SNK)
(Do-it-yourself project)

Digital Pathways, Inc.
201 Ravendale Dr.
Mountainview, Ca. 94043-5216
USA
Phone: 415-964-0707
Fax: 415-961-7487

Products: handheld authentication calculators (SNK004)
          serial line auth interruptors (guardian)

Note: Secu