TUCoPS :: SunOS/Solaris :: ciacg015.txt

Sunsoft Demo CD Vulnerability

-----BEGIN PGP SIGNED MESSAGE-----



             __________________________________________________________

                       The U.S. Department of Energy
                    Computer Incident Advisory Capability
                           ___  __ __    _     ___
                          /       |     /_\   /
                          \___  __|__  /   \  \___
             __________________________________________________________

                             INFORMATION BULLETIN

                         Sunsoft Demo CD Vulnerability

March 1, 1996 05:00 GMT                                            Number G-15
______________________________________________________________________________
PROBLEM:       Interrupting the installation script on SunSoft's demo CDs can 
               introduce a security vulnerability. 
PLATFORM:      Sun Sparc and x86 systems 
DAMAGE:        Web browsers may potentially access sites which take advantage 
               of an introduced vulnerability. 
SOLUTION:      Introduce the fixes described below. 
______________________________________________________________________________
VULNERABILITY  This vulnerability is only produced under unusual 
ASSESSMENT:    circumstances and no Web sites exploiting it have been found. 
______________________________________________________________________________

[Start Sun Bulletin ]

- -----------------------------------------------------------------------------
         SUN MICROSYSTEMS SECURITY BULLETIN: #00132, 28 February 1995
- -----------------------------------------------------------------------------

BULLETIN TOPICS

In this bulletin Sun announces a potential security vulnerability
which can result from interrupting the installation script on several
demo CD's. We describe how to determine if your system is affected,
and how to remove the potential security vulnerability with one or
two simple commands. No patches are needed.

In addition to issuing this bulletin, Sun is sending letters to those
customers known to have received the CD's.

I.   Who is affected and what to do

II.  Understanding the vulnerability

III. Acknowledgments

APPENDICES

A.  How to obtain Sun security patches

B.  How to report or inquire about Sun security problems

C.  How to obtain Sun security bulletins




          /\         Send Replies or Inquiries To:
         \\ \        
        \ \\ /       Mark Graff
       / \/ / /      Sun Security Coordinator
      / /   \//\     MS MPK17-103
      \//\   / /     2550 Garcia Avenue
       / / /\ /      Mountain View, CA 94043-1100
        / \\ \       Phone: 415-786-5274
         \ \\        Fax:   415-786-7994
          \/         E-mail: security-alert@Sun.COM
 
                                -----------

Permission is granted for the redistribution of this Bulletin for
the purpose of alerting Sun customers to problems, as long as the
Bulletin is not edited and is attributed to Sun Microsystems.

Any other use of this information without the express written consent
of Sun Microsystems is prohibited. Sun Microsystems expressly disclaims
all liability for any misuse of this information by any third party.

- -----------------------------------------------------------------------------
         SUN MICROSYSTEMS SECURITY BULLETIN: #00132, 28 February 1995
- -----------------------------------------------------------------------------


I.   Who is affected and what to do

Sun has discovered that installation scripts in several SunSoft demo CD's
contain a flaw which could weaken the security of systems on which the demo
software is installed. We are alerting our customers so that those who
are affected can take appropriate action.

   Date		Title					Part #
   ----		-----					------
   Sep-Dec '95	Catalyst CDWARE (Sparc) 		724-1308-03, Rev D
   Jan-Mar '96	Catalyst CDWARE (Sparc)			724-1308-03, Rev E
   Jan-Mar '96	Catalyst CDWARE (x86)			724-1433-05, Rev C
   Dec '95	SunSoft Developer CD, Premiere Issue	95459-001
   Jan '96	Business Solutions			95536-001

You need only be concerned if you:

   * Received one of the listed CD's; and
   * Installed the software on it, using the installation script; and
   * Interrupted the installation script before it could exit normally.

If you did install the software, you should check whether the string
"x-spam-sh" appears in the ".mailcap" file in your home directory,
by issuing a command such as:

	grep x-spam-sh $HOME/.mailcap

If the string appears in the file, use a text editor to delete any lines
which include it, then exit any Web browsers you are currently running.
When you have completed these steps, the potential security weakness is gone.
You can then restart a browser without reopening the vulnerability.


II.  Understanding the vulnerability

The potential security weakness arises only when the installation script is
interrupted, causing it to terminate before undoing a temporary modification
to the ".mailcap" file.

If you were to use a Web browser while the ".mailcap" modification was
in effect, your browser might be caused to execute commands on your system
without your knowledge--if you happened to visit a Web page which exploited
this flaw. (We believe no such sites exist at this time.)

It might also be possible under these circumstances for such hidden
commands to be executed on your behalf as the result of an electronic
mail message. However, all of the  mail programs we have tested would
require your confirmation before executing the commands.

We apologize for any inconvenience this problem may have caused. We have
taken steps to ensure that it will not happen again.


III. Acknowledgments

Sun would like to thank Steve Neruda, of Nationwide Insurance, and
CERT/CC for their assistance.


APPENDICES

A.  How to obtain Sun security patches

    1. If you have a support contract

    Customers with Sun support contracts can obtain any patches listed
    in this bulletin (and any other patches--and a list of patches) from:

       - Local Sun answer centers, worldwide
       - SunSITEs worldwide
       - SunSolve Online

    The patches are available via World Wide Web at http://sunsolve1.sun.com. 

    You should also contact your answer center if you have a support
    contract and:

       - You need assistance in installing a patch 
       - You need additional patches
       - You want an existing patch ported to another platform
       - You believe you have encountered a bug in a Sun patch
       - You want to know if a patch exists, or when one will be ready

    2. If you do not have a support contract

    Customers without support contracts may now obtain security patches,
    "recommended" patches, and patch lists via SunSolve Online.
 
    Sun also makes its security patches available via anonymous ftp,
    from the directory /systems/sun/sun-dist on the system ftp.uu.net.
    However, the ftp.uu.net repository will be discontinued in the near
    future. The availability of security patches via the SunSolve patch
    database has made it redundant.

    Sun does not furnish patches to any external distribution sites
    other than the ones mentioned here.

    3. About the checksums

    Patches announced in a Sun security bulletin are uploaded to the
    ftp.*.net sites just before the bulletin is released, and seldom
    updated.  In contrast, the "supported" patch databases are
    refreshed nightly, and will often contain newer versions of a patch
    incorporating changes which are not security-related.

    So that you can quickly verify the integrity of the patch files
    themselves, we supply checksums for the tar archives in each
    bulletin. The listed checksums should always match those on the
    ftp.*.net systems. (The rare exceptions are listed in the
    "checksums" file there.)

    Normally, the listed checksums will also match the patches on the
    SunSolve database. However, this will not be true if we have
    changed (as we sometimes do) the README file in the patch after the
    bulletin has been released.

    In the future we plan to provide checksum information for the
    individual components of a patch as well as the compressed archive
    file. This will allow customers to determine, if need be, which
    file(s) have been changed since we issued the bulletin containing
    the checksums.

    If you would like assistance in verifying the integrity of a patch
    file please contact this office or your local answer center.


B.  How to report or inquire about Sun security problems

    If you discover a security problem with Sun software or wish to
    inquire about a possible problem, contact one or more of the
    following:

       - Your local Sun answer centers
       - Your representative computer security response team, such as CERT 
       - This office. Address postal mail to:

         Sun Security Coordinator
         MS MPK17-103
         2550 Garcia Avenue Mountain
	 View, CA 94043-1100

	 Phone: 415-786-5274
         Fax:   415-786-7994
         E-mail: security-alert@Sun.COM

     We strongly recommend that you report problems to your local Answer
     Center. In some cases they will accept a report of a security bug
     even if you do not have a support contract. An additional notification
     to the security-alert alias is suggested but should not be used as your
     primary vehicle for reporting a bug.


C.   How to obtain Sun security bulletins

     1. Subscription information

     Sun Security Bulletins are available free of charge as part of
     our Customer Warning System. It is not necessary to have a Sun
     support contract in order to receive them.

     To receive information or to subscribe or unsubscribe from our
     mailing list, send mail to security-alert@sun.com with a subject
     line containing one of the following commands.


        Subject         Information Returned/Action Taken
        -------         ---------------------------------

        HELP            An explanation of how to get information

        LIST            A list of current security topics

        QUERY [topic]   The mail containing the question is relayed to
                        a Security Coordinator for a response.

        REPORT [topic]  The mail containing the text is treated as a
                        security bug report and forwarded to a Security
                        Coordinator for handling. Please note that this
                        channel of communications does not supersede
                        the use of Sun Solution Centers for this
                        purpose.  Note also that we do not recommend
                        that detailed problem descriptions be sent in
                        plain text.

        SEND topic      Summary of the status of selected topic

        SUBSCRIBE       Sender is added to the CWS (Customer
                        Warning System) list.  The subscribe feature
                        requires that the sender include on the subject
                        line the word "cws" and the reply email
                        address.  So the subject line might look like
                        the following:

                                SUBSCRIBE cws graff@sun.com

        UNSUBSCRIBE     Sender is removed from the CWS list.


     Should your email not fit into one of the above subjects, a help
     message will be returned to you.

     Due to the volume of subscription requests we receive, we cannot
     guarantee to acknowledge requests. Please contact this office if
     you wish to verify that your subscription request was received, or
     if you would like your bulletin delivered via postal mail or fax.

     2. Obtaining old bulletins

     Sun Security Bulletins are archived on ftp.uu.net (in the same
     directory as the patches) and on SunSolve. Please try these
     sources first before contacting this office for old bulletins.

[End Sun Bulletin ]

_______________________________________________________________________________

CIAC wishes to acknowledge the contributions of Sun Microsystems for the 
information contained in this bulletin.
_______________________________________________________________________________


CIAC, the Computer Incident Advisory Capability, is the computer
security incident response team for the U.S. Department of Energy
(DOE) and the National Institutes of Health (NIH). CIAC is located at
the Lawrence Livermore National Laboratory in Livermore,
California. CIAC is also a founding member of FIRST, the Forum of
Incident Response and Security Teams, a global organization
established to foster cooperation and coordination among computer
security teams worldwide.

CIAC services are available to DOE, DOE contractors, and the NIH. CIAC
can be contacted at:
    Voice:    +1 510-422-8193
    FAX:      +1 510-423-8002
    STU-III:  +1 510-423-2604
    E-mail:   ciac@llnl.gov

For emergencies and off-hour assistance, DOE, DOE contractor sites,
and the NIH may contact CIAC 24-hours a day. During off hours (5PM -
8AM PST), call the CIAC voice number 510-422-8193 and leave a message,
or call 800-759-7243 (800-SKY-PAGE) to send a Sky Page. CIAC has two
Sky Page PIN numbers, the primary PIN number, 8550070, is for the CIAC
duty person, and the secondary PIN number, 8550074 is for the CIAC
Project Leader.

Previous CIAC notices, anti-virus software, and other information are
available from the CIAC Computer Security Archive.

   World Wide Web:      http://ciac.llnl.gov/
   Anonymous FTP:       ciac.llnl.gov (128.115.19.53)
   Modem access:        +1 (510) 423-4753 (28.8K baud)
                        +1 (510) 423-3331 (28.8K baud)

CIAC has several self-subscribing mailing lists for electronic
publications:
1. CIAC-BULLETIN for Advisories, highest priority - time critical
   information and Bulletins, important computer security information;
2. CIAC-NOTES for Notes, a collection of computer security articles;
3. SPI-ANNOUNCE for official news about Security Profile Inspector
   (SPI) software updates, new features, distribution and
   availability;
4. SPI-NOTES, for discussion of problems and solutions regarding the
   use of SPI products.

Our mailing lists are managed by a public domain software package
called ListProcessor, which ignores E-mail header subject lines. To
subscribe (add yourself) to one of our mailing lists, send the
following request as the E-mail message body, substituting
CIAC-BULLETIN, CIAC-NOTES, SPI-ANNOUNCE or SPI-NOTES for list-name and
valid information for LastName FirstName and PhoneNumber when sending

E-mail to       ciac-listproc@llnl.gov:
        subscribe list-name LastName, FirstName PhoneNumber
  e.g., subscribe ciac-notes OHara, Scarlett W. 404-555-1212 x36

You will receive an acknowledgment containing address, initial PIN,
and information on how to change either of them, cancel your
subscription, or get help.

PLEASE NOTE: Many users outside of the DOE, ESnet, and NIH computing
communities receive CIAC bulletins.  If you are not part of these
communities, please contact your agency's response team to report
incidents. Your agency's team will coordinate with CIAC. The Forum of
Incident Response and Security Teams (FIRST) is a world-wide
organization. A list of FIRST member organizations and their
constituencies can be obtained by sending email to
docserver@first.org with an empty subject line and a message body
containing the line: send first-contacts.

This document was prepared as an account of work sponsored by an
agency of the United States Government. Neither the United States
Government nor the University of California nor any of their
employees, makes any warranty, express or implied, or assumes any
legal liability or responsibility for the accuracy, completeness, or
usefulness of any information, apparatus, product, or process
disclosed, or represents that its use would not infringe privately
owned rights. Reference herein to any specific commercial products,
process, or service by trade name, trademark, manufacturer, or
otherwise, does not necessarily constitute or imply its endorsement,
recommendation or favoring by the United States Government or the
University of California. The views and opinions of authors expressed
herein do not necessarily state or reflect those of the United States
Government or the University of California, and shall not be used for
advertising or product endorsement purposes.

LAST 10 CIAC BULLETINS ISSUED (Previous bulletins available from CIAC)

(G-5)   HP-UX FTP Vulnerability Bulletin
(G-6)   Windows 95 Vulnerability
(G-7)   SGI Object Server Vulnerability
(G-8)   splitvt(1) Vulnerability
(G-9b)  Unix sendmail Vulnerability
(G-10a) Winword Macro Viruses
(G-11)  HP Syslog Vulnerability
(G-12)  SGI ATT Packaging Utility Security Vulnerability
(G-13)  Kerberos 4 Key Server Vulnerability
(G-14)  Domain Name Service Vulnerabilities

RECENT CIAC NOTES ISSUED (Previous Notes available from CIAC)

Notes 07 - 3/29/95   A comprehensive review of SATAN

Notes 08 - 4/4/95    A Courtney update

Notes 09 - 4/24/95   More on the "Good Times" virus urban legend

Notes 10 - 6/16/95   PKZ300B Trojan, Logdaemon/FreeBSD, vulnerability
                     in S/Key, EBOLA Virus Hoax, and Caibua Virus

Notes 11 - 7/31/95   Virus Update, Hats Off to Administrators,
                     America On-Line Virus Scare, SPI 3.2.2 Released, 
                     The Die_Hard Virus

Notes 12 - 9/12/95   Securely configuring Public Telnet Services, X
                     Windows, beta release of Merlin, Microsoft Word
                     Macro Viruses, Allegations of Inappropriate Data
                     Collection in Win95


-----BEGIN PGP SIGNATURE-----
Version: 2.6.2
Comment: Processed by Mailcrypt 3.3, an Emacs/PGP interface

iQCVAwUBMTdP4LnzJzdsy3QZAQGzxwP/VqyR6jg94Akrmnzqgz13/XB6vBasmGRx
UFWDC7AaPpRg9i3iUMTOFRu2uKxTgg37tSTCPeGX9LmYgAcRR+RB217IvTfADus3
C/atBzI7AXrxQclpQfkZICMDabBQBCL4U089ffCJh4K8qD/GSZuJAJ545PFiZGo/
vPgVb6ECGVI=
=xi5r
-----END PGP SIGNATURE-----

TUCoPS is optimized to look best in Firefox® on a widescreen monitor (1440x900 or better).
Site design & layout copyright © 1986-2024 AOH