TUCoPS :: Unix :: General :: ciacb036.txt

Telnet Patch 

From longstaf Wed Aug 14 22:25:45 1991
Return-Path: <longstaf>
Received: by  (4.1/SMI-4.1)
	id AA14944; Wed, 14 Aug 91 22:24:12 PDT
Date: Wed, 14 Aug 91 22:24:12 PDT
From: longstaf (Tom Longstaff)
Message-Id: <9108150524.AA14944@>
To: external
Cc: 
Subject: CIAC bulletin B-36: New patch available for /usr/ucb/telnet on ULTRIX systems
Status: RO

         _____________________________________________________
	      The Computer Incident Advisory Capability
                          ___  __ __    _     ___
                         /       |     / \   /
                         \___  __|__  /___\  \___
         _____________________________________________________
                          Information Bulletin

      New patch available for /usr/ucb/telnet on ULTRIX systems
				   
August 14, 1991, 1300 PDT	 				Number B-36
				   
				   
	      Critical Facts about /usr/ucb/telnet patch
-------------------------------------------------------------------------------
PROBLEM:   ULTRIX 4.1 and 4.2 systems running the Lat-Telnet gateway
	   software (lattelnet) may allow unauthorized privileged access.
PLATFORM:  ULTRIX 4.1 and 4.2 systems on RISC and VAX architectures.
DAMAGE:    Potential for considerable damage (e.g., creating bogus accounts, 
	   installing trojan horse, etc.) once unauthorized privileged
	   access is obtained.
SOLUTIONS: Obtain and install new telnet program from DEC or CIAC.
-------------------------------------------------------------------------------

A new patch to close a vulnerability in the Lat-Telnet gateway
software for ULTRIX 4.1 and 4.2 systems is now available.  This patch
will close a vulnerability in the telnet software that may allow
unauthorized privileged access to the ULTRIX system running the
Lat-Telnet gateway software (lattelnet).  The method used to exploit
this patch has recently been posted to the Internet, so it is
important that you install this patch if your system supports the
LAT-Telnet gateway software.  Since there is no apparent harm in
applying this patch to any ULTRIX 4.2 system, CIAC encourges all sites
to install this patch. The LAT/Telnet software requires special
installation and is NOT part of the default ULTRIX configuration.  To
determine if this software is active on your system, execute the
following command:

> grep lattelnet /etc/ttys

If this command returns a result similar to the one below, you are
running the Lat-Telnet gateway software.

tty## "/usr/etc/lattelnet std.9600" vt100 on nomodem

Patches for both the VAX and RISC architectures are available from DEC
or CIAC (e.g., via anonymous FTP).  To obtain the patch from the DEC
Customer Support Center, sites within the USA should call
1-800-525-7100.  Other sites should contact DEC through their normal
channels.  If you have Internet access, the following procedure will
transfer the patches from the CIAC anonymous FTP server:

> ftp irbis.llnl.gov
user: anonymous
password: {your e-mail address}
ftp> binary
ftp> get pub/ciac/unix/ultrix/usr-ucb-telnet.vax
ftp> get pub/ciac/unix/ultrix/usr-ucb-telnet.risc
ftp> quit

Once you have obtained the version of /usr/ucb/telnet appropriate to
your architecture, use the following procedure to install the new
telnet program:

Become "root" on the system to be patched. (i.e., use the su command).

Rename the original telnet program (to avoid overwriting this code
with a new patch) by entering:

# mv /usr/ucb/telnet /usr/ucb/telnet-dist

Copy the new version of telnet to /usr/ucb (The filename shown below
is for VAX architectures.  Substitute "risc" for "vax" if you are
using a RISC architecture):

# cp /{download location}/usr-ucb-telnet.vax /usr/ucb/telnet

Assure that the permissions and ownership of the new telnet program
are the same as the original (the program sizes shown below may not be
the same as those from your system):

# chown bin.bin /usr/ucb/telnet
# chmod 755 /usr/ucb/telnet
# ls -lg /usr/ucb/telnet*
-rwxr-xr-x 1  bin	bin	280224  {date and time}	/usr/ucb/telnet
-rwxr-xr-x 1  bin	bin	172032  {date and time}	/usr/ucb/telnet-dist

You can then verify the operation of the new /usr/ucb/telnet program
by using the telnet command to connect to other hosts with which you
have permission to connect.

For additional information or assistance, please contact CIAC:

	Tom Longstaff
	(415) 423-4416 or (FTS) 543-4416
	longstaf@llnl.gov
 
During working hours call CIAC at (415) 422-8193 or (FTS) 532-8193 or
send e-mail to ciac@llnl.gov.
 
Digital Equipment Corporation (DEC) and the Computer Emergency
Response Team (CERT) provided some of the information contained in
this bulletin.  This document was prepared as an account of work
sponsored by an agency of the United States Government. Neither the
United States Government nor the University of California nor any of
their employees, makes any warranty, express or implied, or assumes
any legal liability or responsibility for the accuracy, completeness,
or usefulness of any information, apparatus, product, or process
disclosed, or represents that its use would not infringe privately
owned rights. Reference herein to any specific commercial products,
process, or service by trade name, trademark, manufacturer, or
otherwise, does not necessarily constitute or imply its endorsement,
recommendation or favoring by the United States Government or the
University of California. The views and opinions of authors expressed
herein do not necessarily state or reflect those of the United States
Government or the University of California, and shall not be used for
advertising or product endorsement purposes.

TUCoPS is optimized to look best in Firefox® on a widescreen monitor (1440x900 or better).
Site design & layout copyright © 1986-2024 AOH