
Ultrix V4.0 and 4.1 Vulnerability

        _____________________________________________________

             The Computer Incident Advisory Capability

                         ___  __ __    _     ___
                        /       |     / \   /
                        \___  __|__  /___\  \___
        _____________________________________________________

                         Information Bulletin


May 1, 1991, 1200 PDT                                     Number B-23


                   Ultrix V4.0 and V4.1 Vulnerability

________________________________________________________________________

PROBLEM:  /usr/bin/chroot is installed with the setuid bit set.

PLATFORM: DEC Ultrix V4.0 and V4.1, all architectures.

DAMAGE:  Allows authorized users to gain unauthorized privileges.

SOLUTIONS: Fixed in Ultrix V4.2. Manually change the file mode of
        /usr/bin/chroot to 700 for Ultrix V4.0 and V4.1.

IMPACT OF WORKAROUND:  Non-privileged users no longer have access to
        the chroot command.

_______________________________________________________________________

              Critical /usr/bin/chroot Vulnerability Facts



CIAC has been advised of a vulnerability in DEC's Ultrix V4.0 and V4.1
operating systems running on all architectures. DEC is aware of this
problem and has corrected it in Ultrix V4.2. The DEC-provided fix for
Ultrix V4.0 and V4.1 is:

        (login as root)
        # chmod 700 /usr/bin/chroot
        # ls -l /usr/bin/chroot
        (verify the file protections are "-rwx------")

Mode 700 clears the setuid bit along with group and other access, so
the "-rwx------" listing (no "s" in the owner execute position) is the
check that the fix took effect.
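The following is an added example, not DEC's or CIAC's code, that wraps the fix and its verification in shell functions and extends it with the audit a practitioner would want alongside it: listing every setuid file under a directory, since a setuid-root chroot is one instance of a class worth checking for. The helper names, the scratch-tree demonstration and the file modes used in it are assumptions for illustration; only the chmod 700 / "-rwx------" check comes from the bulletin.

```shell
#!/bin/sh
# Added example (not from the bulletin): apply and verify the CIAC B-23
# workaround, and audit a directory for setuid files.

# verify_workaround PATH
#   Return 0 if PATH shows exactly the protections the bulletin asks for
#   ("-rwx------": mode 0700, setuid bit cleared), 1 otherwise.
verify_workaround() {
    mode=$(ls -ld "$1" 2>/dev/null | cut -c1-10)
    [ "$mode" = "-rwx------" ]
}

# list_setuid DIR
#   Print every regular file under DIR with the setuid bit set, one per
#   line. -perm -4000 matches any file whose mode includes the setuid bit.
list_setuid() {
    find "$1" -type f -perm -4000 2>/dev/null | sort
}

# apply_workaround PATH
#   The DEC fix from the bulletin (chmod 700), followed by the check.
apply_workaround() {
    chmod 700 "$1" && verify_workaround "$1"
}

# demo
#   Run the procedure against a constructed scratch tree (assumption: a
#   stand-in for /usr/bin; no real system files are touched) and report
#   how many setuid files remain before and after the fix.
demo() {
    tmp=$(mktemp -d) || return 1
    mkdir -p "$tmp/usr/bin"
    : > "$tmp/usr/bin/chroot"; chmod 4755 "$tmp/usr/bin/chroot"  # setuid, as in V4.0/V4.1
    : > "$tmp/usr/bin/ls";     chmod 755  "$tmp/usr/bin/ls"      # ordinary binary
    before=$(list_setuid "$tmp/usr/bin" | wc -l | tr -d ' ')
    apply_workaround "$tmp/usr/bin/chroot"
    after=$(list_setuid "$tmp/usr/bin" | wc -l | tr -d ' ')
    rm -rf "$tmp"
    echo "setuid files before: $before, after: $after"
}
```

On a real Ultrix host the same functions would be run as root against /usr/bin/chroot and /usr/bin; the audit output is only as complete as the filesystems find can reach, so run it per mounted filesystem.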





For additional information or assistance, please contact CIAC:

        Hal Brand
        (415) 422-6312 or (FTS) 532-6312, or

        Call CIAC at (415) 422-8193 or (FTS) 532-8193 or
        send e-mail to ciac@cheetah.llnl.gov.

        Send FAX messages to:  (415) 423-0913 or (FTS) 543-0913

_____

The CERT/CC and Digital Equipment Corporation provided information
contained in this bulletin.  This document was prepared as an account
of work sponsored by an agency of the United States Government. Neither
the United States Government nor the University of California nor any
of their employees, makes any warranty, express or implied, or assumes
any legal liability or responsibility for the accuracy, completeness,
or usefulness of any information, apparatus, product, or process
disclosed, or represents that its use would not infringe privately
owned rights.  Reference herein to any specific commercial products,
process, or service by trade name, trademark, manufacturer, or
otherwise, does not necessarily constitute or imply its endorsement,
recommendation or favoring by the United States Government or the
University of California. The views and opinions of authors expressed
herein do not necessarily state or reflect those of the United States
Government or the University of California, and shall not be used for
advertising or product endorsement purposes.
