CERT Advisory CA-96.23 - Vulnerability in WorkMan (fwd)

The long and short of it: if the program workman is installed under LINUX with
the suid bit set for root, you can use -p to give it a file into which it
should write its pid. In that case you can pick _any_ file, and
workman changes the permissions to world-writable.
I don't know whether anyone has installed the workman program that way.

Forwarded message:
> From cert-advisory-request@cert.org Mon Oct 28 22:53:45 MEZ 1996
> Date: Mon, 28 Oct 1996 15:31:24 -0500
> Message-Id: <199610282031.PAA15074@coal.cert.org>
> From: CERT Advisory <cert-advisory@cert.org>
> To: cert-advisory@cert.org
> Subject: CERT Advisory CA-96.23 - Vulnerability in WorkMan
> Reply-To: cert-advisory-request@cert.org
> Organization: CERT(sm) Coordination Center -  +1 412-268-7090
> =============================================================================
> CERT(sm) Advisory CA-96.23
> Original issue date: October 28, 1996
> Last revised: --
> Topic: Vulnerability in WorkMan
> - -----------------------------------------------------------------------------
>                 The original technical content for this advisory
>                 was published by the IBM-ERS response team and
>                 is used here with their permission.
> There is a vulnerability in the WorkMan compact disc-playing program that
> affects UNIX System V Release 4.0 and derivatives and Linux systems.
> When the program is installed set-user-id root, it can be used to make any
> file on the system world-writable.
> To address this problem, you should remove the set-user-id bit from the
> program.
> We will update this advisory as we receive additional information.
> Please check advisory files regularly for updates that relate to your site.
> - -----------------------------------------------------------------------------
> I.   Description
> WorkMan is a popular program used for playing audio compact disks on local
> workstation CD-ROM drives that is widely available from many sites around the
> Internet. Versions of WorkMan are also included with some operating system
> distributions, such as Linux.
> On systems where WorkMan was built and installed using the procedures that
> are given in "Makefile.linux" or "Makefile.svr4" (in general, this means on
> Linux systems and UNIX System V Release 4.0 systems), the WorkMan program
> is installed set-user-id root. This means that when the program is run,
> it will execute with super-user permissions.
> In order to allow signals to be sent to it, WorkMan writes its process-id
> to a file called /tmp/.wm_pid. The "-p" option to the program allows the
> user to specify a different file name in which to record this information.
> When a file is specified with "-p", WorkMan simply attempts to create and/or
> truncate the file, and if this succeeds, WorkMan changes the permissions on
> the file so that it is world-readable and world-writable.
> In the general case, when WorkMan is installed without the set-user-id bit
> set, the normal file access permissions provided by the operating system will
> prevent users from creating or truncating files they are not authorized to
> create or truncate.  However, when WorkMan is installed set-user-id root,
> this process breaks down (because "root" is allowed to create/truncate any
> file).
> WorkMan does not require the set-user-id bit to work; it is installed this
> way only on systems that do not make the CD-ROM device file world-readable
> by default.
> Note: The vulnerability described by "r00t" on several mailing lists is not
>       the same one that we describe in this advisory.
> II.  Impact
> A user with access to an account on the system can use the "-p" option to
> create a file anywhere in the file system or to truncate any file in the file
> system. The file specified with "-p" will be world-readable and world-writable
> when WorkMan is finished.  This can enable the user to create accounts,
> destroy log files, and perform other unauthorized actions.
> III. Solution
> 1. Remove the set-user-id bit from the WorkMan program using a command
>    such as
>         chmod u-s /usr/local/bin/workman
> 2. Make the CD-ROM device world-readable using a command such as
>         chmod +r /dev/cdrom
>    On multi-user systems, Step 2 will allow any user to access the contents
>    of the disc installed in the CD-ROM; this may not be desirable in all
>    environments.
> The vulnerability described in this advisory is related to the WorkMan
> program, not to the products of particular vendors. However, if a vendor sends
> us advice for their users, we will put it in Appendix A. 
> ...........................................................................
> Appendix A - Vendor Information
> This appendix contains advice vendors wish to offer their users. Note that the
> vulnerability described in this advisory is related to the WorkMan program,
> not particular vendors' products.
> Sun Microsystems, Inc.
> ======================
>         Sun does not recommend that workman and other utility programs
>         be installed setuid root (or anything else) unless that step is
>         absolutely necessary. Programs which were not designed with
>         security in mind (and most non-setuid programs are not) are
>         unlikely to have built-in allowances for abuse. The proper way to
>         allow such programs to work is to install them as unprivileged,
>         ordinary software, then modify device permissions as necessary
>         to allow them to function.
>         When an unprivileged user executes a recent version of the workman
>         program on a properly configured Solaris 2.x system, a message
>         similar to the following appears. (Ellipses added to save space.)
>                 As root, please run
>                         chmod 666 /devices/iommu@0,...sd@6,0:c,raw
>                 to give yourself permission to access the CD-ROM device.
>         That's pretty good advice. Of course, if you don't want to give
>         every user access to the contents of a CD (which will sometimes
>         be data or software, and sometimes music) such permissions are
>         not appropriate.
> - -----------------------------------------------------------------------------
> The CERT Coordination Center thanks IBM-ERS for permission to reproduce the
> technical content in their IBM Emergency Response Service Security
> Vulnerability Alert ERS-SVA-E01-1996:005.1. These alerts are copyrighted 1996
> International Business Machines Corporation.
> - -----------------------------------------------------------------------------
> If you believe that your system has been compromised, contact the CERT
> Coordination Center or your representative in the Forum of Incident Response 
> and Security Teams (see ftp://info.cert.org/pub/FIRST/first-contacts). 
> CERT/CC Contact Information 
> - ---------------------------- 
> Email    cert@cert.org
> Phone    +1 412-268-7090 (24-hour hotline)
>                 CERT personnel answer 8:30-5:00 p.m. EST(GMT-5) / EDT(GMT-4)
>                 and are on call for emergencies during other hours.
> Fax      +1 412-268-6989
> Postal address
>          CERT Coordination Center
>          Software Engineering Institute
>          Carnegie Mellon University
>          Pittsburgh PA 15213-3890
>          USA
> Using encryption
>    We strongly urge you to encrypt sensitive information sent by email. We can
>    support a shared DES key or PGP. Contact the CERT/CC for more information. 
>    Location of CERT PGP key
>          ftp://info.cert.org/pub/CERT_PGP.key
> Getting security information
>    CERT publications and other security information are available from
>         http://www.cert.org/
>         ftp://info.cert.org/pub/
>    CERT advisories and bulletins are also posted on the USENET newsgroup
>         comp.security.announce 
>    To be added to our mailing list for advisories and bulletins, send your
>    email address to 
>         cert-advisory-request@cert.org 
> - ---------------------------------------------------------------------------
> Copyright 1996 Carnegie Mellon University
> This material may be reproduced and distributed without permission provided
> it is used for noncommercial purposes and the copyright statement is
> included.
> CERT is a service mark of Carnegie Mellon University.
> - ---------------------------------------------------------------------------
> This file: ftp://info.cert.org/pub/cert_advisories/CA-96.23.workman_vul
>            http://www.cert.org
>                click on "CERT Advisories"
> ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
> Revision history 

                        Michael P. Demelbauer
          WSR (Wirtschafts- und Sozialwissenschaftliches Rechenzentrum)	
			LUGA (Linux User Group Austria)
          Harrwitz was one of those players who were unbearable
	      when they won and insufferable when they lost.
	      (a contemporary on the chess master Harrwitz)
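
The pid-file step the advisory describes, written defensively as an added example (not WorkMan source and not part of the forwarded message): the file is opened with the invoking user's own privileges, a symlink is refused, and nothing is ever made world-writable. The helper name `write_pidfile` is an assumption; the default path is the one the advisory names.

```c
#define _XOPEN_SOURCE 700
#include <fcntl.h>
#include <stdio.h>
#include <stdlib.h>
#include <sys/stat.h>
#include <unistd.h>

/* Hypothetical helper, not WorkMan source: record our pid in `path` using
 * only the invoking user's privileges. Returns 0 on success, -1 on failure. */
int write_pidfile(const char *path)
{
    uid_t saved_euid = geteuid();
    struct stat st;
    char buf[32];
    int fd, len, rc = -1;

    /* Drop the set-user-id identity so the kernel checks the real user. */
    if (seteuid(getuid()) != 0)
        return -1;

    /* No O_TRUNC on open, never follow a symlink, create with 0644 at
     * most; there is no later chmod to world-writable. */
    fd = open(path, O_WRONLY | O_CREAT | O_NOFOLLOW, 0644);
    if (fd >= 0) {
        /* Truncate and write only if it is a regular file the user owns. */
        if (fstat(fd, &st) == 0 && S_ISREG(st.st_mode) &&
            st.st_uid == getuid() && ftruncate(fd, 0) == 0) {
            len = snprintf(buf, sizeof buf, "%ld\n", (long)getpid());
            if (write(fd, buf, (size_t)len) == (ssize_t)len)
                rc = 0;
        }
        close(fd);
    }

    /* Regain the saved identity only because the caller may still need it. */
    if (seteuid(saved_euid) != 0)
        return -1;
    return rc;
}

int main(int argc, char **argv)
{
    const char *path = argc > 1 ? argv[1] : "/tmp/.wm_pid";
    if (write_pidfile(path) != 0) {
        fprintf(stderr, "cannot write pid file %s\n", path);
        return EXIT_FAILURE;
    }
    return EXIT_SUCCESS;
}
```

This only matters where the binary has to stay set-user-id; the advisory's own fix, removing the bit, makes the operating system's normal permission checks apply without any of this.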
