From owner-freebsd-hackers Tue Jul 9 17:18:10 1996 Return-Path: owner-hackers Received: (from root@localhost) by freefall.freebsd.org (8.7.5/8.7.3) id RAA20100 for hackers-outgoing; Tue, 9 Jul 1996 17:18:10 -0700 (PDT) Received: from shell.aros.net (root@shell.aros.net [205.164.111.19]) by freefall.freebsd.org (8.7.5/8.7.3) with ESMTP id RAA20094 for ; Tue, 9 Jul 1996 17:18:08 -0700 (PDT) Received: (from angio@localhost) by shell.aros.net (8.7.5/Unknown) id SAA10845 for hackers@freebsd.org; Tue, 9 Jul 1996 18:18:08 -0600 (MDT) From: Dave Andersen Message-Id: <199607100018.SAA10845@shell.aros.net> Subject: CERT Advisory CA-96.13 - Alien/OS Vulerability To: hackers@freebsd.org Date: Tue, 9 Jul 1996 18:18:08 -0600 (MDT) X-Mailer: ELM [version 2.4ME+ PL13 (25)] MIME-Version: 1.0 Content-Type: text/plain; charset=US-ASCII Content-Transfer-Encoding: 7bit Sender: owner-hackers@freebsd.org X-Loop: FreeBSD.org Precedence: bulk Subject: CERT Advisory CA-96.13 - Alien/OS Vulnerability (fwd) ============================================================================= CERT(sm) Advisory CA-96.13 July 4, 1996 Topic: ID4 virus, Alien/OS Vulnerability ----------------------------------------------------------------------------- The CERT Coordination Center has received reports of weaknesses in Alien/OS that can allow species with primitive information sciences technology to initiate denial-of-service attacks against MotherShip(tm) hosts. One report of exploitation of this bug has been received. When attempting takeover of planets inhabited by such races, a trojan horse attack is possible that permits local access to the MotherShip host, enabling the implantation of executable code with full root access to mission-critical security features of the operating system. The vulnerability exists in versions of EvilAliens' Alien/OS 34762.12.1 or later, and all versions of Microsoft's Windows/95. CERT advises against initiating further planet takeover actions until patches are available from these vendors. If planet takeover is absolutely necessary, CERT advises that affected sites apply the workarounds as specified below. As we receive additional information relating to this advisory, we will place it in ftp://info.cert.org/pub/cert_advisories/CA-96.13.README We encourage you to check our README files regularly for updates on advisories that relate to your site. --------------------------------------------------------------------------- I. Description Alien/OS contains a security vulnerability, which strangely enough can be exploited by a primitive race running Windows/95. Although Alien/OS has been extensively field tested over millions of years by EvilAliens, Inc., the bug was only recently discovered during a routine invasion of a backwater planet. EvilAliens notes that the operating system had never before been tested against a race with "such a kick-ass president." The vulnerability allows the insertion of executable code with root access to key security features of the operating system. In particular, such code can disable the NiftyGreenShield (tm) subsystem, allowing child processes to be terminated by unauthorized users. Additionally, Alien/OS networking protocols can provide a low-bandwidth covert timing channel to a determined attacker. II. Impact Non-privileged primitive users can cause the total destruction of your entire invasion fleet and gain unauthorized access to files. III. Solution EvilAliens has supplied a workaround and a patch, as follows: A. Workaround To prevent unauthorized insertion of executables, install a firewall to selectively vaporize incoming packets that do not contain valid aliens. Also, disable the "Java" option in Netscape. To eliminate the covert timing channel, remove untrusted hosts from routing tables. As tempting as it is, do not use target species' own satellites against them. B. Patch As root, install the "evil" package from the distribution tape. (Optionally) save a copy of the existing /usr/bin/sendmail and modify its permission to prevent misuse. --------------------------------------------------------------------------- The CERT Coordination Center thanks Jeff Goldblum and Fjkxdtssss for providing information for this advisory. --------------------------------------------------------------------------- If you believe that your mothership, planet, or extensive system of devoured planets have been compromised, contact the CERT Coordination Center or your representative in the Forum of Incident Response and Security Teams (FIRST). We strongly urge you to encrypt any sensitive information you send by email or interplanetary broadcast. Please do not use host systems satellites for the transmission of sensitive information. The CERT Coordination Center can support a shared DES key and PGP. Contact the CERT staff for more information. Location of CERT PGP key ftp://info.cert.org/pub/CERT_PGP.key CERT Contact Information ------------------------ Email cert@cert.org Phone +1 412-268-7090 (24-hour hotline) CERT personnel answer 8:30-5:00 p.m. EST (GMT-5)/EDT(GMT-4), and are on call for emergencies during other hours. Fax +1 412-268-6989 Postal address CERT Coordination Center Software Engineering Institute Carnegie Mellon University Pittsburgh PA 15213-3890 USA To be added to our mailing list for CERT advisories and bulletins, send your email address to cert-advisory-request@cert.org CERT publications, information about FIRST representatives, and other security-related information are available for anonymous FTP from security-related information are available for anonymous FTP from ftp://info.cert.org/pub/ CERT advisories and bulletins are also posted on the USENET newsgroup comp.security.announce -- angio@aros.net Complete virtual hosting and business-oriented system administration Internet services. (WWW, FTP, email) http://www.aros.net/ http://www.aros.net/about/virtual "There are only two industries that refer to their customers as 'users'."