Very Computer

Good reason to ban holidays, right?

Anyway, this is with SunOS 4.1.3, relatively "out-of-the-box".  I have
no support contract or such with Sun, though I do have an RTU (bought
the machine from the local Sun office).

So who do I report this to?  I don't know that it affects every Sun on
the planet, but it affects the handful that I have access to.  

I will not reveal this method.  Please don't bother asking.  I'd like
to hint at where the problem is, but because a high (100% in my
admittedly very small sample) percentage of systems are vulnerable, I'd
like to hear from someone with more experience in security than I before
I do that.  I'm afraid if I hint at it, the bad guys will be quicker to
find it than the good guys are to fix it.

I don't know whether COPS would have found this.  I'm planning to
install it ASAP to find out ...

|> So who do I report this to?  I don't know that it affects every Sun on
|> the planet, but it affects the handful that I have access to.  

        The CERT (Compute Emergency Response Team) at CMU and other places
is THE group to report the problem to.  They have a 24 hour number you can
call to report it, or you can email them at cert.org or cert.sei.cmu.edu

|> I will not reveal this method.  Please don't bother asking.  I'd like
|> to hint at where the problem is, but because a high (100% in my
|> admittedly very small sample) percentage of systems are vulnerable, I'd
|> like to hear from someone with more experience in security than I before
|> I do that.  I'm afraid if I hint at it, the bad guys will be quicker to
|> find it than the good guys are to fix it.

        That's the right thing to do.  NEVER post to a public group saying
"if you do this and this and this you can get root access."  Always report
to the response team and the developer and let them tell the sys admins.

Direct all comments to this news group or:

Direct all complaints to /dev/null at the site of your choice.

The oceans are full of dirty fish, huh? See the fnords

Quote:>I don't know whether COPS would have found this.  I'm planning to
>install it ASAP to find out ...

This is with COPS 1.04, which has been out for a while.

                Information is Power  -  TGiTM Inc.

I'm interested to see how long it takes Sun to fix it, given that it's
a 4.1.3 bug,  and they probably don't really want to support 4.1.3
anymore .. :-/

(if it's a bug, of course, no offence to Mr Deibele  :) )

--
Carl Brewer                             Ph :61-9-380-1893 | #include \
Systems/Network Officer, Reid Library   Fax:61-9-380-1012 | <std_disclaimer.h>

Merlin, where are you?  Call your Dragon, to weave a mist ....

Aarrrgh! You have found a really good way to annoy other sysadmins...
You say, approximately: "There is a hole in every SunOS 4.1.3, and there are
guys who have found it, and exploited it, but I won't tell you where is it!"
Incidentally, all our Suns are running 4.1.3... So, instead of immediately
patching the hole, I will have to suffer nightmares until CERT announces
the problem. And can you ensure that your crackers will not share their
experience with others? I think you don't... So could you at least tell us
WHERE the hole is (maybe it is something trivial or already discussed here) ?
--
U     U  M     M  M     M  Szymon Sokol -- Network Manager
U     U  MM   MM  MM   MM  University of Mining and Metallurgy, Computer Center
U     U  M M M M  M M M M  ave. Mickiewicza 30, 30-059 Krakow, POLAND
 UUUUU   M  M  M  M  M  M  TEL. +48 12 338100 EXT. 2885    FAX +48 12 338907

chris...
--

"Post: FB Informatik - Bau 57, Universitaet KL, 67653 Kaiserslautern, Germany"

If you're a sysadmin, like me (admittedly small-scale!) how will the
information on avoiding security holes such as this become available
to you/us?

--
Martin Corley                                         ---------

Exeter, UK                                            ---------

Brian

                                                                Z

--
-------------------------------------------------------------------------
| Syed Zaeem Hosain          P. O. Box 610097            (408) 441-7021 |

-------------------------------------------------------------------------

Well, if the hole was not found by me, but by a cracker with a
malicious mind, how do I stop _him_ from distributing information
about it among the cracker community?

Besides, I have very strong suspicions that only holes which are
widely known get a prompt response from CERT. Perhaps this is not
CERT's fault, though.

I've checked CERT advisories from the last 3 months, and found:

CA-93:06.wuarchive.ftpd.vulnerability

  This came couple of days after someone said on Usenet: 'There was
such-and-such bug in an ftp daemon, but it was fixed years ago.'

CA-93:07.Cisco.Router.Packet.Handling.vulnerability

 This one I know nothing about.

CA-93:08.SCO.passwd.vulnerability

 This vulnerability was not, strictly speaking, a 'security risk'. To
quote: 'this will not allow unauthorized access to a system...'.

CA-93:09.SunOS.expreserve.vulnerability

 Information about this bug was _really_ widely circulated before it
was fixed. And several people stated that they had reported it to CERT
before.

To summarize: I don't believe in 'security thru obscurity'. While
posting shell-scripts which, when run from any account, destroy
everything around, may be bad idea, posting some information about the
location of the hole will, IMHO, actually increase security. Eg., say
'there is a hole in "xxxx" program'. That way, sysadms could do
'chmod a-x xxxx' and wait for a proper fix.

  Michal Jankowski

 -- d

(For a limited time, you can get cops 1.04+, which is a slightly
bug-fixed version of cops 1.04, at archive.cis.ohio-state.edu, in
~pub/cops.  Ginsu knives are extra now.)

Quote:(James Deibele) writes:
>One of my users found a way to become root over the weekend.

>So who do I report this to?  I don't know that it affects every Sun on
>the planet, but it affects the handful that I have access to.  

Best place to start is CERT.  Information attached.

-Dan Wing, Systems Administrator, University Hospital, Denver

-----

If you believe that your system has been compromised, contact the CERT
Coordination Center or your representative in FIRST (Forum of Incident
Response and Security Teams).

Telephone: 412-268-7090 (24-hour hotline)
           CERT personnel answer 7:30 a.m.-6:00 p.m. EST(GMT-5)/EDT(GMT-4),
           on call for emergencies during other hours.

CERT Coordination Center
Software Engineering Institute
Carnegie Mellon University
Pittsburgh, PA 15213-3890

Past advisories, information about FIRST representatives, and other
information related to computer security are available for anonymous FTP
from cert.org (192.88.209.5).