Security problem - where to report?


Post by James Deibe » Thu, 08 Jul 1993 09:41:28



One of my users found a way to become root over the weekend.

Good reason to ban holidays, right?

Anyway, this is with SunOS 4.1.3, relatively "out-of-the-box".  I have
no support contract or such with Sun, though I do have an RTU (bought
the machine from the local Sun office).

So who do I report this to?  I don't know that it affects every Sun on
the planet, but it affects the handful that I have access to.  

I will not reveal this method.  Please don't bother asking.  I'd like
to hint at where the problem is, but because a high (100% in my
admittedly very small sample) percentage of systems are vulnerable, I'd
like to hear from someone with more experience in security than I before
I do that.  I'm afraid if I hint at it, the bad guys will be quicker to
find it than the good guys are to fix it.

I don't know whether COPS would have found this.  I'm planning to
install it ASAP to find out ...

 
 
 


Post by Trammell B. Huds » Thu, 08 Jul 1993 10:16:58


|> One of my users found a way to become root over the weekend.

|> So who do I report this to?  I don't know that it affects every Sun on
|> the planet, but it affects the handful that I have access to.  

        The CERT (Computer Emergency Response Team) at CMU and other places
is THE group to report the problem to.  They have a 24 hour number you can
call to report it, or you can email them at cert.org or cert.sei.cmu.edu.

|> I will not reveal this method.  Please don't bother asking.  I'd like
|> to hint at where the problem is, but because a high (100% in my
|> admittedly very small sample) percentage of systems are vulnerable, I'd
|> like to hear from someone with more experience in security than I before
|> I do that.  I'm afraid if I hint at it, the bad guys will be quicker to
|> find it than the good guys are to fix it.

        That's the right thing to do.  NEVER post to a public group saying
"if you do this and this and this you can get root access."  Always report
to the response team and the developer and let them tell the sys admins.

Direct all comments to this news group or:


Direct all complaints to /dev/null at the site of your choice.

The oceans are full of dirty fish, huh? See the fnords

 
 
 


Post by James Deibe » Thu, 08 Jul 1993 11:13:58



>So who do I report this to?  I don't know that it affects every Sun on
>the planet, but it affects the handful that I have access to.  



to all of them.  Thanks for the pointers.

>I don't know whether COPS would have found this.  I'm planning to
>install it ASAP to find out ...

So far it has not.  It's deep into the password checking part routines,
which I assume means that it's completed the other checking it does.

This is with COPS 1.04, which has been out for a while.

 
 
 


Post by TGiTM In » Thu, 08 Jul 1993 12:28:22



> I will not reveal this method.  Please don't bother asking.  I'd like
> to hint at where the problem is, but because a high (100% in my
> admittedly very small sample) percentage of systems are vulnerable, I'd
> like to hear from someone with more experience in security than I before
> I do that.  I'm afraid if I hint at it, the bad guys will be quicker to
> find it than the good guys are to fix it.

Yeah best thing would be to report it to CERT so that THEY can post it all
over the place and let the bad guys know how to do it.  It's their usual
practice...

                Information is Power  -  TGiTM Inc.



 
 
 


Post by Carl Brew » Thu, 08 Jul 1993 18:36:48




>> I will not reveal this method.  Please don't bother asking.  I'd like
>> to hint at where the problem is, but because a high (100% in my
>> admittedly very small sample) percentage of systems are vulnerable, I'd
>> like to hear from someone with more experience in security than I before
>> I do that.  I'm afraid if I hint at it, the bad guys will be quicker to
>> find it than the good guys are to fix it.

>Yeah best thing would be to report it to CERT so that THEY can post it all
>over the place and let the bad guys know how to do it.  It's their usual
>practice...

at least when CERT/SERT/CISC/whatever post it, they also post a fix.

I'm interested to see how long it takes Sun to fix it, given that it's
a 4.1.3 bug,  and they probably don't really want to support 4.1.3
anymore .. :-/

(if it's a bug, of course, no offence to Mr Deibele  :) )

--
Carl Brewer                             Ph :61-9-380-1893 | #include \
Systems/Network Officer, Reid Library   Fax:61-9-380-1012 | <std_disclaimer.h>

Merlin, where are you?  Call your Dragon, to weave a mist ....

 
 
 


Post by Szymon Sok » Thu, 08 Jul 1993 18:32:56


: I will not reveal this method.  Please don't bother asking.  I'd like
: to hint at where the problem is, but because a high (100% in my
: admittedly very small sample) percentage of systems are vulnerable, I'd
: like to hear from someone with more experience in security than I before
: I do that.  I'm afraid if I hint at it, the bad guys will be quicker to
: find it than the good guys are to fix it.

Aarrrgh! You have found a really good way to annoy other sysadmins...
You say, approximately: "There is a hole in every SunOS 4.1.3, and there are
guys who have found it, and exploited it, but I won't tell you where it is!"
Incidentally, all our Suns are running 4.1.3... So, instead of immediately
patching the hole, I will have to suffer nightmares until CERT announces
the problem. And can you ensure that your crackers will not share their
experience with others? I think you don't... So could you at least tell us
WHERE the hole is (maybe it is something trivial or already discussed here) ?
--
U     U  M     M  M     M  Szymon Sokol -- Network Manager
U     U  MM   MM  MM   MM  University of Mining and Metallurgy, Computer Center
U     U  M M M M  M M M M  ave. Mickiewicza 30, 30-059 Krakow, POLAND
 UUUUU   M  M  M  M  M  M  TEL. +48 12 338100 EXT. 2885    FAX +48 12 338907

 
 
 


Post by Christopher Lo » Thu, 08 Jul 1993 19:07:57



>> I will not reveal this method.  Please don't bother asking.  I'd like
>> to hint at where the problem is, but because a high (100% in my

>Yeah best thing would be to report it to CERT so that THEY can post it all
>over the place and let the bad guys know how to do it.  It's their usual
>practice...

Post a *patch* ASAP.  You can discuss the problem without
giving a detailed script of how to exploit it.  Also, when
detailed information gets around, the vendors listen.
When it's kept quiet, nothing gets fixed.  See the expreserve
bug that resurfaced last month - had been reported to Sun
in 1991 and 1992 by others.  Only when a real hue-and-cry
went up did they bother to fix it.

chris...
--

"Post: FB Informatik - Bau 57, Universitaet KL, 67653 Kaiserslautern, Germany"

 
 
 


Post by Martin Corl » Thu, 08 Jul 1993 19:59:18


Out of interest, while condoning the actions taken above:

If you're a sysadmin, like me (admittedly small-scale!) how will the
information on avoiding security holes such as this become available
to you/us?

--
Martin Corley                                         ---------

Exeter, UK                                            ---------

 
 
 


Post by Brian Fitzgera » Thu, 08 Jul 1993 23:57:30


Szymon Sokol writes:

>: I will not reveal this method.  Please don't bother asking.  I'd like
>: to hint at where the problem is, but because a high (100% in my

>experience with others? I think you don't... So could you at least tell us
>WHERE the hole is (maybe it is something trivial or already discussed here) ?

I agree.  What program or kernel module is involved?

Brian

 
 
 


Post by Syed Zaeem Hosa » Thu, 08 Jul 1993 23:58:58




>: I will not reveal this method.  Please don't bother asking.  I'd like
>: to hint at where the problem is, but because a high (100% in my
>: admittedly very small sample) percentage of systems are vulnerable, I'd
>: like to hear from someone with more experience in security than I before
>: I do that.  I'm afraid if I hint at it, the bad guys will be quicker to
>: find it than the good guys are to fix it.

>Aarrrgh! You have found a really good way to annoy other sysadmins...
>You say, approximately: "There is a hole in every SunOS 4.1.3, and there are
>guys who have found it, and exploited it, but I won't tell you where it is!"
>Incidentally, all our Suns are running 4.1.3... So, instead of immediately
>patching the hole, I will have to suffer nightmares until CERT announces
>the problem. And can you ensure that your crackers will not share their
>experience with others? I think you don't... So could you at least tell us
>WHERE the hole is (maybe it is something trivial or already discussed here) ?

How about mailing the information to the sun-managers mailing list?
This will restrict the distribution slightly, although there are non
sun-managers on the list too presumably. Better than nothing, imo.

                                                                Z

--
-------------------------------------------------------------------------
| Syed Zaeem Hosain          P. O. Box 610097            (408) 441-7021 |

-------------------------------------------------------------------------

 
 
 


Post by Michal Jankows » Fri, 09 Jul 1993 02:05:19



>>>>> B. Hudson) said:

Trammell>    That's the right thing to do.  NEVER post to a public
Trammell> group saying "if you do this and this and this you can get
Trammell> root access."  Always report to the response team and the
Trammell> developer and let them tell the sys admins.

Well, if the hole was not found by me, but by a cracker with a
malicious mind, how do I stop _him_ from distributing information
about it among the cracker community?

Besides, I have very strong suspicions that only holes which are
widely known get a prompt response from CERT. Perhaps this is not
CERT's fault, though.

I've checked CERT advisories from the last 3 months, and found:

CA-93:06.wuarchive.ftpd.vulnerability

  This came a couple of days after someone said on Usenet: 'There was
such-and-such bug in an ftp daemon, but it was fixed years ago.'

CA-93:07.Cisco.Router.Packet.Handling.vulnerability

 This one I know nothing about.

CA-93:08.SCO.passwd.vulnerability

 This vulnerability was not, strictly speaking, a 'security risk'. To
quote: 'this will not allow unauthorized access to a system...'.

CA-93:09.SunOS.expreserve.vulnerability

 Information about this bug was _really_ widely circulated before it
was fixed. And several people stated that they had reported it to CERT
before.

To summarize: I don't believe in 'security thru obscurity'. While
posting shell-scripts which, when run from any account, destroy
everything around, may be a bad idea, posting some information about the
location of the hole will, IMHO, actually increase security. Eg., say
'there is a hole in "xxxx" program'. That way, sysadms could do
'chmod a-x xxxx' and wait for a proper fix.

  Michal Jankowski

 
 
 


Post by d ... 415-336-07 » Fri, 09 Jul 1993 04:02:46



> >I don't know whether COPS would have found this.  I'm planning to
> >install it ASAP to find out ...
> So far it has not.  It's deep into the password checking part routines,
> which I assume means that it's completed the other checking it does.

  Actually in the standard out-of-the-box cops, the password stuff is
before the bug stuff.  But it still wouldn't find it if it were a new
bug, since it does all the (brain dead) bug checking based on dates of
the OS vs. the date of the cert advisory.

 -- d

(For a limited time, you can get cops 1.04+, which is a slightly
bug-fixed version of cops 1.04, at archive.cis.ohio-state.edu, in
~pub/cops.  Ginsu knives are extra now.)

 
 
 


Post by Dan Wi » Fri, 09 Jul 1993 10:37:51



(James Deibele) writes:
>One of my users found a way to become root over the weekend.

>So who do I report this to?  I don't know that it affects every Sun on
>the planet, but it affects the handful that I have access to.  

Please don't discuss *anything* about this on the net.  Don't even hint
at where the vulnerability could be.

Best place to start is CERT.  Information attached.

-Dan Wing, Systems Administrator, University Hospital, Denver

-----

If you believe that your system has been compromised, contact the CERT
Coordination Center or your representative in FIRST (Forum of Incident
Response and Security Teams).


Telephone: 412-268-7090 (24-hour hotline)
           CERT personnel answer 7:30 a.m.-6:00 p.m. EST(GMT-5)/EDT(GMT-4),
           on call for emergencies during other hours.

CERT Coordination Center
Software Engineering Institute
Carnegie Mellon University
Pittsburgh, PA 15213-3890

Past advisories, information about FIRST representatives, and other
information related to computer security are available for anonymous FTP
from cert.org (192.88.209.5).

 
 
 

1. How to report security problems with commercial applications?

Hello!

I am sorry, if this is a FAQ, but I am in a hurry with this problem.

I found a security problem in one of our commercial products. It allows
every user of the internet to execute any shell command as the user
running this program.

What is the best way to report this problem and to get it corrected?

I know I can report this problem to the vendor of the software, but
then the hole probably never gets fixed :-(.

Can I report this kind of security problem to CERT?

How do I have to report this problem? Is there a form I can fill out?

Thanks in advance,

        Mario
--

Institut fuer Robotik und Prozessinformatik der TU Braunschweig
Hamburger Strasse 267, 38114 Braunschweig, Germany
