Date:      Tue, 9 Jul 1996 18:18:08 -0600 (MDT)
From:      Dave Andersen <angio@aros.net>
To:        hackers@freebsd.org
Subject:   CERT Advisory CA-96.13 - Alien/OS Vulnerability
Message-ID:  <199607100018.SAA10845@shell.aros.net>

Subject: CERT Advisory CA-96.13 - Alien/OS Vulnerability (fwd)

=============================================================================
CERT(sm) Advisory CA-96.13
July 4, 1996

Topic: ID4 virus, Alien/OS Vulnerability

-----------------------------------------------------------------------------

The CERT Coordination Center has received reports of weaknesses in
Alien/OS that can allow species with primitive information sciences
technology to initiate denial-of-service attacks against MotherShip(tm)
hosts.  One report of exploitation of this bug has been received. 

When attempting takeover of planets inhabited by such races, a trojan
horse attack is possible that permits local access to the MotherShip host,
enabling the implantation of executable code with full root access to
mission-critical security features of the operating system. 

The vulnerability exists in versions of EvilAliens' Alien/OS 34762.12.1 or
later, and all versions of Microsoft's Windows/95. CERT advises against
initiating further planet takeover actions until patches are available
from these vendors.  If planet takeover is absolutely necessary, CERT
advises that affected sites apply the workarounds as specified below. 

As we receive additional information relating to this advisory, we will
place it in

        ftp://info.cert.org/pub/cert_advisories/CA-96.13.README

We encourage you to check our README files regularly for updates on
advisories that relate to your site. 

---------------------------------------------------------------------------

I.   Description

      Alien/OS contains a security vulnerability, which strangely enough
      can be exploited by a primitive race running Windows/95. 
      Although Alien/OS has been extensively field tested over millions
      of years by EvilAliens, Inc., the bug was only recently discovered
      during a routine invasion of a backwater planet.  EvilAliens notes
      that the operating system had never before been tested against a
      race with "such a kick-ass president."

      The vulnerability allows the insertion of executable code with
      root access to key security features of the operating system.  In
      particular, such code can disable the NiftyGreenShield (tm)
      subsystem, allowing child processes to be terminated by unauthorized
      users.

      Additionally, Alien/OS networking protocols can provide a
      low-bandwidth covert timing channel to a determined attacker.


II.   Impact

      Non-privileged primitive users can cause the total destruction of
      your entire invasion fleet and gain unauthorized access to files.


III.  Solution

      EvilAliens has supplied a workaround and a patch, as follows:

      A. Workaround

        To prevent unauthorized insertion of executables, install a
        firewall to selectively vaporize incoming packets that do not
        contain valid aliens.  Also, disable the "Java" option in
        Netscape.

        To eliminate the covert timing channel, remove untrusted
        hosts from routing tables.  As tempting as it is, do not use
        target species' own satellites against them.


      B. Patch

        As root, install the "evil" package from the distribution tape.
        (Optionally) save a copy of the existing /usr/bin/sendmail and
        modify its permission to prevent misuse.


---------------------------------------------------------------------------
The CERT Coordination Center thanks Jeff Goldblum and Fjkxdtssss for
providing information for this advisory. 
---------------------------------------------------------------------------

If you believe that your mothership, planet, or extensive system of
devoured planets have been compromised, contact the CERT Coordination
Center or your representative in the Forum of Incident Response and
Security Teams (FIRST). 

We strongly urge you to encrypt any sensitive information you send by
email or interplanetary broadcast.  Please do not use host systems
satellites for the transmission of sensitive information.  The CERT
Coordination Center can support a shared DES key and PGP. Contact the CERT
staff for more information. 

Location of CERT PGP key
         ftp://info.cert.org/pub/CERT_PGP.key

CERT Contact Information
------------------------
Email    cert@cert.org

Phone    +1 412-268-7090 (24-hour hotline)
                CERT personnel answer 8:30-5:00 p.m. EST
                (GMT-5)/EDT(GMT-4), and are on call for
                emergencies during other hours.

Fax      +1 412-268-6989

Postal address
        CERT Coordination Center
        Software Engineering Institute
        Carnegie Mellon University
        Pittsburgh PA 15213-3890
        USA

To be added to our mailing list for CERT advisories and bulletins, send your
email address to
        cert-advisory-request@cert.org

CERT publications, information about FIRST representatives, and other
security-related information are available for anonymous FTP from
        ftp://info.cert.org/pub/

CERT advisories and bulletins are also posted on the USENET newsgroup
        comp.security.announce

-- 
angio@aros.net                Complete virtual hosting and business-oriented
system administration         Internet services.  (WWW, FTP, email)
http://www.aros.net/          http://www.aros.net/about/virtual
  "There are only two industries that refer to their customers as 'users'."