============================================================================= CA-94:04 CERT Advisory March 17, 1994 SunOS /usr/ucb/rdist Vulnerability ============================================================================= The CERT Coordination Center has received information concerning a vulnerability in /usr/ucb/rdist in Sun Microsystems, Inc. SunOS 4.1.1, 4.1.2, 4.1.3, and 4.1.3c on all sun3 and sun4 architectures. SunOS 4.1.3_U1, Solaris 2.x, and Solbourne's 4.1B and 4.1C are not vulnerable. This is a Sun specific Advisory. Please reference CERT Advisory CA-91:20 "/usr/ucb/rdist Vulnerability" for general information regarding other vendors. A vendor status file pub/cert_advisories/rdist-patch-status is available via anonymous FTP from info.cert.org. This vulnerability is being actively exploited; please review CERT Advisory CA-94:01 "Ongoing Network Monitoring Attacks." Patches can be obtained from local Sun Answer Centers worldwide as well as through anonymous FTP from ftp.uu.net in the /systems/sun/sun-dist directory. In Europe, these patches are available from ftp.eu.net in the /sun/fixes directory. Information concerning specific patches is outlined below. Please note that Sun sometimes updates patch files. If you find that the checksum is different, please contact Sun. ----------------------------------------------------------------------------- I. Description A security vulnerability exists in /usr/ucb/rdist that can be used to gain unauthorized privileges. Under some circumstances /usr/ucb/rdist can be used to create setuid root programs. II. Impact This vulnerability allows a local user to gain root access. III. Solution A. If rdist is not being used, change the permissions on the file. # chmod 700 /usr/ucb/rdist B. Obtain and install the appropriate patches according to the instructions included with the patches. Module Patch ID Filename ---------- --------- --------------- rdist 100383-06 100383-06.tar.Z BSD Checksum = 58984 121 System V Checksum = 9125 241 MD5 Checksum = f8f78ddab19af5efabb9bd66fc8f5c1a --------------------------------------------------------------------------- If you believe that your system has been compromised, contact the CERT Coordination Center or your representative in Forum of Incident Response and Security Teams (FIRST). Internet E-mail: cert@cert.org Telephone: 412-268-7090 (24-hour hotline) CERT personnel answer 8:30 a.m.-5:00 p.m. EST(GMT-5)/EDT(GMT-4), and are on call for emergencies during other hours. CERT Coordination Center Software Engineering Institute Carnegie Mellon University Pittsburgh, PA 15213-3890 Past advisories, information about FIRST representatives, and other information related to computer security are available for anonymous FTP from info.cert.org.