SECURITY: [linux-alert] CIAC Bulletin G-42:Vulnerability in WorkMan Program
- To: debian-user@lists.debian.org
- Subject: SECURITY: [linux-alert] CIAC Bulletin G-42:Vulnerability in WorkMan Program
- From: "Lazaro D. Salem" <salem@rf.no>
- Date: Thu, 26 Sep 96 12:28:27 -0700
- Message-id: <"Mzk1V2.0.OZ6.-pbIo"@primer>
news:cola-liw-843162714-29491-0@liw.clinet.fi
Marcey Kelley <kelley6@llnl.gov> wrote:
>-----BEGIN PGP SIGNED MESSAGE-----
>
>[ Moderator's note: Forwarded from linux-alert. :-) --liw ]
>
>[Mod: Forwarded from Bugtraq. --Jeff.]
>
>- -----BEGIN PGP SIGNED MESSAGE-----
>
>
> __________________________________________________________
>
> The U.S. Department of Energy
> Computer Incident Advisory Capability
> __________________________________________________________
>
> INFORMATION BULLETIN
>
> Vulnerability in WorkMan Program
>
>August 29, 1996 15:00 GMT Number G-42
>______________________________________________________________________________
>PROBLEM: When the "WorkMan" compact disc playing program is installed
> set-user-id "root", it can be used to make any file on the
> system world-writable.
>PLATFORM: Linux, UNIX System V Release 4.0 (and derivatives).
>DAMAGE: A non-privileged user can use "WorkMan" to make any file on the
> system world-writable, and then modify that file's contents.
> This vulnerability can allow the user to create accounts,
> destroy log files, and perform other unauthorized actions.
>SOLUTION: Apply the patches listed in the vendor bulletin below.
>______________________________________________________________________________
>VULNERABILITY ASSESSMENT: This vulnerability is becoming widely known.
>______________________________________________________________________________
>
>[Begin IBM Bulletin]
>
>- - - --ERS-ALERT--ERS-ALERT--ERS-ALERT--ERS-ALERT--ERS-ALERT--ERS-ALERT-ERS-ALERT
>- - - ---EXTERNAL RELEASE---EXTERNAL RELEASE---EXTERNAL RELEASE---EXTERNAL RELEASE
>
>
> EMERGENCY RESPONSE SERVICE
> SECURITY VULNERABILITY ALERT
>
>28 August 1996 18:00 GMT Number: ERS-SVA-E01-1996:005.1
>=============================================================================
> VULNERABILITY SUMMARY
>
>VULNERABILITY: When the "WorkMan" compact disc playing program is installed
> set-user-id "root," it can be used to make any file on the
> system world-writable.
>
>PLATFORMS: Linux, UNIX System V Release 4.0 (and derivatives)
>
>SOLUTION: Remove the set-user-id bit from the "workman" program.
>
>THREAT: A non-privileged user can use "WorkMan" to make any file on
> the system world-writable, and then modify that file's
> contents.
>
>=============================================================================
> DETAILED INFORMATION
>
>NOTE: This advisory is NOT a re-hash of the problem reported on several lists
> earlier this week by a group calling itself "r00t." The vulnerability
> described by "r00t" is essentially a subset of the problem described in
> this alert.
>
>I. Description
>
>"WorkMan" is a popular program used for playing audio compact disks on local
>workstation CD-ROM drives that is widely available from many sites around the
>Internet. Versions of "WorkMan" are also included with some operating system
>distributions, such as Linux.
>
>On systems where "WorkMan" was built and installed using the procedures that
>are given in "Makefile.linux" or "Makefile.svr4" (in general, this means on
>Linux systems and UNIX System V Release 4.0 systems), the "workman" program
>is installed set-user-id "root." This means that when the program is run,
>it will execute with super-user permissions.
>
>In order to allow signals to be sent to it, "WorkMan" writes its process-id
>to a file called "/tmp/.wm_pid." The "-p" option to the program allows the
>user to specify a different file name in which to record this information.
>When a file is specified with "-p", "WorkMan" simply attempts to create and/or
>truncate the file, and if this succeeds, "WorkMan" changes the permissions on
>the file so that it is world-readable and world-writable.
>
>In the general case, when "WorkMan" is installed without the set-user-id bit
>set, the normal file access permissions provided by the operating system will
>prevent users from creating or truncating files they are not authorized to
>create or truncate. However, when "WorkMan" is installed set-user-id "root,"
>this process breaks down (because "root" is allowed to create/truncate any
>file).
>
>II. Impact
>
>A user executing a set-user-id "root" version of "WorkMan" can use the "-p"
>option to create a file anywhere in the file system, or to truncate any file
>in the file system. More importantly, the file specified with "-p" will be
>world-readable and world-writable when "WorkMan" is finished. This can enable
>the user to create accounts, destroy log files, and perform other unauthorized
>actions.
>
>III. Solutions
>
>"WorkMan" does not require the set-user-id bit to work; it is installed this
>way only on systems that do not make the CD-ROM device file world-readable
>by default.
>
>This vulnerability can be alleviated by:
>
>1) Removing the set-user-id bit from the "WorkMan" program, via a command
> such as
>
> chmod u-s /usr/local/bin/workman
>
>and
>
>2) Making the CD-ROM device world-readable, via a command such as
>
> chmod +r /dev/cdrom
>
>Note that on multi-user systems, part (2) of the above procedure will allow
>any user to access the contents of the disc installed in the CD-ROM; this
>may not be desirable in all environments.
>
>IV. Acknowledgements
>
>IBM-ERS would like to thank the IBM Global Security Analysis Laboratory at the
>IBM T. J. Watson Research Center for their discovery of this vulnerability,
>bringing it to our attention, providing the steps to fix it, and assistance in
>developing this alert.
>
>UNIX is a technology trademark of X/Open Company, Ltd.
>
>===============================================================================
>
>[End IBM Bulletin]
>_______________________________________________________________________________
>
>CIAC wishes to acknowledge the contributions of IBM for the
>information contained in this bulletin.
>_______________________________________________________________________________
>
>CIAC, the Computer Incident Advisory Capability, is the computer
>security incident response team for the U.S. Department of Energy
>(DOE) and the emergency backup response team for the National
>Institutes of Health (NIH). CIAC is located at the Lawrence Livermore
>National Laboratory in Livermore, California. CIAC is also a founding
>member of FIRST, the Forum of Incident Response and Security Teams, a
>global organization established to foster cooperation and coordination
>among computer security teams worldwide.
>
>CIAC services are available to DOE, DOE contractors, and the NIH. CIAC
>can be contacted at:
> Voice: +1 510-422-8193
> FAX: +1 510-423-8002
> STU-III: +1 510-423-2604
> E-mail: ciac@llnl.gov
>
>For emergencies and off-hour assistance, DOE, DOE contractor sites,
>and the NIH may contact CIAC 24-hours a day. During off hours (5PM -
>8AM PST), call the CIAC voice number 510-422-8193 and leave a message,
>or call 800-759-7243 (800-SKY-PAGE) to send a Sky Page. CIAC has two
>Sky Page PIN numbers, the primary PIN number, 8550070, is for the CIAC
>duty person, and the secondary PIN number, 8550074 is for the CIAC
>Project Leader.
>
>Previous CIAC notices, anti-virus software, and other information are
>available from the CIAC Computer Security Archive.
>
> World Wide Web: http://ciac.llnl.gov/
> Anonymous FTP: ciac.llnl.gov (128.115.19.53)
> Modem access: +1 (510) 423-4753 (28.8K baud)
> +1 (510) 423-3331 (28.8K baud)
>
>CIAC has several self-subscribing mailing lists for electronic
>publications:
>1. CIAC-BULLETIN for Advisories, highest priority - time critical
> information and Bulletins, important computer security information;
>2. CIAC-NOTES for Notes, a collection of computer security articles;
>3. SPI-ANNOUNCE for official news about Security Profile Inspector
> (SPI) software updates, new features, distribution and
> availability;
>4. SPI-NOTES, for discussion of problems and solutions regarding the
> use of SPI products.
>
>Our mailing lists are managed by a public domain software package
>called ListProcessor, which ignores E-mail header subject lines. To
>subscribe (add yourself) to one of our mailing lists, send the
>following request as the E-mail message body, substituting
>CIAC-BULLETIN, CIAC-NOTES, SPI-ANNOUNCE or SPI-NOTES for list-name and
>valid information for LastName FirstName and PhoneNumber when sending
>
>E-mail to ciac-listproc@llnl.gov:
> subscribe list-name LastName, FirstName PhoneNumber
> e.g., subscribe ciac-notes OHara, Scarlett W. 404-555-1212 x36
>
>You will receive an acknowledgment containing address, initial PIN,
>and information on how to change either of them, cancel your
>subscription, or get help.
>
>PLEASE NOTE: Many users outside of the DOE, ESnet, and NIH computing
>communities receive CIAC bulletins. If you are not part of these
>communities, please contact your agency's response team to report
>incidents. Your agency's team will coordinate with CIAC. The Forum of
>Incident Response and Security Teams (FIRST) is a world-wide
>organization. A list of FIRST member organizations and their
>constituencies can be obtained by sending email to
>docserver@first.org with an empty subject line and a message body
>containing the line: send first-contacts.
>
>This document was prepared as an account of work sponsored by an
>agency of the United States Government. Neither the United States
>Government nor the University of California nor any of their
>employees, makes any warranty, express or implied, or assumes any
>legal liability or responsibility for the accuracy, completeness, or
>usefulness of any information, apparatus, product, or process
>disclosed, or represents that its use would not infringe privately
>owned rights. Reference herein to any specific commercial products,
>process, or service by trade name, trademark, manufacturer, or
>otherwise, does not necessarily constitute or imply its endorsement,
>recommendation or favoring by the United States Government or the
>University of California. The views and opinions of authors expressed
>herein do not necessarily state or reflect those of the United States
>Government or the University of California, and shall not be used for
>advertising or product endorsement purposes.
>
>LAST 10 CIAC BULLETINS ISSUED (Previous bulletins available from CIAC)
>
>G-32: HP-UX Vulnerabilities in expreserve, rpc.pcnfsd, rpc.statd
>G-33: rdist vulnerability
>G-34: HP-UX Vulnerabilities (netttune, SAM remote admin)
>G-35: SUN Microsystems Solaris vold Vulnerability
>G-36: HP-UX Vulnerabilities in elm and rdist Programs
>G-37: Vulnerability in Adobe FrameMaker (fm_fls)
>G-38: Linux Vulnerabilities in mount and umount Programs
>G-39: Vulnerability in expreserve
>G-40: SGI admin and user Program Vulnerabilities
>G-41: Vulnerability in BASH Program
>
>RECENT CIAC NOTES ISSUED (Previous Notes available from CIAC)
>
>Notes 07 - 3/29/95 A comprehensive review of SATAN
>
>Notes 08 - 4/4/95 A Courtney update
>
>Notes 09 - 4/24/95 More on the "Good Times" virus urban legend
>
>Notes 10 - 6/16/95 PKZ300B Trojan, Logdaemon/FreeBSD, vulnerability
> in S/Key, EBOLA Virus Hoax, and Caibua Virus
>
>Notes 11 - 7/31/95 Virus Update, Hats Off to Administrators,
> America On-Line Virus Scare, SPI 3.2.2 Released,
> The Die_Hard Virus
>
>Notes 12 - 9/12/95 Securely configuring Public Telnet Services, X
> Windows, beta release of Merlin, Microsoft Word
> Macro Viruses, Allegations of Inappropriate Data
> Collection in Win95
>
>Notes 96-01 - 3/18/96 Java and JavaScript Vulnerabilities, FIRST
> Conference Announcement, Security and Web Search
> Engines, Microsoft Word Macro Virus Update
>
>- -----BEGIN PGP SIGNATURE-----
>Version: 4.0 Business Edition
>
>iQCVAgUBMicE47nzJzdsy3QZAQGRCQQAiA9WGkaF14qx8/7X3qvEicuv23dBgrlV
>siE/Jcq7yBMtuDCThMk9nDbDf1fGLUyysZ/MeeS9ybBpWJxzgWL2iXP9f0yBRtap
>siGX0ij+7LKrexR5nWBsdf7jZF34qaqU8xRlBHxbC7QiZIZD7SMtl9ZYBsflN8nP
>CFT0bTnpUOk=
>=PYbw
>- -----END PGP SIGNATURE-----
>
>
>-----BEGIN PGP SIGNATURE-----
>Version: 2.6.2i
>
>iQCVAwUBMkGkHIQRll5MupLRAQHKcQP+MRWwuNgPZulW9K6GHXvuKL2nA1h8unOX
>aQRrw5Di/SUjXbq2U4W5QiqHrCGoqHZ7KztpYReLnmKNwCCiIewVDNCTvmPxE6+4
>0mqXKiRIVNGiEQkvWftlBOEcLWhz9Fx2iOrhZJmg2Kn6b9O6VckfjxsPWikmuluX
>FKBnv6LLS8Y=
>=WQNr
>-----END PGP SIGNATURE-----
>
>--
>This article has been digitally signed by the moderator, using PGP.
>http://www.iki.fi/liw/lasu-public-key.asc has PGP key for validating signature.
>Send submissions for comp.os.linux.announce to: linux-announce@news.ornl.gov
>PLEASE remember a short description of the software and the LOCATION.
>This group is archived at http://www.iki.fi/liw/linux/cola.html
--
Lazaro D. Salem E-mail: salem@rf.no
RF-Rogaland Research Phone: +47 51 87 50 00
P.O.Box 2503, Ullandhaug Direct: +47 51 87 50 65
N-4004 Stavanger, NORWAY Fax: +47 51 87 52 00
Reply to:
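The pid-file handling that section I of the forwarded IBM bulletin describes (create or truncate the path given with "-p", then make it world-readable and world-writable) is a general bug pattern for set-user-id programs, so here it is as an added example in C next to a hardened version. This is not WorkMan's source and not code from CIAC or IBM; the function names pidfile_vulnerable, pidfile_safe, scratch_dir and run_demo, and the scratch directory under /tmp, are mine. It runs unprivileged, so it cannot reproduce the root-only part (truncating a file the caller does not own); what it shows is the rest of the bug, the 0666 result and symlink following, and the three refusals the hardened version adds.

```c
/*
 * Added example, not taken from WorkMan.  The two functions contrast the
 * "-p" pid-file handling described in the bulletin (create/truncate the
 * user-supplied path, then make it world-writable) with a version that is
 * safe to keep inside a set-user-id root program.
 */
#define _GNU_SOURCE
#include <fcntl.h>
#include <stdio.h>
#include <stdlib.h>
#include <sys/stat.h>
#include <unistd.h>

/* The vulnerable pattern: the open() runs with whatever privilege the
 * process holds (root, when installed set-user-id), so any path the caller
 * names is created or truncated; the chmod() then leaves it 0666.
 * Returns the permission bits of the resulting file, or -1 on error. */
int pidfile_vulnerable(const char *path)
{
    int fd = open(path, O_WRONLY | O_CREAT | O_TRUNC, 0644);
    if (fd < 0)
        return -1;
    dprintf(fd, "%ld\n", (long)getpid());
    close(fd);
    /* chmod by path after close also follows symlinks and races against
     * anyone who can replace `path` in the meantime. */
    if (chmod(path, 0666) < 0)
        return -1;
    struct stat st;
    if (stat(path, &st) < 0)
        return -1;
    return (int)(st.st_mode & 07777);
}

/* Hardened version: do the file work as the real (invoking) user, create
 * only a brand-new regular file, never follow a symlink, and leave the
 * 0644 creation mode alone.  In an unprivileged process the setegid/seteuid
 * calls are no-ops, so the example runs without root.
 * Returns the permission bits of the new file, or -1 if it refused. */
int pidfile_safe(const char *path)
{
    if (setegid(getgid()) < 0 || seteuid(getuid()) < 0)
        return -1;
    int fd = open(path, O_WRONLY | O_CREAT | O_EXCL | O_NOFOLLOW, 0644);
    if (fd < 0)
        return -1;          /* exists, is a symlink, or not ours to write */
    dprintf(fd, "%ld\n", (long)getpid());
    struct stat st;
    int rc = fstat(fd, &st);
    close(fd);
    return rc < 0 ? -1 : (int)(st.st_mode & 07777);
}

/* Scratch directory for the demonstration (constructed under /tmp). */
const char *scratch_dir(void)
{
    static char dir[] = "/tmp/wm_demo_XXXXXX";
    static int made;
    if (!made) {
        if (mkdtemp(dir) == NULL)
            return NULL;
        made = 1;
    }
    return dir;
}

/* Exercise both functions inside `dir`.  Returns 0 when every check holds,
 * otherwise the number of the step that failed. */
int run_demo(const char *dir)
{
    char vuln[4096], safe[4096], lnk[4096];
    snprintf(vuln, sizeof vuln, "%s/vuln.pid", dir);
    snprintf(safe, sizeof safe, "%s/safe.pid", dir);
    snprintf(lnk, sizeof lnk, "%s/link.pid", dir);

    /* 1: the vulnerable path always ends with a world-writable file */
    if (pidfile_vulnerable(vuln) != 0666) return 1;
    /* 2: the safe path yields a file nobody but the owner can write */
    int mode = pidfile_safe(safe);
    if (mode < 0 || (mode & 0022) != 0) return 2;
    /* 3: O_EXCL refuses to truncate a file that already exists */
    if (pidfile_safe(safe) != -1) return 3;
    /* 4: a symlink planted at the pid-file path is refused too ... */
    if (symlink(vuln, lnk) < 0) return 4;
    if (pidfile_safe(lnk) != -1) return 5;
    /* 5: ... while the vulnerable version follows it to its target */
    if (pidfile_vulnerable(lnk) != 0666) return 6;
    return 0;
}

int main(void)
{
    const char *dir = scratch_dir();
    int rc = dir ? run_demo(dir) : -1;
    printf("demo %s (rc=%d, files under %s)\n",
           rc == 0 ? "ok" : "FAILED", rc, dir ? dir : "?");
    return rc == 0 ? 0 : 1;
}
```

The point of pidfile_safe is that none of its checks depend on being root: dropping to the real uid makes the kernel's ordinary permission check do the work the bulletin says the set-user-id bit defeated, O_EXCL|O_NOFOLLOW closes the "plant a link at the pid-file path" variant, and not widening the mode afterwards removes the persistent world-writable file that made the bug exploitable beyond a single truncation. None of this replaces the advisory's own fix: a CD player that does not need root should not carry the set-user-id bit in the first place (chmod u-s), with the device node made readable instead.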