________________________________________________________________________

              THE COMPUTER INCIDENT ADVISORY CAPABILITY

                                CIAC

                        INFORMATION BULLETIN
________________________________________________________________________

Additional information on the vulnerability in the UNIX DECODE alias

January 23, 1990, 1130 PST                                   Number A-14

CIAC information bulletin A-13 described preliminary information about a
vulnerability in some versions of the UNIX operating system. This
bulletin gives additional information and a procedure for patching this
vulnerability.

The UNIX operating system maintains a global mail aliases data base used
by the "sendmail" program to re-route electronic mail. This database
file is contained in /usr/lib/aliases for most UNIX systems (with
exceptions noted below). One standard alias delivered with some versions
of UNIX is "decode." When mail is sent to "decode" at a UNIX host, the
message is re-routed to the program "uudecode", which will translate a
file that has been encoded with "uuencode". There is a vulnerability
associated with this default alias, and CIAC maintains that there is a
strong possibility that this vulnerability has been or is currently
being exploited.

To determine if your UNIX system has this vulnerability, CIAC recommends
the following procedure:

1. Find the global aliases file for your UNIX system. Traditionally
   this file is kept in /usr/lib/aliases, but for some systems such as
   SUN OS 4.X and ULTRIX 3.X systems it may be in /etc/aliases. If you
   do not have either of these files, it is possible that you are not
   running the SENDMAIL program, and thus do not have this
   vulnerability. The global aliases file will be referred to as in the
   following steps.

2. Determine if the decode alias is present in your global aliases
   file. To do this execute the command

       "grep decode "

   If this command results in nothing being displayed, your system does
   not have a decode alias, and probably does not have this
   vulnerability.
   If you see a line such as

       'decode: "|/usr/bin/uudecode" '

   or a similar line, proceed to step 3.

3. Become a super-user for your system if you are not already running
   as root. Create a backup copy of the aliases file found in step 1,
   and edit this file. Insert a "#" at the beginning of the line
   containing the decode alias. The line should now read:

       '#decode: "|/usr/bin/uudecode" '

   Save the file and exit.

4. Assure that the ownership and permissions of this aliases file are
   still set properly, by executing the command

       "ls -l "

   The line should begin with "-rw-r--r--". If this is not the case,
   run the command

       "chmod 644 "

5. Once the aliases file has been altered, run the command "newaliases"
   so that the changed aliases file will take effect. The vulnerability
   has now been closed.

If you do not wish to disable the DECODE alias, you can redirect DECODE
to postmaster. In step 3 above, change the decode alias to

    "decode: postmaster"

Now mail to decode will be forwarded to postmaster, allowing the
designated postmaster to manually uudecode the file if desired.

If neither of these solutions is appropriate for your system, you may
call CIAC for additional alternatives. If you have questions, please
contact CIAC.

    Tom Longstaff
    (415) 423-4416 or (FTS) 543-4416
    FAX: (FTS) 543-0913 or (415) 294-5054

CIAC's business hours phone number is (415) 422-8193 or (FTS) 532-8193.
CIAC's 24-hour emergency hot-line number is (415) 971-9384 or send
e-mail to: ciac@tiger.llnl.gov

Neither the United States Government nor the University of California
nor any of their employees, makes any warranty, express or implied, or
assumes any legal liability or responsibility for the accuracy,
completeness, or usefulness of any information, product, or process
disclosed, or represents that its use would not infringe privately
owned rights.
Reference herein to any specific commercial products, process, or
service by trade name, trademark, manufacturer, or otherwise, does not
necessarily constitute or imply its endorsement, recommendation, or
favoring by the United States Government or the University of
California. The views and opinions of authors expressed herein do not
necessarily state or reflect those of the United States Government nor
the University of California, and shall not be used for advertising or
product endorsement purposes.
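
Added example (not part of the CIAC bulletin): steps 2 through 4 of the
procedure above as a shell script that also catches mixed-case alias
names and continuation lines. The function names and the sample aliases
file are constructed for illustration; "newaliases" (step 5) must still
be run after the file is changed.

```shell
#!/bin/sh
# Added example, not CIAC's code. Function names are hypothetical.

# Step 2: print active (uncommented) decode entries; status 0 if any exist.
# Alias names are matched case-insensitively and must start in column 0.
active_decode_alias() {
    awk 'tolower($0) ~ /^decode[ \t]*:/ { print; found = 1 }
         END { exit !found }' "$1"
}

# Steps 3-4: back up the file, comment out each decode entry together with
# its continuation lines (lines starting with a blank), then set mode 644.
# Returns 1 if there was nothing to disable, 2 on an I/O failure.
disable_decode_alias() {
    file=$1
    active_decode_alias "$file" >/dev/null || return 1
    cp -p "$file" "$file.bak" || return 2
    awk 'tolower($0) ~ /^decode[ \t]*:/ { print "#" $0; hit = 1; next }
         hit && /^[ \t]/                { print "#" $0; next }
         { hit = 0; print }' "$file.bak" > "$file" || return 2
    chmod 644 "$file"
}

# Constructed sample input; the duplicate entry only exercises both forms.
make_sample_aliases() {
    printf '%s\n' \
        '# constructed sample aliases file' \
        'postmaster: root' \
        'decode: "|/usr/bin/uudecode"' \
        'Decode : "|/usr/bin/uudecode",' \
        '    root' \
        'nobody: /dev/null' > "$1"
}

# No arguments: demonstrate on the constructed sample in a temp directory.
# With arguments (e.g. /usr/lib/aliases /etc/aliases): report only.
if [ "$#" -eq 0 ]; then
    tmp=$(mktemp -d) && make_sample_aliases "$tmp/aliases"
    disable_decode_alias "$tmp/aliases" && cat "$tmp/aliases"
    rm -rf "$tmp"
else
    for f in "$@"; do
        if [ -f "$f" ] && active_decode_alias "$f" >/dev/null; then
            echo "$f: active decode alias present"
        fi
    done
fi
```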