_____________________________________________________ The Computer Incident Advisory Capability ___ __ __ _ ___ / | / \ / \___ __|__ /___\ \___ _____________________________________________________ INFORMATION BULLETIN Vulnerability in the rdist utility on UNIX platforms October 23, 1991, 1000 PDT Number C-4 ----------------------------------------------------------------------------- PROBLEM: Bug in /usr/ucb/rdist may allow unauthorized file changes PLATFORM: All UNIX platforms supporting the rdist utility (See Below) DAMAGE: Could be exploited to create setuid files SOLUTIONS: Apply patch supplied by the vendor (see list below) or disallow access by non-privledged users until a patch is available ----------------------------------------------------------------------------- Critical Facts about the rdist vulnerability CIAC has learned of a vulnerability associated with the Berkeley Software Distribution (BSD) rdist utility. This program can commonly be found at /usr/ucb/rdist; however, the location may vary depending on the vendor and system configuration. This vulnerability may allow unauthorized system modification by non-privileged users. This vulnerability appears to be in all versions of rdist shipped by vendors supporting this utility to date. VENDORS THAT DO NOT SHIP /usr/ucb/rdist (Note: Even though these vendors do not ship rdist, it may have been added later (for example, by the system administrator). It is also possible that vendors porting one of these operating systems may have added rdist. In both cases corrective action must be taken.) Amdahl AT&T System V Data General The following list of vendors will supply a patched version of rdist to replace the vulnerable version. Cray Research, Inc. UNICOS 6.0/6.E/6.1 Field Alert #132 SPR 47600 For further information contact the Support Center at 1-800-950-CRAY or 612-683-5600 or e-mail support@crayamid.cray.com. NeXT Computer, Inc. NeXTstep Release 2.x A new version of rdist may be obtained from your authorized NeXT Support Center. If you are an authorized support center, please contact NeXT through your normal channels. NeXT also plans to make this new version of rdist available on the public NeXT FTP archives. Silicon Graphics IRIX 3.3/4.0/4.0.1 Patches may be obtained via anonymous ftp from sgi.com in the sgi/rdist directory. Sun Microsystems, Inc. SunOS 4.0.3/4.1/4.1.1 Patch ID 100383-02 Patches may be obtained via anonymous ftp from ftp.uu.net or from local Sun Answer Centers worldwide. If there is no patch available yet for your system, CIAC recommends that you modify the execute permission of the rdist utility so that unprivledged users cannot execute it. To do this, locate the rdist file (usually located in /usr/ucb/rdist) and execute the following as root: chmod 711 /usr/ucb/rdist The impact of this workaround is that non-privledged users and programs will not be able to execute the rdist utility as root. Please contact CIAC for assistance. David Brown (510) 423-9878**/(FTS) 543-9878 dsbrown@llnl.gov Send e-mail to ciac@llnl.gov or call CIAC at (510) 422-8193**/(FTS) 532-8193. FAX messages to: (510) 423-8002**/(FTS) 543-8002. Previous CIAC bulletins and other information is available via anonymous ftp from irbis.llnl.gov (ip address 128.115.19.60). **Note area code has changed from 415, although the 415 area code will work until Jan. 1992. CIAC would like to thank Barbara Fraser of the Computer Emergency Response Team/Coordination Center for some of the information provided in this bulletin. Neither the United States Government nor the University of California nor any of their employees, makes any warranty, expressed or implied, or assumes any legal liability or responsibility for the accuracy, completeness, or usefulness of any information, product, or process disclosed, or represents that its use would not infringe privately owned rights. Reference herein to any specific commercial products, process, or service by trade name, trademark manufacturer, or otherwise, does not necessarily constitute or imply its endorsement, recommendation, or favoring by the United States Government or the University of California. The views and opinions of authors expressed herein do not necessarily state or reflect those of the United States Government nor the University of California, and shall not be used for advertising or product endorsement purposes.