             _____________________________________________________

                       The U.S. Department of Energy
                    Computer Incident Advisory Capability
             _____________________________________________________

                               ADVISORY NOTICE

                      Network Monitoring Attacks Update

March 18, 1994 1800 PST                                          Number E-12
______________________________________________________________________________

PROBLEM:   Continued network monitoring attacks.
PLATFORM:  All computers supporting logins over the Internet.
DAMAGE:    Unauthorized access and use of resources; exposure of username,
           password, host-name combinations, as well as other sensitive
           information.
SOLUTION:  Detection and prevention steps described below.
______________________________________________________________________________

         Critical Information about the Network Monitoring Attacks

This Advisory supersedes any other version of Bulletin E-12 dated prior to
March 18, 1994. This Advisory updates information contained in CIAC Advisory
E-09.

The number of Internet sites compromised by the ongoing series of network
monitoring (sniffing) attacks continues to increase. The number of accounts
compromised world-wide is now estimated to exceed 100,000. This series of
attacks represents the most serious Internet threat in its history.

IMPORTANT: THESE NETWORK MONITORS DO NOT SPECIFICALLY TARGET INFORMATION FROM
UNIX SYSTEMS; ALL SYSTEMS SUPPORTING NETWORK LOGINS ARE POTENTIALLY
VULNERABLE. IT IS IMPERATIVE THAT SITES ACT TO SECURE THEIR SYSTEMS.

Attack Description
==================

The attacks are based on network monitoring software, known as a "sniffer",
installed surreptitiously by intruders. The sniffer records the initial 128
bytes of each login, telnet, and FTP session seen on the local network
segment, compromising ALL traffic to or from any machine on the segment as
well as traffic passing through the segment being monitored. The captured
data includes the name of the destination host, the username, and the
password used.
This information is written to a file and is later used by the intruders to
gain access to other machines.

Note: To date, these attacks have only involved sniffers on Unix systems
running SunOS 4.x. However, nearly all networked computers have the
capability of monitoring the network.

In most cases, the intruders initially gain access to systems using one of
the following techniques:

  - Retrieve the password file via TFTP on improperly configured systems.
  - Retrieve the password file from systems running insecure versions of
    NIS.
  - Gain access to the local file systems via NFS mount points exported
    without restrictions.
  - Use a login name and password captured by a sniffer running on another
    system.

Once on a system, the intruders gain root privilege by exploiting known
vulnerabilities, including rdist, Sun Sparc integer division, and world
writeable utmp files; or by making use of a captured root password. They
then install the sniffer software, logging the captured session information
to a hidden file. In addition, the intruders generally install Trojan
replacements for one or more of the following critical system files in order
to disguise their presence on the system:

  - /bin/login
  - /usr/etc/in.telnetd
  - /usr/kvm/ps
  - /usr/ucb/netstat

Detection
=========

The following techniques may be used to detect the presence of a sniffer on
a system running SunOS 4.x:

1. The integrity of key system files may be verified using the database of
   MD5 checksums contained in Appendix B of this Advisory. The use of MD5
   checksums is essential, as many of the Trojan binaries currently being
   used have been engineered to generate the same "/bin/sum" checksum as the
   original binary. The MD5 signature algorithm by RSA Data Security, Inc.
   is cryptographically strong and is not believed to be susceptible to such
   an attack.

   In addition to the checksum database, CIAC is providing a program to
   automate the verification of system files. This program is included in
   Appendix A.
   The program, the checksum database, source for md5, and a man page are
   also available via anonymous FTP from irbis.llnl.gov (IP 128.115.19.60)
   in the directory /pub/util/crypto.

       Filename          MD5 Checksum
       ----------------  --------------------------------
       md5check.1.0.tar  113d5d66e73c95967801b512d3dd692d
       md5_sun.v1        780a0f1f3717819c59135716e5f6a1ce

   Note that the MD5 checksum database is not complete. Some patch revisions
   and OS releases were unavailable for testing. If a checksum DOES NOT
   match, consider these possible reasons:

   a. The file may be legitimate, but not included in this database. To
      check this possibility, compare the file against the original
      distribution media.

   b. You may have made local modifications to the file. To check this
      possibility, compare the file to a known good version.

   c. The file may be a Trojan replacement installed by an intruder. We
      encourage you to make a copy of the file, replace it with a known good
      version, and check for additional signs of compromise. Contact CIAC
      for further assistance.

2. The sniffer software places the network interface in promiscuous mode to
   allow examination of each packet on the network segment. This mode can be
   detected with the CPM utility described in Appendix C.

3. Scan your file system for any unusual directories or files. Look for
   unusual names like "..  " (dot dot space space) or " " (space). A useful
   technique for locating such files is to examine the file system for files
   that have recently changed. For example, the command

       find / -ctime -7 -print

   will locate all files that have changed in the last 7 days.

4. Examine the process table with a known good version of ps, checking for
   long running processes with unusually high amounts of CPU time and/or
   unusual names.

Prevention
==========

1. Verify that all applicable security patches have been installed. These
   patches will limit the amount of damage that is possible, even if an
   intruder has captured a password for the system.
   Appendix D lists all SunOS security patches released as of March 18,
   1994.

2. Install a change detection tool such as Security Profile Inspector (SPI)
   or Tripwire to detect future changes to system binaries. For the latest
   information about the availability of SPI contact Tony Bartoletti, SPI
   Project Leader, 510-422-3881 or azb@llnl.gov. A mailserver exists for
   information about Tripwire availability. Send E-mail to
   "tripwire-request@cs.purdue.edu" with a message body consisting solely of
   the word "help", and the server will respond with instructions on how to
   get source, patches and join the tripwire mailing list.

3. The only long term solution to the problem of network password sniffing
   is the use of one-time passwords. These passwords change with each use,
   and are of no value to an intruder. Several implementations exist,
   including both hardware and software solutions. Contact information is
   provided in Appendix E.

   At a minimum, users should use different passwords for each account and
   each system, remote systems in particular. Passwords must be changed
   frequently, especially on systems accessed over networks.

--------------------------------------------------------------------
Appendix A: "md5check"

The following program is a "nawk" script that can be run against the list of
checksums "md5_sun.v1" in Appendix B:

    nawk -f md5check md5_sun.v1

The program, the checksum database, source for md5, and a man page are also
available via anonymous FTP from irbis.llnl.gov (IP 128.115.19.60) in the
directory /pub/util/crypto.
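For the file system scan in Detection step 3, the following is an added example, not part of the CIAC advisory: a shell function that lists entries whose names consist only of dots and spaces (such as "..  " or " "), optionally limited to recently changed files. It goes beyond the two names in the text by also flagging leading or trailing spaces and control characters. Assumptions: the function name scan_odd_names and the reason labels are hypothetical, -mindepth requires GNU or BSD find, and the scan is run as root so no directory is skipped.

```shell
#!/bin/sh
# Added example, not part of the CIAC advisory.
#
# scan_odd_names ROOT [DAYS]
#   ROOT  directory tree to scan
#   DAYS  optional: only report entries changed within the last DAYS days,
#         the same -ctime test as the advisory's "find / -ctime -7 -print"
#
# Prints one line per hit as "<reason> [<path>]". The brackets make leading
# and trailing spaces visible; control characters are shown as "?".
# The function name and reason labels are hypothetical. -mindepth is a
# GNU/BSD find extension (assumption: one of those finds is installed).

scan_odd_names() {
    root=$1
    days=${2:-}

    # Turn the optional DAYS argument into find predicates.
    if [ -n "$days" ]; then
        set -- -ctime "-$days"
    else
        set --
    fi

    # Helper run by find for each hit: $1 = reason, $2 = path.
    show='printf "%s [%s]\n" "$1" "$(printf %s "$2" | tr "[:cntrl:]" "?")"'

    # Each branch ends in -exec, which is true when the helper succeeds, so
    # the -o chain stops at the first reason that fits and every entry is
    # reported once.
    #   branch 1: name contains nothing but dots and spaces ("..  ", " ")
    #   branch 2: name starts or ends with a space
    #   branch 3: name contains a control character (tab, newline, ...)
    find "$root" -mindepth 1 "$@" \( \
        ! -name '*[! .]*' \
            -exec sh -c "$show" sh only-dots-and-spaces {} \; \
        -o \( -name ' *' -o -name '* ' \) \
            -exec sh -c "$show" sh edge-whitespace {} \; \
        -o -name '*[[:cntrl:]]*' \
            -exec sh -c "$show" sh control-char {} \; \
    \)
}

# Run as a script, for example: sh scan_odd_names.sh / 7
if [ "$#" -gt 0 ]; then
    scan_odd_names "$@"
fi
```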

    Filename          MD5 Checksum
    ----------------  --------------------------------
    md5check.1.0.tar  113d5d66e73c95967801b512d3dd692d
    md5_sun.v1        780a0f1f3717819c59135716e5f6a1ce

------- Cut Here -------
# "md5check" version 1 (3/17/94)

BEGIN {
    FS = "[ \t]*:[ \t]*";
}

# Print notices from the configuration file
/^##/ {
    print substr ($0, 3);
    next;
}

# Only handle MD5 checksums currently
/^md5/ {
    source = sprintf("%-7s %-8s %-6s %s", $2, $3, $5, $4);
    file = $6;
    sum = hex_lower($7);

    if (md5[file] == "") {
        print "Checking", file;
        testcmd = "test -r " file;
        if ( system(testcmd) != 0 ) {
            print " Could not open", file;
            md5[file] = "x";
            next;
        } else {
            md5cmd = "md5 " file
            md5cmd | getline md5[file];
            close (md5cmd);
            # Strip off any leading text and set to lowercase
            sub(".*[ \t]", "", md5[file]);
            md5[file] = hex_lower(md5[file]);
        }
    }

    if (md5[file] == "x" || file in matched) {
        # Could not open or already matched
        next;
    }

    if (md5[file] == sum) {
        # We have a match - remember which one
        matched[file] = source;
        num_match++;
        if (file in not_matched) {
            num_no_match--;
            delete not_matched[file];
        }
    } else {
        if (! (file in not_matched)) {
            num_no_match++;
            not_matched[file] = 1;
        }
    }
}

END {
    printf "\n%d files DID NOT MATCH a known checksum\n", num_no_match;
    printf "%d files did match a known checksum\n", num_match;

    print "\nThe following files DID NOT MATCH a known checksum";
    for (filename in not_matched) {
        printf "\t%s\n", filename;
    }

    print "\nThe following files did match a known checksum";
    for (filename in matched) {
        printf "\t%s\n\t\t%s\n", filename, matched[filename];
    }
}

function hex_lower(s) {
    gsub("A","a",s);
    gsub("B","b",s);
    gsub("C","c",s);
    gsub("D","d",s);
    gsub("E","e",s);
    gsub("F","f",s);
    return s
}
------- Cut Here -------

--------------------------------------------------------------------
Appendix B: "md5_sun.v1"

## Checksum Table for Selected SunOS Binary Files (v1: 3/17/94)
##
## PLEASE NOTE: The entries included in this table do not represent complete
##              coverage of all released versions of these files.
##              In particular, checksum data for outdated patch releases is
##              limited.
##
##              Failure to match a checksum for a given file does not
##              necessarily indicate the presence of a Trojan binary.
##              Failure indicates that the file's checksum did not match any
##              contained in this table. The file's authenticity should be
##              verified against distribution media or local modifications.
##
##              Success at matching a file's checksum indicates that the
##              corresponding file is free from tampering.
##
# (MD5 is the RSA Data Security, Inc. Message Digest Algorithm)
#
# format of data
#
# XSUMTYPE:OSNAME:OSVERSION:SOURCE:ARCH:FILE:XSUM

--------------------------------------------------------------------
Appendix C: "cpm"

The CPM 1.0 README File

   cpm - check for promiscuous mode in network interfaces.

   Copyright (c) Carnegie Mellon University 1994
   Thursday Feb 3 1994

   CERT Coordination Center
   Software Engineering Institute
   Carnegie Mellon University
   Pittsburgh, PA 15213-3890

   This program is free software; you can distribute it and/or modify it as
   long as you retain the Carnegie Mellon copyright statement.

   It can be obtained via anonymous FTP from
   info.cert.org:pub/tools/cpm.tar.Z.

   This program is distributed WITHOUT ANY WARRANTY and without an IMPLIED
   WARRANTY of merchantability or fitness for a particular purpose.

   This package contains:

       README
       MANIFEST
       cpm.1
       cpm.c

   To create cpm under SunOS, type:

       % cc -Bstatic -o cpm cpm.c

   On machines that support dynamic loading, such as Sun's, CERT recommends
   that programs be statically linked so that this feature is disabled.

   CERT recommends that after you install cpm in your favorite directory,
   you take measures to ensure the integrity of the program by noting the
   size and checksums of the source code and resulting binary.

   The following is an example of the output of cpm and its exit status.

   Running cpm on a machine where both the le0 and le2 interfaces are in
   promiscuous mode, under csh(1):

       % cpm
       le0
       le2
       % echo $status
       2
       %

   Running cpm on a machine where no interfaces are in promiscuous mode,
   under csh(1):

       % cpm
       % echo $status
       0
       %

-------------------------------------------------------------
Appendix D: "SunOS security patches"

             Solaris and SunOS Security Patch Information

For information about rdist see CIAC Bulletin C-04. For information about
integer division under SunOS see CIAC Bulletin B-41.
Previous CIAC notices are available on the Internet via anonymous FTP from
irbis.llnl.gov (IP address 128.115.19.60).

CIAC has compiled a list of all security related patches currently available
from Sun Microsystems. The patches have been grouped by SunOS version and
are detailed below. CIAC recommends the installation of any applicable
patches that either are not currently present on a system or are present in
the form of an older version of the patch.

SunOS security patches are available through both your Sun Answer Center and
anonymous FTP. In the U.S., ftp to ftp.uu.net (IP address 192.48.96.9) and
retrieve the patches from the directory /systems/sun/sun-dist. In Europe,
ftp to ftp.eu.net (IP address 192.16.202.2) and retrieve the patches from
the /sun/fixes directory. The patches are contained in compressed tarfiles
with filenames based on the ID number of the patch (e.g. patch 100085-03 is
contained in the file 100085-03.tar.Z), and must be retrieved using FTP's
binary transfer mode.

After obtaining the patches, compute the checksum of each compressed tarfile
and compare with the values indicated below. For example, the command
"/usr/bin/sum 100085-03.tar.Z" should return "44177 740". Please note that
Sun Microsystems occasionally updates patch files, resulting in a changed
checksum. If you should find a checksum that differs from those listed
below, please contact Sun Microsystems or CIAC for verification before using
the patch.

The patches may be extracted from the compressed tarfiles using the commands
uncompress and tar. For example, to extract patch 100085-03 from the
compressed tarfile 100085-03.tar.Z, execute the commands
"uncompress 100085-03.tar.Z" and "tar -xvf 100085-03.tar". For specific
instructions regarding the installation of a particular patch, consult the
README file accompanying each patch.
As multiple patches may affect the same files, it is recommended that patches be installed chronologically by revision date, with the exception of patches for which an explicit order is specified.

=======================
SunOS 5.3 (Solaris 2.3)
=======================

Patch ID   Last Revised  Checksum    Description
--------   ------------  ---------   -------------------------------------
101371-03  23-Dec-93     51272  377  sendmail vulnerabilities

=======================
SunOS 5.2 (Solaris 2.2)
=======================

Patch ID   Last Revised  Checksum    Description
--------   ------------  ---------   -------------------------------------
101090-01  28-Jun-93     44985   54  expreserve can overwrite any file
101301-01  21-Oct-93      4703  779  tar archives may contain extraneous info
101077-06  23-Dec-93     28185  358  sendmail vulnerabilities

=======================
SunOS 5.1 (Solaris 2.1)
=======================

Patch ID   Last Revised  Checksum    Description
--------   ------------  ---------   -------------------------------------
100833-02  12-Jan-93     24412  309  C2 auditing missing in some programs
100840-01  12-Jan-93     25050  220  sendmail bypasses mailhost
100884-01  12-Feb-93     63299 5220  Security fixes for sun4m machines
101089-01  28-Jun-93      4501   54  expreserve can overwrite any file
100975-02  21-Oct-93     13460  747  tar archives may contain extraneous info
100840-06  23-Dec-93     61100  390  sendmail vulnerabilities

=======================
SunOS 5.0 (Solaris 2.0)
=======================

SunOS 5.0 (Solaris 2.0) is no longer supported (upgrade is essential for security).

===========
SunOS 4.1.3
===========

Patch ID   Last Revised  Checksum    Description
--------   ------------  ---------   -------------------------------------
100478-01  14-Feb-92     64588   58  OpenWindows 3.0 xlock vulnerability
100296-04  18-Jun-92     15271   40  File systems exported incorrectly
100507-04  3-Sep-92      57590   61  tmpfs file system vulnerability
100372-02  8-Sep-92      22739  712  tfs fails under C2
100103-11  29-Sep-92     19847    6  Permissions incorrect on many files
100567-04  27-Oct-92     15728   11  ICMP packets can be forged
100564-05  11-Nov-92     00115  824  C2 jumbo patch
100482-04  16-Nov-92     06594  342  ypserv will send NIS maps to anyone
100513-02  2-Dec-92      34315  483  Console can be redirected
100623-03  11-Dec-92     56063  141  NFS file handles can be guessed
100173-10  7-Jan-93      48086  788  NFS jumbo patch
100383-06  26-Jan-93     58984  121  rdist can create setuid root files
100452-28  29-Jan-93     07299 1688  cmdtool may reveal passwords
100305-11  12-Feb-93     38582  500  The lp daemon can delete system files
100891-01  19-Feb-93     33195 3075  Netgroup and xlock vulnerabilities
100224-06  5-Mar-93      57647   54  mail and rmail can invoke root shells
101080-01  9-Jun-93      45221   13  expreserve can overwrite any file
100448-02  15-Dec-93     19410    5  OpenWindows 3.0 loadmodule hole
101200-02  15-Dec-93     41677   28  Security hole in modload
100377-08  23-Dec-93     05320  755  sendmail vulnerabilities
100593-03  17-Mar-94     52095  242  dump vulnerabilities
100272-07  17-Mar-94     26553   39  in.comsat vulnerabilities
101480-01  17-Mar-94     47917   44  in.talkd vulnerabilities
101481-01  17-Mar-94     46562   80  shutdown vulnerabilities
100909-02  17-Mar-94     61539  108  syslogd vulnerabilities
101482-01  17-Mar-94     61148   41  write vulnerabilities

===========
SunOS 4.1.2
===========

Patch ID   Last Revised  Checksum    Description
--------   ------------  ---------   -------------------------------------
100184-02  14-Dec-90     06627   33  OpenWindows 2.0 vulnerability
100478-01  14-Feb-92     64588   58  OpenWindows 3.0 xlock vulnerability
100630-01  18-May-92     28074   39  Environment variables vulnerability
100633-01  22-May-92     33264   20  Environment variables with Sun's ARM
100296-04  18-Jun-92     15271   40  File systems exported incorrectly
100376-04  16-Jul-92     12884  100  Integer division vulnerability
100507-04  3-Sep-92      57590   61  tmpfs file system vulnerability
100372-02  8-Sep-92      22739  712  tfs fails under C2
100103-11  29-Sep-92     19847    6  Permissions incorrect on many files
100567-04  27-Oct-92     15728   11  ICMP packets can be forged
100564-05  11-Nov-92     00115  824  C2 jumbo patch
100482-04  16-Nov-92     06594  342  ypserv will send NIS maps to anyone
100513-02  2-Dec-92      34315  483  Console can be redirected
100623-03  11-Dec-92     56063  141  NFS file handles can be guessed
100173-10  7-Jan-93      48086  788  NFS jumbo patch
100383-06  26-Jan-93     58984  121  rdist can create setuid root files
100452-28  29-Jan-93     07299 1688  cmdtool may reveal passwords
100305-11  12-Feb-93     38582  500  The lp daemon can delete system files
100224-06  5-Mar-93      57647   54  mail and rmail can invoke root shells
101080-01  9-Jun-93      45221   13  expreserve can overwrite any file
100448-02  15-Dec-93     19410    5  OpenWindows 3.0 loadmodule hole
101200-02  15-Dec-93     41677   28  Security hole in modload
100377-08  23-Dec-93     05320  755  sendmail vulnerabilities
100593-03  17-Mar-94     52095  242  dump vulnerabilities
100272-07  17-Mar-94     26553   39  in.comsat vulnerabilities
101480-01  17-Mar-94     47917   44  in.talkd vulnerabilities
101481-01  17-Mar-94     46562   80  shutdown vulnerabilities
100909-02  17-Mar-94     61539  108  syslogd vulnerabilities
101482-01  17-Mar-94     61148   41  write vulnerabilities

===========
SunOS 4.1.1
===========

Patch ID   Last Revised  Checksum    Description
--------   ------------  ---------   -------------------------------------
100085-03  5-Sep-90      44177  740  Sunview selection_svc vulnerability
100184-02  14-Dec-90     06627   33  OpenWindows 2.0 vulnerability
100125-05  8-Jul-91      41964  164  telnet permits password capture
100424-01  12-Nov-91     63070   50  NFS file handles can be guessed
100448-01  10-Dec-91     29285    5  OpenWindows 3.0 loadmodule hole
100478-01  14-Feb-92     64588   58  OpenWindows 3.0 xlock vulnerability
100630-01  18-May-92     28074   39  Environment variables vulnerability
100633-01  22-May-92     33264   20  Environment variables with Sun's ARM
100296-04  18-Jun-92     42492   40  File systems exported incorrectly
100376-04  16-Jul-92     12884  100  Integer division vulnerability
100507-04  3-Sep-92      57590   61  tmpfs file system vulnerability
100372-02  8-Sep-92      22739  712  tfs fails under C2
100103-11  29-Sep-92     19847    6  Permissions incorrect on many files
100567-04  27-Oct-92     15728   11  ICMP packets can be forged
100201-06  5-Nov-92      13145  164  C2 jumbo patch
100267-09  6-Nov-92      55338 5891  Netgroup membership check fails
100482-04  16-Nov-92     06594  342  ypserv will send NIS maps to anyone
100513-02  2-Dec-92      34315  483  Console can be redirected
100173-10  7-Jan-93      48086  788  NFS jumbo patch
100383-06  26-Jan-93     58984  121  rdist can create setuid root files
100452-28  29-Jan-93     07299 1688  cmdtool may reveal passwords
100305-11  12-Feb-93     38582  500  The lp daemon can delete system files
100224-06  5-Mar-93      57647   54  mail and rmail can invoke root shells
101080-01  9-Jun-93      45221   13  expreserve can overwrite any file
100448-02  15-Dec-93     19410    5  OpenWindows 3.0 loadmodule hole
101200-02  15-Dec-93     41677   28  Security hole in modload
100377-08  23-Dec-93     05320  755  sendmail vulnerabilities
100593-03  17-Mar-94     52095  242  dump vulnerabilities
100272-07  17-Mar-94     26553   39  in.comsat vulnerabilities
101480-01  17-Mar-94     47917   44  in.talkd vulnerabilities
101481-01  17-Mar-94     46562   80  shutdown vulnerabilities
100909-02  17-Mar-94     61539  108  syslogd vulnerabilities
101482-01  17-Mar-94     61148   41  write vulnerabilities

=========
SunOS 4.1
=========

Patch ID   Last Revised  Checksum    Description
--------   ------------  ---------   -------------------------------------
100101-02  7-Aug-90      42872   34  ptrace security vulnerability
100085-03  5-Sep-90      44177  740  Sunview selection_svc vulnerability
100184-02  14-Dec-90     06627   33  OpenWindows 2.0 vulnerability
100125-05  8-Jul-91      41964  164  telnet permits password capture
100630-01  18-May-92     28074   39  Environment variables vulnerability
100376-04  16-Jul-92     12884  100  Integer division vulnerability
100103-11  29-Sep-92     19847    6  Permissions incorrect on many files
100567-04  27-Oct-92     15728   11  ICMP packets can be forged
100201-06  5-Nov-92      13145  164  C2 jumbo patch
100482-04  16-Nov-92     06594  342  ypserv will send NIS maps to anyone
100513-02  2-Dec-92      34315  483  Console can be redirected
100383-06  26-Jan-93     58984  121  rdist can create setuid root files
100452-28  29-Jan-93     07299 1688  cmdtool may reveal passwords
100305-11  12-Feb-93     38582  500  The lp daemon can delete system files
100121-09  24-Feb-93     57589  360  NFS jumbo patch
101080-01  9-Jun-93      45221   13  expreserve can overwrite any file
100448-02  15-Dec-93     19410    5  OpenWindows 3.0 loadmodule hole
101200-02  15-Dec-93     41677   28  Security hole in modload
100377-08  23-Dec-93     05320  755  sendmail vulnerabilities
100593-03  17-Mar-94     52095  242  dump vulnerabilities
100272-07  17-Mar-94     26553   39  in.comsat vulnerabilities
101480-01  17-Mar-94     47917   44  in.talkd vulnerabilities
101481-01  17-Mar-94     46562   80  shutdown vulnerabilities
100909-02  17-Mar-94     61539  108  syslogd vulnerabilities
101482-01  17-Mar-94     61148   41  write vulnerabilities

======================
SunOS 4.0.x
======================

SunOS 4.0.3c, 4.0.3, 4.0.2i, 4.0.2, and 4.0.1 are no longer supported (upgrade is essential for security).

----------------------------------------------------------

Appendix E: One-time Passwords

The following information was compiled by the CERT Coordination Center.

Given today's networked environments, CIAC recommends that sites concerned about the security and integrity of their systems and networks consider moving away from standard, reusable passwords. CIAC has seen many incidents involving Trojan network programs (e.g., telnet and rlogin) and network packet sniffing programs. These programs capture clear-text hostname, account name, password triplets. Intruders can use the captured information for subsequent access to those hosts and accounts. This is possible because 1) the password is used over and over (hence the term "reusable"), and 2) the password passes across the network in clear text.

Several authentication techniques have been developed that address this problem. Among these techniques are challenge-response technologies that provide passwords that are only used once (commonly called one-time passwords). This document provides a list of sources for products that provide this capability.
The decision to use a product is the responsibility of each organization, and each organization should perform its own evaluation and selection.

I. Public Domain packages

S/KEY(TM)

    The S/KEY package is publicly available (no fee) via anonymous FTP from:

        thumper.bellcore.com        /pub/skey directory

    There are four subdirectories:

        skey    UNIX source code for S/KEY. Includes the change needed to login, and stand-alone commands (such as "key"), that computes the one-time password for the user, given the secret password and the S/KEY command.

        dos     DOS or DOS/WINDOWS S/KEY programs. Includes DOS version of "key" and "termkey" which is a TSR program.

        mac     One-time password calculation utility for the Mac.

        docs    Documentation.

II. Commercial Products

Secure Net Key (SNK) (Do-it-yourself project)

    Digital Pathways, Inc.
    201 Ravendale Dr.
    Mountainview, Ca. 94043-5216 USA
    Phone: 415-964-0707
    Fax: 415-961-7487

    Products:
        handheld authentication calculators (SNK004)
        serial line auth interruptors (guardian)

    Note: Secure Net Key (SNK) is des-based, and therefore restricted from US export.

Secure ID (complete turnkey systems)

    Security Dynamics
    One Alewife Center
    Cambridge, MA 02140-2312 USA
    Phone: 617-547-7820
    Fax: 617-354-8836

    Products:
        SecureID changing number authentication card
        ACE server software

    SecureID is time-synchronized using a 'proprietary' number generation algorithm

WatchWord and WatchWord II

    Racal-Guardata
    480 Spring Park Place
    Herndon, VA 22070
    703-471-0892
    1-800-521-6261 ext 217

    Products:
        Watchword authentication calculator
        Encrypting modems

    Alpha-numeric keypad, digital signature capability

SafeWord

    Enigma Logic, Inc.
    2151 Salvio #301
    Concord, CA 94520
    510-827-5707
    Fax: 510-827-2593

    Products:
        DES Silver card authentication calculator
        SafeWord Multisync card authentication calculator

    Available for UNIX, VMS, MVS, MS-DOS, Tandem, Stratus, as well as other OS versions. Supports one-time passwords and super smartcards from several vendors.
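Why a password captured by a sniffer is useless once one-time passwords are in place, shown with the hash-chain scheme that S/KEY is based on. This is an added sketch, not the Bellcore S/KEY code: SHA-256 stands in for S/KEY's own hash, and the LoginServer class, the compute_otp function, the seed and the secret are hypothetical names and constructed values.

```python
import hashlib
import hmac

def h(value):
    # SHA-256 is a stand-in for this sketch; S/KEY does not use SHA-256.
    return hashlib.sha256(value).digest()

def compute_otp(secret, seed, sequence):
    """User side: hash secret+seed 'sequence' times (the job of a "key"-style calculator)."""
    value = secret + seed
    for _ in range(sequence):
        value = h(value)
    return value

class LoginServer:
    """Holds only the last accepted password; the secret never reaches the host."""
    def __init__(self, seed, sequence, stored):
        self.seed, self.sequence, self.stored = seed, sequence, stored

    def challenge(self):
        return self.sequence - 1, self.seed       # travels in clear text

    def login(self, otp):
        # Accept only a value whose hash equals what the host stored last time.
        if self.sequence > 1 and hmac.compare_digest(h(otp), self.stored):
            self.stored, self.sequence = otp, self.sequence - 1
            return True
        return False

def demo():
    secret, seed = b"constructed secret", b"th12345"          # constructed values
    server = LoginServer(seed, 100, compute_otp(secret, seed, 100))
    wire, results = [], []                                    # wire: what a sniffer records
    for _ in range(2):
        sequence, seed_sent = server.challenge()
        otp = compute_otp(secret, seed_sent, sequence)
        wire.append(otp)
        results.append(server.login(otp))
    replay = [server.login(captured) for captured in wire]    # captured values are stale
    return results, replay, server.sequence

if __name__ == "__main__":
    print(demo())
```

Each accepted password becomes the host's new stored value, so the next valid password is a preimage of it under the hash, which recorded traffic does not contain.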
______________________________________________________________________________

CIAC wishes to acknowledge the contributions of CERT Coordination Center for their timely and thorough advisory, detection tool, diligence and support throughout this ongoing incident. Our thanks also to Mark Graff, Sun Microsystems; Tony Bartoletti, SPI Project Leader; and members of FIRST for their assistance.
______________________________________________________________________________

For additional information or assistance, please contact CIAC:

    Voice:   510-422-8193
    FAX:     510-423-8002
    STU-III: 510-423-2604
    E-mail:  ciac@llnl.gov

Previous CIAC Bulletins and other information are available via anonymous FTP from irbis.llnl.gov (IP address 128.115.19.60).

CIAC has two self-subscribing mailing lists for its two types of electronic publications: 1. Advisories (highest priority, time critical information) or Bulletins (important computer security information) and 2. Notes (computer security articles of general interest). Our mailing lists are managed by a public domain software package called ListProcessor, which ignores E-mail header subject lines. To subscribe (add yourself) to one of our mailing lists, send E-mail to:

    ciac-listproc@llnl.gov

with the following request as the E-mail message body, substituting CIAC-BULLETIN or CIAC-NOTES for (service) and valid information for the other items in parentheses:

    subscribe (service) (Full_Name) (Phone_number)
______________________________________________________________________________

PLEASE NOTE: Many users outside of the DOE and ESnet computing communities receive CIAC bulletins. If you are not part of these communities, please contact your agency's response team to report incidents. Your agency's team will coordinate with CIAC. The Forum of Incident Response and Security Teams (FIRST) is a world-wide organization. A list of FIRST member organizations and their constituencies can be obtained by sending email to docserver@first.org with an empty subject line and a message body containing the line: send first-contacts.

This document was prepared as an account of work sponsored by an agency of the United States Government. Neither the United States Government nor the University of California nor any of their employees, makes any warranty, expressed or implied, or assumes any legal liability or responsibility for the accuracy, completeness, or usefulness of any information, product, or process disclosed, or represents that its use would not infringe privately owned rights. Reference herein to any specific commercial products, process, or service by trade name, trademark, manufacturer, or otherwise, does not necessarily constitute or imply its endorsement, recommendation, or favoring by the United States Government or the University of California. The views and opinions of authors expressed herein do not necessarily state or reflect those of the United States Government nor the University of California, and shall not be used for advertising or product endorsement purposes.