-----BEGIN PGP SIGNED MESSAGE----- <<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>> Automated Systems Security Incident Support Team _____ ___ ___ _____ ___ _____ | / /\ / \ / \ | / \ | | / Integritas / \ \___ \___ | \___ | | < et /____\ \ \ | \ | | \ Celeritas / \ \___/ \___/ __|__ \___/ | |_____\ <<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>> Bulletin 95-39 Release date: 17 October, 1995, 07:15 AM EDT (GMT -4) SUBJECT: Vulnerability in lsof versions 3.18 through 3.43 SUMMARY: It may be possible to write lsof's private device cache file to system locations that are normally inaccessible to the lsof user, depending on the UNIX dialect where lsof is installed and how that dialect grants permission to access kernel memory information. The vulnerability affects lsof revisions 3.18 through 3.43, installed on these UNIX dialects: AIX 3.2.4, 3.2.5, 4.1, the IBM RISC/System 6000 4.1.1, and 4.1.2 EP/IX 2.1.1 the CDC 4680 FreeBSD 1.1.5.1, 2.0, and Intel-based systems 2.0.5 HP-UX 8.x, 9.x, and 10 HP systems (some combinations) IRIX 4.0.5H, 5.2, 5.3, SGI systems 6.0, and 6.1 Linux through 1.3.0 Intel-based systems Motorola V/88 R32V3, M88K systems R40V4.[123] NetBSD 1.0 and 1.0A Intel and SPARC-based systems NEXTSTEP 2.1 and 3.[0123] all NEXTSTEP architectures OSF/1 1.3, 2.0, 3.0, and the DEC Alpha 3.2 RISC/os 4.52 MIPS R2000-based systems SCO OpenDesktop or Intel-based systems OpenServer 1.1, 3.0, and 5.0 Sequent Dynix 3.0.12 the Sequent Symmetry Sequent PTX 2.1.[156] and Sequent systems 4.0.[23] Solaris 2.[1234] and 2.5 Sun 4 and i86pc systems BETA SunOS 4.1.[1234] Sun 3 and 4 Ultrix 2.2, 4.2, 4.3, DEC RISC and VAX and 4.4 Users of the affected revisions of lsof on these dialects should install lsof revision 3.44, 3.45 or later. See RECOMMENDED SOLUTIONS for info on locations and some appropriate installation considerations for lsof versions 3.44 and up. BACKGROUND: A private device cache file feature was introduced at lsof revision 3.18 to speed up subsequent calls to lsof by reducing the need for a full scan of the nodes in /dev (or /devices). Accompanying the feature was an option (-D) that allowed the lsof user to specify where the device cache file was to be recorded. Since lsof normally runs with effective group ID permission set to the group that can read kernel memory devices, the -D option might allow lsof to write its device cache file to a location not normally accessible to the real user or group owning the lsof process. The locations where the lsof device cache file might be inappropriately recorded depend on the group that owns the memory devices and to what other files and directories the group has write permission. Here are two examples: 1) IBM's distribution of AIX sets group ownership of /dev/kmem and /etc to the "system" group and enables group write permission in /etc; and 2) Sun's Solaris distribution does the same thing, using the "sys" group. (Security conscious installations often create a new group -- e.g., "kmem" or "mem" -- that owns no files and is used solely for enabling read access to kernel memory devices.) A fix for this group ID vulnerability may be found in lsof revisions 3.44, 3.45, and above. A more serious vulnerability exists when lsof must run setuid to the root user and also has device cache file support. This happens for the lsof implementation that runs under Motorola's V/88 UNIX dialects R40V4.1, R40V4.2, and R40V4.3. This gives the lsof user an unlimited choice of places to record the device cache file. A partial fix for this vulnerability was introduced in lsof revision 3.43. The complete fix may be found in lsof revisions 3.44, 3.45, and above. IMPACT: The vulnerability affects all lsof revisions 3.18 through 3.43 on UNIX dialects where device cache file support has been implemented. Unauthorized users may be able to write the lsof device cache file to normally-restricted locations, possibly in place of important system files. The vulnerability can be exploited only by users with a valid account. It cannot be exploited by arbitrary remote users. RECOMMENDED SOLUTIONS: Retrieve and install lsof revision 3.44, 3.45, or later. lsof can be obtained in compressed tar format from: ftp://assist.mil/pub/tools/unix/lsof.tar.Z ftp://vic.cc.purdue.edu/pub/tools/unix/lsof/lsof.tar.Z Lsof 3.44 eliminates the vulnerability for all relevant UNIX dialects. However, its overly zealous restrictions for Solaris and SunOS and are relaxed in revision 3.45. Both tar archives are wrappers that contain authentication information (MD5 checksums and PGP certificates) and a tar archive of the lsof sources. To install the new version of lsof: A. Retrieve the wrapper archive, extract its three files, README.lsof_, lsof_.tar, and lsof_.tar.asc -- and verify its authentication information. ( should be 3.44 or greater.) B. Unpack the lsof source archive from lsof_.tar and read its documentation files. Pay particular attention to the 00DCACHE file that describes options for specifying the location of the device cache, and the security section in the 00README file. C. Having selected the lsof options appropriate to the UNIX dialect where you want to install it, run the Configure script, use make to build lsof, and install the resulting lsof executable. <<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>> ASSIST would like to thank Vic Abell and the CERT Coordination Center for information contained in this bulletin. <<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>> ASSIST is an element of the Defense Information Systems Agency (DISA), Center for Information Systems Security (CISS), that provides service to the entire DoD community. Constituents of the DoD with questions about ASSIST or computer security issues, can contact ASSIST using one of the methods listed below. Non-DoD organizations/ institutions, contact the Forum of Incident Response and Security Teams (FIRST) representative. To obtain a list of FIRST member organizations and their constituencies send an email to docserver@first.org with an empty "subject" line and a message body containing the line "send first-contacts". ASSIST Information Resources: To be included in the distribution list for the ASSIST bulletins, send your Milnet (Internet) e-mail address to assist-request@assist.mil. Back issues of ASSIST bulletins, and other security related information, are available from the ASSIST BBS at 703-607-4710, 327-4710, and through anonymous FTP from assist.mil (IP address 199.211.123.11). Note: assist.mil will only accept anonymous FTP connections from Milnet addresses that are registered with the NIC or DNS. If your system is not registered, you must provide your MILNET IP address to ASSIST before access can be provided. ASSIST Contact Information: PHONE: 800-357-4231, COMM 703-607-4700, DSN 327-4700. ELECTRONIC MAIL: assist@assist.mil. ASSIST BBS: COMM 703-607-4710, DSN 327-4710, leave a message for the "sysop". FAX: COMM 703-607-4735, DSN 607-4735 ASSIST uses Pretty Good Privacy (PGP) 2.6.2 as the digital signature mechanism for bulletins. PGP 2.6.2 incorporates the RSAREF(tm) Cryptographic Toolkit under license from RSA Data Security, Inc. A copy of that license is available via anonymous FTP from net-dist.mit.edu (IP 18.72.0.3) in the file /pub/PGP/rsalicen.txt, and through the world wide web from http://net-dist.mit.edu/pgp.html. In accordance with the terms of that license, PGP 2.6.2 may be used for non-commercial purposes only. Instructions for downloading the PGP 2.6.2 software can also be obtained from net-dist.mit.edu in the pub/PGP/README file. PGP 2.6.2 and RSAREF may be subject to the export control laws of the United States of America as implemented by the United States Department of State Office of Defense Trade Controls. The PGP signature information will be attached to the end of ASSIST bulletins. Reference herein to any specific commercial product, process, or service by trade name, trademark manufacturer, or otherwise, does not constitute or imply its endorsement, recommendation, or favoring by ASSIST. The views and opinions of authors expressed herein shall not be used for advertising or product endorsement purposes. - -----BEGIN PGP PUBLIC KEY BLOCK----- Version: 2.6 mQCNAi4uZ40AAAEEAM1uraimCNeh5PtzX7KoGxC2u8uMTdl8V5sujk3MHbWvCuOM W0FqDy5s9iwfQLZWzJ7cbM6L0mNOj8eJGoz7TqGKZDDRFlKAwg0x8joleZLC2gXw FVdF/g6Mdv7ok7heoa+Y//YMeADnsSrmzqLCnhFbKYffww3EbdH6sbnW3Io9AAUR tB9BU1NJU1QgVGVhbSA8YXNzaXN0QGFzc2lzdC5taWw+iQCVAwUQL1xx7tH6sbnW 3Io9AQEBYwP9FvIJbnKjtMLUj8ghd6hophSx8WZnfQsOmZX/BbX8vKz1a5BkBn4q ANvW+uKGdUlE8LLMEm1PD59Cihcb3OoWDOU8zIOIErvry4eqa+LzEXV8nnBdes+A a1MCMGSz+K3OaP78lQ7JCGoY9TXTWIelfAdBVBG4VQcSQRn8tjRdG2e0KEFTU0lT VCBUZWFtIDxhc3Npc3RAYXNzaXN0Lmltcy5kaXNhLm1pbD6JAJUCBRAuLnHoh0Y9 0jC+b6kBAU0TA/4yXSL7K6tcfVm9ACnP4crCoutFM2w10e7YKxD850ajhWrh6rI9 O+sjU5WObqiPJ7sZHdEw/KARzPSijH/5h8HlyYa6ClksWxYuymzCsUYYJctdjcGr uakfXgYQ1TkkyUfNrN5G90NuRK/vTRe7bkmyGNYjN9Njac1Q18WVF59Chg== =d5rP - -----END PGP PUBLIC KEY BLOCK----- -----BEGIN PGP SIGNATURE----- Version: 2.6 iQCVAwUBMIOO+tH6sbnW3Io9AQE1GwQAg/zQalm5WxRGuDADltTHRkEmkFih02dk vCppTaFH8VHLdwR3zv/gmbp1J+gb9tq/q3HqwBTEael7HwKvVgKwnAWI3rfORQTv ZZ+zr5rVzNTDjXiJhluD/odsCkBLaYeRjyg1qXWVnKYVHKQvEDvcJCRcoIgib581 1teSjcrV5eA= =0vCg -----END PGP SIGNATURE-----