*********************************************************************** DDN Security Bulletin 9011 DCA DDN Defense Communications System 3 Oct 90 Published by: DDN Security Coordination Center (SCC@NIC.DDN.MIL) (800) 235-3155 DEFENSE DATA NETWORK SECURITY BULLETIN The DDN SECURITY BULLETIN is distributed by the DDN SCC (Security Coordination Center) under DCA contract as a means of communicating information on network and host security exposures, fixes, & concerns to security & management personnel at DDN facilities. Back issues may be obtained via FTP (or Kermit) from NIC.DDN.MIL [192.67.67.20] using login="anonymous" and password="guest". The bulletin pathname is SCC:DDN-SECURITY-yynn (where "yy" is the year the bulletin is issued and "nn" is a bulletin number, e.g. SCC:DDN-SECURITY-9001). ********************************************************************** NeXT's System Software: Four Problems + - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - + ! ! ! The following important advisory was issued by the Computer ! ! Emergency Response Team (CERT) and is being relayed unedited ! ! via the Defense Communications Agency's Security Coordination ! ! Center distribution system as a means of providing DDN ! ! subscribers with useful security information. ! ! ! + - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - + ------------------------------------------------------------------------------ CA-90:06 CERT Advisory October 2, 1990 NeXT's System Software ----------------------------------------------------------------------------- This message is to alert administrators of NeXT Computers of four potentially serious security problems. The information contained in this message has been provided by David Besemer, NeXT Computer, Inc. The following describes the four security problems, NeXT's recommended solutions and the known system impact. ------------------------------------------------------------------------------ Problem #1 DESCRIPTION: On Release 1.0 and 1.0a a script exists in /usr/etc/restore0.9 that is a setuid shell script. The existence of this script is a potential security problem. Problem #1 IMPACT: The script is only needed during the installation process and isn't needed for normal usage. It is possible for any logged in user to gain root access. Problem #1 SOLUTION: NeXT owners running Release 1.0 or 1.0a should remove /usr/etc/restore0.9 from all disks. This file is installed by the "BuildDisk" application, so it should be removed from all systems built with the standard release disk, as well as from the standard release disk itself (which will prevent the file from being installed on systems built with the standard release disk in the future). You must be root to remove this script, and the command that will remove the script is the following: # /bin/rm /usr/etc/restore0.9 --- Problem #2 DESCRIPTION: On NeXT computers running Release 1.0 or 1.0a that also have publicly accessible printers, users can gain extra permissions via a combination of bugs. Problem #2 IMPACT: Computer intruders are able to exploit this security problem to gain access to the system. Intruders, local users and remote users are able to gain root access. Problem #2 SOLUTION: NeXT computer owners running Release 1.0 or 1.0a should do two things to fix a potential security problem. First, the binary /usr/lib/NextPrinter/npd must be replaced with a more secure version. This more secure version of npd is available through your NeXT support center. Upon receiving a copy of the more secure npd, you must become root and install it in place of the old one in /usr/lib/NextPrinter/npd. The new npd binary needs to be installed with the same permission bits (6755) and owner (root) as the old npd binary. The commands to install the new npd binary are the following: # /bin/mv /usr/lib/NextPrinter/npd /usr/lib/NextPrinter/npd.old # /bin/mv newnpd /usr/lib/NextPrinter/npd (In the above command, "newnpd" is the npd binary that you obtained from your NeXT support center.) # /etc/chown root /usr/lib/NextPrinter/npd # /etc/chmod 6755 /usr/lib/NextPrinter/npd The second half of the fix to this potential problem is to change the permissions of directories on the system that are currently owned and able to be written by group "wheel". The command that will remove write permission for directories owned and writable by group "wheel" is below. This command is all one line, and should be run as root. # find / -group wheel ! -type l -perm -20 ! -perm -2 -ls -exec chmod g-w {} \; -o -fstype nfs -prune --- Problem #3 DESCRIPTION: On NeXT computers running any release of the system software, public access to the window server may be a potential security problem. The default in Release 1.0 or 1.0a is correctly set so that public access to the window server is not available. It is possible, when upgrading from a prior release, that the old configuration files will be reused. These old configuration files could possibly enable public access to the window server. Problem #3 IMPACT: This security problem will enable an intruder to gain access to the system. Problem #3 SOLUTION: If public access isn't needed, it should be disabled. 1. Launch the Preferences application, which is located in /NextApps 2. Select the UNIX panel by pressing the button with the UNIX certificate on it. 3. If the box next to Public Window Server contains a check, click on the box to remove the check. --- Problem #4 DESCRIPTION: On NeXT computers running any release of the system software, the "BuildDisk" application is executable by all users. Problem #4 IMPACT: Allows a user to gain root access. Problem #4 SOLUTION: Change the permissions on the "BuildDisk" application allowing only root to execute it. This can be accomplished with the command: # chmod 4700 /NextApps/BuildDisk To remove "BuildDisk" from the default icon dock for new users, do the following: 1. Create a new user account using the UserManager application. 2. Log into the machine as that new user. 3. Remove the BuildDisk application from the Application Dock by dragging it out. 4. Log out of the new account and log back in as root. 5. Copy the file in ~newuser/.NeXT/.dock to /usr/template/user/.NeXT/.dock (where ~newuser is the home directory of the new user account) 6. Set the protections appropriately using the following command: # chmod 555 /usr/template/user/.NeXT/.dock 7. If you wish, with UserManager, remove the user account that you created in step 1. In release 2.0, the BuildDisk application will prompt for the root password if it is run by a normal user. ----------------------------------------------------------------------------- CONTACT INFORMATION For further questions, please contact your NeXT support center. NeXT has also reported that these potential problems have been fixed in NeXT's Release 2.0, which will be available in November, 1990. Thanks to Corey Satten and Scott Dickson for discovering, documenting, and helping resolve these problems. ----------------------------------------------------------------------------- Edward DeHart Computer Emergency Response Team/Coordination Center (CERT/CC) Software Engineering Institute Carnegie Mellon University Pittsburgh, PA 15213-3890 Internet E-mail: cert@cert.sei.cmu.edu Telephone: 412-268-7090 24-hour hotline: CERT personnel answer 7:30a.m.-6:00p.m. EST, on call for emergencies other hours. Past advisories and other information are available for anonymous ftp from cert.sei.cmu.edu (128.237.253.5).