**************************************************************************
Security Bulletin 9608 DISA Defense Communications System
March 14, 1996 Published by: DISN Security Coordination Center
(SCC@NIC.DDN.MIL) 1-(800) 365-3642
DEFENSE INFORMATION SYSTEM NETWORK
SECURITY BULLETIN
The DISN SECURITY BULLETIN is distributed by the DISN SCC (Security
Coordination Center) under DISA contract as a means of communicating
information on network and host security exposures, fixes, and concerns
to security and management personnel at DISN facilities. Back issues may
be obtained via FTP (or Kermit) from NIC.DDN.MIL [192.112.36.5]
using login="anonymous" and password="guest". The bulletin pathname is
scc/sec-yynn (where "yy" is the year the bulletin is issued
and "nn" is a bulletin number, e.g. scc/sec-9544.txt). These are also
available at our WWW site, http://nic.ddn.mil.
**************************************************************************
+ - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - +
! !
! The following important advisory was issued by the Automated !
! Systems Security Incident Support Team (ASSIST) and is being !
! relayed unedited via the Defense Information Systems Agency's !
! Security Coordination Center distribution system as a means !
! of providing DISN subscribers with useful security information. !
! !
+ - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - +
-----BEGIN PGP SIGNED MESSAGE-----
<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>
Automated Systems Security Incident Support Team
_____
___ ___ _____ ___ _____ | /
/\ / \ / \ | / \ | | / Integritas
/ \ \___ \___ | \___ | | < et
/____\ \ \ | \ | | \ Celeritas
/ \ \___/ \___/ __|__ \___/ | |_____\
<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>
Bulletin 96-07
Release date: March 13, 1996 6:30 PM EST (GMT -5)
SUBJECT: Common Gateway Interface Vulnerability
SUMMARY: Some C-language based Common Gateway Interface programs
that call a shell to execute other programs can be tricked into
executing any arbitrary command. This vulnerability is contained
in ancillary, example software distributed with NCSA HTTPD and
Apache HTTPD. Many World Wide Web sites have been built using
these programs and hence may be vulnerable.
******************************************************************
THIS IS NOT AN HTTPD SERVER PROGRAM VULNERABILITY.
Commercial HTTPD server products developed and sold by Netscape
Communications Corporation, and IBM do not include this sample code on
their distribution media. If you have purchased one of these products
and have not installed any programs other than those on the
distribution media, you are not vulnerable to this problem. Note,
however, that if you previously had NCSA HTTPD or Apache HTTPD
installed, you may have remnants of the installation left over which
may be vulnerable.
If you have purchased another commercial HTTPD server product, you
may wish to contact your vendor to see if any action is necessary.
********************************************************************
BACKGROUND:
A. Background Information
Any CGI program built using the sample code
distributed with NCSA HTTPD Version 1.5A-Export and earlier or
Apache HTTPD Version 1.0.3 and earlier that accepts input from
the user and passes that input as arguments to a shell command
is subject to this vulnerability.
B. Vulnerability Details
NCSA HTTPD and Apache HTTPD, two of the most popular freely-
available World Wide Web server implementations, come with
several CGI programs that are compiled by the default build
procedure. These programs, because they are meant to serve as
examples, are frequently installed at a site even if they are not
being used. Furthermore, because the source code for these
programs is meant to be an example of how to implement CGI
programs, it is frequently copied into other CGI programs as well.
One of the utility functions offered by the CGI example source
code is called escape_shell_cmd(). It is intended to help
programmers avoid the vulnerability described above. This
function, when given an input string received from the user,
scans the string for characters that have special meaning to the
UNIX shell, and inserts escapes in front of these characters
to remove their special meaning. However, the list of
special characters is incomplete.
The CGI example source code also includes a program called
"phf," which implements a form-based interface to a local CCSO
Name Server. (The CCSO Name Server is a white pages service used
for looking up name and address information about people.) The
"phf" demonstration program uses the escape_shell_cmd() function
to check its inputs, and is thus vulnerable to attack as
described above.
Any World Wide Web server host that has been configured to allow
access to and execution of Common Gateway Interface programs and
1. Has installed the "phf" program from the NCSA HTTPD
distribution or the Apache HTTPD distribution in a CGI-BIN
directory (even if the program is not being used)
and/or
2. Has installed programs that are using the escape_shell_cmd() function
contained in the sample CGI-BIN source code distributed with
NCSA HTTPD or Apache HTTPD
and/or
3. Has installed CGI programs that do not adequately check their
inputs for the special characters listed above (including newline)
before passing these inputs to a shell command
is vulnerable to attack in this manner.
IMPACT: Many World Wide Web sites have been built using the CGI
programs in question. Therefore, the potential security exposure
may be widespread.
An attacker who knows how to exercise this vulnerability may have
the ability to:
A. Execute arbitrary commands on the server host using the same
user-id as the user running the "httpd" server. If "httpd" is
being run as "root," the attacker's commands are also run as
"root."
B. Access any file on the system that is accessible to the
user-id that is running the "httpd" server. If the "httpd"
server user-id has read access to the file, the attacker can
also read the file. If the "httpd" server user-id has write
access to the file, the attacker can change or destroy the
contents of the file. If the "httpd" server is being run as
"root," the attacker can read, modify, or destroy any file on
the server host.
RECOMMENDED SOLUTIONS:
A. Suggested actions
The ASSIST team recommends that you consider taking the
following actions (subject to any licensing restrictions
that may apply to your copies of the programs):
1. If you have installed the "phf" program from the NCSA or
Apache HTTPD binary or source distributions and are not using it,
REMOVE it or use the Monitoring script below (See Section B).
2. If you have installed the "phf" program from the NCSA or
Apache HTTPD source distributions and are using it, apply one of
the patches below, rebuild the "phf" program, and install the new
version.
3. If you have installed the "phf" program from the NCSA or
Apache HTTPD binary distributions and are using it, obtain the
NCSA or Apache source distributions:
NCSA:
ftp://ftp.ncsa.uiuc.edu/Web/httpd/Unix/ncsa_httpd/
httpd_1.5/httpd_1.5a-export_source.tar.Z
Apache:
ftp://ftp.apache.org/apache/dist/apache_1.0.3.tar.gz
Then apply one of the patches below, rebuild the "phf" program,
and install the new version.
4. If you have installed other C-language CGI programs obtained
from the Internet or elsewhere and have the source code for
these programs, examine them closely and make sure that they are
properly checking their inputs before passing them to a shell.
If these programs are using the escape_shell_cmd() function from
the NCSA or Apache distributions, the patches below can be
adapted to these programs.
5. If you have developed your own C-language CGI programs using
the sample code contained in the NCSA or Apache distributions,
adapt the patches below to your code, rebuild these programs,
and install the new versions.
6. If you have purchased CGI programs from third-party vendors,
contact your vendor to determine whether or not these programs
contain this vulnerability.
7. If you are running your "httpd" server as "root," seriously consider
running it as an unprivileged user instead.
B. Script to Monitor Unauthorized Use of the Phf Program
The following script will monitor the usage of the cgi-bin phf
program. It will give a small response to the person trying
to use it and will notify you (or whomever's e-mail address
you designate) of the fact that it was tried.
#!/bin/sh
# Provided by NAVCIRT
# Basically modified cgi-test to be a phf replacement
# navcirt@fiwc.navy.mil
# Set this path to mail for your system
MAIL=/bin/mail
echo Content-type: text/html
echo
# This is sort of what the phf would return
echo '
Query Results
'
echo ''
echo "/usr/local/bin/ph -m"
echo '
'
echo '
'
FILE=/tmp/$$
echo argc is $#. argv is "$*". >>$FILE
echo >>$FILE
echo SERVER_SOFTWARE = $SERVER_SOFTWARE >>$FILE
echo SERVER_NAME = $SERVER_NAME >>$FILE
echo GATEWAY_INTERFACE = $GATEWAY_INTERFACE >>$FILE
echo SERVER_PROTOCOL = $SERVER_PROTOCOL >>$FILE
echo SERVER_PORT = $SERVER_PORT >>$FILE
echo REQUEST_METHOD = $REQUEST_METHOD >>$FILE
echo HTTP_ACCEPT = "$HTTP_ACCEPT" >>$FILE
echo PATH_INFO = "$PATH_INFO" >>$FILE
echo PATH_TRANSLATED = "$PATH_TRANSLATED" >>$FILE
echo SCRIPT_NAME = "$SCRIPT_NAME" >>$FILE
echo QUERY_STRING = "$QUERY_STRING" >>$FILE
echo REMOTE_HOST = $REMOTE_HOST >>$FILE
echo REMOTE_ADDR = $REMOTE_ADDR >>$FILE
echo REMOTE_USER = $REMOTE_USER >>$FILE
echo AUTH_TYPE = $AUTH_TYPE >>$FILE
echo CONTENT_TYPE = $CONTENT_TYPE >>$FILE
echo CONTENT_LENGTH = $CONTENT_LENGTH >>$FILE
# Replace the with the complete mail address
# of the Local WWW Administrator.
$MAIL -s "phf hacker" <$FILE
/bin/rm $FILE
exit 0
C. Patch for escape_shell_cmd()
The escape_shell_cmd() function is contained in the "util.c"
file in the "cgi-src" directory of the NCSA HTTPD and Apache
HTTPD source distributions.
The patch below can be applied to the NCSA version of
"util.c" to fix this vulnerability:
- ---------------------------------- cut here ---------------------
*** httpd_1.5a-export/cgi-src/util.c.old Tue Nov 14 11:38:40 1995
- --- httpd_1.5a-export/cgi-src/util.c Thu Feb 22 20:37:07 1996
***************
*** 139,145 ****
l=strlen(cmd);
for(x=0;cmd[x];x++) {
! if(ind("&;`'\"|*?~<>^()[]{}$\\",cmd[x]) != -1){
for(y=l+1;y>x;y--)
cmd[y] = cmd[y-1];
l++; /* length has been increased */
- --- 139,145 ----
l=strlen(cmd);
for(x=0;cmd[x];x++) {
! if(ind("&;`'\"|*?~<>^()[]{}$\\\n",cmd[x]) != -1){
for(y=l+1;y>x;y--)
cmd[y] = cmd[y-1];
l++; /* length has been increased */
- ---------------------------------- cut here ----------------------
The patch below can be applied to the Apache version of
"util.c" to fix this vulnerability:
- ---------------------------------- cut here --------------------
*** apache_1.0.3/cgi-src/util.c.old Sat Feb 17 03:32:14 1996
- --- apache_1.0.3/cgi-src/util.c Fri Feb 23 10:48:43 1996
***************
*** 135,141 ****
l=strlen(cmd);
for(x=0;cmd[x];x++) {
! if(ind("&;`'\"|*?~<>^()[]{}$\\",cmd[x]) != -1){
for(y=l+1;y>x;y--)
cmd[y] = cmd[y-1];
l++; /* length has been increased */
- --- 135,141 ----
l=strlen(cmd);
for(x=0;cmd[x];x++) {
! if(ind("&;`'\"|*?~<>^()[]{}$\\\n",cmd[x]) != -1){
for(y=l+1;y>x;y--)
cmd[y] = cmd[y-1];
l++; /* length has been increased */
- ---------------------------------- cut here ----------------------
To apply the patch, save the text between the two
"-- cut here --" lines in a file, change directories to your
source tree (the directory that contains "httpd_1.5a-export"
or "apache_1.0.3" as a subdirectory) and issue the command:
patch < filename
If you do not have the "patch" program, you can obtain it from
ftp://prep.ai.mit.edu/pub/gnu/patch-2.1.tar.gz
or you can apply the patch by hand.
This fix is provied "AS IS" without warranty of any kind,
including, without limitation, any implied warranties of
merchantibility or fitness for a particular purpose. This
advisory does not create or imply any support obligations or
any other liability on the part of IBM or its subsidiaries.
D. Pending fix from NCSA
NCSA states that they have fixed this problem in HTTPD
Version 1.5.1, which is currently in the beta-testing stage.
You can obtain NCSA HTTPD 1.5.1 Beta 3 from
http://hoohoo.ncsa.uiuc.edu/beta-1.5/
if you wish to experiment with it. However, NCSA warns that
this is NOT a stable version of the server.
E. Pending fix from Apache
The Apache Project is aware of this problem, and states that
they plan to provide a fix for it in Apache HTTPD Version 1.1,
which is scheduled for release in early March. For more
information about the pending release of Apache HTTPD Version
1.1, see the Apache Project home page at
http://www.apache.org/
F. A second potential vulnerability
When examining your CGI programs that make use of the
escape_shell_cmd() function, note that escape_shell_cmd()
does not perform any check on the length of the buffer that
is passed. Because each character in the buffer has the
potential to be escaped with a backslash, the resulting
string can be up to twice as long as the original.
Any buffer that is passed into this function should be at
least (2n+1) bytes in size, where n is the length of the
unescaped string.
Programs that do not adhere to this requirement are
vulnerable to buffer overrun attacks, much like those
used successfully by the Internet worm against the finger
daemon, as well as in several more recent attacks against
other programs.
G. Additional information
If you have enabled the Common Gateway Interface in your
server, even if you are not yet actively using it, ASSIST
recommends that you learn as much as possible about the
security issues involved. We have provided URLs for some
good sources of information on this topic below:
CGI Security
------------
http://hoohoo.ncsa.uiuc.edu/cgi/security.html
http://www.cerf.net/~paulp/cgi-security/
WWW Security (Including CGI)
----------------------------
http://www-genome.wi.mit.edu/WWW/faqs/www-security-faq.html
H. When analyzing your http server for this vulnerability,
search the access_log for references to the phf program.
This will help to identify if the vulnerability was exploited
on your system. Please contact ASSIST or your service
response team if you find your system was exploited.
<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>
ASSIST would like to thank the IBM Global I/T Security
Consulting Group, the IBM Global Security Analysis Laboratory
at the IBM T. J. Watson Research Center, and NAVCIRT for
information contained in this bulletin.
<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>
ASSIST is an element of the Defense Information Systems Agency
(DISA), and provides service to the entire DoD community.
Constituents of the DoD with questions about ASSIST or computer
security issues, can contact ASSIST using one of the methods listed
below. Non-DoD organizations/institutions, contact the Forum of
Incident Response and Security Teams (FIRST) representative. To
obtain a list of FIRST member organizations and their constituencies
send an email to docserver@first.org with an empty "subject" line
and a message body containing the line "send first-contacts".
ASSIST Information Resources: To be included in the distribution
list for the ASSIST bulletins, send your Milnet (Internet) e-mail
address to assist-request@assist.mil. Back issues of ASSIST
bulletins, and other security related information, are available
from the ASSIST BBS at 703-607-4710, 327-4710, and through anonymous
FTP from ftp.assist.mil (IP address 199.211.123.12).
Note: ftp.assist.mil will only accept anonymous FTP connections
from Milnet addresses that are registered with the NIC or DNS.
If your system is not registered, you must provide your MILNET
IP address to ASSIST before access can be provided.
ASSIST Contact Information:
PHONE: 800-357-4231, COMM 703-607-4700, DSN 327-4700.
ELECTRONIC MAIL: assist@assist.mil.
ASSIST BBS: COMM 703-607-4710, DSN 327-4710, leave a message for
the "sysop".
FAX: COMM 703-607-4735, DSN 607-4735
ASSIST uses Pretty Good Privacy (PGP) 2.6.2 as the digital
signature mechanism for bulletins. PGP 2.6.2 incorporates the
RSAREF(tm) Cryptographic Toolkit under license from RSA Data
Security, Inc. A copy of that license is available via anonymous
FTP from net-dist.mit.edu (IP 18.72.0.3) in the file
/pub/PGP/rsalicen.txt, and through the world wide web from
http://net-dist.mit.edu/pgp.html. In accordance with the terms
of that license, PGP 2.6.2 may be used for non-commercial
purposes only. Instructions for downloading the PGP 2.6.2
software can also be obtained from net-dist.mit.edu in the
pub/PGP/README file. PGP 2.6.2 and RSAREF may be subject to the
export control laws of the United States of America as
implemented by the United States Department of State Office of
Defense Trade Controls. The PGP signature information will be
attached to the end of ASSIST bulletins.
Reference herein to any specific commercial product, process, or
service by trade name, trademark manufacturer, or otherwise, does
not constitute or imply its endorsement, recommendation, or
favoring by ASSIST. The views and opinions of authors expressed
herein shall not be used for advertising or product endorsement
purposes.
- -----BEGIN PGP PUBLIC KEY BLOCK-----
Version: 2.6
mQCNAi4uZ40AAAEEAM1uraimCNeh5PtzX7KoGxC2u8uMTdl8V5sujk3MHbWvCuOM
W0FqDy5s9iwfQLZWzJ7cbM6L0mNOj8eJGoz7TqGKZDDRFlKAwg0x8joleZLC2gXw
FVdF/g6Mdv7ok7heoa+Y//YMeADnsSrmzqLCnhFbKYffww3EbdH6sbnW3Io9AAUR
tB9BU1NJU1QgVGVhbSA8YXNzaXN0QGFzc2lzdC5taWw+iQCVAwUQMJVF1JtBJ/Qs
yeedAQFnqgQAp1rw7ONT41Mr3gHGs2aVpEwgOH6SeJ9sHZxUp4dJu+ogRMFrqdC+
+NBfzitzj9m1udFVDHpwsGawbv6wg43DDAKaTgIETCHYXa/OM5/9FCS3xJwC99Gb
V1iOm8S/Q9FcJruKID9DG2WUJp2yPj+CjTuBQeLjGkqGjuSOR1TNXQiJAJUDBRAw
lUPuYKf6jFkmJQkBAWg5A/9ykgo2ULWUsSzZjRkO9yPZUPAlpfH7ReaHwkapK69F
fBzqwwQ8Gig1mL+qgmOHS8Zv+OAT491sWWsECN+dfpopFdsgS4Sec19ZjcMyhL1c
BVIS9Cmbjetb6Kvfc39AMr0MRCrUlOkUd4qScjHysHFYRAwCl3STRjprNnUPKQbn
f4kAlQMFEDB482bk8movIjSrbQEB/VgD/iap/CAb1jq8wMA3QleU8d6/QUqoPzgp
jRhP0wP7K2GLVUV0d5sP4EptmzejqViZvlzt6ufnI1bML0Yt2U5loAeblnh714RX
JcOmyAah6niiJSKuhCsYUzW6f3EBzXBn5tcu3GP35h+1VQunCQCMICCfnZ0r8Wcv
EdwE9LxPYdueiQCVAwUQMHOjMwJPhGsUbeKNAQGOagQAgT5p6CwrIPpi+12yJ170
ekc3MPp8z0aNbvdCQWXTK6qtq1LmS65VeH0RE5xRponsgbWp+5JBvD22v0eGuSg7
7bnHT1HPXazPERAp8sw1zTERs7drMQE+JhHYylh3orKzHNf5EjFx10vwEXdfvGSc
sP3Vpcx2xu0lUYHp5oHtPFiJAJUDBRAwar4DFKHh5Qavqe0BAeQqA/4xd0tdq9yF
eUYrd1+ZriayzfSjCcIUlCDH1i7vXw1kiHkg2YpOoZLD9k+zNkbOyBs/r570fGHu
A23SvUcUfaBUijT1jf9YGU5MQMdpx3p5qqI4kJ0GWUNySZNtaFy0qWNH8Z8NsNp3
FWllVeisye0qe96aoizW0dAyUymlM6YYn4kAlQMFEDBqqvga2zTcAviMgQEBN8wE
AIu7O/Of4c1OvMc5tti4+gcyCVw41+fLjxQFB5EtkoW8Js6XhCsv3GcmzgCZw3g8
Sux7wxGe+lspZNV9rvv+JkDBWkA9O5HyOdmdv5JZM1UH41NettZM9Yw7kUtO7lAT
aOb4ybHlqrBwJ8/+Lig7r7PwTL847JyGa3g229pGG/uEiQCVAwUQMGpTK+glSuMP
TJd1AQE8KQP8Cu+FYuagNoBRllMIQryT9+0ngLRxJJTcTgIbLX4OPwa27JuXCukG
kUIXRWFCqkRqkM/7ImZXeuUL4PmAX07f9ygGH7BUyqefhIWkxWFDaGHJVlg3l/pS
Wh7NnC+nU6DUJNSzfwYStCABNptOcMiYaT1fY0+DkWpIgJVRTptquOWJAJUCBRAw
aHX+IlGW2WZtAFEBATkXA/40QTxVP/x3aJDgC11cvFhwT7M+qJvhGSTRJOtrFz8i
soZzihMeaQ8zLiu73dDlFz2E4f0+ettxsDcgFJADNmZ5H7WkPlf9gBUBne4KP2Y6
yIjOCMwd6T7HGm/ErF88DIJ2wn8irhzVRnBBWhnmQfSzr5a7mkjlA6GzAlFucGp3
eokAlQMFEDBpzIC58yc3bMt0GQEBgd4EAI0mE/5wXSWuBNApkALLjPAchBdeC4Kl
YF4hQkfY/4YddeIasgTmINKOc5gJWgTHxPI2xKxjTAQhIZlOxuDyXWnBuK+x2hr4
iCh5unEIH+qaqdipGwWjFq0IZEmOOJaBRxlVt2hrmY6nRMpekitFLw8dhWHgI968
WVhJpWfBg+MhiQCVAwUQMGnMcmJl+kgHVnRVAQF+nQP/XK4xmIx1SmjoN9D+vNRY
PSiKz8KEzh1Y2/5QTYA7iES8QXC4i/8HOWK7lyoL6FmWGxKYpU8isQ+DJpk0A4N0
U04JexpyFa0EeM/wsfp0YvAWesSVhV5UkDQU6hSC0U8rS1j/qtnSLZ4wXpapPSBh
82daDlxAQCVMzDoQYQZkMi+JAJUDBRAwacftBCZ9eY4KSdEBAbKGA/0VHArALL6v
d0a0x7sn4o60Bk2fFzuaCBNTNzb11OOtuu47KMOZLwrl2jv+32ysIVEOXx+puhXP
nQAgRrH0LGKV5FOY3B98AHuV+woOmfVjM2T3xB4Bs52Dz+HIIIhaWzzy3955tlp/
6UyvZnD0QFLS/bre/Pog1Lgl0pxonmILhYkAlQIFEDBpJpXAx/wW8A8EIQEBPVoD
/jwgG+7ZrWrb8/dqe6IZhSk8rq0JIHhSA2Hz1T7PhRvyDiquBJ3ulTeaX3BvuWqF
bMuLJ4CTqXw9dexDehEnhGlxYycSXVzy8a34pLnmldii8oNvI1bLWMgd4HdM/PPZ
GOgHmSIGrXMChkbddt9AoszDI0Whlbe9+wn6AeZVrJVaiQCVAgUQMGkkL2yh0IcG
ee2RAQHrTgQAvBRce0S9yBvI/ufC/1jhE3LuUoA3YDdA8+UQ+UekaslZzOEgPs4K
Za/nM9Y2vaRYscyzyIg8FGTzCdJQ2be9HZjSkB2xQuakeq88tlV32/cLcQSC8Zrw
xsnPWujbIcWYg7B0hv8cCovef/w4kC9GyhjhIzPIsQ/Cr7/TYzheK12JAJUDBRAw
Z/38o2xF3nu86kkBARanA/0XO4HBo6pT2xNCdQ7AW9UrvmTCiYUb0XVY7qCnkaPp
Sn1KjsK2nGueDMGUBzvx9zWZ0xHAS+BSNkoM61gb9455KcbDwRqw6+47O/WuX1w9
fh7egjTY0kqN6YsP/vtirOuP+Krh19w/s6cDxbEBNbJIiZofRDFRRsZcZ8E2mLCP
UIkAlQMFEDBn/EY7f8e8znZrHwEBxQwD/jP+CiwO3Nk45M5Ei++TZzdp7ak82hum
XxVXplV2G4w8DN86pfl3IV/XvU67FQXg4NKJr+wm3JknDtlKZTE5g+aKkOYK6Fqt
w3FjTd6PTDz11YRruCsdvBeYwMcHPe5XzIhgkwkMXX2Mp99q9LGKfV3087do2LNr
V/2S/atn6IuqiQCVAwUQMGW6OliXq3zaXLJBAQFLwgP/bQ1C/Ph54RlRqw9rovJo
SXp5wvQAfVqqnkL5nIIIK2uGputcmhMP8RqYKuRv4xaezkCDTeIE/P0327Ajc4//
ca4SZCojxfqtrhw3EkfZtvFLJh1tsvAkqZkgHmjJxwA+lY78lQ1ncBZ99dePpuHu
MBQew3769SkEA8kk/s5XiYqJAJUDBRAvXHHu0fqxudbcij0BAQFjA/0W8glucqO0
wtSPyCF3qGimFLHxZmd9Cw6Zlf8Ftfy8rPVrkGQGfioA29b64oZ1SUTwsswSbU8P
n0KKFxvc6hYM5TzMg4gSu+vLh6pr4vMRdXyecF16z4BrUwIwZLP4rc5o/vyVDskI
ahj1NdNYh6V8B0FUEbhVBxJBGfy2NF0bZ7QoQVNTSVNUIFRlYW0gPGFzc2lzdEBh
c3Npc3QuaW1zLmRpc2EubWlsPokAlQIFEC45Ys3KbyuD/AwC1QEBKPED/2dwnN+/
OE2iHhvGwv3jZtsm6cH+GVkpNpc0w0vQOKvVwUnLwuETSv+eryz9Fl7nL0U2tv/5
V81dXqqc5C7EvOQW1Dt9RBSjEOundYrOzsfELIMrwh1iJXsIxG7g7iil0HeKzxsQ
E/nBFwJbgP6SQaYF4wy7TPuXw+IVVddp0p1riQCVAgUQLi5x6IdGPdIwvm+pAQFN
EwP+Ml0i+yurXH1ZvQApz+HKwqLrRTNsNdHu2CsQ/OdGo4Vq4eqyPTvrI1OVjm6o
jye7GR3RMPygEcz0oox/+YfB5cmGugpZLFsWLspswrFGGCXLXY3Bq7mpH14GENU5
JMlHzazeRvdDbkSv700Xu25JshjWIzfTY2nNUNfFlRefQoY=
=8gi/
- -----END PGP PUBLIC KEY BLOCK-----
-----BEGIN PGP SIGNATURE-----
Version: 2.6
iQCVAwUBMUdUyNH6sbnW3Io9AQFBTgP+PeAe78W1Xucb4h/gfr+RHfYRYlCeR2g5
yyFWCw/G4ApkpaO2gmzCyvk6N5AHswUuYCiwakAx29o0V36JmjbWYvwRjWZdrWN4
MbRDtBag4sSD02kV1dxx9ELI3ePbM3DOQv32B68L8uB7/fRixaeyE0nYsYviYooS
bSy6UsEoJiA=
=PANG
-----END PGP SIGNATURE-----
--
_______ A S S I S T
| / Automated Systems Security Incident Support Team
| / Duty phone: +1 800 357 4231 (DSN 327 4700) 24hr
| / Integritas Commercial +1 703 607 4700 24hr
| < et 24hr pager: +1 800 791 4857
| \ Celeritas BBS: +1 703 607 4710 (DSN 327 4710)
| \ Unclass FAX: +1 703 607 4735 (DSN 327 4735)
| \ e-mail: ASSIST@ASSIST.MIL
------- Anonymous FTP: FTP.ASSIST.MIL (IP 199.211.123.12)
****************************************************************************
* *
* The point of contact for NIPRNET security-related incidents is the *
* Security Coordination Center (SCC). *
* *
* E-mail address: SCC@NIC.DDN.MIL *
* *
* Telephone: 1-(800)-365-3642 *
* *
* NIC Help Desk personnel are available from 7:00 a.m.-7:00 p.m. EST, *
* Monday through Friday except on federal holidays. *
* *
****************************************************************************
PLEASE NOTE: Some users outside of the DOD computing communities may receive
DISN Security Bulletins. If you are not part of the DOD community, please
contact your agency's incident response team to report incidents. Your
agency's team will coordinate with DOD. The Forum of Incident Response and
Security Teams (FIRST) is a world-wide organization. A list of FIRST member
organizations and their constituencies can be obtained by sending email to
docserver@first.org with an empty subject line and a message body containing
the line: send first-contacts.
This document was prepared as an service to the DOD community. Neither the
United States Government nor any of their employees, makes any warranty,
expressed or implied, or assumes any legal liability or responsibility for
the accuracy, completeness, or usefulness of any information, product, or
process disclosed, or represents that its use would not infringe privately
owned rights. Reference herein to any specific commercial products, process,
or service by trade name, trademark manufacturer, or otherwise, does not
necessarily constitute or imply its endorsement, recommendation, or favoring
by the United States Government. The opinions of the authors expressed herein
do not necessarily state or reflect those of the United States Government,
and shall not be used for advertising or product endorsement purposes.