NeXTSTEP Security Advisories

Creation Date: June 29, 1998
Keywords: NEXTSTEP

Disclaimer

This document pertains to the NeXTSTEP operating system (versions 3.2 and previous). Apple Computer no longer provides support for these products. This information is provided only as a convenience to our customers who have not yet upgraded their systems, and may not apply to OPENSTEP, WebObjects, or any other product of Apple Enterprise Software.

Introduction

This document contains the security advisories issued for NeXTSTEP versions 3.2 and previous.

NeXTSTEP 2.x Advisories

===========================================================================
CA-91:20                        CERT Advisory
                              October 22, 1991
                        /usr/ucb/rdist Vulnerability
---------------------------------------------------------------------------

The Computer Emergency Response Team/Coordination Center (CERT/CC) has received information concerning a vulnerability in /usr/ucb/rdist (the location of rdist may vary depending on the operating system). This vulnerability is present in possibly all versions of rdist.

Vendors responding with patches are listed below. Additionally, some vendors who do not include rdist in their operating systems are identified. Operating systems from vendors not listed in either of the two categories below will probably be affected and the CERT/CC has proposed a workaround for those systems.

VENDORS THAT DO NOT SHIP rdist

(Note: Even though these vendors do not ship rdist, it may have been added later (for example, by the system administrator). It is also possible that vendors porting one of these operating systems may have added rdist. In both cases corrective action must be taken.)

        Amdahl
        AT&T System V
        Data General DG/UX for AViiON Systems

VENDORS PROVIDING PATCHES

        Cray Research, Inc.
                UNICOS 6.0/6.E/6.1
                Field Alert #132, SPR 47600
                For further information contact the Support Center at 1-800-950-CRAY or 612-683-5600 or e-mail support@crayamid.cray.com.

        NeXT Computer, Inc.
                NeXTstep Release 2.x
                A new version of rdist may be obtained from your authorized NeXT Support Center. If you are an authorized support center, please contact NeXT through your normal channels. NeXT also plans to make this new version of rdist available on the public NeXT FTP archives.

        Silicon Graphics
                IRIX 3.3.x/4.0 (fixed in 4.0.1)
                Patches may be obtained via anonymous ftp from sgi.com in the sgi/rdist directory.

        Sun Microsystems, Inc.
                SunOS 4.0.3/4.1/4.1.1
                Patch ID 100383-02
                Patches may be obtained via anonymous ftp from ftp.uu.net or from local Sun Answer Centers worldwide.

The CERT/CC is hopeful that other patches will be forthcoming. We will be maintaining a status file, rdist-patch-status, on the cert.org system. We will add patch availability information to this file as it becomes known. The file is available via anonymous ftp to cert.org and is found in pub/cert_advisories/rdist-patch-status.

All trademarks are the property of their respective holders.

---------------------------------------------------------------------------

I. Description

A security vulnerability exists in /usr/ucb/rdist that can be used to gain unauthorized privileges. Under some circumstances /usr/ucb/rdist can be used to create setuid root programs.

II. Impact

Any user logged into the system can gain root access.

III. Solution

A. If available, install the appropriate patch provided by your operating system vendor.

B. If no patch is available, restrict the use of /usr/ucb/rdist by changing the permissions on the file.

        # chmod 711 /usr/ucb/rdist

---------------------------------------------------------------------------

The CERT/CC wishes to thank Casper Dik of the University of Amsterdam, The Netherlands, for bringing this vulnerability to our attention. We would also like to thank the vendors who have responded to this problem.
---------------------------------------------------------------------------

If you believe that your system has been compromised, contact CERT/CC via telephone or e-mail.

Computer Emergency Response Team/Coordination Center (CERT/CC)
Software Engineering Institute
Carnegie Mellon University
Pittsburgh, PA 15213-3890

Internet E-mail: cert@cert.org
Telephone: 412-268-7090 24-hour hotline:
        CERT/CC personnel answer 7:30a.m.-6:00p.m. EST(GMT-5)/EDT(GMT-4), on call for emergencies during other hours.

Past advisories and other computer security related information are available for anonymous ftp from the cert.org (192.88.209.5) system.

===========================================================================
CA-91:06                        CERT Advisory
                                May 14, 1991
            NeXT rexd, /private/etc, Username me Vulnerabilities
---------------------------------------------------------------------------

The Computer Emergency Response Team/Coordination Center (CERT/CC) and NeXT Computer, Inc. have received information concerning three vulnerabilities in NeXT computers running various releases (see below) of NeXTstep software.

For more information, please contact your authorized support center. If you are an authorized support provider, please contact NeXT through your normal channels.

---------------------------------------------------------------------------

Problem 1 DESCRIPTION:

By default, rexd(8C) is enabled in NeXTstep versions 2.0 and 2.1. (Note that no NeXT software uses rexd.)

Problem 1 IMPACT:

Leaving rexd enabled allows remote users to execute processes on a NeXT computer.

Problem 1 SOLUTION:

Comment out or remove the rexd line in /etc/inetd.conf (unless you're using the remote execution facility), and either restart the computer or cause inetd to re-read its configuration file, using:

        kill -HUP

Problem 2 DESCRIPTION:

The /private/etc directory is shipped with group write permission enabled in all NeXTstep versions through and including 2.1.
Problem 2 IMPACT:

Group write permission in /private/etc enables any user in the "wheel" group to modify files in the /private/etc directory.

Problem 2 SOLUTION:

Turn off group write permission for the /private/etc directory, using the command:

        chmod g-w /private/etc

or the equivalent operations from the Workspace Manager's Inspector panel.

Problem 3 DESCRIPTION:

Username "me" is a member of the "wheel" group in all NeXTstep versions through and including 2.1.

Problem 3 IMPACT:

Having username "me" in the "wheel" group enables "me" to use the su(8) command to become root (the user must still know the root password, however).

Problem 3 SOLUTION:

Unless you have specific reason(s) not to, remove the user "me" from the wheel group.

---------------------------------------------------------------------------

The CERT/CC would like to thank NeXT Computer, Inc. for their response to this vulnerability. CERT/CC would also like to thank Fuat Baran for his technical assistance.

---------------------------------------------------------------------------

If you believe that your system has been compromised, contact CERT/CC via telephone or e-mail.

Computer Emergency Response Team/Coordination Center (CERT/CC)
Software Engineering Institute
Carnegie Mellon University
Pittsburgh, PA 15213-3890

Internet E-mail: cert@cert.org
Telephone: 412-268-7090 24-hour hotline:
        CERT/CC personnel answer 7:30a.m.-6:00p.m. EST, on call for emergencies during other hours.

Past advisories and other computer security related information are available for anonymous ftp from the cert.org (192.88.209.5) system.

===========================================================================
CA-91:12                        CERT Advisory
                               August 22, 1991
                 Trusted Hosts Configuration Vulnerability
---------------------------------------------------------------------------

The Computer Emergency Response Team/Coordination Center (CERT/CC) has received information concerning a vulnerability in the configuration of several system files.
This advisory discusses a workaround since there are no permanent patches available at this time. This vulnerability is present in a very large number of UNIX-based operating systems. Therefore, we recommend that ALL sites take the corrective actions listed below.

---------------------------------------------------------------------------

I. DESCRIPTION:

The presence of a '-' as the first character in /etc/hosts.equiv, /etc/hosts.lpd and .rhosts files may allow unauthorized access to the system.

II. IMPACT:

Remote users can gain unauthorized root access to the system.

III. SOLUTION:

Rearrange the order of entries in the hosts.equiv, hosts.lpd, and .rhosts files so that the first line does not contain a leading '-' character.

Remove hosts.equiv, hosts.lpd, and .rhosts files containing only entries beginning with a '-' character.

.rhosts files in ALL accounts, including root, bin, sys, news, etc., should be examined and modified as required. .rhosts files that are not needed should be removed.

Please note that the CERT/CC strongly cautions sites about the use of hosts.equiv and .rhosts files. We suggest that they NOT be used unless absolutely necessary.

---------------------------------------------------------------------------

The CERT/CC wishes to thank Alan Marcum, NeXT Computer, for bringing this security vulnerability to our attention. We would also like to thank CIAC for their assistance in testing this vulnerability.

---------------------------------------------------------------------------

If you believe that your system has been compromised, contact CERT/CC via telephone or e-mail.

Computer Emergency Response Team/Coordination Center (CERT/CC)
Software Engineering Institute
Carnegie Mellon University
Pittsburgh, PA 15213-3890

Internet E-mail: cert@cert.org
Telephone: 412-268-7090 24-hour hotline:
        CERT/CC personnel answer 7:30a.m.-6:00p.m. EST, on call for emergencies during other hours.
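An added audit script for the two conditions CA-91:12 describes (this is not part of the CERT advisory): it classifies every hosts.equiv, hosts.lpd and .rhosts file found under a directory tree, so files that need reordering or removal stand out. It assumes that blank lines are not entries, and it runs against a constructed sample tree rather than real system files.

```shell
#!/bin/sh
# Added example, not from the CERT advisory: audit hosts.equiv, hosts.lpd
# and .rhosts files for a leading '-' entry, as CA-91:12 describes.
# Assumption: blank lines are not entries; every other line is one entry.

# classify_trusted_hosts_file FILE
# Echoes one word: OK, LEADING_DASH (first entry starts with '-', reorder
# the file), ONLY_DASH (every entry starts with '-', remove the file) or
# EMPTY (no entries at all).
classify_trusted_hosts_file() {
    _first=""
    _entries=0
    _dashed=0
    while IFS= read -r line || [ -n "$line" ]; do
        if [ -z "$line" ]; then
            continue
        fi
        _entries=$((_entries + 1))
        if [ "$_entries" -eq 1 ]; then
            _first=$line
        fi
        case "$line" in
            -*) _dashed=$((_dashed + 1)) ;;
        esac
    done < "$1"

    if [ "$_entries" -eq 0 ]; then
        echo EMPTY
    elif [ "$_dashed" -eq "$_entries" ]; then
        echo ONLY_DASH
    else
        case "$_first" in
            -*) echo LEADING_DASH ;;
            *)  echo OK ;;
        esac
    fi
}

# audit_trusted_hosts ROOT
# Finds every hosts.equiv, hosts.lpd and .rhosts file under ROOT (root's
# and system accounts' homes included) and prints "path: CLASS" per file.
audit_trusted_hosts() {
    find "$1" -type f \( -name hosts.equiv -o -name hosts.lpd -o -name .rhosts \) |
        sort |
        while IFS= read -r f; do
            printf '%s: %s\n' "$f" "$(classify_trusted_hosts_file "$f")"
        done
}

# Constructed sample tree (not real system files) exercising each class.
SAMPLE_ROOT=$(mktemp -d)
mkdir -p "$SAMPLE_ROOT/etc" "$SAMPLE_ROOT/root" \
         "$SAMPLE_ROOT/home/jdoe" "$SAMPLE_ROOT/home/news"
printf '%s\n' '-badhost' hosta hostb > "$SAMPLE_ROOT/etc/hosts.equiv"   # LEADING_DASH
printf '%s\n' hosta hostb            > "$SAMPLE_ROOT/etc/hosts.lpd"     # OK
printf '%s\n' '-hostx' '-hosty'      > "$SAMPLE_ROOT/root/.rhosts"      # ONLY_DASH
printf '%s\n' 'hosta jdoe'           > "$SAMPLE_ROOT/home/jdoe/.rhosts" # OK
: > "$SAMPLE_ROOT/home/news/.rhosts"                                    # EMPTY

audit_trusted_hosts "$SAMPLE_ROOT"
```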
Past advisories and other computer security related information are available for anonymous ftp from the cert.org (192.88.209.5) system.

===========================================================================
CA-92:01                        CERT Advisory
                              January 20, 1992
                   NeXTstep Configuration Vulnerability
---------------------------------------------------------------------------

The Computer Emergency Response Team/Coordination Center (CERT/CC) has received information concerning a vulnerability in release 2 of NeXTstep's NetInfo default configuration. This vulnerability will be corrected in future versions of NeXTstep.

---------------------------------------------------------------------------

I. Description

By default, a NetInfo server process will provide information to any machine that requests it.

II. Impact

Remote users can gain unauthorized access to the network's administrative information such as the passwd file.

III. Solution

Ensure that the trusted_networks property of each NetInfo domain's root NetInfo directory is set correctly, so that only those systems which should be obtaining information from NetInfo are granted access. The value for the trusted_networks property should be the network numbers of the networks the server should trust. Note that improperly setting trusted_networks can render your network unusable.

Consult Chapter 16, "Security", of the "NeXT Network and System Administration" manual for release 2 for details on setting the trusted_networks property of the root NetInfo directory.

---------------------------------------------------------------------------

The CERT/CC wishes to thank NeXT Computer, Inc. for their cooperation in documenting and publicizing this security vulnerability.

---------------------------------------------------------------------------

If you believe that your system has been compromised, contact CERT/CC via telephone or e-mail.
Internet E-mail: cert@cert.org
Telephone: 412-268-7090 (24-hour hotline)
        CERT/CC personnel answer 7:30a.m.-6:00p.m. EST(GMT-5)/EDT(GMT-4), on call for emergencies during other hours.

Computer Emergency Response Team/Coordination Center (CERT/CC)
Software Engineering Institute
Carnegie Mellon University
Pittsburgh, PA 15213-3890

Past advisories and other information related to computer security are available for anonymous ftp from the cert.org (192.88.209.5) system.

NeXTSTEP 3.x Advisories

=============================================================================
CA-93:02a                       CERT Advisory
                              January 21, 1993
    REVISION NOTICE: New Patch for NeXT NetInfo "_writers" Vulnerabilities
-----------------------------------------------------------------------------

                   *** THIS IS A REVISED CERT ADVISORY ***
                   ***   IT CONTAINS NEW INFORMATION   ***

The CERT Coordination Center has received updated information from NeXT Computer, Inc. concerning vulnerabilities in the distributed printing facility of NeXT computers running all releases of NeXTSTEP software through NeXTSTEP Release 3.0. The online patch described in CERT Advisory CA-93:02 has been replaced with a new patch. The size and checksum information in this Advisory have been updated to reflect the new online patch.

For more information, please contact your authorized support center. If you are an authorized support provider, please contact NeXT through your normal channels.

-----------------------------------------------------------------------------

I. Description

The default NetInfo "_writers" properties are configured to allow users to install printers and FAX modems and to export them to the network without requiring assistance from the system administrator. They also allow a user to configure other parts of the system, such as monitor screens, without requiring help from the system administrator. Vulnerabilities exist in this facility that could allow users to gain unauthorized privileges on the system.

II. Impact

In the case of the "/printers" and the "/fax_modems" directories, the "_writers" property can permit users to obtain unauthorized root access to a system. In the "/localconfig/screens" directory, the "_writers" property can potentially permit a user to deny normal login access to other users.

III. Solution

To close the vulnerabilities, remove the "_writers" properties from the "/printers", "/fax_modems", and "/localconfig/screens" directories in all NetInfo domains on the network, and from all immediate subdirectories of all "/printers", "/fax_modems", and "/localconfig/screens" directories.

The "_writers" properties may be removed using any one of the following three methods:

A. As root, use the "niutil" command-line utility. For example, to remove the "_writers" property from the "/printers" directory:

        # /usr/bin/niutil -destroyprop . /printers _writers

B. Alternatively, use the NetInfoManager application: open the desired domain, open the appropriate directory, select the "_writers" property, choose the "Delete" command [Cmd-r] from the "Edit" menu, and save the directory.

C. To assist system administrators in editing their NetInfo domains, a shell script, "writersfix", is available via anonymous FTP from next.com (129.18.1.2):

        Filename                                   Size    Checksum
        --------                                   ----    --------
        pub/Misc/Utilities/WritersFix.compressed   5600    25625 6

After transferring this file using BINARY transfer type, double-click on the file. A "WritersFix" directory will be created in your file system, containing the script ("writersfix") and some documentation ("WritersFix.rtf").

Consider removing "_writers" from other NetInfo directories as well (for example, "/locations"), noting the following trade-off between ease-of-use and security. By removing the "_writers" properties, the network and the computers on the network become more secure, but a system administrator's assistance is required where it previously was not required.
Please refer to the NeXTSTEP Network and System Administration manual for additional information on "_writers".

Note that the subdirectories of the "/users" directory have "_writers_passwd" set to the user whose account is described by the directory. This is essential if users are to be able to change their own passwords, and this does not compromise system security.

-----------------------------------------------------------------------------

The CERT Coordination Center wishes to thank Alan Marcum and Eric Larson of NeXT Computer, Inc. for notifying us about the existence of these vulnerabilities and for providing appropriate technical information.

-----------------------------------------------------------------------------

If you believe that your system has been compromised, contact the CERT Coordination Center or your representative in FIRST (Forum of Incident Response and Security Teams).

Internet E-mail: cert@cert.org
Telephone: 412-268-7090 (24-hour hotline)
        CERT personnel answer 7:30 a.m.-6:00 p.m. EST(GMT-5)/EDT(GMT-4), on call for emergencies during other hours.

CERT Coordination Center
Software Engineering Institute
Carnegie Mellon University
Pittsburgh, PA 15213-3890

Past advisories, information about FIRST representatives, and other information related to computer security are available for anonymous FTP from cert.org (192.88.209.5).

===========================================================================
The Computer Incident Advisory Capability (CIAC)
_____________________________________________________

                              ADVISORY NOTICE

                Automated Scanning of Network Vulnerabilities

September 30, 1993 1100 PDT                                      Number D-25
__________________________________________________________________________

PROBLEM:  Automated attacks on networked computers.
PLATFORM: All systems supporting TCP/IP networking.
DAMAGE:   Unauthorized access to information and computer resources.
SOLUTION: Examine machines for vulnerabilities detailed below and apply fixes as needed.
__________________________________________________________________________

Critical Information about Automated Network Scanning Software

CIAC has learned that software allowing automated scanning of networked computers for security vulnerabilities was recently made publicly available on the Internet. The software package, known as ISS or Internet Security Scanner, will interrogate all computers within a specified IP address range, determining the security posture of each with respect to several common system vulnerabilities.

The software was designed as a security tool for system and network administrators. However, given its wide distribution and ability to scan remote networks, CIAC feels that it is likely ISS will also be used to locate vulnerable hosts for malicious reasons. While none of the vulnerabilities ISS checks for are new, their aggregation into a widely available automated tool represents a higher level of threat to networked machines.

CIAC has analyzed the operation of the program and strongly recommends that administrators take this opportunity to re-examine systems for the vulnerabilities described below. Also detailed below are available security tools that may assist in the detection and prevention of malicious use of ISS. Finally, common symptoms of an ISS attack are outlined to allow detection of malicious use.

ISS Vulnerabilities
-------------------

The following vulnerabilities are tested for by the ISS tool. Administrators should verify the state of their systems and perform corrective actions as indicated.

Default Accounts

The accounts "guest" and "bbs", if they exist, should have non-trivial passwords. If login access to these accounts is not needed, they should be disabled by placing a "*" in the password field and the string "/bin/false" in the shell field in /etc/passwd. See the system manual entry for "passwd" for more information on changing passwords and disabling accounts.
For example, the /etc/passwd entry for a disabled guest account should resemble the following:

        guest:*:2311:50:Guest User:/home/guest:/bin/false

lp Account

The account "lp", if it exists, should not allow logins. It should be disabled by placing a "*" in the password field and the string "/bin/false" in the shell field in /etc/passwd.

Decode Alias

Mail aliases for decode and uudecode should be disabled on UNIX systems. If the file /etc/aliases contains entries for these programs, they should be disabled by placing a "#" at the beginning of the line and then executing the command "newaliases". Consult the manual page for "aliases" for more information on UNIX mail aliases. A disabled decode alias should appear as follows:

        # decode: "|/usr/bin/uudecode"

Sendmail

The sendmail commands "wiz" and "debug" should be disabled. This may be verified by executing the following commands:

        % telnet hostname 25
        220 host Sendmail 5.65 ready at Wed, 29 Sep 93 20:28:46 PDT
        wiz
        You wascal wabbit!  Wandering wizards won't win!  (or 500 Command unrecognized)
        quit

        % telnet hostname 25
        220 host Sendmail 5.65 ready at Wed, 29 Sep 93 20:28:46 PDT
        debug
        500 Command unrecognized
        quit

If the "wiz" command returns "Please pass, oh mighty wizard", your system is vulnerable to attack. The command should be disabled by adding a line to the sendmail.cf configuration file containing the string:

        OW*

If the "debug" command responds with the string "200 Debug set", you should immediately obtain a newer version of sendmail software from your vendor.

Anonymous FTP

Anonymous FTP allows users without accounts to have restricted access to certain directories on the system. The availability of anonymous FTP on a given system may be determined by executing the following commands:

        % ftp hostname
        Connected to hostname.
        220 host FTP server ready.
        Name (localhost:jdoe): anonymous
        530 User anonymous unknown.
        Login failed.

The above results indicate that anonymous FTP is not enabled.
If the system instead replies with the string "331 Guest login ok" and then prompts for a password, anonymous FTP access is enabled. The configuration of systems allowing anonymous FTP should be checked carefully, as improperly configured FTP servers are frequently attacked. Refer to CIAC Bulletin D-19 for more information.

NIS

SunOS 4.x machines using NIS are vulnerable unless the patch 100482 has been installed. See CIAC Bulletin C-25 for more information regarding this patch.

NFS

Filesystems exported under NFS should be mountable only by a restricted set of hosts. The UNIX "showmount" command will display the filesystems exported by a given host:

        % /usr/etc/showmount -e hostname
        export list for hostname:
        /usr        hosta:hostb:hostc
        /usr/local  (everyone)

The above output indicates that this NFS server is exporting two partitions: /usr, which can be mounted by hosta, hostb, and hostc; and /usr/local which can be mounted by anyone. In this case, access to the /usr/local partition should be restricted. Consult the system manual entry for "exports" or "NFS" for more information.

rusers

The UNIX rusers command displays information about accounts currently active on a remote system. This may provide an attacker with account names or other information useful in mounting an attack. To check for the availability of rusers information on a particular machine, execute the following command:

        % rusers -l hostname
        hostname: RPC: Program not registered

If the above example had instead generated a list of user names and login information, a rusers server is running on the host. The server may be disabled by placing a "#" at the beginning of the appropriate line in the file /etc/inetd.conf and then sending the SIGHUP signal to the inetd process. For example, a disabled rusers entry might appear as follows:

        #rusersd/2 dgram rpc/udp wait root /usr/etc/rusersd rusersd

rexd

The UNIX remote execution server rexd provides only minimal authentication and is easily subverted.
It should be disabled by placing a "#" at the beginning of the rexd line in the file /etc/inetd.conf and then sending the SIGHUP signal to the inetd process. The disabled entry should resemble the following:

        #rexd/1 stream rpc/tcp wait root /usr/etc/rexd rexd

Available Tools
---------------

There are several available security tools that may be used to prevent or detect malicious use of ISS. They include the following:

SPI

SPI, the Security Profile Inspector, will detect the system vulnerabilities described above, as well as many others. U.S. Government agencies interested in obtaining SPI should send E-mail to spi@cheetah.llnl.gov or call (510) 422-3881 for more information.

COPS

The COPS security tool will also detect the vulnerabilities described above. It is available via anonymous FTP from ftp.cert.org in the directory /pub/tools/cops/1.04.

ISS

Running ISS on your systems will provide you with the same information an attacker would obtain, allowing you to correct vulnerabilities before they can be exploited. Note that the current version of the software is known to function poorly on some operating systems. If you should have difficulty using the software, please contact CIAC for assistance. ISS may be obtained via anonymous FTP from ftp.uu.net in the directory /usenet/comp.sources.misc/volume39/iss.

TCP Wrappers

Access to most UNIX network services can be more closely controlled using software known as a TCP wrapper. The wrapper provides additional access control and flexible logging features that may assist in both the prevention and detection of network attacks. This software is available via anonymous FTP from ftp.win.tue.nl in the file /pub/security/tcp_wrappers_6.0.shar.Z

Detecting an ISS Attack
-----------------------

Given the wide distribution of the ISS tool, CIAC feels that remote attacks are likely to occur. Such attacks can cause system warnings to be generated that may prove useful in tracking down the source of the attack.
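The file-local items from the ISS Vulnerabilities checklist above (the guest, bbs and lp accounts, the decode and uudecode aliases, and the rexd and rusersd inetd entries) as one audit script; this is an added example, not part of the CIAC notice, and it runs against copies of the three files, with constructed samples in place of real system files.

```shell
#!/bin/sh
# Added example, not from the CIAC notice: audit copies of /etc/passwd,
# /etc/aliases and /etc/inetd.conf for the checklist items that can be
# verified from the file alone. Each audit prints one "FAIL: ..." line per
# finding and returns non-zero when it found anything.

# audit_passwd PASSWD_FILE
# guest, bbs and lp count as disabled only with "*" in the password field
# and /bin/false as the shell; anything else is reported for review (the
# notice allows a non-trivial password instead, which a file audit cannot judge).
audit_passwd() {
    _failures=0
    while IFS=: read -r name pw uid gid gecos home shell; do
        case "$name" in
            guest|bbs|lp)
                if [ "$pw" != "*" ] || [ "$shell" != "/bin/false" ]; then
                    echo "FAIL: account $name not disabled (pw='$pw' shell='$shell')"
                    _failures=$((_failures + 1))
                fi
                ;;
        esac
    done < "$1"
    [ "$_failures" -eq 0 ]
}

# audit_aliases ALIASES_FILE
# An active decode: or uudecode: line pipes mail into uudecode; a "#" in
# column one (as the notice shows) makes the line inert, so it is not matched.
audit_aliases() {
    _failures=0
    while IFS= read -r line; do
        case "$line" in
            decode:*|uudecode:*)
                echo "FAIL: active alias: $line"
                _failures=$((_failures + 1))
                ;;
        esac
    done < "$1"
    [ "$_failures" -eq 0 ]
}

# audit_inetd INETD_CONF
# Matches the RPC-style entries the notice shows ("rexd/1 ...", "rusersd/2 ...");
# lines already commented out with "#" and blank lines are skipped.
audit_inetd() {
    _failures=0
    while IFS= read -r line; do
        case "$line" in
            \#*|'') ;;
            rexd/*|rusersd/*)
                echo "FAIL: active inetd service: $line"
                _failures=$((_failures + 1))
                ;;
        esac
    done < "$1"
    [ "$_failures" -eq 0 ]
}

# iss_findings PASSWD ALIASES INETD_CONF: print every finding from all three.
iss_findings() {
    audit_passwd "$1" || true
    audit_aliases "$2" || true
    audit_inetd "$3" || true
}

# iss_finding_count PASSWD ALIASES INETD_CONF: echo the total number of findings.
iss_finding_count() {
    iss_findings "$1" "$2" "$3" | grep -c '^FAIL:' || true
}

# Constructed sample files (not real system files): guest is disabled
# correctly, bbs has an empty password, lp keeps a login shell, the decode
# alias is commented out but uudecode is live, rusersd is off but rexd is on.
SAMPLE_DIR=$(mktemp -d)
cat > "$SAMPLE_DIR/passwd" <<'EOF'
root:x:0:0:root:/:/bin/sh
guest:*:2311:50:Guest User:/home/guest:/bin/false
bbs::2312:50:BBS User:/home/bbs:/bin/sh
lp:*:71:8:Line Printer:/usr/spool/lp:/bin/sh
jdoe:x:1001:100:Jane Doe:/home/jdoe:/bin/csh
EOF
cat > "$SAMPLE_DIR/aliases" <<'EOF'
postmaster: root
# decode: "|/usr/bin/uudecode"
uudecode: "|/usr/bin/uudecode"
EOF
cat > "$SAMPLE_DIR/inetd.conf" <<'EOF'
ftp stream tcp nowait root /usr/etc/ftpd ftpd
#rusersd/2 dgram rpc/udp wait root /usr/etc/rusersd rusersd
rexd/1 stream rpc/tcp wait root /usr/etc/rexd rexd
EOF

iss_findings "$SAMPLE_DIR/passwd" "$SAMPLE_DIR/aliases" "$SAMPLE_DIR/inetd.conf"
echo "findings: $(iss_finding_count "$SAMPLE_DIR/passwd" "$SAMPLE_DIR/aliases" "$SAMPLE_DIR/inetd.conf")"
```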
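The indicator the notice describes next, a postmaster bounce carrying the scanner's SMTP transcript, turned into a check; this is an added example, not CIAC's code. Given a saved bounce, it counts how many of the ISS probe commands the transcript contains (VRFY of guest, decode, bbs, lp and uudecode, then wiz and debug) and extracts the peer named on the 421 line; the classification thresholds and host names are assumptions of the example.

```shell
#!/bin/sh
# Added example, not from the CIAC notice: score a saved postmaster bounce
# against the probe sequence the notice attributes to an ISS scan and pull
# out the peer from its "421 Lost input channel to ..." line.
# The thresholds in classify_bounce and all host names are assumptions.

# iss_probe_score BOUNCE_FILE
# Echoes how many of the seven probes appear as "<<< command" transcript
# lines. SMTP commands are case-insensitive, so the match is too.
iss_probe_score() {
    _score=0
    for _p in 'VRFY guest' 'VRFY decode' 'VRFY bbs' 'VRFY lp' 'VRFY uudecode' wiz debug; do
        if grep -qi "^[[:space:]]*<<< $_p\$" "$1"; then
            _score=$((_score + 1))
        fi
    done
    echo "$_score"
}

# bounce_peer BOUNCE_FILE
# Echoes the host named in the first "421 Lost input channel to HOST" line,
# or nothing when the transcript has none.
bounce_peer() {
    sed -n 's/^[[:space:]]*421 Lost input channel to \(.*\)$/\1/p' "$1" | head -n 1
}

# classify_bounce BOUNCE_FILE
# LIKELY_ISS_SCAN when all seven probes are present, SUSPICIOUS when three
# or more are, NORMAL_BOUNCE otherwise (cut-offs chosen for this example).
classify_bounce() {
    _s=$(iss_probe_score "$1")
    if [ "$_s" -eq 7 ]; then
        echo LIKELY_ISS_SCAN
    elif [ "$_s" -ge 3 ]; then
        echo SUSPICIOUS
    else
        echo NORMAL_BOUNCE
    fi
}

BOUNCE_DIR=$(mktemp -d)
# Constructed bounce in the shape the notice shows (host names invented).
cat > "$BOUNCE_DIR/scan.txt" <<'EOF'
From: Mailer-Daemon@victim.example.org (Mail Delivery Subsystem)
Subject: Returned mail: Unable to deliver mail
To: Postmaster@victim.example.org

   ----- Transcript of session follows -----
<<< VRFY guest
550 guest... User unknown
<<< VRFY decode
550 decode... User unknown
<<< VRFY bbs
550 bbs... User unknown
<<< VRFY lp
550 lp... User unknown
<<< VRFY uudecode
550 uudecode... User unknown
<<< wiz
500 Command unrecognized
<<< debug
500 Command unrecognized
421 Lost input channel to scanner.example.net

   ----- No message was collected -----
EOF
# Constructed ordinary bounce: one mistyped recipient, no probing at all.
cat > "$BOUNCE_DIR/typo.txt" <<'EOF'
   ----- Transcript of session follows -----
<<< RCPT To:<jdeo@victim.example.org>
550 jdeo... User unknown
EOF

echo "scan.txt: $(classify_bounce "$BOUNCE_DIR/scan.txt") from $(bounce_peer "$BOUNCE_DIR/scan.txt")"
echo "typo.txt: $(classify_bounce "$BOUNCE_DIR/typo.txt")"
```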
The most probable indicator of an ISS attack is a mail message sent to "postmaster" on the scanned system similar to the following:

        From: Mailer-Daemon@hostname (Mail Delivery Subsystem)
        Subject: Returned mail: Unable to deliver mail
        Message-Id: <9309291633.AB04591@>
        To: Postmaster@hostname

           ----- Transcript of session follows -----
        <<< VRFY guest
        550 guest... User unknown
        <<< VRFY decode
        550 decode... User unknown
        <<< VRFY bbs
        550 bbs... User unknown
        <<< VRFY lp
        550 lp... User unknown
        <<< VRFY uudecode
        550 uudecode... User unknown
        <<< wiz
        500 Command unrecognized
        <<< debug
        500 Command unrecognized
        421 Lost input channel to remote.machine

           ----- No message was collected -----

If you should receive such a message, it is likely that your machine and others on your network have been scanned for vulnerabilities. You should immediately contact your computer security officer or CIAC for assistance in assessing the damage and taking corrective action.

For additional information or assistance, please contact CIAC at (510) 423-9878 or send E-mail to ciac@llnl.gov. FAX messages to (510) 423-8002.

PLEASE NOTE: Many users outside of the DOE and ESnet computing communities receive CIAC bulletins. If you are not part of these communities, please contact your agency's response team to report incidents. Your agency's team will coordinate with CIAC. The Forum of Incident Response and Security Teams (FIRST) is a world-wide organization. A list of FIRST member organizations and their constituencies can be obtained by sending email to docserver@first.org with an empty subject line and a message body containing the line: send first-contacts.

This document was prepared as an account of work sponsored by an agency of the United States Government.
Neither the United States Government nor the University of California nor any of their employees, makes any warranty, expressed or implied, or assumes any legal liability or responsibility for the accuracy, completeness, or usefulness of any information, product, or process disclosed, or represents that its use would not infringe privately owned rights. Reference herein to any specific commercial products, process, or service by trade name, trademark, manufacturer, or otherwise, does not necessarily constitute or imply its endorsement, recommendation, or favoring by the United States Government or the University of California. The views and opinions of authors expressed herein do not necessarily state or reflect those of the United States Government nor the University of California, and shall not be used for advertising or product endorsement purposes.

------------------------------------------------------------------------
NeXT SECURITY BULLETIN: NeXT-94:001-sendmail, 16 February 94
------------------------------------------------------------------------

PROBLEM:

A security vulnerability has been identified in all versions of NEXTSTEP up to and including Release 3.2. This vulnerability, described in CERT advisories CA-93:16 and CA-93:16a, may allow unauthorized remote or authorized local users to gain unauthorized privileges. All sendmail recipient machines within a domain could potentially be vulnerable.

SOLUTION:

NeXT has corrected this vulnerability and provided a patch containing new binaries for both NeXT and Intel-based computers running NEXTSTEP Release 3.1 or Release 3.2.

DETAILS:

This patch is available via anonymous FTP from FTP.NEXT.COM in the directory "/pub/NeXTanswers/Files/Patches/SendmailPatch.23950.1".
        Filename                            Checksum
        ---------------------------------   ---------
        1513_SendmailPatch.ReadMe.rtf       63963 4
        1514_SendmailPatch.pkg.compressed   02962 290

This patch is also available via electronic mail by sending a message to NeXTanswers@NeXT.com with a subject line of "1513 1514". The two files noted above will be returned as NeXTmail attachments.

This patch is for NEXTSTEP 3.1 and NEXTSTEP 3.2. Instructions for installing this patch are included in the ReadMe file.

Note: At the present time, NeXT has no plans to make a patch available for releases of NEXTSTEP prior to Release 3.1.

COMMENTS:

NeXT recommends that all customers concerned with the security of their NEXTSTEP systems either apply the patch or edit the sendmail configuration files as soon as possible.

Questions about this patch should be directed to NeXT's Technical Support Hotline at 1-800-848-NeXT (+1-415-424-8500 if outside the U.S.) or via email to ask_next@NeXT.com.