This document pertains to the NeXTSTEP operating system (versions 3.2 and previous). Apple Computer no longer provides support for these products. This information is provided only as a convenience to our customers who have not yet upgraded their systems, and may not apply to OPENSTEP, WebObjects, or any other product of Apple Enterprise Software.
Introduction
This document contains the security advisories issued for NeXTSTEP versions 3.2 and previous.
NeXTSTEP 2.x Advisories
===========================================================================
CA-91:20 CERT Advisory
October 22, 1991
/usr/ucb/rdist Vulnerability
The Computer Emergency Response Team/Coordination Center (CERT/CC) has
received information concerning a vulnerability in /usr/ucb/rdist (the
location of rdist may vary depending on the operating system). This
vulnerability is present in possibly all versions of rdist. Vendors
responding with patches are listed below. Additionally, some vendors
who do not include rdist in their operating systems are identified.
Operating systems from vendors not listed in either of the two categories
below will probably be affected and the CERT/CC has proposed a workaround
for those systems.
VENDORS THAT DO NOT SHIP rdist
(Note: Even though these vendors do not ship rdist, it may have been
added later (for example, by the system administrator). It is
also possible that vendors porting one of these operating systems
may have added rdist. In both cases corrective action must be taken.)
Amdahl
AT&T System V
Data General DG/UX for AViiON Systems
VENDORS PROVIDING PATCHES
Cray Research, Inc. UNICOS 6.0/6.E/6.1 Field Alert #132 SPR 47600
For further information contact the Support Center at 1-800-950-CRAY or
612-683-5600 or e-mail support@crayamid.cray.com.
NeXT Computer, Inc. NeXTstep Release 2.x
A new version of rdist may be obtained from your
authorized NeXT Support Center. If you are an authorized
support center, please contact NeXT through your normal
channels. NeXT also plans to make this new version of
rdist available on the public NeXT FTP archives.
Silicon Graphics IRIX 3.3.x/4.0 (fixed in 4.0.1)
Patches may be obtained via anonymous ftp from sgi.com in the
sgi/rdist directory.
Sun Microsystems, Inc. SunOS 4.0.3/4.1/4.1.1 Patch ID 100383-02
Patches may be obtained via anonymous ftp from ftp.uu.net or from local
Sun Answer Centers worldwide.
The CERT/CC is hopeful that other patches will be forthcoming. We will
be maintaining a status file, rdist-patch-status, on the cert.org
system. We will add patch availability information to this file as
it becomes known. The file is available via anonymous ftp to
cert.org and is found in pub/cert_advisories/rdist-patch-status.
All trademarks are the property of their respective holders.
---------------------------------------------------------------------------
I. Description
A security vulnerability exists in /usr/ucb/rdist that
can be used to gain unauthorized privileges. Under some
circumstances /usr/ucb/rdist can be used to create setuid
root programs.
II. Impact
Any user logged into the system can gain root access.
III. Solution
A. If available, install the appropriate patch provided by
your operating system vendor.
B. If no patch is available, restrict the use of /usr/ucb/rdist
by changing the permissions on the file.
# chmod 711 /usr/ucb/rdist
---------------------------------------------------------------------------
The CERT/CC wishes to thank Casper Dik of the University of Amsterdam,
The Netherlands, for bringing this vulnerability to our attention.
We would also like to thank the vendors who have responded to this problem.
---------------------------------------------------------------------------
If you believe that your system has been compromised, contact CERT/CC via
telephone or e-mail.
Computer Emergency Response Team/Coordination Center (CERT/CC)
Software Engineering Institute
Carnegie Mellon University
Pittsburgh, PA 15213-3890
Internet E-mail: cert@cert.org
Telephone: 412-268-7090 24-hour hotline:
CERT/CC personnel answer 7:30a.m.-6:00p.m. EST(GMT-5)/EDT(GMT-4),
on call for emergencies during other hours.
Past advisories and other computer security related information are available
for anonymous ftp from the cert.org (192.88.209.5) system.
CA-91:06 CERT Advisory
May 14, 1991
NeXT rexd, /private/etc, Username me Vulnerabilities
The Computer Emergency Response Team/Coordination Center (CERT/CC) and
NeXT Computer, Inc. have received information concerning three
vulnerabilities in NeXT computers running various releases (see below)
of NeXTstep software. For more information, please contact your
authorized support center. If you are an authorized support provider,
please contact NeXT through your normal channels.
Problem 1 DESCRIPTION: By default, rexd(8C) is enabled in NeXTstep
versions 2.0 and 2.1. (Note that no NeXT software uses rexd.)
Problem 1 IMPACT: Leaving rexd enabled allows remote users to execute
processes on a NeXT computer.
Problem 1 SOLUTION: Comment out or remove the rexd line in
/etc/inetd.conf (unless you're using the remote execution facility),
and either restart the computer or cause inetd to re-read its
configuration file, using:
kill -HUP <inetd pid>
Problem 2 DESCRIPTION: The /private/etc directory is shipped with
group write permission enabled in all NeXTstep versions through and
including 2.1.
Problem 2 IMPACT: Group write permission in /private/etc enables any
user in the "wheel" group to modify files in the /private/etc
directory.
Problem 2 SOLUTION: Turn off group write permission for the
/private/etc directory, using the command:
chmod g-w /private/etc
or the equivalent operations from the Workspace Manager's Inspector
panel.
Problem 3 DESCRIPTION: Username "me" is a member of the "wheel" group
in all NeXTstep versions through and including 2.1.
Problem 3 IMPACT: Having username "me" in the "wheel" group enables
"me" to use the su(8) command to become root (the user must still know
the root password, however).
Problem 3 SOLUTION: Unless you have specific reason(s) not to, remove
the user "me" from the wheel group.
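The three checks from this advisory as an added shell example (not part of the CERT text): it audits constructed sample files that mirror the shipped defaults, applies the advisory's fixes, and re-checks. Paths are parameters, so the functions can be pointed at /etc/inetd.conf, /private/etc and an /etc/group-format file; on a NetInfo host the assumption is that "nidump group ." supplies that format.

```shell
#!/bin/sh
# Added example for CA-91:06 (not from the advisory): audit a host for
#   Problem 1: rexd enabled in inetd.conf
#   Problem 2: group-writable /private/etc
#   Problem 3: user "me" in the wheel group
# Assumption: group membership is read from an /etc/group-format file
# (on a NetInfo host, "nidump group ." produces that format).

# Returns 1 if a non-comment line of inetd.conf ($1) starts with service $2.
# Use "rexd" for Problem 1; the same check works for any inetd service.
inetd_service_enabled() {
    if grep -v '^[[:space:]]*#' "$1" | grep -q "^[[:space:]]*$2"; then
        echo "FAIL: $2 is enabled in $1 (comment it out, then kill -HUP <inetd pid>)"
        return 1
    fi
    echo "OK: $2 is disabled or absent in $1"
    return 0
}

# Returns 1 if directory $1 carries the group-write bit (Problem 2).
dir_group_writable() {
    if [ -n "$(find "$1" -prune -perm -020 -print)" ]; then
        echo "FAIL: $1 is group-writable (fix: chmod g-w $1)"
        return 1
    fi
    echo "OK: $1 is not group-writable"
    return 0
}

# Returns 1 if user $2 is a member of wheel in group file $1 (Problem 3).
user_in_wheel() {
    members=$(awk -F: '$1 == "wheel" { print $4 }' "$1")
    case ",$members," in
        *",$2,"*) echo "FAIL: $2 is in wheel and may su to root"; return 1 ;;
    esac
    echo "OK: $2 is not in wheel"
    return 0
}

# Constructed sample files reproducing the shipped NeXTstep 2.1 state.
DEMO=$(mktemp -d); trap 'rm -rf "$DEMO"' EXIT
cat > "$DEMO/inetd.conf" <<'EOF'
ftp     stream  tcp     nowait  root    /usr/etc/ftpd      ftpd
rexd/1  stream  rpc/tcp wait    root    /usr/etc/rpc.rexd  rpc.rexd
EOF
printf '%s\n' 'wheel:*:0:root,me' 'staff:*:20:me' > "$DEMO/group"
mkdir "$DEMO/private_etc" && chmod 775 "$DEMO/private_etc"

echo "--- as shipped ---"
inetd_service_enabled "$DEMO/inetd.conf" rexd || true
dir_group_writable "$DEMO/private_etc" || true
user_in_wheel "$DEMO/group" me || true

# Apply the advisory's three fixes to the sample and re-check.
sed 's/^rexd/#rexd/' "$DEMO/inetd.conf" > "$DEMO/inetd.new" && mv "$DEMO/inetd.new" "$DEMO/inetd.conf"
chmod g-w "$DEMO/private_etc"
sed 's/^wheel:\*:0:root,me$/wheel:*:0:root/' "$DEMO/group" > "$DEMO/group.new" && mv "$DEMO/group.new" "$DEMO/group"

echo "--- after fixes ---"
inetd_service_enabled "$DEMO/inetd.conf" rexd
dir_group_writable "$DEMO/private_etc"
user_in_wheel "$DEMO/group" me
```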
The CERT/CC would like to thank NeXT Computer, Inc. for their response
to this vulnerability. CERT/CC would also like to thank Fuat Baran
for his technical assistance.
The Computer Emergency Response Team/Coordination Center (CERT/CC) has
received information concerning a vulnerability in the configuration
of several system files. This advisory discusses a workaround since
there are no permanent patches available at this time.
This vulnerability is present in a very large number of UNIX-based
operating systems. Therefore, we recommend that ALL sites take the
corrective actions listed below.
I. DESCRIPTION:
The presence of a '-' as the first character in /etc/hosts.equiv,
/etc/hosts.lpd and .rhosts files may allow unauthorized access
to the system.
II. IMPACT:
Remote users can gain unauthorized root access to the system.
III. SOLUTION:
Rearrange the order of entries in the hosts.equiv, hosts.lpd,
and .rhosts files so that the first line does not contain
a leading '-' character.
Remove hosts.equiv, hosts.lpd, and .rhosts files containing only
entries beginning with a '-' character.
.rhosts files in ALL accounts, including root, bin, sys, news, etc.,
should be examined and modified as required. .rhosts files that
are not needed should be removed.
Please note that the CERT/CC strongly cautions sites about the
use of hosts.equiv and .rhosts files. We suggest that they NOT
be used unless absolutely necessary.
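A scanner for the condition this advisory describes, added here as an example (not part of the CERT text): it reports any hosts.equiv, hosts.lpd or .rhosts file whose first line starts with '-', and any such file made up only of '-' entries, walking the home directory of every account in a passwd-format file so root, bin, sys, news and the rest are covered. It runs on a constructed directory tree; the root prefix and passwd path are parameters, so "/" and /etc/passwd work for a live host.

```shell
#!/bin/sh
# Added example (not from the advisory): find trusted-host files whose first
# line begins with '-', and files containing nothing but '-' entries.

# Returns 1 (and names the file) if the first line of $1 starts with '-'.
first_line_is_minus() {
    [ -f "$1" ] || return 0
    first=$(head -n 1 "$1")
    case "$first" in
        -*) echo "FAIL: leading '-' on first line of $1 (reorder entries)"; return 1 ;;
    esac
    return 0
}

# Returns 1 if every non-blank line of $1 begins with '-'; the advisory says
# such a file should be removed outright.
only_minus_entries() {
    [ -s "$1" ] || return 0
    if grep -v '^[[:space:]]*$' "$1" | grep -qv '^-'; then
        return 0
    fi
    echo "FAIL: $1 holds only '-' entries (remove it)"
    return 1
}

# Checks the system files under $2/etc and the .rhosts in every home
# directory listed in passwd-format file $1. $2 is "/" on a real host.
scan_trusted_hosts() {
    rc=0
    for f in "$2/etc/hosts.equiv" "$2/etc/hosts.lpd"; do
        first_line_is_minus "$f" || rc=1
        only_minus_entries "$f" || rc=1
    done
    for home in $(awk -F: '{ print $6 }' "$1"); do
        f="$2$home/.rhosts"
        first_line_is_minus "$f" || rc=1
        only_minus_entries "$f" || rc=1
    done
    return $rc
}

# Constructed sample tree: a bad hosts.equiv, a root .rhosts with only a '-'
# entry, and a harmless user .rhosts.
DEMO=$(mktemp -d); trap 'rm -rf "$DEMO"' EXIT
mkdir -p "$DEMO/etc" "$DEMO/root" "$DEMO/home/alice"
printf '%s\n' 'root:*:0:0:Operator:/root:/bin/sh' \
              'alice:*:100:50:Alice:/home/alice:/bin/csh' > "$DEMO/etc/passwd"
printf '%s\n' '-badhost.example.com' 'trusted.example.com' > "$DEMO/etc/hosts.equiv"
printf '%s\n' '-evil.example.com' > "$DEMO/root/.rhosts"
printf '%s\n' 'alice-ws.example.com alice' > "$DEMO/home/alice/.rhosts"

scan_trusted_hosts "$DEMO/etc/passwd" "$DEMO" || echo "review the files listed above"
```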
---------------------------------------------------------------------------
The CERT/CC wishes to thank Alan Marcum, NeXT Computer, for bringing
this security vulnerability to our attention. We would also like to
thank CIAC for their assistance in testing this vulnerability.
---------------------------------------------------------------------------
===========================================================================
CA-92:01 CERT Advisory
January 20, 1992
NeXTstep Configuration Vulnerability
The Computer Emergency Response Team/Coordination Center (CERT/CC)
has received information concerning a vulnerability in release 2 of
NeXTstep's NetInfo default configuration. This vulnerability will
be corrected in future versions of NeXTstep.
I. Description
By default, a NetInfo server process will provide information to
any machine that requests it.
II. Impact
Remote users can gain unauthorized access to the network's
administrative information such as the passwd file.
III. Solution
Ensure that the trusted_networks property of each NetInfo domain's
root NetInfo directory is set correctly, so that only those systems
which should be obtaining information from NetInfo are granted
access. The value for the trusted_networks property should be the
network numbers of the networks the server should trust.
Note that improperly setting trusted_networks can render your
network unusable.
Consult Chapter 16, "Security", of the "NeXT Network and System
Administration" manual for release 2 for details on setting the
trusted_networks property of the root NetInfo directory.
---------------------------------------------------------------------------
The CERT/CC wishes to thank NeXT Computer, Inc. for their cooperation in
documenting and publicizing this security vulnerability.
---------------------------------------------------------------------------
NeXTSTEP 3.x Advisories
CA-93:02a CERT Advisory
January 21, 1993
REVISION NOTICE: New Patch for NeXT NetInfo "_writers" Vulnerabilities
*** THIS IS A REVISED CERT ADVISORY ***
*** IT CONTAINS NEW INFORMATION ***
The CERT Coordination Center has received updated information from NeXT
Computer, Inc. concerning vulnerabilities in the distributed printing
facility of NeXT computers running all releases of NeXTSTEP software
through NeXTSTEP Release 3.0. The online patch described in CERT
Advisory CA-93:02 has been replaced with a new patch. The size and
checksum information in this Advisory have been updated to reflect
the new online patch.
For more information, please contact your authorized support center. If you
are an authorized support provider, please contact NeXT through your normal
channels.
I. Description
The default NetInfo "_writers" properties are configured to allow
users to install printers and FAX modems and to export them to the
network without requiring assistance from the system administrator.
They also allow a user to configure other parts of the system, such as
monitor screens, without requiring help from the system administrator.
Vulnerabilities exist in this facility that could allow users to gain
unauthorized privileges on the system.
II. Impact
In the case of the "/printers" and the "/fax_modems" directories, the
"_writers" property can permit users to obtain unauthorized root
access to a system.
In the "/localconfig/screens" directory, the "_writers" property can
potentially permit a user to deny normal login access to other users.
III. Solution
To close the vulnerabilities, remove the "_writers" properties from
the "/printers", "/fax_modems", and "/localconfig/screens" directories
in all NetInfo domains on the network, and from all immediate
subdirectories of all "/printers", "/fax_modems", and
"/localconfig/screens" directories. The "_writers" properties may be
removed using any one of the following three methods:
A. As root, use the "niutil" command-line utility. For example, to
remove the "_writers" property from the "/printers" directory:
B. Alternatively, use the NetInfoManager application: open the
desired domain, open the appropriate directory, select the
"_writers" property, choose the "Delete" command [Cmd-r] from
the "Edit" menu, and save the directory.
C. To assist system administrators in editing their NetInfo
domains, a shell script, "writersfix", is available via
anonymous FTP from next.com (129.18.1.2):
After transferring this file using BINARY transfer type,
double-click on the file. A "WritersFix" directory will be
created in your file system, containing the script
("writersfix") and some documentation ("WritersFix.rtf").
Consider removing "_writers" from other NetInfo directories as well
(for example, "/locations"), noting the following trade-off between
ease-of-use and security. By removing the "_writers" properties, the
network and the computers on the network become more secure, but a
system administrator's assistance is required where it previously was
not required.
Please refer to the NeXTSTEP Network and System Administration manual
for additional information on "_writers". Note that the
subdirectories of the "/users" directory have "_writers_passwd" set to
the user whose account is described by the directory. This is
essential if users are to be able to change their own passwords, and
this does not compromise system security.
-----------------------------------------------------------------------------
The CERT Coordination Center wishes to thank Alan Marcum and Eric Larson of
NeXT Computer, Inc. for notifying us about the existence of these
vulnerabilities and for providing appropriate technical information.
-----------------------------------------------------------------------------
If you believe that your system has been compromised, contact the CERT
Coordination Center or your representative in FIRST (Forum of Incident
Response and Security Teams).
Internet E-mail: cert@cert.org
Telephone: 412-268-7090 (24-hour hotline)
CERT personnel answer 7:30 a.m.-6:00 p.m. EST(GMT-5)/EDT(GMT-4),
on call for emergencies during other hours.
CERT Coordination Center
Software Engineering Institute
Carnegie Mellon University
Pittsburgh, PA 15213-3890
Past advisories, information about FIRST representatives, and other
information related to computer security are available for anonymous FTP
from cert.org (192.88.209.5).
September 30, 1993 1100 PDT Number D-25
__________________________________________________________________________
PROBLEM: Automated attacks on networked computers.
PLATFORM: All systems supporting TCP/IP networking.
DAMAGE: Unauthorized access to information and computer resources.
SOLUTION: Examine machines for vulnerabilities detailed below and apply
fixes as needed.
__________________________________________________________________________
Critical Information about Automated Network Scanning Software
CIAC has learned that software allowing automated scanning of networked
computers for security vulnerabilities was recently made publicly
available on the Internet. The software package, known as ISS or Internet
Security Scanner, will interrogate all computers within a specified IP
address range, determining the security posture of each with respect to
several common system vulnerabilities. The software was designed as a
security tool for system and network administrators. However, given its
wide distribution and ability to scan remote networks, CIAC feels that it
is likely ISS will also be used to locate vulnerable hosts for malicious
reasons.
While none of the vulnerabilities ISS checks for are new, their
aggregation into a widely available automated tool represents a higher
level of threat to networked machines. CIAC has analyzed the operation of
the program and strongly recommends that administrators take this
opportunity to re-examine systems for the vulnerabilities described below.
Also detailed below are available security tools that may assist in the
detection and prevention of malicious use of ISS. Finally, common
symptoms of an ISS attack are outlined to allow detection of malicious
use.
ISS Vulnerabilities
-------------------
The following vulnerabilities are tested for by the ISS tool.
Administrators should verify the state of their systems and perform
corrective actions as indicated.
Default Accounts:
The accounts "guest" and "bbs", if they exist, should have non-trivial
passwords. If login access to these accounts is not needed, they should
be disabled by placing a "*" in the password field and the string
"/bin/false" in the shell field in /etc/passwd. See the system manual
entry for "passwd" for more information on changing passwords and
disabling accounts.
For example, the /etc/passwd entry for a disabled guest account should
resemble the following:
guest:*:2311:50:Guest User:/home/guest:/bin/false
lp Account:
The account "lp", if it exists, should not allow logins. It should be
disabled by placing a "*" in the password field and the string
"/bin/false" in the shell field in /etc/passwd.
Decode Alias:
Mail aliases for decode and uudecode should be disabled on UNIX systems.
If the file /etc/aliases contains entries for these programs, they
should be disabled by placing a "#" at the beginning of the line and
then executing the command "newaliases". Consult the manual page for
"aliases" for more information on UNIX mail aliases.
A disabled decode alias should appear as follows:
# decode: "|/usr/bin/uudecode"
Sendmail:
The sendmail commands "wiz" and "debug" should be
If the "wiz" command returns "Please pass, oh mighty wizard", your
system is vulnerable to attack. The command should be disabled by
adding a line to the sendmail.cf configuration file containing the
string:
OW*
If the "debug" command responds with the string "200 Debug set", you
should immediately obtain a newer version of sendmail software from
your vendor.
Anonymous FTP:
Anonymous FTP allows users without accounts to have restricted access
to certain directories on the system. The availability of anonymous
FTP on a given system may be determined by executing the following
commands:
% ftp hostname
Connected to hostname.
220 host FTP server ready.
Name (localhost:jdoe): anonymous
530 User anonymous unknown.
Login failed.
The above results indicate that anonymous FTP is not enabled. If the
system instead replies with the string "331 Guest login ok" and then
prompts for a password, anonymous FTP access is enabled.
The configuration of systems allowing anonymous FTP should be checked
carefully, as improperly configured FTP servers are frequently
attacked. Refer to CIAC Bulletin D-19 for more information.
NIS:
SunOS 4.x machines using NIS are vulnerable unless the patch 100482 has
been installed. See CIAC Bulletin C-25 for more information regarding
this patch.
NFS:
Filesystems exported under NFS should be mountable only by a restricted
set of hosts. The UNIX "showmount" command will display the filesystems
exported by a given host:
% /usr/etc/showmount -e hostname
export list for hostname:
/usr hosta:hostb:hostc
/usr/local (everyone)
The above output indicates that this NFS server is exporting two
partitions: /usr, which can be mounted by hosta, hostb, and hostc; and
/usr/local, which can be mounted by anyone. In this case, access to the
/usr/local partition should be restricted. Consult the system manual
entry for "exports" or "NFS" for more information.
rusers:
The UNIX rusers command displays information about accounts currently
active on a remote system. This may provide an attacker with account
names or other information useful in mounting an attack. To check for
the availability of rusers information on a particular machine, execute
the following command:
% rusers -l hostname
hostname: RPC: Program not registered
If the above example had instead generated a list of user names and
login information, a rusers server is running on the host. The server
may be disabled by placing a "#" at the beginning of the appropriate
line in the file /etc/inetd.conf and then sending the SIGHUP signal to
the inetd process. For example, a disabled rusers entry might appear
as follows:
rexd:
The UNIX remote execution server rexd provides only minimal
authentication and is easily subverted. It should be disabled by
placing a "#" at the beginning of the rexd line in the file
/etc/inetd.conf and then sending the SIGHUP signal to the inetd
process. The disabled entry should resemble the following:
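Local checks for four of the conditions listed above (default accounts, the decode alias, the sendmail "wiz" safeguard, and NFS exports open to everyone), added here as an example that is not part of the CIAC bulletin. The functions take file paths or stdin, so they run on the constructed samples below and can be pointed at /etc/passwd, /etc/aliases, /etc/sendmail.cf and real "showmount -e" output.

```shell
#!/bin/sh
# Added example (not from the bulletin): audit the ISS-probed conditions
# that can be verified from local files.

# 0 = account absent or disabled ("*" password, /bin/false shell);
# 1 = password field empty; 2 = live account whose password must be verified.
account_status() {        # $1 = passwd file, $2 = account name
    entry=$(awk -F: -v u="$2" '$1 == u' "$1")
    if [ -z "$entry" ]; then echo "OK: no $2 account in $1"; return 0; fi
    pw=$(printf '%s\n' "$entry" | cut -d: -f2)
    shell=$(printf '%s\n' "$entry" | cut -d: -f7)
    if [ -z "$pw" ]; then echo "FAIL: $2 has no password"; return 1; fi
    if [ "$pw" = '*' ] && [ "$shell" = /bin/false ]; then
        echo "OK: $2 is disabled"; return 0
    fi
    echo "WARN: $2 can log in (shell $shell); verify its password is non-trivial"
    return 2
}

# Returns 1 if aliases file $1 still has an active decode or uudecode alias.
decode_alias_active() {
    if grep -v '^[[:space:]]*#' "$1" | grep -Eq '^(decode|uudecode)[[:space:]]*:'; then
        echo "FAIL: active decode/uudecode alias in $1 (comment it out, run newaliases)"
        return 1
    fi
    echo "OK: no active decode alias in $1"
    return 0
}

# Returns 1 if sendmail.cf ($1) lacks the OW* line that disables "wiz".
wiz_guarded() {
    if grep -q '^OW\*' "$1"; then echo "OK: OW* present in $1"; return 0; fi
    echo "FAIL: no OW* line in $1; test the wiz command and add OW*"
    return 1
}

# Reads "showmount -e" output on stdin; returns 1 if any filesystem is
# exported to (everyone).
open_exports() {
    hits=$(awk 'NR > 1 && $2 == "(everyone)" { print $1 }')
    if [ -z "$hits" ]; then echo "OK: no world-mountable exports"; return 0; fi
    for fs in $hits; do echo "FAIL: $fs is mountable by any host"; done
    return 1
}

# Constructed samples: guest has an empty password, bbs and lp are disabled.
DEMO=$(mktemp -d); trap 'rm -rf "$DEMO"' EXIT
cat > "$DEMO/passwd" <<'EOF'
root:*:0:0:Operator:/:/bin/csh
guest::2311:50:Guest User:/home/guest:/bin/csh
bbs:*:2312:50:BBS:/home/bbs:/bin/false
lp:*:71:10:Printer:/usr/spool/lp:/bin/false
EOF
printf '%s\n' 'postmaster: root' 'decode: "|/usr/bin/uudecode"' > "$DEMO/aliases"
printf '%s\n' 'postmaster: root' '# decode: "|/usr/bin/uudecode"' > "$DEMO/aliases.fixed"
printf '%s\n' 'Cwlocalhost' 'OW*' > "$DEMO/sendmail.cf"
SHOWMOUNT_OUT='export list for hostname:
/usr hosta:hostb:hostc
/usr/local (everyone)'

for a in guest bbs lp; do account_status "$DEMO/passwd" "$a" || true; done
decode_alias_active "$DEMO/aliases" || true
decode_alias_active "$DEMO/aliases.fixed"
wiz_guarded "$DEMO/sendmail.cf"
printf '%s\n' "$SHOWMOUNT_OUT" | open_exports || true
```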
There are several available security tools that may be used to prevent or
detect malicious use of ISS. They include the following:
SPI:
SPI, the Security Profile Inspector, will detect the system
vulnerabilities described above, as well as many others. U.S.
Government agencies interested in obtaining SPI should send E-mail to
spi@cheetah.llnl.gov or call (510) 422-3881 for more information.
COPS:
The COPS security tool will also detect the vulnerabilities described
above. It is available via anonymous FTP from ftp.cert.org in the
directory /pub/tools/cops/1.04.
ISS:
Running ISS on your systems will provide you with the same information
an attacker would obtain, allowing you to correct vulnerabilities
before they can be exploited. Note that the current version of the
software is known to function poorly on some operating systems. If you
should have difficulty using the software, please contact CIAC for
assistance. ISS may be obtained via anonymous FTP from ftp.uu.net in
the directory /usenet/comp.sources.misc/volume39/iss.
TCP Wrappers:
Access to most UNIX network services can be more closely controlled
using software known as a TCP wrapper. The wrapper provides additional
access control and flexible logging features that may assist in both
the prevention and detection of network attacks. This software is
available via anonymous FTP from ftp.win.tue.nl in the file
/pub/security/tcp_wrappers_6.0.shar.Z
Detecting an ISS Attack
-----------------------
Given the wide distribution of the ISS tool, CIAC feels that remote
attacks are likely to occur. Such attacks can cause system warnings to be
generated that may prove useful in tracking down the source of the attack.
The most probable indicator of an ISS attack is a mail message sent to
"postmaster" on the scanned system similar to the following:
From: Mailer-Daemon@hostname (Mail Delivery Subsystem)
Subject: Returned mail: Unable to deliver mail
Message-Id: <9309291633.AB04591@>
To: Postmaster@hostname
----- Transcript of session follows -----
<<< VRFY guest
550 guest... User unknown
<<< VRFY decode
550 decode... User unknown
<<< VRFY bbs
550 bbs... User unknown
<<< VRFY lp
550 lp... User unknown
<<< VRFY uudecode
550 uudecode... User unknown
<<< wiz
500 Command unrecognized
<<< debug
500 Command unrecognized
421 Lost input channel to remote.machine
----- No message was collected -----
If you should receive such a message, it is likely that your machine and
others on your network have been scanned for vulnerabilities. You should
immediately contact your computer security officer or CIAC for assistance
in assessing the damage and taking corrective action.
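Detection logic for the bounce message described above, added here as an example (not part of the CIAC bulletin): it counts how many of the probes from the transcript (VRFY guest/decode/bbs/lp/uudecode, wiz, debug) appear as "<<< ..." lines in a message and alerts above a threshold, so a single bounce from a mistyped address does not trip it. The two messages are constructed samples, one reproducing the bulletin's transcript.

```shell
#!/bin/sh
# Added example (not from the bulletin): recognise an ISS scan from the
# returned-mail transcript it leaves in postmaster's mailbox.

# Prints the number of distinct ISS probes found in the message on stdin
# (VRFY guest/decode/bbs/lp/uudecode, wiz, debug; case-insensitive,
# each counted once however often it repeats).
iss_probe_count() {
    awk 'BEGIN {
             n = split("VRFY GUEST,VRFY DECODE,VRFY BBS,VRFY LP,VRFY UUDECODE,WIZ,DEBUG", p, ",")
             for (i = 1; i <= n; i++) want[p[i]] = 1
         }
         /^<<< / {
             cmd = toupper(substr($0, 5)); gsub(/[[:space:]]+$/, "", cmd)
             if ((cmd in want) && !(cmd in seen)) { seen[cmd] = 1; hits++ }
         }
         END { print hits + 0 }'
}

# Returns 0 and prints an alert naming the peer from the 421 line (if any)
# when message file $1 contains at least $2 distinct probes (default 4).
looks_like_iss_scan() {
    threshold=${2:-4}
    n=$(iss_probe_count < "$1")
    if [ "$n" -ge "$threshold" ]; then
        peer=$(awk '/^421 Lost input channel to / { print $6 }' "$1")
        echo "ALERT: $n ISS-style probes in $1 (peer: ${peer:-unknown})"
        return 0
    fi
    echo "no ISS signature in $1 ($n probe(s))"
    return 1
}

DEMO=$(mktemp -d); trap 'rm -rf "$DEMO"' EXIT
# The bulletin's transcript, reproduced as a constructed sample.
cat > "$DEMO/scan.txt" <<'EOF'
From: Mailer-Daemon@hostname (Mail Delivery Subsystem)
Subject: Returned mail: Unable to deliver mail
To: Postmaster@hostname
----- Transcript of session follows -----
<<< VRFY guest
550 guest... User unknown
<<< VRFY decode
550 decode... User unknown
<<< VRFY bbs
550 bbs... User unknown
<<< VRFY lp
550 lp... User unknown
<<< VRFY uudecode
550 uudecode... User unknown
<<< wiz
500 Command unrecognized
<<< debug
500 Command unrecognized
421 Lost input channel to remote.machine
----- No message was collected -----
EOF
# An ordinary bounce: one VRFY of a mistyped address must not alert.
cat > "$DEMO/typo.txt" <<'EOF'
----- Transcript of session follows -----
<<< VRFY jdoe
550 jdoe... User unknown
EOF

looks_like_iss_scan "$DEMO/scan.txt" || true
looks_like_iss_scan "$DEMO/typo.txt" || true
```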
For additional information or assistance, please contact CIAC at
(510) 423-9878 or send E-mail to ciac@llnl.gov. FAX messages to
(510) 423-8002.
PLEASE NOTE: Many users outside of the DOE and ESnet computing communities
receive CIAC bulletins. If you are not part of these communities, please
contact your agency's response team to report incidents. Your agency's team
will coordinate with CIAC. The Forum of Incident Response and Security Teams
(FIRST) is a world-wide organization. A list of FIRST member organizations
and their constituencies can be obtained by sending email to
docserver@first.org with an empty subject line and a message body containing
the line: send first-contacts.
This document was prepared as an account of work sponsored by an agency of
the United States Government. Neither the United States Government nor the
University of California nor any of their employees, makes any warranty,
expressed or implied, or assumes any legal liability or responsibility for
the accuracy, completeness, or usefulness of any information, product, or
process disclosed, or represents that its use would not infringe privately
owned rights. Reference herein to any specific commercial products, process,
or service by trade name, trademark manufacturer, or otherwise, does not
necessarily constitute or imply its endorsement, recommendation, or favoring
by the United States Government or the University of California. The views
and opinions of authors expressed herein do not necessarily state or reflect
those of the United States Government nor the University of California, and
shall not be used for advertising or product endorsement purposes.
------------------------------------------------------------------------
NeXT SECURITY BULLETIN: NeXT-94:001-sendmail, 16 February 94
------------------------------------------------------------------------
PROBLEM:
A security vulnerability has been identified in all versions of
NEXTSTEP up to and including Release 3.2. This vulnerability,
described in CERT advisories CA-93:16 and CA-93:16a, may allow
unauthorized remote or authorized local users to gain unauthorized
privileges. All sendmail recipient machines within a domain could
potentially be vulnerable.
SOLUTION:
NeXT has corrected this vulnerability and provided a patch containing
new binaries for both NeXT and Intel-based computers running NEXTSTEP
Release 3.1 or Release 3.2.
DETAILS:
This patch is available via anonymous FTP from FTP.NEXT.COM in the
directory "/pub/NeXTanswers/Files/Patches/SendmailPatch.23950.1".
This patch is also available via electronic mail by sending a message
to NeXTanswers@NeXT.com with a subject line of "1513 1514". The two
files noted above will be returned as NeXTmail attachments.
This patch is for NEXTSTEP 3.1 and NEXTSTEP 3.2. Instructions for
installing this patch are included in the ReadMe file.
Note: At the present time, NeXT has no plans to make a patch available
for releases of NEXTSTEP prior to Release 3.1.
COMMENTS:
NeXT recommends that all customers concerned with the security of
their NEXTSTEP systems either apply the patch or edit the sendmail
configuration files as soon as possible.
Questions about this patch should be directed to NeXT's Technical
Support Hotline at 1-800-848-NeXT (+1-415-424-8500 if outside the
U.S.) or via email to ask_next@NeXT.com.