Copy Link
Add to Bookmark
Report

CIAC B-23

  

_____________________________________________________
The Computer Incident Advisory Capability
___ __ __ _ ___
/ | / \ /
\___ __|__ /___\ \___
_____________________________________________________
Information Bulletin

May 1, 1991, 1200 PDT Number B-23

Ultrix V4.0 and V4.1 Vulnerability
________________________________________________________________________
PROBLEM: /usr/bin/chroot is installed with the setuid bit set.
PLATFORM: DEC Ultrix V4.0 and V4.1, all architectures.
DAMAGE: Allows authorized users to gain unauthorized privileges.
SOLUTIONS: Fixed in Ultrix V4.2. Manually change file mode of
/usr/bin/chroot to 700 for Ultrix V4.0 and V4.1
IMPACT OF WORKAROUND: Non-privileged users no longer have access to
the chroot command.
_______________________________________________________________________
Critical /usr/bin/chroot Vulnerability Facts

CIAC has been advised of a vulnerability in DEC's Ultrix V4.0 and V4.1
operating systems running on all architectures. DEC is aware of this
problem, and has corrected it in Ultrix V4.2. The DEC provided fix for
Ultrix V4.0 and V4.1 is:

(login as root)
# chmod 700 /usr/bin/chroot
# ls -l /usr/bin/chroot
(verify the file protections are "-rwx------")


For additional information or assistance, please contact CIAC:

Hal Brand
(415) 422-6312 or (FTS) 532-6312, or

Call CIAC at (415) 422-8193 or (FTS) 532-8193 or
send e-mail to ciac@cheetah.llnl.gov.

Send FAX messages to: (415) 423-0913 or (FTS) 543-0913
_____
The CERT/CC and Digital Equipment Corporation provided information
contained in this bulletin. This document was prepared as an account
of work sponsored by an agency of the United States Government. Neither
the United States Government nor the University of California nor any
of their employees, makes any warranty, express or implied, or assumes
any legal liability or responsibility for the accuracy, completeness,
or usefulness of any information, apparatus, product, or process
disclosed, or represents that its use would not infringe privately
owned rights. Reference herein to any specific commercial products,
process, or service by trade name, trademark, manufacturer, or
otherwise, does not necessarily constitute or imply its endorsement,
recommendation or favoring by the United States Government or the
University of California. The views and opinions of authors expressed
herein do not necessarily state or reflect those of the United States
Government or the University of California, and shall not be used for
advertising or product endorsement purposes.

← previous
next →
loading
sending ...
New to Neperos ? Sign Up for free
download Neperos from Google Play

Let's discover also

Recent Articles

Recent Comments

Neperos cookies
This website uses cookies to store your preferences and improve the service. Cookies authorization will allow me and / or my partners to process personal data such as browsing behaviour.

By pressing OK you agree to the Terms of Service and acknowledge the Privacy Policy

By pressing REJECT you will be able to continue to use Neperos (like read articles or write comments) but some important cookies will not be set. This may affect certain features and functions of the platform.
OK
REJECT