[comp.sys.next] CERT Advisory Update - NeXT Systems

ecd@cert.sei.cmu.edu (Edward DeHart) (10/05/90)

This message is an update of the October 2, 1990 CERT Advisory (CA-90:06).
There is one correction and an update that you need to know about.

For Problem #2 SOLUTION, the following line has been added:

  # /etc/chmod 440 /usr/lib/NextPrinter/npd.old

This will disable the old printer program.  An updated copy of the CERT
Advisory has been included with this message.

NeXT is also making the new printer program, npd, available electronically
via anonymous ftp for Internet sites.  The archives sites are:

        nova.cc.purdue.edu
        umd5.umd.edu
        cs.orst.edu

In addition, NeXT has asked the CERT to announce that if anyone cannot get
it fr
om the archives, NeXT Technical Support can provide it. Requests should
go to:

        ask_next@NeXT.COM [...!next!ask_next]

Thanks,
Ed DeHart
Computer Emergency Response Team

------------------------------------------------------------------------------
CA-90:06a                      CERT Advisory
			      October 3, 1990
                          NeXT's System Software

-----------------------------------------------------------------------------
This message is to alert administrators of NeXT Computers of four
potentially serious security problems.

The information contained in this message has been provided by David Besemer,
NeXT Computer, Inc.  The following describes the four security problems,
NeXT's recommended solutions and the known system impact.

------------------------------------------------------------------------------

  Problem #1 DESCRIPTION:  On Release 1.0 and 1.0a a script exists in
  /usr/etc/restore0.9 that is a setuid shell script.  The existence of  
  this script is a potential security problem.

  Problem #1 IMPACT:  The script is only needed during the installation
  process and isn't needed for normal usage.  It is possible for any
  logged in user to gain root access.

  Problem #1 SOLUTION:  NeXT owners running Release 1.0 or 1.0a should  
  remove /usr/etc/restore0.9 from all disks.  This file is installed by  
  the "BuildDisk" application, so it should be removed from all systems  
  built with the standard release disk, as well as from the standard  
  release disk itself (which will prevent the file from being installed  
  on system built with the standard release disk in the future).  You  
  must be root to remove this script, and the command that will remove  
  the script is the following:

  # /bin/rm /usr/etc/restore0.9

                                    ---

  Problem #2 DESCRIPTION:  On NeXT computers running Release 1.0 or
  1.0a that also have publicly accessible printers, users can gain
  extra permissions via a combination of bugs.
  
  Problem #2 IMPACT:  Computer intruders are able to exploit this security
  problem to gain access to the system.  Intruders, local users and remote
  users are able to gain root access.

  Problem #2 SOLUTION:  NeXT computer owners running Release 1.0 or  
  1.0a should do two things to fix a potential security problem.   
  First, the binary /usr/lib/NextPrinter/npd must be replaced with a  
  more secure version.  This more secure version of npd is available  
  through your NeXT support center.  Upon receiving a copy of the more  
  secure npd, you must become root and install it in place of the old  
  one in /usr/lib/NextPrinter/npd.  The new npd binary needs to be  
  installed with the same permission bits (6755) and owner (root) as  
  the old npd binary.  The commands to install the new npd binary are  
  the following:
  
  # /bin/mv /usr/lib/NextPrinter/npd /usr/lib/NextPrinter/npd.old
  # /bin/mv newnpd /usr/lib/NextPrinter/npd
	  (In the above command, "newnpd" is the npd binary
	  that you obtained from your NeXT support center.)
  # /etc/chown root /usr/lib/NextPrinter/npd
  # /etc/chmod 6755 /usr/lib/NextPrinter/npd
  # /etc/chmod 440 /usr/lib/NextPrinter/npd.old
  
  The second half of the fix to this potential problem is to change the  
  permissions of directories on the system that are currently owned and  
  able to be written by group "wheel".  The command that will remove  
  write permission for directories owned and writable by group "wheel"  
  is below.  This command is all one line, and should be run as root.
  
  # find / -group wheel ! -type l -perm -20 ! -perm -2 -ls -exec chmod  
  g-w {} \; -o -fstype nfs -prune

                                    ---

  Problem #3 DESCRIPTION:  On NeXT computers running any release of the
  system software,  public access to the window server may be a
  potential security problem.

  The default in Release 1.0 or 1.0a is correctly set so that public access
  to the window server is not available.  It is possible, when upgrading from
  a prior release, that the old configuration files will be reused.  These
  old configuration files could possibly enable public access to the window
  server.

  Problem #3 IMPACT:  This security problem will enable an intruder to gain
  access to the system.

  Problem #3 SOLUTION:  If public access isn't needed, it should be disabled.

  1. Launch the Preferences application, which is located in /NextApps
  2. Select the UNIX panel by pressing the button with the UNIX
     certificate on it.
  3. If the box next to Public Window Server contains a check, click on
     the box to remove the check.

                                    ---

  Problem #4 DESCRIPTION: On NeXT computers running any release of the
  system software, the "BuildDisk" application is executable by all users.

  Problem #4 IMPACT:  Allows a user to gain root access.

  Problem #4 SOLUTION: Change the permissions on the "BuildDisk" application
  allowing only root to execute it.  This can be accomplished with the
  command:

  # chmod 4700 /NextApps/BuildDisk

  To remove "BuildDisk" from the default icon dock for new users, do the
  following:

  1. Create a new user account using the UserManager application.
  2. Log into the machine as that new user.
  3. Remove the BuildDisk application from the Application Dock by dragging
     it out.
  4. Log out of the new account and log back in as root.
  5. Copy the file in ~newuser/.NeXT/.dock to /usr/template/user/.NeXT/.dock
	(where ~newuser is the home directory of the new user account)
  6. Set the protections appropriately using the following command:
        # chmod 555 /usr/template/user/.NeXT/.dock
  7. If you wish, with UserManager, remove the user account that you created
     in step 1.

  In release 2.0, the BuildDisk application will prompt for the root password
  if it is run by a normal user.

-----------------------------------------------------------------------------
CONTACT INFORMATION
 
For further questions, please contact your NeXT support center.

NeXT has also reported that these potential problems have been fixed in
NeXT's Release 2.0, which will be available in November, 1990.

Thanks to Corey Satten and Scott Dickson for discovering, documenting, and
helping resolve these problems.

-----------------------------------------------------------------------------
Edward DeHart
Computer Emergency Response Team/Coordination Center (CERT/CC)
Software Engineering Institute
Carnegie Mellon University
Pittsburgh, PA 15213-3890

Internet E-mail: cert@cert.sei.cmu.edu
Telephone: 412-268-7090 24-hour hotline: CERT personnel answer
           7:30a.m.-6:00p.m. EST, on call for
           emergencies other hours.

Past advisories and other information are available for anonymous ftp
from cert.sei.cmu.edu (128.237.253.5).

abe@mace.cc.purdue.edu (Vic Abell) (10/05/90)

In article <850@cert.sei.cmu.edu> ecd@cert.sei.cmu.edu (Edward DeHart) writes:
>
>NeXT is also making the new printer program, npd, available electronically
>via anonymous ftp for Internet sites.  The archives sites are:
>
>        nova.cc.purdue.edu

The correct (new) host name and number are:

	sonata.cc.purdue.edu		128.210.15.30

The new npd may be found in;

	next/patches/newnpd.tar.Z

abe@mace.cc.purdue.edu (Vic Abell) (10/05/90)

In article <5701@mace.cc.purdue.edu>, abe@mace.cc.purdue.edu (Vic Abell) writes:
> 
> The correct (new) host name and number are:
> 
> 	sonata.cc.purdue.edu		128.210.15.30

My mistake: nova.cc.purdue.edu (128.210.7.22) and sonata.cc.purdue.edu
both DO contain the new npd in:

	pub/next/patches/newnpd.tar.Z

Sorry if I've sown confusion.

eps@toaster.SFSU.EDU (Eric P. Scott) (10/06/90)

I have two really stupid questions about newnpd at Purdue:

1) Why is the executable 40961 bytes (we all know it has to be a
   multiple of 8K)?
2) Since this version was apparently built last December(!), why
   did it take so long for it to be made available to customers?

					-=EPS=-

scott@sage.uchicago.edu (Scott Deerwester) (10/09/90)

In article <881@toaster.SFSU.EDU>, eps@toaster (Eric P. Scott) writes:
>I have two really stupid questions about newnpd at Purdue:
>
>1) Why is the executable 40961 bytes (we all know it has to be a
>   multiple of 8K)?
>2) Since this version was apparently built last December(!), why
>   did it take so long for it to be made available to customers?
>
>					-=EPS=-

Not to be paranoid, or anything, but... are we all very sure that
newnpd@cc.purdue.edu is legitimate?  I mean, it's not all that hard to
forge messages, and it's also not all that hard to build a Trojan
horse...

Disclaimer:
   I have *no* reason to suspect that newnpd is anything but
   legitimate, and greatly appreciate the effort to make a
   non-compromised version publically available, if the standard one
   is a security hole.  I'm just trying to be a little careful...
-------
Scott Deerwester            | Internet: scott@tira.uchicago.edu  | ~{P;N,5B~}
Center for Information and  | Phone:    312-702-6948             |
   Language Studies         | 1100 E. 57th, CILS                 |
University of Chicago       | Chicago, IL 60637                  |

gerrit@nova.cc.purdue.edu (Gerrit Huizenga) (10/09/90)

Scott Deerwester wonders:
> [EPS asks]
>>1) Why is the executable 40961 bytes ( [should be mulitple of 8K] )
>>2) Since this version was apparently built last December(!), why
>>   did it take so long for it to be made available to customers?

>Not to be paranoid, or anything, but... are we all very sure that newnpd@
> cc.purdue.edu is legitimate?  I mean, it's not all that hard to forge
> messages, and it's also not all that hard to build a Trojan horse...

The version of newnpd in the archives was emailed to me by trusted people
at NeXT, followed by my acknowledge and their counter-acknowledge
(generally a fairly safe way to do this email stuff :-).  I wrapped up
the README and newnpd and plopped them in the archives.  

I'm afraid I don't have any answers to Eric's questions, though.

gerrit