

workman vulnerability



--- Forwarded mail from nasirc@nasirc.hq.nasa.gov

Date: Wed, 18 Sep 1996 10:36:19 -0400
From: NASIRC <bulletin@nasirc.hq.nasa.gov>
Reply-To: nasirc@nasirc.hq.nasa.gov
To: nasirc-dist@nasirc.hq.nasa.gov (NASA General Distribution)
Subject: NASIRC BULLETIN - B-96-42: (unix any) Vulnerability in WorkMan

-----BEGIN PGP SIGNED MESSAGE-----



        NASIRC BULLETIN B-96-42         September 18, 1996

                            Vulnerability in WorkMan
         ===========================================================
            NASA Automated Systems Incident Response Capability
               __    __      __      ___   ___  ____     ____
              /_/\  /_/|    /_/\    / _/\ /_/| / __/ \  / __/\
              | |\ \| ||   /  \ \   | /\/ | || | /\ \/  | | \/
              | ||\ \ ||  / /\ \ \   \ \  | || |_\/ /\  | |
              | || \ \|| / /--\ \ \ /\_\\ | || | |\ \ \ | \_/\
              |_|/  \_|//_/    \_\/ \/__/ |_|/ |_| \_\/ \___\/
          Serving NASA and the International Aerospace Communities
         ===========================================================

         This bulletin reports a recently announced security
         vulnerability.  It may contain a workaround or software
         patch.  Bulletins should be considered urgent as
         vulnerability information is likely to be widely known by
         the time a patch is issued or other solutions are developed.

         ===========================================================

        Researchers at IBM have discovered that the WorkMan CD-player can
        be exploited to make any file world-writable if it is installed
        set-uid to root.



SYSTEMS AFFECTED

        Linux and System V Release 4.0 systems are vulnerable.


 +--------------- BEGIN INCLUDED IBM WorkMan Bulletin ----------------
 | - --ERS-ALERT--ERS-ALERT--ERS-ALERT--ERS-ALERT--ERS-ALERT--ERS-ALERT--ERS-ALERT--
 | - ---EXTERNAL RELEASE---EXTERNAL RELEASE---EXTERNAL RELEASE---EXTERNAL RELEASE---
 |
 |                   =======  ============    ======       ======
 |                   =======  ==============  =======     =======
 |                     ===      ===     ====    ======   ======
 |                     ===      ===========     ======= =======
 |                     ===      ===========     === ======= ===
 |                     ===      ===     ====    ===  =====  ===
 |                   =======  ==============  =====   ===   =====
 |                   =======  ============    =====    =    =====
 |
 |                            EMERGENCY RESPONSE SERVICE
 |                        SECURITY VULNERABILITY ALERT
 |
 | 28 August 1996 18:00 GMT                 Number: ERS-SVA-E01-1996:005.1
 | ===============================================================================
 |                              VULNERABILITY  SUMMARY
 |
 | VULNERABILITY: When the "WorkMan" compact disc playing program is installed
 |              set-user-id "root," it can be used to make any file on the
 |              system world-writable.
 |
 | PLATFORMS:   Linux, UNIX System V Release 4.0 (and derivatives)
 |
 | SOLUTION:    Remove the set-user-id bit from the "workman" program.
 |
 | THREAT:      A non-privileged user can use "WorkMan" to make any file on
 |              the system world-writable, and then modify that file's
 |              contents.
 |
 | ===============================================================================
 |                               DETAILED INFORMATION
 |
 | NOTE: This advisory is NOT a re-hash of the problem reported on several lists
 |       earlier this week by a group calling itself "r00t."  The vulnerability
 |       described by "r00t" is essentially a subset of the problem described in
 |       this alert.
 |
 | I. Description
 |
 | "WorkMan" is a popular program used for playing audio compact disks on local
 | workstation CD-ROM drives that is widely available from many sites around the
 | Internet.  Versions of "WorkMan" are also included with some operating system
 | distributions, such as Linux.
 |
 | On systems where "WorkMan" was built and installed using the procedures that
 | are given in "Makefile.linux" or "Makefile.svr4" (in general, this means on
 | Linux systems and UNIX System V Release 4.0 systems), the "workman" program
 | is installed set-user-id "root."  This means that when the program is run,
 | it will execute with super-user permissions.
 |
 | In order to allow signals to be sent to it, "WorkMan" writes its process-id
 | to a file called "/tmp/.wm_pid."  The "-p" option to the program allows the
 | user to specify a different file name in which to record this information.
 | When a file is specified with "-p", "WorkMan" simply attempts to create and/or
 | truncate the file, and if this succeeds, "WorkMan" changes the permissions on
 | the file so that it is world-readable and world-writable.
 |
 | In the general case, when "WorkMan" is installed without the set-user-id bit
 | set, the normal file access permissions provided by the operating system will
 | prevent users from creating or truncating files they are not authorized to
 | create or truncate.  However, when "WorkMan" is installed set-user-id "root,"
 | this process breaks down (because "root" is allowed to create/truncate any
 | file).
 |
 | II. Impact
 |
 | A user executing a set-user-id "root" version of "WorkMan" can use the "-p"
 | option to create a file anywhere in the file system, or to truncate any file
 | in the file system.  More importantly, the file specified with "-p" will be
 | world-readable and world-writable when "WorkMan" is finished.  This can enable
 | the user to create accounts, destroy log files, and perform other unauthorized
 | actions.
 |
 | III. Solutions
 |
 | "WorkMan" does not require the set-user-id bit to work; it is installed this
 | way only on systems that do not make the CD-ROM device file world-readable
 | by default.
 |
 | This vulnerability can be alleviated by:
 |
 | 1) Removing the set-user-id bit from the "WorkMan" program, via a command
 |    such as
 |
 |      chmod u-s /usr/local/bin/workman
 |
 | and
 |
 | 2) Making the CD-ROM device world-readable, via a command such as
 |
 |      chmod +r /dev/cdrom
 |
 | Note that on multi-user systems, part (2) of the above procedure will allow
 | any user to access the contents of the disc installed in the CD-ROM; this
 | may not be desirable in all environments.
 |
 | IV. Acknowledgements
 |
 | IBM-ERS would like to thank the IBM Global Security Analysis Laboratory at the
 | IBM T. J. Watson Research Center for their discovery of this vulnerability,
 | bringing it to our attention, providing the steps to fix it, and assistance in
 | developing this alert.
 |
 | UNIX is a technology trademark of X/Open Company, Ltd.
 |
 | ===============================================================================
 |
 | IBM's Internet Emergency Response Service (IBM-ERS) is a subscription-based
 | Internet security response service that includes computer security incident
 | response and management, regular electronic verification of your Internet
 | gateway(s), and security vulnerability alerts similar to this one that are
 | tailored to your specific computing environment.  By acting as an extension
 | of your own internal security staff, IBM-ERS's team of Internet security
 | experts helps you quickly detect and respond to attacks and exposures across
 | your Internet connection(s).
 |
 | As a part of IBM's Business Recovery Services organization, the IBM Internet
 | Emergency Response Service is a component of IBM's SecureWay(tm) line of
 | security products and services.  From hardware to software to consulting,
 | SecureWay solutions can give you the assurance and expertise you need to
 | protect your valuable business resources.  To find out more about the IBM
 | Internet Emergency Response Service, send an electronic mail message to
 | ers-sales@vnet.ibm.com, or call 1-800-742-2493 (Prompt 4).
 |
 | IBM-ERS maintains a site on the World Wide Web at http://www.ers.ibm.com/.
 | Visit the site for information about the service, copies of security alerts,
 | team contact information, and other items.
 |
 | IBM-ERS uses Pretty Good Privacy* (PGP*) as the digital signature mechanism for
 | security vulnerability alerts and other distributed information.  The IBM-ERS
 | PGP* public key is available from http://www.ers.ibm.com/team-info/pgpkey.html.
 | "Pretty Good Privacy" and "PGP" are trademarks of Philip Zimmerman.
 |
 | IBM-ERS is a Member Team of the Forum of Incident Response and Security Teams
 | (FIRST), a global organization established to foster cooperation and response
 | coordination among computer security teams worldwide.
 |
 | Copyright 1996 International Business Machines Corporation.
 |
 | The information in this document is provided as a service to customers of
 | the IBM Emergency Response Service.  Neither International Business Machines
 | Corporation, Integrated Systems Solutions Corporation, nor any of their
 | employees, makes any warranty, express or implied, or assumes any legal
 | liability or responsibility for the accuracy, completeness, or usefulness of
 | any information, apparatus, product, or process contained herein, or
 | represents that its use would not infringe any privately owned rights.
 | Reference herein to any specific commercial products, process, or service by
 | trade name, trademark, manufacturer, or otherwise, does not necessarily
 | constitute or imply its endorsement, recommendation or favoring by IBM or
 | its subsidiaries.  The views and opinions of authors expressed herein do not
 | necessarily state or reflect those of IBM or its subsidiaries, and may not be
 | used for advertising or product endorsement purposes.
 |
 | The material in this security alert may be reproduced and distributed,
 | without permission, in whole or in part, by other security incident response
 | teams (both commercial and non-commercial), provided the above copyright is
 | kept intact and due credit is given to IBM-ERS.
 |
 | This security alert may be reproduced and distributed, without permission,
 | in its entirety only, by any person provided such reproduction and/or
 | distribution is performed for non-commercial purposes and with the intent of
 | increasing the awareness of the Internet community.
 |
 | - ---EXTERNAL RELEASE---EXTERNAL RELEASE---EXTERNAL RELEASE---EXTERNAL RELEASE---
 | - --ERS-ALERT--ERS-ALERT--ERS-ALERT--ERS-ALERT--ERS-ALERT--ERS-ALERT--ERS-ALERT--
 +--------------- END INCLUDED IBM WorkMan Bulletin ----------------




        -=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-
                ACKNOWLEDGMENTS: IBM for their research and bulletin on
                        this vulnerability.

                BULLETIN AUTHOR: Allen Chen
        -=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-


        This advisory may be forwarded without restriction.  Persons
        within the NASA community or operating in support of a NASA
        contract may contact NASIRC with any questions about this
        advisory.

            Telephone: 1-800-7-NASIRC (1-800-762-7472) FAX: 1-301-441-1853
            International: +1-301-441-4398         STU III: 1-301-918-4347
            Internet E-Mail: nasirc@nasa.gov
            24-Hour/Emergency Pager: 1-800-759-7243/Pin:2023056
            WWW: http://nasirc.nasa.gov/NASIRC_home.html
            FTP: nasirc.nasa.gov, login "anonymous"

        Anyone requiring assistance or wishing to report a security
        incident but not operating in support of NASA may contact the
        Forum of Incident Response and Security Teams (FIRST), an
        international organization of incident response teams, to
        determine the appropriate team.  A list of FIRST member
        organizations and their constituencies may be obtained by
        sending E-mail to "docserver@first.org" with an empty "subject"
        line and a message body containing the line "send first-contacts"
        or via WWW at  http://www.first.org/  .

-----BEGIN PGP SIGNATURE-----
Version: 2.6.2

iQCVAwUBMkAIvWOrrK//NbM5AQHkjgP9EUAgrvakbMyzvSM+Yd3hy7VSMr9zb2GH
e8HEXCQdOaF0z7jHN7V2wxdgIIvJ3fyoPhgRQg7UQ1qUT6hEdNam6ViqINFZ39Zx
gtWMIs858DwhUGAAYNi2qJ1nUrqS2tl7CaC3aOzEQn5wsS16/HYttxGnjt7gEicg
X/nSN82DBns=
=F/sD
-----END PGP SIGNATURE-----


---End of forwarded mail from nasirc@nasirc.hq.nasa.gov
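
Section I of the IBM alert explains that the operating system's normal permission checks stop protecting files once the program that opens a user-named file runs as "root". The C sketch below is an added example, not WorkMan source and not part of the forwarded bulletin: it shows how a set-user-id program can record its process-id in a user-supplied file with only the caller's rights. The function name write_pid_file() is hypothetical and a POSIX.1-2008 system is assumed; removing the set-user-id bit, as the alert recommends, remains the fix.

```c
/* Added example, not WorkMan source; write_pid_file() is a hypothetical name. */
#define _POSIX_C_SOURCE 200809L
#include <fcntl.h>
#include <stdio.h>
#include <sys/stat.h>
#include <unistd.h>

/* Record our pid in a user-supplied file using only the caller's own rights.
 * Returns 0 on success, -1 on failure. */
int write_pid_file(const char *path)
{
    uid_t saved_euid = geteuid();
    struct stat st;
    char buf[32];
    int fd, len, rc = -1;

    /* Drop the set-uid identity so the kernel's ordinary permission
     * checks decide whether this user may create or open the file. */
    if (seteuid(getuid()) != 0)
        return -1;
    /* No O_TRUNC: nothing is truncated until the checks below pass.
     * O_NOFOLLOW refuses a symbolic link as the final path component;
     * O_NONBLOCK keeps the open from hanging on a FIFO. */
    fd = open(path, O_WRONLY | O_CREAT | O_NOFOLLOW | O_NONBLOCK | O_CLOEXEC,
              0644);
    if (fd >= 0) {
        /* Only a regular, singly-linked file owned by the caller is
         * touched. fchmod() acts on the checked descriptor, not on a
         * path, and sets 0644 rather than a world-writable mode. */
        if (fstat(fd, &st) == 0 && S_ISREG(st.st_mode) &&
            st.st_uid == getuid() && st.st_nlink == 1 &&
            ftruncate(fd, 0) == 0 && fchmod(fd, 0644) == 0) {
            len = snprintf(buf, sizeof buf, "%ld\n", (long)getpid());
            if (write(fd, buf, (size_t)len) == len)
                rc = 0;
        }
        close(fd);
    }
    /* Regain the saved identity (e.g. for a later device open). */
    if (seteuid(saved_euid) != 0)
        rc = -1;
    return rc;
}

int main(int argc, char **argv)
{
    /* The pid-file name is taken from the first argument. */
    return (argc > 1 && write_pid_file(argv[1]) == 0) ? 0 : 1;
}
```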