FW: SDSC Researchers Detect Security Loophole Exploited "in the Wild" (fwd)

Dan Kohn (dan@teledesic.com)
Fri, 8 Nov 1996 17:48:40 -0800


>----------
>From: kc[SMTP:kc@nlanr.net]
>Sent: Friday, November 08, 1996 5:39 PM
>To: nlanr@nlanr.net
>Subject: SDSC Researchers Detect Security Loophole Exploited "in the Wild" (fwd)
>
>Forwarded message:
>From list-relay@UCSD.EDU Fri Nov 8 13:36:17 1996
>Date: Fri, 8 Nov 1996 13:32:53 -0800
>X-Sender: redelfs@pop.sdsc.edu
>Message-Id: <v02120d0baea637cde854@[198.202.84.33]>
>Mime-Version: 1.0
>Content-Type: text/plain; charset="us-ascii"
>To: (SDSC.releases)
>From: redelfs@SDSC.EDU (Ann Redelfs)
>Subject: SDSC Researchers Detect Security Loophole Exploited "in the Wild"
>Cc: redelfs@SDSC.EDU
>
>For Immediate Release
>November 8, 1996
>
>SDSC Researchers Detect Security Loophole Exploited "in the Wild"
>
>For more information, contact:
>Ann Redelfs, SDSC
>619-534-5032/5113 (fax)
>redelfs@sdsc.edu
>
>San Diego, CA -- Researchers at the San Diego Supercomputer Center (SDSC)
>and the Pacific Institute of Computer Security (PICS) have detected "in the
>wild" and analyzed an automated attack related to problems with a low-level
>network file system function in the Unix operating system. Across the
>country, tens of thousands of machines without appropriate software patches
>could be at risk.
>
>The essence of the attack is to give the vulnerable program a very long
>file name that includes computer instructions rather than a valid name.
>These instructions become a "grappling hook" to give the attacker a "root
>shell"--full interactive access with all access rights and no permission
>checking. The grappling hook must be tailored to specific machine types
>and operating systems.
>
>SDSC, PICS, and the San Diego Regional Info Watch (SDRIW) issued an
>advisory on the problem based on an analysis by SDSC and PICS researcher
>Andrew Gross. Information in the bulletin was produced by Gross, SDSC
>programmer/analyst Henry Ptasinski, and Tom Perrine, manager of SDSC's
>security technologies group.
>
>"This loophole was first reported to CERT [the national CERT
>Coordination
>Center] by Andrew Gross in January 1995, but at the time of CERT's
>original
>advisory, there had been no reports of anyone exploiting it," Perrine
>said.
>"The CERT and Gross both believed that the vulnerability could only be
>used
>to remove or create files, but the attacks we observed have
>contradicted
>those early assumptions."
>
>When the CERT Coordination Center released its original advisory in March,
>most UNIX vendors issued software patches that would eliminate the original
>loophole--and coincidentally the new vulnerability. The attack witnessed by
>the PICS team would only be successful on an unpatched system from a
>particular vendor, although they did see attack attempts on several
>different types of systems.
>
>The SDSC and PICS researchers detected the attack on these machines and
>reverse engineered the attack, showing that other UNIX operating system
>versions are vulnerable to similar, if not identical, attacks, with only a
>different grappling hook required.
>
>"There is no obvious way to determine if the attack was successful,
>other
>than system logs, tripwire databases, and cryptographic checksums of
>critical software," Perrine said. "If a system administrator hasn't
>added
>the system patches from the vendor, then chances are they haven't put
>these
>security measures in place either." The PICS advisory provides some
>clues
>that might be left behind, but careful attackers could cover their
>trails
>completely.
>
>The SDSC advisory is at
>http://www.sdsc.edu/Security/public_bulletins/96.03.rpc.statd. For more
>information on SDRIW, see http://www.sdriw.org; for information on PICS and
>the SDSC Security Technologies group, see http://www.sdsc.edu/Security. The
>CERT Coordination Center Web site is at http://www.cert.org and the
>original advisory is at
>ftp://ftp.cert.org/pub/cert_advisories/CA-96.09.rpc.statd
>
>SDSC, a national laboratory for computational science and engineering, is
>sponsored by NSF, other federal agencies, the State and University of
>California, and private organizations; is affiliated with the University of
>California, San Diego; and is administered by General Atomics. For more
>information, see http://www.sdsc.edu or contact Ann Redelfs, SDSC,
>redelfs@sdsc.edu, 619-534-5032.
>
>###
>