ID4 virus, Alien/OS Vulnerability

CobraBoy (tbyars@earthlink.net)
Sat, 6 Jul 1996 15:36:47 -0700


CERT(sm) Advisory CA-96.13
July 4, 1996

Topic: ID4 virus, Alien/OS Vulnerability

- -----------------------------------------------------------------------------

The CERT Coordination Center has received reports of weaknesses in
Alien/OS that can allow species with primitive information sciences
technology to initiate denial-of-service attacks against MotherShip(tm)
hosts. One report of exploitation of this bug has been received.

When attempting takeover of planets inhabited by such races, a trojan
horse attack is possible that permits local access to the MotherShip
host, enabling the implantation of executable code with full root access
to mission-critical security features of the operating system.

The vulnerability exists in versions of EvilAliens' Alien/OS 34762.12.1
or later, and all versions of Microsoft's Windows/95. CERT advises
against initiating further planet takeover actions until patches
are available from these vendors. If planet takeover is absolutely
necessary, CERT advises that affected sites apply the workarounds as
specified below.

As we receive additional information relating to this advisory, we will
place it in

ftp://info.cert.org/pub/cert_advisories/CA-96.13.README

We encourage you to check our README files regularly for updates on
advisories that relate to your site.

- -----------------------------------------------------------------------------

I. Description

Alien/OS contains a security vulnerability, which strangely enough
can be exploited by a primitive race running Mac OS 7.5.3/~Aaron.
Although
Alien/OS has been extensively field tested over millions of years by
EvilAliens, Inc., the bug was only recently discovered during a
routine invasion of a backwater planet. EvilAliens notes that
the operating system had never before been tested against a race
with "such a kick-ass president."

The vulnerability allows the insertion of executable code with
root access to key security features of the operating system. In
particular, such code can disable the NiftyGreenShield (tm)
subsystem, allowing child processes to be terminated by unauthorized
users.

Additionally, Alien/OS networking protocols can provide a
low-bandwidth covert timing channel to a determined attacker.

II. Impact

Non-privileged primitive users can cause the total destruction of
your entire invasion fleet and gain unauthorized access to
files.

III. Solution

EvilAliens has supplied a workaround and a patch, as follows:

A. Workaround

To prevent unauthorized insertion of executables, install a
firewall to selectively vaporize incoming packets that do not
contain valid aliens. Also, disable the "Java" option in
Netscape.

To eliminate the covert timing channel, remove untrusted
hosts from routing tables. As tempting as it is, do not use
target species' own satellites against them.

B. Patch

As root, install the "evil" package from the distribution tape.

(Optionally) save a copy of the existing /usr/bin/sendmail and
modify its permission to prevent misuse.

--

-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=- I beat up your honor student ...bumper sticker seen in Huntingtion Beach, CA -=-=-=-=-=-=-= -=-=-=-=-=-=-=-=- "Yeah, I broke the 4 line rule, and I'm proud of it." -=-=-=-=-=-=-=-=-=-=-=- tbyars@earthlink.net