CIAC Advisory number A-14
 ________________________________________________________________________
 THE COMPUTER INCIDENT ADVISORY CAPABILITY
 
 CIAC
 
 INFORMATION BULLETIN
 ________________________________________________________________________
 
 Additional information on the vulnerability in the UNIX DECODE alias
 
 January 23, 1990, 1130 PST                                 	Number A-14
 
 CIAC information bulletin A-13 described preliminary information about
 a vulnerability in some versions of the UNIX operating system.  This
 bulletin gives additional information and a procedure for patching
 this vulnerability.
 
 The UNIX operating system maintains a global mail aliases data base
 used by the "sendmail" program to re-route electronic mail.  This
 database file is contained in /usr/lib/aliases for most UNIX systems
 (with exceptions noted below).  One standard alias delivered with some
 versions of UNIX is "decode."  When mail is sent to "decode" at a UNIX
 host, the message is re-routed to the program "uudecode", which will
 translate a file that has been encoded with "uuencode".  There is a
 vulnerability associated with this default alias, and CIAC maintains
 that there is a strong possibility that this vulnerability has been or
 is currently being exploited.
 
 To determine if your UNIX system has this vulnerability, CIAC
 recommends the following procedure:
 
 1.	Find the global aliases file for your UNIX system.
 Traditionally this file is kept in /usr/lib/aliases, but for some
 systems such as SUN OS 4.X and ULTRIX 3.X systems it may be in
 /etc/aliases.  If you do not have either of these files, it is
 possible that you are not running the SENDMAIL program, and thus do
 not have this vulnerability.  The global aliases file will be referred
 to as <aliases> in the following steps.
 
 2.	Determine if the decode alias is present in your global
 aliases file.  To do this, execute the command "grep decode <aliases>".
 If this command results in nothing being displayed, your system does
 not have a decode alias, and probably does not have this
 vulnerability.  If you see a line such as
 'decode: "|/usr/bin/uudecode" ' or a similar line, proceed to step 3.
 
 3.	Become a super-user for your system if you are not already
 running as root.  Create a backup copy of the aliases file found in
 step 1, and edit this file.  Insert a "#" at the beginning of the line
 containing the decode alias.  The line should now read:
 '#decode: "|/usr/bin/uudecode" '.  Save the file and exit.
 
 4.	Ensure that the ownership and permissions of this aliases file
 are still set properly by executing the command "ls -l <aliases>".  The
 line should begin with "-rw-r--r--".  If this is not the case, run the
 command "chmod 644 <aliases>".
 
 5.	Once the aliases file has been altered, run the command
 "newaliases" so that the changed aliases file will take effect.  The
 vulnerability has now been closed.
 
 If you do not wish to disable the DECODE alias, you can redirect
 DECODE to postmaster.  In step 3 above, change the decode alias to
 "decode: postmaster".  Now mail to decode will be forwarded to
 postmaster, allowing the designated postmaster to manually uudecode
 the file if desired.  If neither of these solutions is appropriate for
 your system, you may call CIAC for additional alternatives.
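
 The five-step procedure and the postmaster alternative above, written
 as shell functions.  This is an added example, not part of the CIAC
 bulletin; the function names and the "postmaster" mode argument are
 assumptions of this sketch.

```shell
#!/bin/sh
# Added example, not CIAC's code. Function names and the "postmaster"
# mode argument are assumptions of this sketch.

# Step 1: print the first global aliases file that exists.
find_aliases() {
    for f in /usr/lib/aliases /etc/aliases; do
        if [ -f "$f" ]; then printf '%s\n' "$f"; return 0; fi
    done
    return 1    # neither file present: sendmail is probably not in use
}

# Step 2: true only for an active entry. Unlike a bare "grep decode", this
# ignores lines already commented out and names that merely contain "decode".
has_decode_alias() {
    grep -iq '^decode[[:space:]]*:' "$1"
}

# First ten characters of "ls -l" output, e.g. -rw-r--r--
perm_string() {
    ls -l "$1" | cut -c1-10
}

# Steps 3 and 4: back up, then comment out the alias (mode "disable") or
# point it at postmaster (mode "postmaster"), then set mode 644.
# Assumes the alias sits on one line with no continuation lines.
fix_decode_alias() {
    file=$1
    mode=${2:-disable}
    has_decode_alias "$file" || return 0          # nothing to change
    # Keep the first backup so a re-run never overwrites the original.
    [ -e "$file.bak" ] || cp -p "$file" "$file.bak" || return 1
    tmp=$(mktemp "$file.XXXXXX") || return 1
    if [ "$mode" = postmaster ]; then
        sed 's/^\([Dd][Ee][Cc][Oo][Dd][Ee]\)[[:space:]]*:.*/\1: postmaster/' "$file" > "$tmp"
    else
        sed 's/^\([Dd][Ee][Cc][Oo][Dd][Ee][[:space:]]*:\)/#\1/' "$file" > "$tmp"
    fi || { rm -f "$tmp"; return 1; }
    # Write back in place so the file keeps its owner and inode.
    cat "$tmp" > "$file" && rm -f "$tmp" || return 1
    chmod 644 "$file"
    [ "$(perm_string "$file")" = "-rw-r--r--" ]
}

# Step 5, as root on a sendmail host (rebuilds the alias database):
#   f=$(find_aliases) && fix_decode_alias "$f" && newaliases
```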
 
 If you have questions, please contact CIAC.
 
 Tom Longstaff
 (415) 423-4416 or (FTS) 543-4416
 FAX: (FTS) 543-0913 or (415) 294-5054
 
 CIAC's business hours phone number is (415) 422-8193 or (FTS) 532-8193.
 
 CIAC's 24-hour emergency hot-line number is (415) 971-9384
 
 or send e-mail to:  [email protected]
 
 Neither the United States Government nor the University of California
 nor any of their employees, makes any warranty, express or implied, or
 assumes any legal liability or responsibility for the accuracy,
 completeness, or usefulness of any information, product, or process
 disclosed, or represents that its use would not infringe privately
 owned rights.  Reference herein to any specific commercial products,
 process, or service by trade name, trademark, manufacturer, or
 otherwise, does not necessarily constitute or imply its endorsement,
 recommendation, or favoring by the United States Government or the
 University of California.  The views and opinions of authors expressed
 herein do not necessarily state or reflect those of the United States
 Government nor the University of California, and shall not be used for
 advertising or product endorsement purposes.
 