My apologies if this is really old news - I never saw it the first time
around. I guess one could always unplug one's shoe in a real emergency,
if one knew...

> -----BEGIN PGP SIGNED MESSAGE-----
>
> =============================================================================
> CERT(sm) Advisory CA-96.13
> July 9, 1996
>
> Topic: Vulnerability in the dip program
>
> - -----------------------------------------------------------------------------
>
> The CERT Coordination Center has received several reports of exploitations of
> a vulnerability in the dip program on Linux systems. The dip program is
> shipped with most versions of the Linux system; and versions up to and
> including version 3.3.7n are vulnerable. An exploitation script for Linux
> running on X86-based hardware is publicly available. Although exploitation
> scripts for other architectures and operating systems have not yet been found,
> we believe that they could be easily developed.
>
> The CERT Coordination Center recommends that you disable dip and re-enable it
> only after you have installed a new version. Section III below describes how
> to do that.
>
> As we receive additional information relating to this advisory, we
> will place it in
>
>         ftp://info.cert.org/pub/cert_advisories/CA-96.13.README
>
> We encourage you to check our README files regularly for updates on
> advisories that relate to your site.
>
> - -----------------------------------------------------------------------------
>
> I.   Description
>
>      dip is a freely available program that is included in most distributions
>      of Linux. It is possible to build it for and use it on other UNIX systems.
>
>      The dip program manages the connections needed for dial-up links such
>      as SLIP and PPP. It can handle both incoming and outgoing connections.
>      To gain access to resources it needs to establish these IP connections,
>      the dip program must be installed as set-user-id root.
>
>      A vulnerability in dip makes it possible to overflow an internal buffer
>      whose value is under the control of the user of the dip program. If this
>      buffer is overflowed with the appropriate data, a program such as a
>      shell can be started. This program then runs with root permissions on the
>      local machine.
>
>      Exploitation scripts for dip have been found running on Linux systems for
>      X86 hardware. Although exploitation scripts for other architectures
>      and operating systems have not yet been found, we believe that they could
>      be easily developed.
>
> II.  Impact
>
>      On a system that has dip installed as set-user-id root, anyone with
>      access to an account on that system can gain root access.
>
> III. Solution
>
>      Follow the steps in Section A to disable your currently installed version
>      of dip. Then, if you need the functionality that dip provides, follow the
>      steps given in Section B.
>
>      A. Disable the presently installed version of dip.
>         As root,
>                 chmod 0755 /usr/sbin/dip
>
>         By default, dip is installed in the /usr/sbin directory. Note that it
>         may be installed elsewhere on your system.
>
>
>      B. Install a new version of dip.
>         If you need the functionality that dip provides, retrieve and install
>         the following version of the source code for dip, which fixes this
>         vulnerability. dip is available from
>
>    ftp://sunsite.unc.edu/pub/Linux/system/Network/serial/dip/dip337o-uri.tgz
>    ftp://sunsite.unc.edu/pub/Linux/system/Network/serial/dip/dip337o-uri.tgz.sig
>
>         MD5 (dip337o-uri.tgz) = 45fc2a9abbcb3892648933cadf7ba090
>         SHash (dip337o-uri.tgz) = 6e3848b9b5f9d5b308bbac104eaf858be4dc51dc
>
> - ---------------------------------------------------------------------------
> The CERT Coordination Center staff thanks Uri Blumenthal for his solution to
> the problem and Linux for their support in the development of this advisory.
> - ---------------------------------------------------------------------------
>
> If you believe that your system has been compromised, contact the CERT
> Coordination Center or your representative in the Forum of Incident
> Response and Security Teams (FIRST).
>
> We strongly urge you to encrypt any sensitive information you send by email.
> The CERT Coordination Center can support a shared DES key and PGP. Contact
> the CERT staff for more information.
>
> Location of CERT PGP key
>          ftp://info.cert.org/pub/CERT_PGP.key
>
> CERT Contact Information
> - ------------------------
> Email    cert at cert.org
>
> Phone    +1 412-268-7090 (24-hour hotline)
>                 CERT personnel answer 8:30-5:00 p.m. EST
>                 (GMT-5)/EDT(GMT-4), and are on call for
>                 emergencies during other hours.
>
> Fax      +1 412-268-6989
>
> Postal address
>         CERT Coordination Center
>         Software Engineering Institute
>         Carnegie Mellon University
>         Pittsburgh PA 15213-3890
>         USA
>
> CERT publications, information about FIRST representatives, and other
> security-related information are available for anonymous FTP from
>         http://www.cert.org/
>         ftp://info.cert.org/pub/
>
> CERT advisories and bulletins are also posted on the USENET newsgroup
>         comp.security.announce
>
> To be added to our mailing list for CERT advisories and bulletins, send your
> email address to
>         cert-advisory-request at cert.org
>
>
> Copyright 1996 Carnegie Mellon University
> This material may be reproduced and distributed without permission provided
> it is used for noncommercial purposes and the copyright statement is
> included.
>
> CERT is a service mark of Carnegie Mellon University.
>
>
> This file: ftp://info.cert.org/pub/cert_advisories/CA-96.13.dip_vul
>            http://www.cert.org
>                click on "CERT Advisories"
>
>
> -----BEGIN PGP SIGNATURE-----
> Version: 2.6.2
>
> iQCVAwUBMeJzdXVP+x0t4w7BAQEJdAQAt0Y9zXDjpeuRYFI+vmceXpHL8QJPm1GL
> zArG5qhGx5+9hTioQCUiq/kl6uXMI0IAbfdwDG3I0wg5i7Jvi8PLYyDujpl8+gVT
> jzJFEQ/S9CjZ6LUxzo2Twg90urQrphFzwnY4L5DVEftKaoL1zCpg6i4SadC7vQUm
> n0HWkh7kV4M=
> =zcQN
> -----END PGP SIGNATURE-----
>

--
======================================================================
Chuck Young                     General Info: www.bbn.com
BBN Corporation                 Specific inquiries/requests:
Network Operations Center       ops at bbnplanet.com (24hr-email)
150 CambridgePark Drive         1.800.632.7638 (24hr-phone)
M/S 20/2d, Cambridge, MA 02140  1.617.873.6351 (24hr-fax)
======================================================================
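
The quoted advisory's Section III.A notes that dip "may be installed elsewhere on your system", so the single chmod on /usr/sbin/dip can miss a copy. The script below is an added example, not part of the original post or of the CERT advisory: it looks for set-user-id files named dip under the directories you pass it, applies the advisory's chmod 0755 to each, and re-scans to confirm the bit is gone. The function names and the list of directories to search are assumptions.

```shell
#!/bin/sh
# Added example (not from the advisory): audit for set-user-id copies of dip
# and apply the Section III.A workaround. Function names are hypothetical.

# Print every regular file named "dip" under the given directories that has
# the set-user-id bit (mode 4000) set. Add "-user root" to the find
# expression to report only root-owned copies.
find_setuid_dip() {
    for dir in "$@"; do
        [ -d "$dir" ] || continue
        find "$dir" -type f -name dip -perm -4000 -print 2>/dev/null
    done
}

# Apply the advisory's workaround (chmod 0755) to each copy found, then
# re-scan. Returns 0 only if no set-user-id copy of dip remains.
disable_setuid_dip() {
    find_setuid_dip "$@" | while IFS= read -r path; do
        echo "disabling: $(ls -ld "$path")"
        chmod 0755 "$path" || echo "chmod failed: $path" >&2
    done
    remaining=$(find_setuid_dip "$@")
    if [ -n "$remaining" ]; then
        echo "still set-user-id:" >&2
        echo "$remaining" >&2
        return 1
    fi
    return 0
}

# Run as root with the directories to search as arguments, for example:
#   sh disable_dip.sh /usr/sbin /sbin /usr/bin /usr/local
# /usr/sbin is the advisory's default location; the others are assumed
# alternatives. With no arguments the script only defines the functions.
if [ "$#" -gt 0 ]; then
    disable_setuid_dip "$@"
fi
```
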