AOH :: HP Unsorted U :: BU-1193.HTM

DISA Unix SRR root compromise / CVE-2009-4211 / VU#433821



UPDATE: DISA Unix SRR root compromise / CVE-2009-4211 / VU#433821
UPDATE: DISA Unix SRR root compromise / CVE-2009-4211 / VU#433821



This is a multi-part message in MIME format.
--------------050306060807010605030903
Content-Type: text/plain; charset=windows-1252
Content-Transfer-Encoding: 7bit

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

After the issue in CVE-2009-4211 was made public, the Unix SRR script
was removed from http://iase.disa.mil/stigs/SRR/unix.html with a note 
saying:

?Due to a recently identified security issue, please do not run any
version of the UNIX SRR scripts until further notice.  The UNIX SRR
scripts will be corrected and posted as soon as possible. Please check
back at a later time for the updated scripts. Thanks for your
understanding and support.?

As of today, a new version dated December 7, 2009 is available for
download.  Unfortunately, although some changes were made, it is still
vulnerable to the issue described in CVE-2009-4211.

The CVE should be updated to reflect that the December, 2009 version is
also vulnerable.  The script should be re-evaluated to remove any
invocations of untrusted programs (especially any done as root).  Users
should continue to avoid running the Unix SRR script until a fixed
version is available.

Below is a walk-through:

#######################################################################
Script started on Tue Dec 08 23:35:31 2009

### Starting with a clean directory
Don't Panic! # ls -al
total 6
drwxr-xr-x   2 root     root           2 Dec  8 23:35 .
drwxrwxrwt   6 root     sys            7 Dec  8 23:28 ..

### Untar the new SRR script
Don't Panic! # tar xf ../UNIX_51-15Dec2009.tar

Don't Panic! # cd Script.December

### Verify the output directory is empty
Don't Panic! # ls -al /var/tmp/fcs/outdir
total 8
drwx------   2 root     root           2 Dec  8 23:00 .
drwxr-xr-x   4 fstuart  sysadmin      47 Dec  8 21:47 ..

### Verify my unprivileged, simulated malware is in place.  It will
### write a root-owned file in the /var/tmp/fcs/outdir if executed
### by root.
Don't Panic! # ls -dl /var/tmp/fcs/testdir/vncserver
- -rwxr-xr-x   1 nobody   nobody       174 Dec  8 23:28
/var/tmp/fcs/testdir/vncserver

### Start the SRR script
Don't Panic! # ./Start-SRR
[[ SRR output omitted ]]

### root-owned output file is created
Don't Panic! # ls -al /var/tmp/fcs/outdir/vncserver.out
- -rw-------   1 root     root         370 Dec  8 23:39
/var/tmp/fcs/outdir/vncserver.out

### Contents of file show how it was invoked
Don't Panic! # cat /var/tmp/fcs/outdir/vncserver.out
/var/tmp/fcs/testdir/vncserver -help
24749 zsched
  23773 ksh -o vi
    3664  script /tmp/script.out
      3665  script /tmp/script.out
        3666  sh -i
          3685  /bin/sh ./Start-SRR
            27701 sh /var/tmp/SRR/Script.December/Solaris/2006-T-0013
              27719 /bin/ksh /var/tmp/fcs/testdir/vncserver -help
                27722 ptree 27719

script done on Tue Dec 08 23:42:11 2009
#######################################################################

-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.3 (MingW32)
Comment: Using GnuPG with Mozilla - http://enigmail.mozdev.org/ 

iQEVAwUBSx9CiWKGA6cQSpZSAQKfrQf/TnDxgx4+4qK6XhGsoK6XMe9pTxqB+Z1v
jl8CxMLdxGihVjSJzRSEZFjx3qTOIyv6Lt58KLKp75yGGlqSESde8vSUBwoUqcl8
SM3PKPboXfETrxMeBCKwIL85DJKlZsQolgVEYtILlwUC5I2XCIGM/FoAskDEIjKZ
V0Jiv2mh5mWi/DlzF/81KURipcyPRuCYmr0qfsJjOYHZ/lbHxDCQKv7oCMij4iZv
IG3UQpO4IRMjapKdXYGAGBEaO14MfDoo928RLPBlRmlVvpPP+39gIb+SRJO/ix+o
gafMd7P9hDvG7NPWGyv6zSh4bBJvGfG5c72zknXxrg9e+rm41bsOrw==5/H4
-----END PGP SIGNATURE-----

--------------050306060807010605030903
Content-Type: text/x-vcard; charset=utf-8;
 name="fstuart.vcf"
Content-Transfer-Encoding: 7bit
Content-Disposition: attachment;
 filename="fstuart.vcf"

begin:vcard
fn:Frank Stuart
n:Stuart;Frank
org:F. Stuart Consulting, LLC
adr;dom:;;;Montgomery;AL
email;internet:fstuart@fstuart.com 
title:Owner, Senior Unix Consultant
tel;cell:703-599-7777
x-mozilla-html:TRUE
url:http://www.fstuart.com/ 
version:2.1
end:vcard


--------------050306060807010605030903--

The entire AOH site is optimized to look best in Firefox® 3 on a widescreen monitor (1440x900 or better).
Site design & layout copyright © 1986-2014 AOH
We do not send spam. If you have received spam bearing an artofhacking.com email address, please forward it with full headers to abuse@artofhacking.com.