FW: SDSC Researchers Detect Security Loophole Exploited "in the Wild" (fwd)

Dan Kohn (dan@teledesic.com)
Fri, 8 Nov 1996 17:48:40 -0800

>From: kc[SMTP:kc@nlanr.net]
>Sent: Friday, November 08, 1996 5:39 PM
>To: nlanr@nlanr.net
>Subject: SDSC Researchers Detect Security Loophole Exploited "in the
>Wild" (fwd)
>Forwarded message:
>From list-relay@UCSD.EDU Fri Nov 8 13:36:17 1996
>Date: Fri, 8 Nov 1996 13:32:53 -0800
>X-Sender: redelfs@pop.sdsc.edu
>Message-Id: <v02120d0baea637cde854@[]>
>Mime-Version: 1.0
>Content-Type: text/plain; charset="us-ascii"
>To: (SDSC.releases)
>From: redelfs@SDSC.EDU (Ann Redelfs)
>Subject: SDSC Researchers Detect Security Loophole Exploited "in the
>Cc: redelfs@SDSC.EDU
>For Immediate Release
>November 8, 1996
>SDSC Researchers Detect Security Loophole Exploited "in the Wild"
>For more information, contact:
>Ann Redelfs, SDSC
>619-534-5032/5113 (fax)
>San Diego, CA -- Researchers at the San Diego Supercomputer Center
>and the Pacific Institute of Computer Security (PICS) have detected "in the
>wild" and analyzed an automated attack related to problems with a
>network file system function in the Unix operating system. Across the
>country, tens of thousands of machines without appropriate software
>could be at risk.
>The essence of the attack is to give the vulnerable program a very long
>file name that includes computer instructions rather than a valid name.
>These instructions become a "grappling hook" to give the attacker a
>shell"--full interactive access with all access rights and no
>checking. The grappling hook must be tailored to specific machine types
>operating systems.
>SDSC, PICS, and the San Diego Regional Info Watch (SDRIW) issued an
>advisory on the problem based on an analysis by SDSC and PICS
>Andrew Gross. Information in the bulletin was produced by Gross, SDSC
>programmer/analyst Henry Ptasinski, and Tom Perrine, manager of SDSC's
>security technologies group.
>"This loophole was first reported to CERT [the national CERT
>Center] by Andrew Gross in January 1995, but at the time of CERT's
>advisory, there had been no reports of anyone exploiting it," Perrine
>"The CERT and Gross both believed that the vulnerability could only be
>to remove or create files, but the attacks we observed have
>those early assumptions."
>When the CERT Coordination Center released its original advisory in
>most UNIX vendors issued software patches that would eliminate the
>loophole--and coincidentally the new vulnerability. The attack witnessed by
>the PICS team would only be successful on an unpatched system from a
>particular vendor, although they did see attack attempts on several
>different types of systems.
>The SDSC and PICS researchers detected the attack on these machines and
>reverse engineered the attack, showing that other UNIX operating system
>versions are vulnerable to similar, if not identical, attacks, with only a
>different grappling hook required.
>"There is no obvious way to determine if the attack was successful,
>than system logs, tripwire databases, and cryptographic checksums of
>critical software," Perrine said. "If a system administrator hasn't
>the system patches from the vendor, then chances are they haven't put
>security measures in place either." The PICS advisory provides some
>that might be left behind, but careful attackers could cover their
>The SDSC advisory is at
>http://www.sdsc.edu/Security/public_bulletins/96.03.rpc.statd. For more
>information on SDRIW, see http://www.sdriw.org; for information on PICS
>the SDSC Security Technologies group, see http://www.sdsc.edu/Security.
>CERT Coordination Center Web site is at http://www.cert.org and the
>original advisory is at
>SDSC, a national laboratory for computational science and engineering,
>sponsored by NSF, other federal agencies, the State and University of
>California, and private organizations; is affiliated with the University of
>California, San Diego; and is administered by General Atomics. For more
>information, see http://www.sdsc.edu or contact Ann Redelfs, SDSC,
>redelfs@sdsc.edu, 619-534-5032.