AUSCERT External Security Bulletin Redistribution

                     ESB-97.156 -- CERT Summary CS-97.06
                              4 December 1997


The CERT Coordination Centre has released the following summary describing
types of attacks that are currently being reported to them.  AUSCERT is
seeing similar trends within our constituency.  In particular, a large
number of successful attacks against IMAP continue to be reported.

        AUSCERT has released a number of additional advisories concerning
        vulnerabilities not contained in the summary below.  All of
        AUSCERT's advisories can be found at:


The following security bulletin is provided as a service to AUSCERT's
members.  As AUSCERT did not write this document, AUSCERT has had no
control over its content.  As such, the decision to use any or all of this
information is the responsibility of each user or organisation, and should
be done so in accordance with site policies and procedures.

NOTE: This is only the original release of the security bulletin.  It will
not be updated when the original bulletin is.  If downloading at a later
date, it is recommended that the bulletin is retrieved from the original
authors to ensure that the information is still current.

Contact information for CERT/CC is included in the Security Bulletin
below.  If you have any questions or need further information, please
contact them directly. 

Previous advisories and external security bulletins can be retrieved from:


If you believe that your system has been compromised, contact AUSCERT or your
representative in FIRST (Forum of Incident Response and Security Teams).

Internet Email: auscert@auscert.org.au
Telephone:      (07) 3365 4417 (International: +61 7 3365 4417)
                AUSCERT personnel answer during Queensland business hours
                which are GMT+10:00 (AEST).
                On call after hours for emergencies.
Facsimile:      (07) 3365 7031

--------------------------BEGIN INCLUDED TEXT--------------------


---------------------------------------------------------------------------
CERT* Summary CS-97.06 
December 1, 1997

The CERT Coordination Center periodically issues the CERT Summary to
draw attention to the types of attacks currently being reported to our
Incident Response Team. The summary includes pointers to sources of
information for dealing with the problems. We also list new or updated
files that are available for anonymous FTP from

Past CERT Summaries are available from
---------------------------------------------------------------------------

Recent Activity
---------------

Since the August CERT Summary, we have seen these continuing trends in
incidents reported to us.

1. Continuing IMAP Exploits

Although it's been mentioned in past CERT Summaries (CS-97.04, CS-97.05), we
continue to receive a significant stream of reports relating to IMAP
attacks. These reports show that intruders are launching large scale,
automated scans against many networks--identifying many potentially vulnerable

A successful IMAP attack gives the remote user (i.e., the intruder) root-level
access on the vulnerable host.

We cannot stress enough the importance for sites to check for the IMAP
vulnerability and take immediate action to address the problem. For more
information see the following:


 - If you have a host that has a vulnerable IMAP server installed by default
   as part of the OS version, but that is not using IMAP, you should
   investigate any connection to port 143 for signs of a root compromise.

 - If you have a host that is using a vulnerable version of the IMAP server,
   you should investigate connections that are from outside the network or the
   constituency of the network for signs of a root compromise.

        NOTE: If you discover that you have suffered a root compromise as a
        result of conditions like those described in the two previous
        paragraphs, we would like to know. We also encourage you to recover
        by taking the steps outlined in


 - If you are not running an IMAP server, connection attempts (internal or
   external) to port 143 are probably probes by an intruder; they could also
   be the result of a misconfiguration if the connection attempts originate
   from within your constituency.

 - If you are running a patched IMAP server, connections that are from outside
   your network or the constituency of the network are very likely to be
   probes by intruders.

        NOTE: If you have been probed (as described in the two previous
        paragraphs) and the attack was not successful, we would like to hear
        about that, too. We encourage you to contact the site from which the
        probe originated to alert them to the activity, in case the account
        used to launch the attack was compromised.

        Your reports will help us to continue to determine the scope of the
        problem and coordinate appropriate responses, although we may not be
        able to respond to each report individually.
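The four situations above, expressed as a triage routine over connection log lines. This is an added example, not code from CERT or AUSCERT: the log lines, the address ranges standing in for "your network or constituency" and the tcpd-style line format are constructed, and the verdict for an inside client connecting to a vulnerable server that is in use is this example's own assumption (the summary does not address that case).

```python
"""Triage of connection attempts to port 143 (IMAP), following the four
situations in the CERT summary.  Added example, not CERT/AUSCERT code.
Log lines, network ranges and the line format are constructed; adjust
LINE_RE to whatever your inetd, tcpd or imapd actually writes."""
import ipaddress
import re
from collections import Counter

# Constructed: address space that counts as the local constituency.
CONSTITUENCY = [ipaddress.ip_network("192.0.2.0/24"),
                ipaddress.ip_network("198.51.100.0/24")]

# Constructed sample log in tcpd/syslog style.  Not from any real host.
SAMPLE_LOG = """\
Dec  1 03:14:07 mailhost imapd[2231]: connect from 203.0.113.45
Dec  1 03:14:09 mailhost imapd[2232]: connect from 203.0.113.45
Dec  1 03:14:11 mailhost imapd[2233]: connect from 203.0.113.45
Dec  1 09:02:41 mailhost imapd[2410]: connect from 192.0.2.77
Dec  1 09:05:10 mailhost in.telnetd[2411]: connect from 203.0.113.9
Dec  1 11:30:00 mailhost imapd[2500]: refused connect from 198.51.100.3
"""

LINE_RE = re.compile(
    r"^(?P<ts>\w{3}\s+\d+ \d\d:\d\d:\d\d) (?P<host>\S+) (?P<svc>[\w.]+)\[\d+\]: "
    r"(?:refused )?connect from (?P<src>\d+\.\d+\.\d+\.\d+)$")

# State of the IMAP service on the host whose log is being reviewed.
HOST_STATES = ("not_running", "vulnerable_unused", "vulnerable_in_use", "patched")


def is_inside(src):
    addr = ipaddress.ip_address(src)
    return any(addr in net for net in CONSTITUENCY)


def classify(src, host_state):
    """Verdict the summary gives for one connection (or attempt) to port 143."""
    if host_state not in HOST_STATES:
        raise ValueError(host_state)
    inside = is_inside(src)
    if host_state == "vulnerable_unused":
        # Daemon shipped with the OS and listening, but nobody uses it:
        # every connection is suspect, wherever it came from.
        return "investigate for root compromise"
    if host_state == "vulnerable_in_use":
        if not inside:
            return "investigate for root compromise"
        # Assumption (not in the summary): an inside client of a server that
        # is in use is expected traffic unless it is not a known mail user.
        return "expected use; confirm the client is a known mail user"
    if host_state == "not_running":
        # Nothing listens, so the attempt itself is the signal.
        return "probe or internal misconfiguration" if inside else "probe"
    # patched: outside connections are very likely probes, inside ones normal.
    return "expected use" if inside else "probe"


def triage(log_text, host_state):
    """Attach a verdict to every imapd connect line; other services are skipped.
    Returns the verdicts in log order and a per-source count, so a burst
    from one address (an automated scan) stands out."""
    verdicts = []
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if not m or m.group("svc") != "imapd":
            continue
        src = m.group("src")
        verdicts.append((src, classify(src, host_state)))
    return verdicts, Counter(src for src, _ in verdicts)


if __name__ == "__main__":
    for state in HOST_STATES:
        print(f"== host state: {state}")
        found, counts = triage(SAMPLE_LOG, state)
        for src, verdict in found:
            print(f"  {src:16} x{counts[src]}  {verdict}")
```

Refused connections (the last sample line) are kept on purpose: a tcpd refusal still records an attempt, which is exactly what the "not running" and "patched" cases ask you to notice.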

2. Root Compromises

In addition to the compromises occurring as a result of the above activity, we
also continue to receive daily reports of sites that have suffered a root
compromise. Many of these compromises can be traced to systems that are
unpatched or misconfigured, which the intruders exploit using well-known
vulnerabilities for which CERT advisories have been published.

We encourage you to check for signs of compromise. The following documents can
help you review your systems:

Intruder Detection Checklist

        This document outlines suggested steps for determining if your system
        has been compromised.


Steps for Recovering from a UNIX Root Compromise

        This document sets out suggested steps for responding to a root


UNIX Configuration Guidelines

        This document describes common UNIX system configuration problems that
        have been exploited by intruders and recommends practices that can be
        used to help deter several types of break-ins.


List of Security Tools

        This document describes tools that can be used to help secure a system
        and deter break-ins.


3. CGI Scripts

We continue to receive reports concerning exploitation of vulnerable cgi-bin
scripts. As mentioned in recent CERT documents, the cause of the problem is
not the language the script is written in (such as Perl or C), but how the
script is written: user-supplied data reaches a shell or another program
without being checked.

The CERT/CC team urges you to check all CGI scripts that are available via the
World Wide Web services at your site and ensure that they sanitize
user-supplied data. For more information, please see


These CERT advisories discuss vulnerabilities relating to cgi-bin topics:
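
The point about checking user-supplied data, as an added example rather than CERT code. The mail-form scenario, the sendmail path and the field value are assumptions made for illustration; the approach shown (an allow-list of characters, and no shell between the script and the program it runs) is the one the cgi_metacharacters note listed below recommends, set beside the deny-list approach it warns against.

```python
"""Sanitising a form field before it reaches a shell.  Added example, not
CERT code.  The mail-form scenario and SENDMAIL path are assumptions."""
import re
import subprocess

SENDMAIL = "/usr/lib/sendmail"   # assumed path


def vulnerable_command_line(address):
    """The 'before': the address typed into a web form is pasted into a
    command line that /bin/sh will parse.  Returned, not executed, so the
    injection is visible without running anything.  With
    address = "me@example.com; rm -rf /" the shell sees two commands."""
    return f"{SENDMAIL} -t {address}"


DENY = ";|&<>"


def strip_denylist(address):
    """A deny-list that strips a few obvious characters.  It still passes
    backquotes, $(...), newlines and a leading '-' that sendmail reads as an
    option, which is why the CERT note prefers an allow-list."""
    return "".join(c for c in address if c not in DENY)


# Allow-list: state what is permitted and reject everything else.  The first
# character may not be '-', so the value can never be taken as a flag.
ALLOWED = re.compile(r"^[A-Za-z0-9_][A-Za-z0-9_.@+\-]{0,253}$")


def is_allowed(address):
    return ALLOWED.match(address) is not None


def safe_argv(address):
    """Argument vector for the mailer.  Raises on anything outside the allow-list."""
    if not is_allowed(address):
        raise ValueError("rejected: characters outside the allow-list")
    return [SENDMAIL, "-t", address]


def send(address, body):
    """Run the mailer with an argv list and no shell, so the address is a
    single argument and is never re-parsed for metacharacters."""
    return subprocess.run(safe_argv(address), input=body.encode(), check=True)


if __name__ == "__main__":
    hostile = "me@example.com; rm -rf /"
    print("shell would run :", vulnerable_command_line(hostile))
    print("deny-list leaves:", strip_denylist("me$(id)@example.com"))
    print("allow-list says :", is_allowed(hostile), is_allowed("me@example.com"))
```

The same two rules apply to anything else a CGI program passes on: file names, arguments to grep or finger, addresses handed to sendmail. Decide what characters are legitimate for that field, refuse the rest, and call the program with an argument vector rather than a command line.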


4. Relaying of Spam Email through Victim Sites

For quite some time, the CERT Coordination Center has received reports of
email spam being relayed through other sites. These reports are becoming more
frequent as more spammers learn to disguise their activities by relaying their
mail through unsuspecting sites (sites running older versions of sendmail,
with poor logging and no anti-spam features).

Since the default configuration of sendmail 8.8.8 (and prior releases) allows
spam to be relayed, we encourage you to review your mail configuration and
evaluate your exposure to this type of abuse. With a default sendmail
configuration, no authentication is required for remote hosts (including
people sending spam mail) to connect to your mail server for the purpose of
relaying mail.

There are features in sendmail version 8.8 that will prevent your host from
being misused as a relay gateway. A document titled "Anti-Spam Provisions in
sendmail 8.8", provided by the author of sendmail (Eric Allman), describes the
modifications to the sendmail.cf file. It is available at


These modifications to the sendmail.cf file will help prevent a variety of
email spamming and bombing attacks.
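The relay decision described above, with the open default beside the closed policy. This is an added example, not sendmail's code and not the sendmail.cf rulesets from Eric Allman's document: it restates the policy in Python so it can be read and tested. The local domains, the networks, the host names and the SMTP exchange are constructed, and the handling of source-routed, percent and bang addresses is this example's own assumption about what counts as a relay request.

```python
"""RCPT TO relay policy: the open default of sendmail 8.8.8 and earlier
beside a closed policy.  Added example, not sendmail code; domains,
networks and the exchange are constructed."""
import ipaddress

LOCAL_DOMAINS = {"example.org", "mail.example.org"}     # constructed
LOCAL_NETS = [ipaddress.ip_network("192.0.2.0/24")]     # constructed


def open_relay_decision(client_ip, mail_from, rcpt_to):
    """Default behaviour: no authentication, any client may relay to anyone."""
    return 250, "Recipient ok"


def relay_allowed(client_ip, mail_from, rcpt_to):
    """Closed policy: accept if the recipient is ours or the client is ours.
    mail_from is deliberately ignored: it is unauthenticated and trivially
    forged, so it cannot be the basis for a relaying decision."""
    rcpt = rcpt_to.strip("<>").lower()
    local_part, _, domain = rcpt.rpartition("@")
    if rcpt.startswith("@") or "%" in local_part or "!" in local_part:
        # "@hop:user@dest", "user%dest@us" and "dest!user@us" name a further
        # hop: the real destination is not the domain after the last '@'.
        # Assumption: treat every such form as a relay request.
        return False
    if domain in LOCAL_DOMAINS:
        return True            # mail for our own users: always accept
    if any(ipaddress.ip_address(client_ip) in net for net in LOCAL_NETS):
        return True            # our own users sending outwards
    return False               # third party to third party: that is spam relay


def closed_relay_decision(client_ip, mail_from, rcpt_to):
    if relay_allowed(client_ip, mail_from, rcpt_to):
        return 250, "Recipient ok"
    return 550, "Relaying denied"


def smtp_exchange(decide, client_ip, mail_from, rcpt_to):
    """Constructed transcript of the envelope phase, server driven by `decide`."""
    code, text = decide(client_ip, mail_from, rcpt_to)
    return [
        ("S", "220 mail.example.org ESMTP"),
        ("C", "HELO relay-abuser.example.net"),      # constructed
        ("S", "250 mail.example.org Hello"),
        ("C", f"MAIL FROM:<{mail_from}>"),
        ("S", "250 Sender ok"),
        ("C", f"RCPT TO:<{rcpt_to}>"),
        ("S", f"{code} <{rcpt_to}>... {text}"),
    ]


if __name__ == "__main__":
    for name, decide in (("open", open_relay_decision), ("closed", closed_relay_decision)):
        print(f"== {name} relay, outside client, outside recipient")
        for side, line in smtp_exchange(decide, "203.0.113.5",
                                        "spam@example.net", "victim@example.com"):
            print(f"  {side}: {line}")
```

To test a real server, reproduce the client half of that exchange against port 25 from an address outside your network, with both envelope addresses outside your domains: a 250 to the RCPT TO means the host will relay for anyone.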

What's New in the CERT FTP Archive
----------------------------------
We have made the following changes since the last CERT Summary (August 26,

* New Additions


    CA-97.23.rdist                              Discusses a buffer overflow
                                                problem in rdist. This is a
                                                different vulnerability from
                                                the one described in CA-96.14.

    CA-97.24.Count_cgi                          Describes a buffer overrun
                                                vulnerability in the Count.cgi
                                                cgi-bin program. This
                                                vulnerability allows intruders
                                                to force Count.cgi to execute
                                                arbitrary commands.

    CA-97.25.CGI_metachar                       Reports a vulnerability that
                                                exists in some CGI scripts and
                                                allows an attacker to execute
                                                arbitrary commands on a WWW
                                                server under the effective
                                                user-id of the server process.


    VB-97.07.sgi                                A Silicon Graphics
                                                Inc. Security Advisory
                                                addressing vulnerabilities in
                                                the IRIX webdist.cgi, handler,
                                                and wrap programs, part of the
                                                Outbox subsystem

    VB-97.08.transarc                           Information from Transarc
                                                Corp. about a vulnerability in
                                                Transarc DCE Integrated login
                                                for sites running both AFS and

    VB-97.09.cisco                              Information from Cisco Systems
                                                about vulnerabilities in CHAP

    VB-97.10.samba                              Information from the Samba
                                                Team about a vulnerability
                                                that allows remote users to
                                                obtain root access on the
                                                Samba server

    VB-97.11.nec                                Details about a problem with
                                                the "nosuid" mount(1)

    VB-97.12.opengroup                          Information about a potential
                                                problem in the OSF/DCE
                                                security server that could
                                                allow for a denial of service

    VB-97.13.GlimpseHTTP.WebGlimpse             Information about a
                                                vulnerability that may allow
                                                intruders to execute arbitrary
                                                commands with the privileges
                                                of the httpd process

    VB-97.14.scoterm                            Information from the Santa
                                                Cruz Operation about a
                                                vulnerability in the
                                                implementation of scoterm that
                                                could allow unprivileged users
                                                to gain unauthorized root
                                                access to the system


    rdist                                       Pointer to rdist 6.1.3

    sendmail                                    Pointer to sendmail 8.8.8


    cgi_metacharacters                          Discusses how to remove meta
                                                characters from user-supplied
                                                data in CGI scripts


    rdist/                                      Added rdist 6.1.3

    sendmail/                                   Added sendmail 8.8.8

* Updated Files


    CA-93:19.Solaris.Startup.vulnerability      Updates - Added Sun
                                                Microsystems, Inc. patch

    CA-95:14.Telnetd_Environment_Vulnerability  Updated information for
                                                Sun Microsystems, Inc.

    CA-95:17.rpc.ypupdated.vul                  Updated information for
                                                Sun Microsystems, Inc.

    CA-96.08.pcnfsd                             Updated information for
                                                IBM Corporation

    CA-96.10.nis+_configuration                 Updates - Added
                                                information for Sun
                                                Microsystems, Inc.

    CA-96.15.Solaris_KCMS_vul                   Updates - Added
                                                information for Sun
                                                Microsystems, Inc.

    CA-96.16.Solaris_admintool_vul              Updates - Added
                                                information for Sun
                                                Microsystems, Inc.

    CA-96.17.Solaris_vold_vul                   Updates - Added
                                                information for Sun
                                                Microsystems, Inc.

    CA-96.20.sendmail_vul                       Updated information
                                                from Sun Microsystems, Inc.

    CA-96.25.sendmail_groups                    Updated information
                                                from Sun Microsystems, Inc.

    CA-96.26.ping                               Updated information
                                                from Sun Microsystems, Inc.

    CA-97.06.rlogin-term                        Updated information
                                                from Sun Microsystems, Inc.;
                                                added information from Data
                                                General Corporation

    CA-97.09.imap_pop                           Section III.A and Appendix A -
                                                added information for
                                                IBM Corporation

    CA-97.11.libXt                              Appendix A - updated
                                                information for Sun
                                                Microsystems, Inc.

    CA-97.14.metamail                           Updated information for
                                                Red Hat

    CA-97.15.sgi_login                          Updated information from
                                                Silicon Graphics, Inc.

    CA-97.16.ftpd                               Added information for NCR

    CA-97.18.at                                 Added information for NCR

    CA-97.20.javascript                         Appendix A - updated
                                                Netscape's URLs

    CA-97.21.sgi_buffer_overflow                Updates Section - updated
                                                information for Silicon
                                                Graphics, Inc.

    CA-97.22.bind                               Appendix A - Added information
                                                for BSDI

    CA-97.23.rdist                              Appendix A - added information
                                                for OpenBSD and Silicon
                                                Graphics, Inc., Caldera, and


    CS-97.05                                    Corrected BIND version number

A New Look on the CERT Web Site
------------------------------
If you haven't visited our Web site (http://www.cert.org) since November 10,
check it out. We have a new look and some new documents. We've tried to
organize things so that it's easier for you to find the information you
need. Some highlights include

CERT incident and vulnerability statistics

CERT annual reports for 1994, 1995, and 1996

Security Improvement Modules

An Analysis of Security Incidents on the Internet 1989-1995

Report to the President's Commission on Critical Infrastructure Protection

Links to other sources of advisories and Internet security information

---------------------------------------------------------------------------
How to Contact the CERT Coordination Center

Email    cert@cert.org

Phone    +1 412-268-7090 (24-hour hotline)
                CERT personnel answer 8:30-5:00 p.m. EST
                (GMT-5)/EDT(GMT-4), and are on call for
                emergencies during other hours.

Fax      +1 412-268-6989

Postal address
        CERT Coordination Center
        Software Engineering Institute
        Carnegie Mellon University
        Pittsburgh PA 15213-3890

To be added to our mailing list for CERT advisories and bulletins, send your
email address to
In the subject line, type
        SUBSCRIBE your-email-address

CERT advisories and bulletins are posted on the USENET news group

CERT publications, information about FIRST representatives, and other
security-related information are available for anonymous FTP from

If you wish to send sensitive incident or vulnerability information to CERT
staff by electronic mail, we strongly advise you to encrypt your message.
We can support a shared DES key or PGP. Contact the CERT staff for more

Location of CERT PGP key

---------------------------------------------------------------------------

Copyright 1997 Carnegie Mellon University. Conditions for use, disclaimers,
and sponsorship information can be found in
http://www.cert.org/legal_stuff.html and ftp://ftp.cert.org/pub/legal_stuff .
If you do not have FTP or web access, send mail to cert@cert.org with
"copyright" in the subject line.

* CERT is registered in the U.S. Patent and Trademark Office.



--------------------------END INCLUDED TEXT--------------------

AUSCERT PGP key: ftp://ftp.auscert.org.au/pub/auscert/AUSCERT_PGP.key