Advisories : DEC Ultrix Vulnerability

main menu

- feedback
- advertising
- privacy
- FightAIDS
- newsletter
- news

discussions

- read forum
- new topic
- search

meetings

- meetings list
- recent additions
- add your info

top 100 sites

- visit top sites
- sign up now
- members

webmasters

- add your url
- add domain
- search box
- link to us

projects

- our projects
- free email

m4d network

- security software
- secureroot
- m4d.com

Home : Advisories : DEC Ultrix Vulnerability - /usr/bin/chroot

Title:	DEC Ultrix Vulnerability - /usr/bin/chroot
Released by:	CERT
Date:	1st May 1991
Printable version:	Click here

-----BEGIN PGP SIGNED MESSAGE-----

Hash: SHA1



CA-91:05

Last Revised:  September 18,1997

                Attached copyright statement



                                CERT Advisory

                                 May 1, 1991

                           DEC Ultrix Vulnerability



- ---------------------------------------------------------------------------



The Computer Emergency Response Team/Coordination Center (CERT/CC) has

received information concerning a vulnerability in Digital Equipment 

Corporation's (DEC) Ultrix operating system versions 4.0 and 4.1 for all

DEC architectures.  The vulnerability has been fixed in version 4.2 which 

will be shipped beginning in late May.  DEC has also provided a suggested 

fix for versions 4.0 and 4.1.

  

- ---------------------------------------------------------------------------

I.   DESCRIPTION:

     By default, /usr/bin/chroot is improperly installed in Ultrix 

     versions 4.0 and 4.1.

     

II.  IMPACT:

     System users can gain unauthorized privileges.



III. SOLUTION:

     Change the permission on the file /usr/bin/chroot.



     # chmod 700 /usr/bin/chroot    



- ---------------------------------------------------------------------------

Our thanks to Eric R. Jorgensen and Brian Ellis of UnixOps / Distributed 

Computing Services at the University of Colorado, Boulder, for bringing this 

problem to our attention.  The CERT/CC would also like to thank Digital for 

their response to this vulnerability.

- ---------------------------------------------------------------------------



If you believe that your system has been compromised, contact CERT/CC via

telephone or e-mail.



Computer Emergency Response Team/Coordination Center (CERT/CC)

Software Engineering Institute

Carnegie Mellon University

Pittsburgh, PA 15213-3890



Internet E-mail: cert@cert.org

Telephone: 412-268-7090 24-hour hotline:

           CERT/CC personnel answer 7:30a.m.-6:00p.m. EST,

           on call for emergencies during other hours.



Past advisories and other computer security related information are available

for anonymous ftp from the cert.org (192.88.209.5) system.



- ---------------------------------------------------------------------------



Copyright 1991 Carnegie Mellon University. Conditions for use, disclaimers,

and sponsorship information can be found in

http://www.cert.org/legal_stuff.html and http://ftp.cert.org/pub/legal_stuff .

If you do not have FTP or web access, send mail to cert@cert.org with

"copyright" in the subject line.



CERT is registered in the U.S. Patent and Trademark Office.



~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~



Revision History



September 18,1997  Attached Copyright Statement



-----BEGIN PGP SIGNATURE-----

Version: PGP for Personal Privacy 5.0

Charset: noconv



iQA/AwUBOBS8/lr9kb5qlZHQEQIm0ACgvMEs+ADFJoJGBQn5Wzy2lU4d98YAnA+5

GcTGR1siW6Bk6dSfn6HdMYv4

=l5Z9

-----END PGP SIGNATURE-----