[ advisories | exploits | discussions | news | conventions | security tools | texts & papers ]
 main menu
- feedback
- advertising
- privacy
- FightAIDS
- newsletter
- news
- read forum
- new topic
- search

- meetings list
- recent additions
- add your info
 top 100 sites
- visit top sites
- sign up now
- members

- add your url
- add domain
- search box
- link to us

- our projects
- free email
 m4d network
- security software
- secureroot
- m4d.com
Home : Advisories : Vulnerability in WorkMan

Title: Vulnerability in WorkMan
Released by: CERT
Date: 28th October 1996
Printable version: Click here

Hash: SHA1


CERT(*) Advisory CA-96.23

Original issue date: October 28, 1996

Last Revised: September 24, 1997

              Updated copyright statement

              A complete revision history is at the end of this file.

Topic: Vulnerability in WorkMan

- -----------------------------------------------------------------------------

                The original technical content for this advisory

                was published by the IBM-ERS response team and

                is used here with their permission.

There is a vulnerability in the WorkMan compact disc-playing program that

affects UNIX System V Release 4.0 and derivatives and Linux systems.

When the program is installed set-user-id root, it can be used to make any

file on the system world-writable.

To address this problem, you should remove the set-user-id bit from the


We will update this advisory as we receive additional information.

Please check advisory files regularly for updates that relate to your site.

- -----------------------------------------------------------------------------

I.   Description

WorkMan is a popular program used for playing audio compact disks on local

workstation CD-ROM drives that is widely available from many sites around the

Internet. Versions of WorkMan are also included with some operating system

distributions, such as Linux.

On systems where WorkMan was built and installed using the procedures that

are given in "Makefile.linux" or "Makefile.svr4" (in general, this means on

Linux systems and UNIX System V Release 4.0 systems), the WorkMan program

is installed set-user-id root. This means that when the program is run,

it will execute with super-user permissions.

In order to allow signals to be sent to it, WorkMan writes its process-id

to a file called /tmp/.wm_pid. The "-p" option to the program allows the

user to specify a different file name in which to record this information.

When a file is specified with "-p", WorkMan simply attempts to create and/or

truncate the file, and if this succeeds, WorkMan changes the permissions on

the file so that it is world-readable and world-writable.

In the general case, when WorkMan is installed without the set-user-id bit

set, the normal file access permissions provided by the operating system will

prevent users from creating or truncating files they are not authorized to

create or truncate.  However, when WorkMan is installed set-user-id root,

this process breaks down (because "root" is allowed to create/truncate any


WorkMan does not require the set-user-id bit to work; it is installed this

way only on systems that do not make the CD-ROM device file world-readable

by default.

Note: The vulnerability described by "r00t" on several mailing lists is not

      the same one that we describe in this advisory.

II.  Impact

A user with access to an account on the system can use the "-p" option to

create a file anywhere in the file system or to truncate any file in the file

system. The file specified with "-p" will be world-readable and world-writable

when WorkMan is finished.  This can enable the user to create accounts,

destroy log files, and perform other unauthorized actions.

III. Solution

1. Remove the set-user-id bit from the WorkMan program using a command

   such as

        chmod u-s /usr/local/bin/workman

2. Make the CD-ROM device world-readable using a command such as

        chmod +r /dev/cdrom

   On multi-user systems, Step 2 will allow any user to access the contents

   of the disc installed in the CD-ROM; this may not be desirable in all


The vulnerability described in this advisory is related to the WorkMan

program, not to the products of particular vendors. However, if a vendor sends

us advice for their users, we will put it in Appendix A.


Appendix A - Vendor Information

This appendix contains advice vendors wish to offer their users. Note that the

vulnerability described in this advisory is related to the WorkMan program,

not particular vendors' products.

Sun Microsystems, Inc.


        Sun does not recommend that workman and other utility programs

        be installed setuid root (or anything else) unless that step is

        absolutely necessary. Programs which were not designed with

        security in mind (and most non-setuid programs are not) are

        unlikely to have built-in allowances for abuse. The proper way to

        allow such programs to work is to install them as unprivileged,

        ordinary software, then modify device permissions as necessary

        to allow them to function.

        When an unprivileged users executes a recent version of the workman

        program on a properly configured Solaris 2.x system, a message

        similar to the following appears. (Ellipses added to save space.)

                As root, please run

                        chmod 666 /devices/iommu@0,...sd@6,0:c,raw

                to give yourself permission to access the CD-ROM device.

        That's pretty good advice. Of course, if you don't want to give

        every user access to the contents of a CD (which will sometimes

        be data or software, and sometimes music) such permissions are

        not appropriate.

- -----------------------------------------------------------------------------

The CERT Coordination Center thanks IBM-ERS for permission to reproduce the

technical content in their IBM Emergency Response Service Security

Vulnerability Alert ERS-SVA-E01-1996:005.1. These alerts are copyrighted 1996

International Business Machines Corporation.

- -----------------------------------------------------------------------------

If you believe that your system has been compromised, contact the CERT

Coordination Center or your representative in the Forum of Incident Response

and Security Teams (see http://info.cert.org/pub/FIRST/first-contacts).

CERT/CC Contact Information

- ----------------------------

Email    cert@cert.org

Phone    +1 412-268-7090 (24-hour hotline)

                CERT personnel answer 8:30-5:00 p.m. EST(GMT-5) / EDT(GMT-4)

                and are on call for emergencies during other hours.

Fax      +1 412-268-6989

Postal address

         CERT Coordination Center

         Software Engineering Institute

         Carnegie Mellon University

         Pittsburgh PA 15213-3890


Using encryption

   We strongly urge you to encrypt sensitive information sent by email. We can

   support a shared DES key or PGP. Contact the CERT/CC for more information.

   Location of CERT PGP key


Getting security information

   CERT publications and other security information are available from



   CERT advisories and bulletins are also posted on the USENET newsgroup


   To be added to our mailing list for advisories and bulletins, send your

   email address to


- ------------------------------------------------------------------------------

Copyright 1996 Carnegie Mellon University. Conditions for use, disclaimers,

and sponsorship information can be found in

http://www.cert.org/legal_stuff.html and http://ftp.cert.org/pub/legal_stuff .

If you do not have FTP or web access, send mail to cert@cert.org with

"copyright" in the subject line.

CERT is registered in the U.S. Patent and Trademark Office.

- ---------------------------------------------------------------------------

This file: http://info.cert.org/pub/cert_advisories/CA-96.23.workman_vul


               click on "CERT Advisories"


Revision history

Sep. 24, 1997  Updated copyright statement


Version: PGP for Personal Privacy 5.0

Charset: noconv





(C) 1999-2000 All rights reserved.