1996 Fools: CERT Advisory CA-96.13 - Alien/OS Vulnerability

From cert-advisory-request@cert.org Fri Jul  5 18:34:35 EDT 1996
Article: 145 of comp.security.announce
Path: ai-lab!bloom-beacon.mit.edu!gatech!ncar!imci4
      !newsfeed.internetmci.com!usenet.eel.ufl.edu
      !warwick!news.herts.ac.uk!usenet
From: CERT Bulletin <cert-advisory@cert.org>
Newsgroups: comp.security.announce,rec.humor
Subject: CERT Advisory CA-96.13 - Alien/OS Vulnerability
Date: 4 July 1996 20:52:15 GMT
Organization: CERT(sm) Coordination Center -  +1 412-268-7090
Lines: 138
Approved: cert-advisory@cert.org
Distribution: world
Message-ID: <4rjri1$86s@helios.herts.ac.uk>
Reply-To: cert-advisory-request@cert.org
NNTP-Posting-Host: 128.252.173.198
Keywords: security CERT
Originator: cert-advisory@cert.org
Originator: cert-advisory@why.cert.org
Xref: ai-lab comp.security.announce:145 rec.humor:192553

=============================================================================
CERT(sm) Advisory CA-96.13
July 4, 1996

Topic: ID4 virus, Alien/OS Vulnerability

- -----------------------------------------------------------------------------

The CERT Coordination Center has received reports of weaknesses in
Alien/OS that can allow species with primitive information sciences
technology to initiate denial-of-service attacks against MotherShip(tm)
hosts.  One report of exploitation of this bug has been received.

When attempting takeover of planets inhabited by such races, a trojan
horse attack is possible that permits local access to the MotherShip
host, enabling the implantation of executable code with full root access
to mission-critical security features of the operating system.

The vulnerability exists in versions of EvilAliens' Alien/OS 34762.12.1
or later, and all versions of Microsoft's Windows/95.  CERT advises
against initiating further planet takeover actions until patches
are available from these vendors.  If planet takeover is absolutely
necessary, CERT advises that affected sites apply the workarounds as
specified below.

As we receive additional information relating to this advisory, we will
place it in

        ftp://info.cert.org/pub/cert_advisories/CA-96.13.README

We encourage you to check our README files regularly for updates on
advisories that relate to your site.

- -----------------------------------------------------------------------------

I.    Description

      Alien/OS contains a security vulnerability, which strangely enough
      can be exploited by a primitive race running Windows/95.  Although
      Alien/OS has been extensively field tested over millions of years by
      EvilAliens, Inc., the bug was only recently discovered during a
      routine invasion of a backwater planet.  EvilAliens notes that
      the operating system had never before been tested against a race
      with "such a kick-ass president."

      The vulnerability allows the insertion of executable code with
      root access to key security features of the operating system.  In
      particular, such code can disable the NiftyGreenShield (tm)
      subsystem, allowing child processes to be terminated by unauthorized
      users.

      Additionally, Alien/OS networking protocols can provide a
      low-bandwidth covert timing channel to a determined attacker.


II.   Impact

      Non-privileged primitive users can cause the total destruction of
      your entire invasion fleet and gain unauthorized access to
      files.


III.  Solution

      EvilAliens has supplied a workaround and a patch, as follows:

      A. Workaround

         To prevent unauthorized insertion of executables, install a
         firewall to selectively vaporize incoming packets that do not
         contain valid aliens.  Also, disable the "Java" option in
         Netscape.

         To eliminate the covert timing channel, remove untrusted
         hosts from routing tables.  As tempting as it is, do not use
         target species' own satellites against them.


      B. Patch

         As root, install the "evil" package from the distribution tape.

         (Optionally) save a copy of the existing /usr/bin/sendmail and
         modify its permission to prevent misuse.


- ---------------------------------------------------------------------------
The CERT Coordination Center thanks Jeff Goldblum and Fjkxdtssss for
providing information for this advisory.
- ---------------------------------------------------------------------------

If you believe that your system has been compromised, contact the CERT
Coordination Center or your representative in the Forum of Incident
Response and Security Teams (FIRST).

We strongly urge you to encrypt any sensitive information you send by email.
The CERT Coordination Center can support a shared DES key and PGP. Contact the
CERT staff for more information.

Location of CERT PGP key
         ftp://info.cert.org/pub/CERT_PGP.key

CERT Contact Information
- ------------------------
Email    cert@cert.org

Phone    +1 412-268-7090 (24-hour hotline)
                CERT personnel answer 8:30-5:00 p.m. EST
                (GMT-5)/EDT(GMT-4), and are on call for
                emergencies during other hours.

Fax      +1 412-268-6989

Postal address
        CERT Coordination Center
        Software Engineering Institute
        Carnegie Mellon University
        Pittsburgh PA 15213-3890
        USA

CERT publications, information about FIRST representatives, and other
security-related information are available for anonymous FTP from
        http://www.cert.org/
        ftp://info.cert.org/pub/

CERT advisories and bulletins are also posted on the USENET newsgroup
        comp.security.announce

To be added to our mailing list for CERT advisories and bulletins, send your
email address to
        cert-advisory-request@cert.org


Copyright 1996 Carnegie Mellon University
This material may be reproduced and distributed without permission provided it
is used for noncommercial purposes and the copyright statement is included.

CERT is a service mark of Carnegie Mellon University.

Back