Alien/OS


Paul Boehm (pb@insecurity.net)
Mon, 12 Oct 1998 13:52:45 +0200


CERT(sm) Advisory CA-96.13

July 4, 1996

Topic: ID4 virus, Alien/OS Vulnerability

The CERT Coordination Center has received reports of weaknesses in Alien/OS that
can allow species with primitive information sciences technology to initiate
denial-of-service attacks against MotherShip(tm) hosts. One report of
exploitation of this bug has been received.

When attempting takeover of planets inhabited by such races, a trojan horse
attack is possible that permits local access to the MotherShip host, enabling
the implantation of executable code with full root access to mission-critical
security features of the operating system.

The vulnerability exists in versions of EvilAliens' Alien/OS 34762.12.1 or later,
and all versions of Microsoft's Windows/95. CERT advises against initiating
further planet takeover actions until patches are available from these vendors.
If planet takeover is absolutely necessary, CERT advises that affected sites
apply the workarounds as specified below.

As we receive additional information relating to this advisory,
we will place it in

        ftp://info.cert.org/pub/cert_advisories/CA-96.13.README

We encourage you to check our README files regularly for updates on advisories
that relate to your site.

I. Description

Alien/OS contains a security vulnerability, which strangely enough can be
exploited by a primitive race running Windows/95. Although Alien/OS has been
extensively field tested over millions of years by EvilAliens, Inc., the bug
was only recently discovered during a routine invasion of a backwater planet.
EvilAliens notes that the operating system had never before been tested against
a race with "such a kick-ass president."

The vulnerability allows the insertion of executable code with root access to
key security features of the operating system. In particular, such code can
disable the NiftyGreenShield (tm) subsystem, allowing child processes to be
terminated by unauthorized users.

Additionally, Alien/OS networking protocols can provide a low-bandwidth covert
timing channel to a determined attacker.

II. Impact

Non-privileged primitive users can cause the total destruction of your entire
invasion fleet and gain unauthorized access to files.

III. Solution

EvilAliens has supplied a workaround and a patch, as follows:

A. Workaround

     To prevent unauthorized insertion of executables, install a firewall to
     selectively vaporize incoming packets that do not contain valid aliens.
     Also, disable the "Java" option in Netscape.

     To eliminate the covert timing channel, remove untrusted hosts from routing
     tables. As tempting as it is, do not use target species' own satellites
     against them.

B. Patch

     As root, install the "evil" package from the distribution tape.

     (Optionally) save a copy of the existing /usr/bin/sendmail and modify its
     permission to prevent misuse.

The CERT Coordination Center thanks Jeff Goldblum and Fjkxdtssss for providing
information for this advisory.

If you believe that your system has been compromised, contact the CERT
Coordination Center or your representative in the Forum of Incident Response and
Security Teams (FIRST).

We strongly urge you to encrypt any sensitive information you send by email.
The CERT Coordination Center can support a shared DES key and PGP. Contact the
CERT staff for more information.

Location of CERT PGP key
         ftp://info.cert.org/pub/CERT_PGP.key

CERT Contact Information
------------------------
Email cert@cert.org

Phone +1 412-268-7090 (24-hour hotline)
                CERT personnel answer 8:30-5:00 p.m. EST
                (GMT-5)/EDT(GMT-4), and are on call for
                emergencies during other hours.

Fax +1 412-268-6989

Postal address
        CERT Coordination Center
        Software Engineering Institute
        Carnegie Mellon University
        Pittsburgh PA 15213-3890
        USA

CERT publications, information about FIRST representatives, and other
security-related information are available for anonymous FTP from
        http://www.cert.org/
        ftp://info.cert.org/pub/

CERT advisories and bulletins are also posted on the USENET newsgroup
        comp.security.announce

To be added to our mailing list for CERT advisories and bulletins, send
your email address to
        cert-advisory-request@cert.org

Copyright 1996 Carnegie Mellon University
This material may be reproduced and distributed without permission provided it
is used for noncommercial purposes and the copyright statement is included.

CERT is a service mark of Carnegie Mellon University.



This archive was generated by hypermail 2.0b3 on Mon Oct 12 1998 - 14:05:36 CEST