CERT
search  


 
Historical Documents Authorized Users of "CERT" Vulnerability Notes Database Vulnerability Disclosure Policy Courses Link to US-CERT cylab
 

CERT® Advisory CA-1993-02 New Patch for NeXT NetInfo _writers Vulnerabilities

Original issue date: January 21, 1993
Last revised: September 19, 1997
Attached copyright statement

A complete revision history is at the end of this file. THIS IS A REVISED CERT ADVISORY
IT CONTAINS NEW INFORMATION

The CERT Coordination Center has received updated information from NeXT Computer, Inc. concerning vulnerabilities in the distributed printing facility of NeXT computers running all releases of NeXTSTEP software through NeXTSTEP Release 3.0. The online patch described in CERT Advisory CA-93.02 has been replaced with a new patch. The size and checksum information in this Advisory have been updated to reflect the new online patch.

For more information, please contact your authorized support center. If you are an authorized support provider, please contact NeXT through your normal channels.

I. Description

The default NetInfo "_writers" properties are configured to allow users to install printers and FAX modems and to export them to the network without requiring assistance from the system administrator. They also allow a user to configure other parts of the system, such as monitor screens, without requiring help from the system administrator. Vulnerabilities exist in this facility that could allow users to gain unauthorized privileges on the system.

II. Impact

In the case of the "/printers" and the "/fax_modems" directories, the "_writers" property can permit users to obtain unauthorized root access to a system.

In the "/localconfig/screens" directory, the "_writers" property can potentially permit a user to deny normal login access to other users.

III. Solution

To close the vulnerabilities, remove the "_writers" properties from the "/printers", "/fax_modems", and "/localconfig/screens" directories in all NetInfo domains on the network, and from all immediate subdirectories of all "/printers", "/fax_modems", and "/localconfig/screens" directories. The "_writers" properties may be removed using any one of the following three methods:

  1. As root, use the "niutil" command-line utility. For example, to remove the "_writers" property from the "/printers" directory: 
       # /usr/bin/niutil -destroyprop . /printers _writers

  2. Alternatively, use the NetInfoManager application: open the desired domain, open the appropriate directory, select the "_writers" property, choose the "Delete" command [Cmd-r] from the "Edit" menu, and save the directory.

  3. To assist system administrators in editing their NetInfo domains, a shell script, "writersfix", is available via anonymous FTP from next.com (129.18.1.2): 
      Filename                                   Size   Checksum
  --------                                   ----   --------
  pub/Misc/Utilities/WritersFix.compressed   5600   25625  6

    After transferring this file using BINARY transfer type, double-click on the file. A "WritersFix" directory will be created in your file system, containing the script
    ("writersfix") and some documentation ("WritersFix.rtf").

Consider removing "_writers" from other NetInfo directories as well (for example, "/locations"), noting the following trade-off between ease-of-use and security. By removing the "_writers" properties, the network and the computers on the network become more secure, but a system administrator's assistance is required where it previously was not required.

Please refer to the NeXTSTEP Network and System Administration manual for additional information on "_writers". Note that the subdirectories of the "/users" directory have "_writers_passwd" set to the user whose account is described by the directory. This is essential if users are to be able to change their own passwords, and this does not compromise system security.

The CERT Coordination Center wishes to thank Alan Marcum and Eric Larson of NeXT Computer, Inc. for notifying us about the existence of these vulnerabilities and for providing appropriate technical information.

This document is available from: http://www.cert.org/advisories/CA-1993-02.html

CERT/CC Contact Information

Email: cert@cert.org
Phone: +1 412-268-7090 (24-hour hotline)
Fax: +1 412-268-6989
Postal address:
CERT Coordination Center
Software Engineering Institute
Carnegie Mellon University
Pittsburgh PA 15213-3890
U.S.A.

CERT/CC personnel answer the hotline 08:00-17:00 EST(GMT-5) / EDT(GMT-4) Monday through Friday; they are on call for emergencies during other hours, on U.S. holidays, and on weekends.

Using encryption

We strongly urge you to encrypt sensitive information sent by email. Our public PGP key is available from

If you prefer to use DES, please call the CERT hotline for more information.

Getting security information

CERT publications and other security information are available from our web site

* "CERT" and "CERT Coordination Center" are registered in the U.S. Patent and Trademark Office.

NO WARRANTY
Any material furnished by Carnegie Mellon University and the Software Engineering Institute is furnished on an "as is" basis. Carnegie Mellon University makes no warranties of any kind, either expressed or implied as to any matter including, but not limited to, warranty of fitness for a particular purpose or merchantability, exclusivity or results obtained from use of the material. Carnegie Mellon University does not make any warranty of any kind with respect to freedom from patent, trademark, or copyright infringement.

Conditions for use, disclaimers, and sponsorship information

Copyright 1993 Carnegie Mellon University.

Revision History 
September 19, 1997  Attached Copyright Statement