CERT® Advisory CA-1995-07 SATAN Vulnerability: Password DisclosureOriginal issue date: April 21, 1995
Last revised: September 23, 1997
Update copyright statement
A complete revision history is at the end of this file.
It addresses inaccurate information in CA-95.07
and contains information about SATAN 1.1.1.
There was a potential vulnerability introduced into systems running SATAN 1.0 and earlier, as described below. The problem has been addressed in version 1.1 and later. The CERT/CC team recommends that you take the precautions described in Section III below before you run SATAN and that you upgrade to the latest version of SATAN--currently 1.1.1.
The following two statements from CA-95.07 are inaccurate.
We will update this advisory as we receive additional information. Please check advisory files regularly for updates that relate to your site.
For an overview of a beta version of SATAN, see CERT advisory CA-95.06.
I. DescriptionIn SATAN version 1.0, access to the SATAN processes is protected by a session key (also referred to as a "magic cookie" or "password"). SATAN itself never sends this session key over the network. However, depending on the configuration at your site, the supporting HTML browser, and how you use SATAN, your session key may be disclosed through the network. Local or remote users who obtain your session key can run perl scripts that are on the system running SATAN.
If you use SATAN only through the command line interface, your system is not vulnerable to the problem because there is no session key.
Additional details are in the "SATAN Password Disclosure" tutorial provided with SATAN. We have included the tutorial as an Appendix B of this advisory.
II. ImpactIf the session key is disclosed while SATAN 1.0 is running, unauthorized local or remote users can execute perl scripts as the user of the process running SATAN (typically root).
1. Obtain and install SATAN version 1.1.1, which addresses the problem.For details on how the problem is addressed, see the section entitled "Additional SATAN Defenses" in the SATAN Password Disclosure tutorial. The SATAN authors also provide guidance on protecting access; see the tutorial section, "Preventing SATAN Password Disclosure." SATAN 1.1.1 is available from many sites, including
MD5 (satan-1.1.1.tar.Z) = de2d3d38196ba6638b5d7f37ca8c54d7
and put in the body of the message (not the subject line):
get satan mirror-sites
There are reports of modified copies of SATAN, so ensure that the copy that you obtain is authentic by checking the MD5 checksum or SATAN author Wietse Venema's PGP signature. Appendix A of this advisory contains his PGP key.
We urge you to read the SATAN documentation carefully before running SATAN.
2. We also recommend that you take the following precautions:
Appendix A: Wietse Venema's PGP Key
-----BEGIN PGP PUBLIC KEY BLOCK-----
Appendix B: Tutorial - SATAN Password DisclosureThe following tutorial can be found in
SATAN Password Disclosure
SATAN password disclosure via flawed HTML clients or environmental problems
Unauthorized users may execute commands through SATAN
By default, SATAN runs as a custom HTML (hypertext markup language) server, executing requests from a user-provided HTML browser, or client program. Examples of common HTML clients are Netscape, NCSA Mosaic and Lynx.
An HTML client request is nothing but a network message, and
network messages may be sent by any user on the network. To defend
itself against requests from unauthorized users, SATAN takes the
The protection scheme used by SATAN is in essence the same as the scheme used by many implementations of the X Window system: MIT magic cookies. These secrets are normally kept in the user's home directory, in a file called .Xauthority. Before it is granted access to the screen, keyboard and mouse, an X client program needs to prove that it is authorized, by handing over the correct magic cookie. This requirement prevents unauthorized access, provided that the magic cookie information is kept secret.
It is important that the current SATAN password is kept secret. When the password leaks out, unauthorized users can send commands to the SATAN HTML server where the commands will be executed with the privileges of the SATAN process.
Note that SATAN generates a new password every time you start it up under an HTML client, so if you are suspicious, simply restart the program.
SATAN never sends its current password over the network. However,
the password, or parts of it, may be disclosed due to flaws in
HTML clients or due to weak protection of the environment that
SATAN is running in. One possible scenario for disclosure is:
Other scenarios for SATAN password disclosure are discussed in the next section, as part of a list of counter measures.
PREVENTING SATAN PASSWORD DISCLOSURE
The security of SATAN is highly dependent on the security of environment that it runs in. In the case of an X Window environment:
Steps that can help to keep the X magic cookie information secret:
Finally, steps that can help to keep the current SATAN password
ADDITIONAL SATAN DEFENSES
The SATAN software spends a lot of effort to protect your computer and data against password disclosure. With version 1.1 and later, SATAN even attempts to protect you after the password has fallen into the hands of unauthorized users:
The CERT Coordination Center staff thanks Wietse Venema for his cooperation and assistance with this revised advisory.
This document is available from: http://www.cert.org/advisories/CA-1995-07.html
CERT/CC Contact Information
Phone: +1 412-268-7090 (24-hour hotline)
Fax: +1 412-268-6989
CERT/CC personnel answer the hotline 08:00-17:00 EST(GMT-5) / EDT(GMT-4) Monday through Friday; they are on call for emergencies during other hours, on U.S. holidays, and on weekends.
We strongly urge you to encrypt sensitive information sent by email. Our public PGP key is available from
If you prefer to use DES, please call the CERT hotline for more information.
Getting security information
CERT publications and other security information are available from our web site
* "CERT" and "CERT Coordination Center" are registered in the U.S. Patent and Trademark Office.
Conditions for use, disclaimers, and sponsorship information
Copyright 1995, 1996 Carnegie Mellon University.
Sep. 23, 1997 - Updated copyright statement Aug. 30, 1996 - Information previously in the CA-95.07 and CA-95.07a README files was inserted into the advisory.