CERT-SEI

NeXT's System Software

Original issue date: October 3, 1990
Last revised: September 17, 1997
Attached Copyright statement

A complete revision history is at the end of this file.

This message is an update of the October 2, 1990 CERT Advisory (CA-90.06). There is one correction and an update that you need to know about.

For Problem #2 SOLUTION, the following line has been added:

# /etc/chmod 440 /usr/lib/NextPrinter/npd.old
This will disable the old printer program.  An updated copy of the CERT Advisory has been included with this message.

NeXT is also making the new printer program, npd, available electronically via anonymous ftp for Internet sites.  The archives sites are:

nova.cc.purdue.edu
        umd5.umd.edu
cs.orst.edu

In addition, NeXT has asked the CERT to announce that if anyone cannot get it from the archives, NeXT Technical Support can provide it. Requests should go to:

ask_next@NeXT.COM

Thanks,
Computer Emergency Response Team


NeXT's System Software


This message is to alert administrators of NeXT Computers of four potentially serious security problems.

The information contained in this message has been provided by David Besemer, NeXT Computer, Inc.  The following describes the four security problems, NeXT's recommended solutions and the known system impact.


Problem #1 Description

On Release 1.0 and 1.0a a script exists in /usr/etc/restore0.9 that is a setuid shell script.  The existence of  this script is a potential security problem.

Problem #1 Impact

  The script is only needed during the installation process and isn't needed for normal usage.  It is possible for any logged in user to gain root access.

Problem #1 Solution

  NeXT owners running Release 1.0 or 1.0a should  remove /usr/etc/restore0.9 from all disks.  This file is installed by  the "BuildDisk" application, so it should be removed from all systems built with the standard release disk, as well as from the standard  release disk itself (which will prevent the file from being installed  on system built with the standard release disk in the future).  You  must be root to remove this script, and the command that will remove  the script is the following:
# /bin/rm /usr/etc/restore0.9

Problem #2 Description

  On NeXT computers running Release 1.0 or 1.0a that also have publicly accessible printers, users can gain extra permissions via a combination of bugs.

Problem #2 Impact

  Computer intruders are able to exploit this security problem to gain access to the system.  Intruders, local users and remote users are able to gain root access.

Problem #2 Solution

  NeXT computer owners running Release 1.0 or  1.0a should do two things to fix a potential security problem.  First, the binary /usr/lib/NextPrinter/npd must be replaced with a  more secure version.  This more secure version of npd is available  through your NeXT support center.  Upon receiving a copy of the more  secure npd, you must become root and install it in place of the old  one in /usr/lib/NextPrinter/npd.  The new npd binary needs to be  installed with the same permission bits (6755) and owner (root) as  the old npd binary.  The commands to install the new npd binary are  the following:
   # /bin/mv /usr/lib/NextPrinter/npd /usr/lib/NextPrinter/npd.old
   # /bin/mv newnpd /usr/lib/NextPrinter/npd
(In the above command, "newnpd" is the npd binary   that you obtained from your NeXT support center.)
  # /etc/chown root /usr/lib/NextPrinter/npd
  # /etc/chmod 6755 /usr/lib/NextPrinter/npd
  # /etc/chmod 440 /usr/lib/NextPrinter/npd.old
  
The second half of the fix to this potential problem is to change the  permissions of directories on the system that are currently owned and  able to be written by group "wheel".  The command that will remove  write permission for directories owned and writable by group "wheel"  is below.  This command is all one line, and should be run as root.  
# find / -group wheel ! -type l -perm -20 ! -perm -2 -ls -exec chmod  
g-w {} \; -o -fstype nfs -prune

Problem #3 Description

  On NeXT computers running any release of the system software,  public access to the window server may be a potential security problem.

The default in Release 1.0 or 1.0a is correctly set so that public access to the window server is not available.  It is possible, when upgrading from a prior release, that the old configuration files will be reused.  These old configuration files could possibly enable public access to the window server.

Problem #3 Impact

  This security problem will enable an intruder to gain access to the system.

Problem #3 Solution

If public access isn't needed, it should be disabled.

  1.   Launch the Preferences application, which is located in /NextApps
  2.   Select the UNIX panel by pressing the button with the UNIX      certificate on it.
  3. If the box next to Public Window Server contains a check, click on  the box to remove the check.

Problem #4 Description

On NeXT computers running any release of the system software, the "BuildDisk" application is executable by all users.

Problem #4 Impact

  Allows a user to gain root access.

Problem #4 Solution

Change the permissions on the "BuildDisk" application allowing only root to execute it.  This can be accomplished with the command:
# chmod 4700 /NextApps/BuildDisk
To remove "BuildDisk" from the default icon dock for new users, do the following:

  1. Create a new user account using the UserManager application.
  2. Log into the machine as that new user.
  3. Remove the BuildDisk application from the Application Dock by dragging      it out.
  4. Log out of the new account and log back in as root.
  5. Copy the file in ~newuser/.NeXT/.dock to /usr/template/user/.NeXT/.dock
  6. (where ~newuser is the home directory of the new user account)

  7. Set the protections appropriately using the following command:
  8.      
     # chmod 555 /usr/template/user/.NeXT/.dock

  9. If you wish, with UserManager, remove the user account that you created  in step 1.
In release 2.0, the BuildDisk application will prompt for the root password if it is run by a normal user. CONTACT INFORMATION

For further questions, please contact your NeXT support center.

NeXT has also reported that these potential problems have been fixed in NeXT's Release 2.0, which will be available in November, 1990.


Thanks to Corey Satten and Scott Dickson for discovering, documenting, and helping resolve these problems.



This document is available from: http://www.preview.cert.org/advisories/CA-1990-06.html

CERT/CC Contact Information

Email: cert@cert.org
Phone: +1 412-268-7090 (24-hour hotline)
Fax: +1 412-268-6989
Postal address:
CERT Coordination Center
Software Engineering Institute
Carnegie Mellon University
Pittsburgh PA 15213-3890
U.S.A.

CERT/CC personnel answer the hotline 08:00-17:00 EST(GMT-5) / EDT(GMT-4) Monday through Friday; they are on call for emergencies during other hours, on U.S. holidays, and on weekends.

Using encryption

We strongly urge you to encrypt sensitive information sent by email.  Our public PGP key is available from

If you prefer to use DES, please call the CERT hotline for more information.

Getting security information

CERT publications and other security information are available from our web site

* "CERT" and "CERT Coordination Center" are registered in the U.S. Patent and Trademark Office.


NO WARRANTY
Any material furnished by Carnegie Mellon University and the Software Engineering Institute is furnished on an "as is" basis. Carnegie Mellon University makes no warranties of any kind, either expressed or implied as to any matter including, but not limited to, warranty of fitness for a particular purpose or merchantability, exclusivity or results obtained from use of the material. Carnegie Mellon University does not make any warranty of any kind with respect to freedom from patent, trademark, or copyright infringement.


Conditions for use, disclaimers, and sponsorship information

Copyright 1990 Carnegie Mellon University.


Revision History
September 17,1997 Attached Copyright statement