
b-24.ciac-ultrix-v4-v4.1-vulnerability

Posted Sep 23, 1999

MD5 | a08b2860323c51fac689ac4f4965b081

        _____________________________________________________
The Computer Incident Advisory Capability
_____________________________________________________
Information Bulletin

May 1, 1991, 1200 PDT Number B-24

Ultrix V4.0 and V4.1 Vulnerability
________________________________________________________________________
PROBLEM:   /usr/bin/chroot is installed with the setuid bit set.
PLATFORM:  DEC Ultrix V4.0 and V4.1, all architectures.
DAMAGE:    Allows authorized users to gain unauthorized privileges.
SOLUTIONS: Fixed in Ultrix V4.2. Manually change file mode of
           /usr/bin/chroot to 700 for Ultrix V4.0 and V4.1.
IMPACT OF WORKAROUND: Non-privileged users no longer have access to
           the chroot command.
_______________________________________________________________________
Critical /usr/bin/chroot Vulnerability Facts

CIAC has been advised of a vulnerability in DEC's Ultrix V4.0 and V4.1
operating systems running on all architectures. DEC is aware of this
problem, and has corrected it in Ultrix V4.2. The DEC-provided fix for
Ultrix V4.0 and V4.1 is:

(login as root)
# chmod 700 /usr/bin/chroot
# ls -l /usr/bin/chroot
(verify the file protections are "-rwx------")
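
The verification step above in scripted form, for checking the result on many hosts. This is an added example, not part of the CIAC bulletin or DEC's fix; the function names, the scratch file and the 4755 starting mode are assumptions made for illustration.

```shell
#!/bin/sh
# Added example (not from the bulletin): scripted form of the
# "ls -l" verification step.

# Print the 10-character permission string for FILE, as shown by ls -l.
# Some ls implementations append '.', '+' or '@'; cut drops that suffix.
mode_string() {
    ls -ld -- "$1" | cut -c1-10
}

# audit_mode FILE: print a verdict line and return
#   0  mode is exactly -rwx------ (the state the bulletin says to verify)
#   1  setuid bit is set (the PROBLEM state)
#   2  setuid is clear, but the mode differs from -rwx------
#   3  FILE does not exist
audit_mode() {
    f=$1
    [ -e "$f" ] || { echo "MISSING  $f"; return 3; }
    m=$(mode_string "$f")
    if [ -u "$f" ]; then
        echo "SETUID   $m  $f"; return 1
    elif [ "$m" = "-rwx------" ]; then
        echo "OK       $m  $f"; return 0
    fi
    echo "DIFFERS  $m  $f"; return 2
}

# Constructed demonstration on a scratch file standing in for
# /usr/bin/chroot; nothing outside the temporary directory is touched.
# Verdict lines go to stderr; stdout carries the two return codes,
# before and after the fix.
demo() {
    d=$(mktemp -d) || return 1
    : > "$d/chroot"
    chmod 4755 "$d/chroot"     # assumed starting mode with setuid set
    before=0; audit_mode "$d/chroot" >&2 || before=$?
    chmod 700 "$d/chroot"      # the fix given in the bulletin
    after=0; audit_mode "$d/chroot" >&2 || after=$?
    rm -rf "$d"
    echo "$before $after"
}

# On a real host: audit_mode /usr/bin/chroot
```

A return code of 2 covers a file whose setuid bit was removed some other way (for example `chmod u-s`) but which is still executable by non-owners, which does not match the mode the bulletin asks you to verify.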


For additional information or assistance, please contact CIAC:

Hal Brand
(415) 422-6312 or (FTS) 532-6312, or

Call CIAC at (415) 422-8193 or (FTS) 532-8193 or
send e-mail to ciac@cheetah.llnl.gov.

Send FAX messages to: (415) 423-0913 or (FTS) 543-0913
_____
The CERT/CC and Digital Equipment Corporation provided information
contained in this bulletin. This document was prepared as an account
of work sponsored by an agency of the United States Government. Neither
the United States Government nor the University of California nor any
of their employees, makes any warranty, express or implied, or assumes
any legal liability or responsibility for the accuracy, completeness,
or usefulness of any information, apparatus, product, or process
disclosed, or represents that its use would not infringe privately
owned rights. Reference herein to any specific commercial products,
process, or service by trade name, trademark, manufacturer, or
otherwise, does not necessarily constitute or imply its endorsement,
recommendation or favoring by the United States Government or the
University of California. The views and opinions of authors expressed
herein do not necessarily state or reflect those of the United States
Government or the University of California, and shall not be used for
advertising or product endorsement purposes.

