CA-94:09.README
Issue Date:     May 23, 1994
Date of last revision:  February 2, 1995

This file is a supplement to the CERT Advisory
CA-94:09.bin.login.vulnerability of May 23, 1994, and will be updated
as additional information becomes available.


The text below originally appeared as an Appendix in the advisory.

As of February 1, 1995, information about LINUX has been added to the original
text.


We have received feedback from these vendors, who indicated that their
currently supported products are not vulnerable: 

    Amdahl
    Apple 
    BSD   
    BSDI  
    Harris
    HP    
    LINUX       (Added to the list as of Feb. 1, 1995. See description below)
    Motorola 
    NeXT     
    Pyramid  
    SCO
    Sequent    
    SGI      
    Solbourne
    Sony     
    Sun      

CERT has verified that the following vendor products are not vulnerable:

     Free BSD 

CERT has received feedback from the following vendors, who have made
patches available to address the /bin/login vulnerability.  Please
note that vendors sometimes update patch files.  If you find that the
checksum is different, please contact the vendor.


  IBM AIX 3:
      Workaround:     Please refer to Section III.A in CERT advisory
                      CA-94:09.bin.login.vulnerability.

      Emergency fix:  Available via anonymous FTP from:
                      software.watson.ibm.com:/pub/rlogin

                      This directory contains the latest available emergency
                      fix for APAR IX44254.  As updates become available,
                      any new versions will be placed in this directory with
                      the name rlogin<#>.tar.Z with <#> being incremented 
                      for each update.  See the README.FIRST file in that
                      directory for details.
 
      Official patch: APAR IX44254.  Please refer to Section III.C in
                      CERT advisory CA-94:09.bin.login.vulnerability.

      Checksum information for rlogin2.tar.Z:
          BSD:      26523   384
          SystemV:  26603 767 rlogin2.tar.Z
          MD5:      MD5 (rlogin2.tar.Z) = 6997afb11a3ec508c47819c98f725de8
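
The three checksum values published above can be checked against a
downloaded file in one pass. This is an added example, not part of the
advisory or of any vendor's tooling; the function names are illustrative,
and it assumes "BSD" and "SystemV" refer to the classic `sum -r` and
`sum -s` algorithms (1024-byte and 512-byte block counts respectively).

```python
import hashlib
import re

# Checksum lines exactly as published above for the IBM emergency fix.
ADVISORY = """\
BSD:      26523   384
SystemV:  26603 767 rlogin2.tar.Z
MD5:      MD5 (rlogin2.tar.Z) = 6997afb11a3ec508c47819c98f725de8
"""

def bsd_sum(data):
    """`sum -r`: 16-bit rotate-right-and-add checksum, size in 1024-byte blocks."""
    c = 0
    for b in data:
        c = (c >> 1) | ((c & 1) << 15)   # rotate right by one bit
        c = (c + b) & 0xFFFF
    return c, -(-len(data) // 1024)      # ceiling division

def sysv_sum(data):
    """`sum -s`: byte sum folded to 16 bits, size in 512-byte blocks."""
    s = sum(data) & 0xFFFFFFFF
    r = (s & 0xFFFF) + (s >> 16)
    return (r & 0xFFFF) + (r >> 16), -(-len(data) // 512)

def parse_published(text):
    """Extract the published values from advisory-style checksum lines."""
    out = {}
    for line in text.splitlines():
        if m := re.match(r"\s*BSD:\s+(\d+)\s+(\d+)", line):
            out["bsd"] = (int(m[1]), int(m[2]))
        elif m := re.match(r"\s*SystemV:\s+(\d+)\s+(\d+)", line):
            out["sysv"] = (int(m[1]), int(m[2]))
        elif m := re.search(r"MD5 \((.+?)\) = ([0-9a-fA-F]{32})\s*$", line):
            out["md5"] = m[2].lower()
    return out

def verify(data, text):
    """Return {algorithm: matches?} for every value the text publishes."""
    computed = {"bsd": bsd_sum(data), "sysv": sysv_sum(data),
                "md5": hashlib.md5(data).hexdigest()}
    return {k: computed[k] == v for k, v in parse_published(text).items()}

if __name__ == "__main__":
    # Constructed sample: checksum lines for the three bytes b"abc".
    sample = ("BSD: 16556 1\nSystemV: 294 1 sample\n"
              "MD5 (sample) = 900150983cd24fb0d6963f7d28e17f72\n")
    print(parse_published(ADVISORY))
    print(verify(b"abc", sample))   # every entry True
    print(verify(b"abd", sample))   # every entry False: the data differs
```

To check a downloaded file, pass its bytes, for example
`verify(open(path, "rb").read(), ADVISORY)`. The 16-bit sums and MD5 show
that a file is corrupted or has been updated; none of them resists a
deliberately constructed collision today.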


  LINUX:
      Patch:  Please refer to Section VI in CERT advisory
             CA-94:09.bin.login.vulnerability. 

////////////////////
Added Feb. 2, 1995

As of February 1, 1995, we have learned that the pointer to the site with the
LINUX patch is no longer valid. CERT staff has received information that a
more comprehensive set of tools has been released by Florian La Roche
<flla@stud.uni-sb.de> under the name "NetKit."  It is available via
the FTP sites listed below.

An excerpt from the README provides the following general information:

      This directory contains a collection of net source programs for LINUX.

      NetKit-A  A is the first character in the alphabet -> basic things
                contains a collection of LINUX-specific programs and
                several small utility programs found somewhere in the
                Internet or on News
                (contains also net-032 from Alan Cox)
      NetKit-B  B like BSD, even if we only think about LINUX
                contains source code derived from NetBSD
      NetKit-M  M like mail
                contains context diffs and some source code to make a
                good mail system
      NetKit-N  N like news
                contains context diffs for a good News system
                (news readers and also INN for your own newsfeed)
      NetKit-X  X like eXtra
                will maybe be necessary, if NetKit-A grows too large


sunacm.swan.ac.uk:/pub/misc/Linux/Networking/PROGRAMS/Packages
-----------------------------------------------------------------------------
MD5 (NetKit-A-0.05.bin.tar.gz) = afe45e04f359b0ff99e66cc58b4e758c
MD5 (NetKit-A-0.05.tar.gz) = a17fae1b58e1cf8a79aef30296f65672
MD5 (NetKit-A-0.06.bin.tar.gz) = e0f813427341b070ab9f8374ad721134
MD5 (NetKit-A-0.06.tar.gz) = adb00607cb2887c44f5aa8981fb8120b
MD5 (NetKit-B-0.04.bin.tar.gz) = ffe7099a0271a85eb22c78f7c3373bc6
MD5 (NetKit-B-0.04.tar.gz) = 156be1d3571b1681485b47255f7e202c
MD5 (NetKit-B-0.05.bin.tar.gz) = 3b270017ce28328c5596291e6d2687f0
MD5 (NetKit-B-0.05.tar.gz) = ba2327f741a265edc252e86b442a0a0d
MD5 (NetKit-M-0.01.tar.gz) = 392cbe6454965ad0d9e12f98af4cdd4a
MD5 (NetKit-N-0.01.tar.gz) = 55957726205a52621a15938c3bea593b


sunsite.unc.edu:/pub/Linux/system/Network/sunacm
-----------------------------------------------------------------------------
MD5 (NetKit-A-0.05.bin.tar.gz) = afe45e04f359b0ff99e66cc58b4e758c
MD5 (NetKit-A-0.05.tar.gz) = a17fae1b58e1cf8a79aef30296f65672
MD5 (NetKit-A-0.06.bin.tar.gz) = e0f813427341b070ab9f8374ad721134
MD5 (NetKit-A-0.06.tar.gz) = adb00607cb2887c44f5aa8981fb8120b
MD5 (NetKit-B-0.04.bin.tar.gz) = ffe7099a0271a85eb22c78f7c3373bc6
MD5 (NetKit-B-0.04.tar.gz) = 156be1d3571b1681485b47255f7e202c
MD5 (NetKit-B-0.05.bin.tar.gz) = 3b270017ce28328c5596291e6d2687f0
MD5 (NetKit-B-0.05.tar.gz) = ba2327f741a265edc252e86b442a0a0d
MD5 (NetKit-M-0.01.tar.gz) = 392cbe6454965ad0d9e12f98af4cdd4a
MD5 (NetKit-N-0.01.tar.gz) = 55957726205a52621a15938c3bea593b
============================================================================


////////////////////
Added May 27, 1994

CERT is aware that there have been several /bin/login wrapper
programs posted as proposed workarounds for this vulnerability.  None
of the wrappers that CERT has reviewed have fully addressed all
aspects of this vulnerability.  CERT will not undertake any further
review of such wrappers.  Instead, we encourage sites to apply the
appropriate workaround or patches available, as described in
CA-94:09.bin.login.vulnerability and this file.

Frequently Asked Question about this CERT advisory:

    Question:  Why is rshd not mentioned in this advisory?
    Answer:    From the man page for RSH(1C):
     
                    rsh hostname [ -l username ] [ -n ] [ command ]

                    rsh connects to the specified hostname and
                    executes the specified command.
                    If you omit [ command ], instead of executing a
                    single command, rsh logs you in on the remote host
                    using rlogin(1C).

                       rsh hostname [ -l username ] [ -n ]

               Exploitation of the vulnerability via rsh requires the
               use of rlogind, which then invokes /bin/login.
               Exploitation of this vulnerability by this method is
               addressed by this advisory. 

               CERT is not aware of any exploitation method for this
               vulnerability via the following usage:

                       rsh hostname [ -l username ] [ -n ] command 

////////////////////
