netstation.navio.comm-rte.txt

`Date: Fri, 29 Jan 1999 21:43:51 PST  
From: Ryan McRonald <[email protected]>  
To: [email protected]  
Subject: TROJAN: netstation.navio-comm.rte 1.1.0.1  
  
While configuring some IBM Network Station 300s I noticed that my /tmp  
directory had become NFS exported and world read/writeable!! I traced  
this to one of the configuration scripts that is included in AIX's  
netstation.navio-com.rte 1.1.0.1 used for the Navio NC browser.  
  
>From /usr/netstation/bin/Xnav:  
  
1) Magic number is munged ... pet peeve of mine:  
  
+1 # @(#)93 1.3 src/nav/aix/Xnav.cpp, navio, 41navio110  
+2 #!/bin/ksh  
+3 #  
...  
  
2) This part is somewhat problematic:  
  
...  
+98 grep "/tmp" /etc/exports > /dev/null 2>&1  
+99 if [ $? -ne 0 ]; then  
+100 echo "/tmp" >> /etc/exports  
+101 /usr/sbin/exportfs -a  
+102 fi  
...  
  
The fix:  
  
1) Do you have netstation.navio.comm-rte installed?  
  
# lslpp -l netstation.navio-comm-rte  
  
2) Check if /tmp is exported with:  
  
# exportfs  
  
3) If /tmp is exported run:  
  
# /usr/sbin/rmnfsexp -d /tmp -B  
  
This emphasizes the importance of running a regular "sanity" security  
audits such as satan or ISS.  
  
regards from a long-tine bugtraq lurker,  
  
Ryan  
  
`