DISA STIG SRR Still Vulnerable

`-----BEGIN PGP SIGNED MESSAGE-----  
Hash: SHA1  
  
After the issue in CVE-2009-4211 was made public, the Unix SRR script  
was removed from http://iase.disa.mil/stigs/SRR/unix.html with a note  
saying:  
  
?Due to a recently identified security issue, please do not run any  
version of the UNIX SRR scripts until further notice. The UNIX SRR  
scripts will be corrected and posted as soon as possible. Please check  
back at a later time for the updated scripts. Thanks for your  
understanding and support.?  
  
As of today, a new version dated December 7, 2009 is available for  
download. Unfortunately, although some changes were made, it is still  
vulnerable to the issue described in CVE-2009-4211.  
  
The CVE should be updated to reflect that the December, 2009 version is  
also vulnerable. The script should be re-evaluated to remove any  
invocations of untrusted programs (especially any done as root). Users  
should continue to avoid running the Unix SRR script until a fixed  
version is available.  
  
Below is a walk-through:  
  
#######################################################################  
Script started on Tue Dec 08 23:35:31 2009  
  
### Starting with a clean directory  
Don't Panic! # ls -al  
total 6  
drwxr-xr-x 2 root root 2 Dec 8 23:35 .  
drwxrwxrwt 6 root sys 7 Dec 8 23:28 ..  
  
### Untar the new SRR script  
Don't Panic! # tar xf ../UNIX_51-15Dec2009.tar  
  
Don't Panic! # cd Script.December  
  
### Verify the output directory is empty  
Don't Panic! # ls -al /var/tmp/fcs/outdir  
total 8  
drwx------ 2 root root 2 Dec 8 23:00 .  
drwxr-xr-x 4 fstuart sysadmin 47 Dec 8 21:47 ..  
  
### Verify my unprivileged, simulated malware is in place. It will  
### write a root-owned file in the /var/tmp/fcs/outdir if executed  
### by root.  
Don't Panic! # ls -dl /var/tmp/fcs/testdir/vncserver  
- -rwxr-xr-x 1 nobody nobody 174 Dec 8 23:28  
/var/tmp/fcs/testdir/vncserver  
  
### Start the SRR script  
Don't Panic! # ./Start-SRR  
[[ SRR output omitted ]]  
  
### root-owned output file is created  
Don't Panic! # ls -al /var/tmp/fcs/outdir/vncserver.out  
- -rw------- 1 root root 370 Dec 8 23:39  
/var/tmp/fcs/outdir/vncserver.out  
  
### Contents of file show how it was invoked  
Don't Panic! # cat /var/tmp/fcs/outdir/vncserver.out  
/var/tmp/fcs/testdir/vncserver -help  
24749 zsched  
23773 ksh -o vi  
3664 script /tmp/script.out  
3665 script /tmp/script.out  
3666 sh -i  
3685 /bin/sh ./Start-SRR  
27701 sh /var/tmp/SRR/Script.December/Solaris/2006-T-0013  
27719 /bin/ksh /var/tmp/fcs/testdir/vncserver -help  
27722 ptree 27719  
  
script done on Tue Dec 08 23:42:11 2009  
#######################################################################  
  
-----BEGIN PGP SIGNATURE-----  
Version: GnuPG v1.4.3 (MingW32)  
Comment: Using GnuPG with Mozilla - http://enigmail.mozdev.org/  
  
iQEVAwUBSx9CiWKGA6cQSpZSAQKfrQf/TnDxgx4+4qK6XhGsoK6XMe9pTxqB+Z1v  
jl8CxMLdxGihVjSJzRSEZFjx3qTOIyv6Lt58KLKp75yGGlqSESde8vSUBwoUqcl8  
SM3PKPboXfETrxMeBCKwIL85DJKlZsQolgVEYtILlwUC5I2XCIGM/FoAskDEIjKZ  
V0Jiv2mh5mWi/DlzF/81KURipcyPRuCYmr0qfsJjOYHZ/lbHxDCQKv7oCMij4iZv  
IG3UQpO4IRMjapKdXYGAGBEaO14MfDoo928RLPBlRmlVvpPP+39gIb+SRJO/ix+o  
gafMd7P9hDvG7NPWGyv6zSh4bBJvGfG5c72zknXxrg9e+rm41bsOrw==  
=5/H4  
-----END PGP SIGNATURE-----  
`