-----BEGIN PGP SIGNED MESSAGE----- Hash: SHA1
After the issue in CVE-2009-4211 was made public, the Unix SRR script was removed from http://iase.disa.mil/stigs/SRR/unix.html with a note saying:
?Due to a recently identified security issue, please do not run any version of the UNIX SRR scripts until further notice. The UNIX SRR scripts will be corrected and posted as soon as possible. Please check back at a later time for the updated scripts. Thanks for your understanding and support.?
As of today, a new version dated December 7, 2009 is available for download. Unfortunately, although some changes were made, it is still vulnerable to the issue described in CVE-2009-4211.
The CVE should be updated to reflect that the December, 2009 version is also vulnerable. The script should be re-evaluated to remove any invocations of untrusted programs (especially any done as root). Users should continue to avoid running the Unix SRR script until a fixed version is available.
Below is a walk-through:
Script started on Tue Dec 08 23:35:31 2009
Don't Panic! # ls -al total 6 drwxr-xr-x 2 root root 2 Dec 8 23:35 . drwxrwxrwt 6 root sys 7 Dec 8 23:28 ..
Don't Panic! # tar xf ../UNIX_51-15Dec2009.tar
Don't Panic! # cd Script.December
Don't Panic! # ls -al /var/tmp/fcs/outdir total 8 drwx------ 2 root root 2 Dec 8 23:00 . drwxr-xr-x 4 fstuart sysadmin 47 Dec 8 21:47 ..
Don't Panic! # ls -dl /var/tmp/fcs/testdir/vncserver - -rwxr-xr-x 1 nobody nobody 174 Dec 8 23:28 /var/tmp/fcs/testdir/vncserver
Don't Panic! # ./Start-SRR [[ SRR output omitted ]]
Don't Panic! # ls -al /var/tmp/fcs/outdir/vncserver.out - -rw------- 1 root root 370 Dec 8 23:39 /var/tmp/fcs/outdir/vncserver.out
Don't Panic! # cat /var/tmp/fcs/outdir/vncserver.out /var/tmp/fcs/testdir/vncserver -help 24749 zsched 23773 ksh -o vi 3664 script /tmp/script.out 3665 script /tmp/script.out 3666 sh -i 3685 /bin/sh ./Start-SRR 27701 sh /var/tmp/SRR/Script.December/Solaris/2006-T-0013 27719 /bin/ksh /var/tmp/fcs/testdir/vncserver -help 27722 ptree 27719
script done on Tue Dec 08 23:42:11 2009
-----BEGIN PGP SIGNATURE----- Version: GnuPG v1.4.3 (MingW32) Comment: Using GnuPG with Mozilla - http://enigmail.mozdev.org/
iQEVAwUBSx9CiWKGA6cQSpZSAQKfrQf/TnDxgx4+4qK6XhGsoK6XMe9pTxqB+Z1v jl8CxMLdxGihVjSJzRSEZFjx3qTOIyv6Lt58KLKp75yGGlqSESde8vSUBwoUqcl8 SM3PKPboXfETrxMeBCKwIL85DJKlZsQolgVEYtILlwUC5I2XCIGM/FoAskDEIjKZ V0Jiv2mh5mWi/DlzF/81KURipcyPRuCYmr0qfsJjOYHZ/lbHxDCQKv7oCMij4iZv IG3UQpO4IRMjapKdXYGAGBEaO14MfDoo928RLPBlRmlVvpPP+39gIb+SRJO/ix+o gafMd7P9hDvG7NPWGyv6zSh4bBJvGfG5c72zknXxrg9e+rm41bsOrw== =5/H4 -----END PGP SIGNATURE-----