----------

 CERT(sm) Advisory CA-96.13
 July 4, 1996

 Topic: ID4 virus, Alien/OS Vulnerability

 - -



 The CERT Coordination Center has received reports of
 weaknesses in  Alien/OS that can allow species with
 primitive information sciences  technology to initiate
 denial-of-service attacks against MotherShip(tm)  hosts.
 One report of exploitation of this bug has been received.

 When attempting takeover of planets inhabited by such races,
 a trojan  horse attack is possible that permits local access
 to the MotherShip host, enabling the implantation of executable
 code with full root access  to mission-critical security features
 of the operating system.

 The vulnerability exists in versions of EvilAliens' Alien/OS
 34762.12.1  or later, and all versions of Microsoft's Windows/95.
 CERT advises  against initiating further planet takeover actions
 until patches  are available from these vendors.  If planet
 takeover is absolutely  necessary, CERT advises that affected sites
 apply the workarounds as  specified below.

 As we receive additional information relating to this advisory, we
 will place it in

         ftp://info.cert.org/pub/cert_advisories/CA-96.13.README

 We encourage you to check our README files regularly for updates on
 advisories that relate to your site.



----------------------------------------------------------------------



 I.    Description

       Alien/OS contains a security vulnerability, which
       strangely enough can be exploited by a primitive race
       running Windows/95.  Although Alien/OS has been
       extensively field tested over millions of years by
       EvilAliens, Inc., the bug was only recently discovered
       during a routine invasion of a backwater planet.
       EvilAliens notes that the operating system had never
       before been tested against a race with "such a kick-ass
       president."

       The vulnerability allows the insertion of executable
       code with root access to key security features of the
       operating system.  In particular, such code can disable
       the NiftyGreenShield (tm) subsystem, allowing child
       processes to be terminated by unauthorized users.

       Additionally, Alien/OS networking protocols can provide a
       low-bandwidth covert timing channel to a determined
       attacker.


 II.   Impact

       Non-privileged primitive users can cause the total
       destruction of your entire invasion fleet and gain
       unauthorized access to files.


 III.  Solution

       EvilAliens has supplied a workaround and a patch, as
       follows:

       A. Workaround

          To prevent unauthorized insertion of executables,
          install a firewall to selectively vaporize incoming
          packets that do not contain valid aliens.  Also,
          disable the "Java" option in Netscape.

          To eliminate the covert timing channel, remove
          untrusted hosts from routing tables.  As tempting
          as it is, do not use target species' own satellites
          against them.


       B. Patch

          As root, install the "evil" package from the
          distribution tape.

          (Optionally) save a copy of the existing /usr/bin/sendmail
          and modify its permission to prevent misuse.


 
 ---------------------------------------------------------------------
 The CERT Coordination Center thanks Jeff Goldblum and Fjkxdtssss for
 providing information for this advisory.
 ---------------------------------------------------------------------

 If you believe that your system has been compromised, contact the CERT
 Coordination Center or your representative in the Forum of Incident
 Response and Security Teams (FIRST).

 We strongly urge you to encrypt any sensitive information you send
 by email. The CERT Coordination Center can support a shared DES
 key and PGP. Contact the CERT staff for more information.

 Location of CERT PGP key
          ftp://info.cert.org/pub/CERT_PGP.key

 CERT Contact Information
 - - ------------------------
 Email    cert@cert.org

 Phone    +1 412-268-7090 (24-hour hotline)
                 CERT personnel answer 8:30-5:00 p.m. EST
                 (GMT-5)/EDT(GMT-4), and are on call for
                 emergencies during other hours.

 Fax      +1 412-268-6989

 Postal address
         CERT Coordination Center
         Software Engineering Institute
         Carnegie Mellon University
         Pittsburgh PA 15213-3890
         USA

 CERT publications, information about FIRST representatives, and
 other security-related information are available for anonymous
 FTP from
         http://www.cert.org/
         ftp://info.cert.org/pub/

 CERT advisories and bulletins are also posted on the USENET
 newsgroup
         comp.security.announce

 To be added to our mailing list for CERT advisories and bulletins,
 send your email address to
         cert-advisory-request@cert.org


 Copyright 1996 Carnegie Mellon University
 This material may be reproduced and distributed without permission
 provided it  is used for noncommercial purposes and the copyright
 statement is included.

 CERT is a service mark of Carnegie Mellon University.





[here.  have a purty pixture. --aj.]


                                     ;;;;;;iiiii;;
                             i!!!!!!!!!!!!!!!~<:!!!!i
                         i!~!!))!!!!!!!!!!!!!!!!!!!!!!!!
                      i!!!<!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!i
                   i!!)!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!
                '!h!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!
              '!!`!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!i
               /!!!~!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!
            ' ':)!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!
              ~:!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!
            ..!!!!!\!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!
             `!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!
             ~ ~!!!)!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!~
            ~'~<!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!:'~
            <-<)!!<!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!:!
            `!!!!<!~!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!':!!!
            ' <!!!<>)`!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!)!~..
            :!<!!!<!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!! -!!:
                ~:!4~/!!!!!!!!!!!!!!!!!!!~!!!!!!!!!!!!!!!!!!!!!!!!!!
                 :~!!~)(!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!
                  ``~!!).~!!!!!!!!!!!!!<!!!!!!!!!!!!!!!!!!!!!!!!!!!!!:
                        ~  '!\!!!!!!!!!!(!!!!!!!!!!!!!!!!!!!!!!4!!!~:
                       '      '--`!!!!!!!!/:\!!<!!((!~.~!!`?~-      :
                          ``-.    `~!<!`)(>~/ \~                   :
               .                \  : `<<`. <-   .-~`              /
                .          !:       .\\?.<\   :`      .          :!
                \ :         `      -~!<:!!!\ ~     :!`         .>!
                '  ~          '    '<!!!<!!!t                 ! !!
                 '!  !.            <!!!!!!!!!              .~ <~!
                  ~!!..`~:.       <!!!!!!!!!!:          .<~ :LS<
                   `!!!!!!h:!?!!!!!!!!!!!!!(!!!!::..-~` <!!!!.
                     4!!!!!!!!!!!!!!!!!!!!!~!<!~!!!!!!!!!!!!'
                      `!!!!!!!!!!!!!!!!!!!!(~!!!!!!!!!!!!!~
                        `!!!!!!!!!!!<\``!!``(!!!!!!!!!~  .
                         `!!!!!!!!!!!!!!!!!!!!!!!!(!:
                           .!!!!!!!!!!!!!!!!!!!!!\~
                           .`!!!!!!!/`.;;~;;`~!! '
                             -~!!!!!!!!!!!!!(!!/ .
                                `!!!!!!!!!!!!!!'
                                  `\!!!!!!!!!~



+---------------------------------------+------------------------------------+
|      .:= A.j. Effin ReznoR =:.        |   "It's a violent peace            |
|                                       |      that will conquer the world"  |
| "Eagles may soar, but weasels don't   | http://www.whocares.com/~arrogance |
|       get sucked into jet engines"    |        /self.indulgant.crap.html   |
+---------------------------------------+------------------------------------+
		"We'll make some calls, we'll break some balls"