-----BEGIN PGP SIGNED MESSAGE-----

- ---EXTERNAL RELEASE---EXTERNAL RELEASE---EXTERNAL RELEASE---EXTERNAL RELEASE---

                  =======  ============    ======       ======
                  =======  ==============  =======     =======
                    ===      ===     ====    ======   ======
                    ===      ===========     ======= =======
                    ===      ===========     === ======= ===
                    ===      ===     ====    ===  =====  ===
                  =======  ==============  =====   ===   =====
                  =======  ============    =====    =    =====

                           EMERGENCY RESPONSE SERVICE
			OUTSIDE ADVISORY REDISTRIBUTION

17 July 1996 18:00 GMT                           Number: ERS-OAR-E01-1996:004.1
===============================================================================

The IBM-ERS Outside Advisory Redistribution is designed to provide customers
of the IBM Emergency Response Service with access to the security advisories
sent out by other computer security incident response teams, vendors, and
other groups concerned about security.

IBM makes no representations and assumes no responsibility for the contents or
accuracy of the advisories themselves.

IBM-ERS is forwarding the following information from FreeBSD, Inc..  Contact
information for FreeBSD, Inc. is included in the forwarded text below; please
contact them if you have any questions or need further information.

===============================================================================

********************** FORWARDED INFORMATION STARTS HERE **********************

 =============================================================================
 FreeBSD-SA-96:17					    Security Advisory
 Revised: Tue Jul 16 21:44:54 PDT 1996				FreeBSD, Inc.

 Topic:		"Trojan Horse" vulnerability via rz program

 Category:	ports
 Module:	rzsz
 Announced:	1996-07-16
 Affects:	All FreeBSD ports collections released before 2.1.5-RELEASE
 Corrected:	ports collection as of 1996-07-06
 Source:	rzsz shareware package
 FreeBSD only:	no

 Patches:	ftp://freebsd.org/pub/CERT/patches/SA-96:17/

 =============================================================================

 I.   Background    

     All existing versions of the rz program (a program for receiving
     files over serial lines using the Z-Modem protocol) are equipped
     with a feature that allows the sender of a file to request the
     execution of arbitrary commands on the receiver's side.  The user
     using rz does not have any control over this feature.

     The workaround is to have rz never execute any command, and
     always pretend a successful execution.

     All FreeBSD users are encouraged to use the workaround provided.
     Since the intent of the Z-Modem protocol is to provide a reliable
     connection between systems of a vastly different architecture,
     the execution of local commands at request of the sending side
     cannot even be considered a useful feature at all.


 II.  Problem Description

     The Z-Modem protocol specifies a mechanism which allows the
     transmitter of a file to execute an arbitrary command string
     as part of the file transfer.  This is typically used to rename
     files or eliminate temporary files.  A malicious "trusted" sender
     could send down a command that could damage a user's environment.


 III. Impact

     The rzsz package is an optional port that made be installed on
     some FreeBSD systems.  This program is not installed by default.
     Systems without this program are not vulnerable.

     rz allows "Trojan Horse" type attacks against unsuspecting users.
     Since the rz executable does not run with special privileges,
     the vulnerability is limited to changes in the operating environment
     that the user could willingly perform.

     This vulnerability is a fundamental flaw in the Z-Modem protocol.
     Other operating systems and other implementations of the Z-Modem
     protocol may also suffer similar vulnerabilities.

 IV.  Workaround

     Disable the rz program.  If it has been installed, it would
     typically be found in /usr/local/bin.

	# chmod 000 /usr/local/bin/rz
	# ls -l /usr/local/bin/rz
	----------  1 root  wheel  23203 Mar  4 23:12 /usr/local/bin/rz


 V. Solution(s)

     This feature is a relatively unknown part of the Z-Modem protocol.
     It is not critical to file transfers in general.  The safest
     approach is to disable this feature in the receiving program.

     Any rzsz port that is obtained from the official ports collection
     after 1996-07-06 includes the following patch to disable this feature.
     This patch applies to rzsz v3.42, if you have an earlier version
     of the rzsz sources, please upgrade to the latest version first.

    *** rz.c.orig	Sat Jul  6 17:34:26 1996
    --- rz.c	Sat Jul  6 17:44:52 1996
    ***************
    *** 1020,1039 ****
    --- 1020,1045 ----
		    case ZCOMMAND:
			    cmdzack1flg = Rxhdr[ZF0];
			    if (zrdata(secbuf, 1024) == GOTCRCW) {
    + #ifdef BIG_SECURITY_HOLE
				    void exec2();

				    if (cmdzack1flg & ZCACK1)
					    stohdr(0L);
				    else
					    stohdr((long)sys2(secbuf));
    + #else
    + 				stohdr(0L);
    + #endif
				    purgeline();	/* dump impatient questions */
				    do {
					    zshhdr(4,ZCOMPL, Txhdr);
				    }
				    while (++errors<20 && zgethdr(Rxhdr) != ZFIN);
				    ackbibi();
    + #ifdef BIG_SECURITY_HOLE
				    if (cmdzack1flg & ZCACK1)
					    exec2(secbuf);
    + #endif
				    return ZCOMPL;
			    }
			    zshhdr(4,ZNAK, Txhdr); goto again;

 =============================================================================
 FreeBSD, Inc.

 Web Site:			http://www.freebsd.org/
 Confidential contacts:		security-officer@freebsd.org
 PGP Key:			ftp://freebsd.org/pub/CERT/public_key.asc
 Security notifications:	security-notifications@freebsd.org
 Security public discussion:	security@freebsd.org

 Notice: Any patches in this document may not apply cleanly due to
         modifications caused by digital signature or mailer software.
         Please reference the URL listed at the top of this document
         for original copies of all patches if necessary.
=============================================================================

*********************** FORWARDED INFORMATION ENDS HERE ***********************

===============================================================================

IBM's Internet Emergency Response Service (IBM-ERS) is a subscription-based
Internet security response service that includes computer security incident
response and management, regular electronic verification of your Internet
gateway(s), and security vulnerability alerts similar to this one that are
tailored to your specific computing environment.  By acting as an extension
of your own internal security staff, IBM-ERS's team of Internet security
experts helps you quickly detect and respond to attacks and exposures across
your Internet connection(s).

As a part of IBM's Business Recovery Services organization, the IBM Internet
Emergency Response Service is a component of IBM's SecureWay(tm) line of
security products and services.  From hardware to software to consulting,
SecureWay solutions can give you the assurance and expertise you need to
protect your valuable business resources.  To find out more about the IBM
Internet Emergency Response Service, send an electronic mail message to
ers-sales@vnet.ibm.com, or call 1-800-742-2493 (Prompt 4).

IBM-ERS maintains a site on the World Wide Web at http://www.ers.ibm.com/.
Visit the site for information about the service, copies of security alerts,
team contact information, and other items.

IBM-ERS uses Pretty Good Privacy* (PGP*) as the digital signature mechanism for
security vulnerability alerts and other distributed information.  The IBM-ERS
PGP* public key is available from http://www.ers.ibm.com/team-info/pgpkey.html.
"Pretty Good Privacy" and "PGP" are trademarks of Philip Zimmerman.

IBM-ERS is a Member Team of the Forum of Incident Response and Security Teams
(FIRST), a global organization established to foster cooperation and response
coordination among computer security teams worldwide.

The information in this document is provided as a service to customers of
the IBM Emergency Response Service.  Neither International Business Machines
Corporation, Integrated Systems Solutions Corporation, nor any of their
employees, makes any warranty, express or implied, or assumes any legal
liability or responsibility for the accuracy, completeness, or usefulness of
any information, apparatus, product, or process contained herein, or
represents that its use would not infringe any privately owned rights.
Reference herein to any specific commercial products, process, or service by
trade name, trademark, manufacturer, or otherwise, does not necessarily
constitute or imply its endorsement, recommendation or favoring by IBM or
its subsidiaries.  The views and opinions of authors expressed herein do not
necessarily state or reflect those of IBM or its subsidiaries, and may not be
used for advertising or product endorsement purposes.

- ---EXTERNAL RELEASE---EXTERNAL RELEASE---EXTERNAL RELEASE---EXTERNAL RELEASE---

-----BEGIN PGP SIGNATURE-----
Version: 2.7.1

iQCVAwUBMe1AmvWDLGpfj4rlAQFPngQA0Ca+x6yyhmpXmXq6JatJGZmj0j4ecrtj
LA9+DFGmxIqEK6Jd91OA/99r/WIEtmlOaX2LyyfZ59Jg74b8cLYV/hMJ8Sj1PrG1
iZkLJaB3zwofPr4gl2MxXybvfIymFYoZlQGrUK0ZhrZMY+4dves/CAiU9ihmaoyK
/A9niYIEL/c=
=5a6m
-----END PGP SIGNATURE-----