> ========================================================================
> CERTS Advisory CA-98.42
> Jan 08, 1998
>
> Topic: o1k problems in Internet Oracularities software
>
> The text of this advisory was originally released on Jan 07, 1998,
> as OERT Advisory OE-98.01, developed by the Oracular Computer
> Emergency Response Team. Because of the seriousness of the problem, we
> are reprinting the OERT advisory here with their permission. Only
> the contact information at the end has changed: OERT contact
> information has been replaced with CERTS/CC contact information. As
> usual, we will place updated information in a README file
> (ftp://info.certs.org/pub/certs_advisories/CA-98.42.README).
>
> Note: The vulnerability described in this advisory will be actively
> exploited.
>
> ========================================================================
>
> The Oracular Computer Emergency Response Team (OERT) has received
> information that code, as found in the software used for creating
> Internet Oracularities, contains a security vulnerability. Programs
> using this code may be vulnerable to attack.
>
> OERT recommends that sites that have installed any program
> incorporating the vulnerable code apply one of the workarounds
> as described in Section 3.
>
> ------------------------------------------------------------------------
>
> 1. Description
>
> A security vulnerability has been reported in example
> Oracularities code.
>
> * Any zottings in Internet Oracularities #1000 may be redirected
> to anyone or anything, including the Oracle {him|her|it}self,
> Steve Kinzler, Socks Clinton, Lisa's jewel case, (and you don't
> have to be omniscient to predict that she'll get mad if all her
> jewelry is melted), the MIR and indiana.edu's mailserver.
>
> * Any mentioning of woodchucks in Internet Oracularities #1000
> will result in having the Temple of Oracularities filled with
> mutant zot-resistant rodents.
>
> * Any complaints of no groveling in Internet Oracularities #1000
> will result in having the incarnation haunted by mutant
> zot-resistant insurance salesmen.
>
> * Any poems or songs in Internet Oracularities #1000 will result
> in having the Temple of Oracularities filled with mutant
> zot-resistant singing Smurfs.
>
> * Any mentioning of any-coloured fighting fish in Internet
> Oracularities #1000 will result in having the Temple of
> Oracularities flooded.
>
> * Any misspelling of Kirsten's name in Internet Oracularities
> #1000 will result in severe complaints to rec.humor.oracle.d.
>
> * Any fee in Internet Oracularities #1000 will be paid _from_
> the Oracle _to_ the supplicant.
>
> * Any mentioning of Bill Gates, MicroSoft or Windows* in Internet
> Oracularities #1000 will result in forcing the incarnation to
> use MS-products 24 hours a day for the rest of {his|her|its}
> life.
>
> 2. Impact
>
> Internet Oracularities #1000 may result in a disaster.
>
> 3. Workarounds
>
> The use of certain oracular library calls (including zot(),
> complain() and fee()) in security critical code has been a
> notorious source of security vulnerabilities. Good security
> coding practice usually dictates that easily exploitable system or
> library calls should not be used.
>
> Sites planning to install or write their own oracular programs are
> encouraged to read the references in Section 4 first.
>
> 3.1. Remove Oracular programs
>
> This will of course solve the problem, but it will also
> create a new problem: The Oracle will no longer be able to
> answer questions. As a lot of people are depending on the
> Oracle to give them advice, this will result in several
> suicides (however, the number of *zot* wounds will
> decrease), a lot of over-worked psychologists and will give
> any stupid swindler a new opportunity to MAKE.MONEY.FAST.
>
> 3.2. Rewrite Oracular programs
>
> OERT recommends that sites which are currently using CGI
> programs which use shell-based library calls (such as zot())
> consider rewriting these programs to remove direct calls to
> easily compromised library functions.
>
> 3.3. Remove suid-bits from oracular programs
>
> This will make it more difficult to delegate work to others,
> (unless you really want to give Zadoc the Password) but it
> will be much more secure. Alternatively, you can have a look
> at sudo, or something similar.
>
> 3.4. Take care to avoid potential dangerous answers
>
> As there is often a significant delay between submission of
> an answer and the digestion, these precautions should be
> taken to all answers that may be digested until Internet
> Oracularities #1001. (And as the priests' sense of humour
> may be a bit weird at times _all_ answers may be digested.)
>
> * Avoid Zotting. (Or if you get really mad, zot them without
> telling them what you are going to do. After all they'll
> find that out soon enough. Alternatively you can just zot
> Zadoc after finishing your answer.)
> * Get that woodchuck filter up and working _now_!
> * Don't answer any questions without proper groveling before
> Oracularities #1001 is published.
> * Same with questions containing poems or references to
> fish. (You'd better send Paul and all his disciples on
> vacation to somewhere far away from any computer. Iran
> should work well.)
> * Have Kirsten change her name to something easier to spell.
> * Take care when demanding fees. For example 'You owe the
> Oracle a black eye' should work well. (Of course if that
> particular answer isn't digested, or gets into another
> digest, you've got a problem.)
> * Make sure Bill Gates is out of business before #1000 is
> selected
>
> If you really need to break those rules, there are
> however a few tricks you can use to avoid getting selected:
>
> * Add 'http://www.hotmail.com/' at the end of your answer.
> * 3L1T3 style spelling.
> * Answer only with '*ZOT*'
>
> This is however not secure.
>
> 4. Additional measures
>
> Numerous resources relating to oracular security are available.
> The following pages provide a useful starting point. They include
> links describing general oracular security, secure orried setup
> and secure oracular programming.
>
> The Oracular Security FAQ:
> http://www.eecs.uindiana.edu/WWW/faqs/orrie-security-faq.html
>
> NSCA's "Security Concerns with the Oracle" Page:
> http://haahaa.ncsa.uiac.edu/security/oracle.html
>
> ------------------------------------------------------------------------
> OERT thanks no one, because we want to get all the honour for this
> ourselves.
> ========================================================================
>
> OERT Contact Information
> ------------------------
> If you believe that your system has been compromised, don't bother
> contacting the OERT Coordination Center or your representative in the
> Liga of Arrogant Security Teams (LAST).
>
> We strongly urge you not to encrypt any sensitive information you send
> by email. That would just give us extra work.
> The OERT Coordination Center can not support a shared DES key and PGP.
> Avoid contacting the OERT staff for more information.
>
> Location of CERTS PGP key
> ftp://localhost/dev/zero
>
> Email postmaster@langnese.nvg.unit.no
>
> Phone Don't call us - we'll call you.
>
> Postal address
> OERT Coordination Center
> Oracular Engineering Institute
> Indiana University
>
> OERT advisories and bulletins are also posted on the USENET newsgroup
> oracle.security.announce
>
> OERT is a service mark of University of Indiana.