AA-96.08 -- Vulnerability in SGI systour package
Date:
07 November 1996
-----BEGIN PGP SIGNED MESSAGE-----

===========================================================================
AA-96.08                        AUSCERT Advisory
                    Vulnerability in SGI systour package
                                5 November 1996

Last Revised: 7 November 1996
  Added more specific SGI information
  Added SGI security advisory in Appendix A
- ---------------------------------------------------------------------------

AUSCERT has received information that there is a vulnerability in the SGI
Indigo Magic System Tour package, systour, under IRIX versions 5.0.x, 5.1.x,
5.2, 5.3, 6.0.x, 6.1, 6.2 and 6.3. This product is used to demonstrate the
features and functionality of the Indigo Magic User Environment.

This vulnerability may allow local users to gain root privileges. Exploit
details involving this vulnerability have been widely distributed.

AUSCERT has been informed that no vendor patches will be released to address
this vulnerability, although it will be corrected in future releases of IRIX.

AUSCERT recommends that sites apply the steps outlined in Section 3
immediately.
- ---------------------------------------------------------------------------

1. Description

The SGI Indigo Magic System Tour package, systour, is used to demonstrate
the features and functionality of the Indigo Magic User Environment under
IRIX versions 5.0.x, 5.1.x, 5.2, 5.3, 6.0.x, 6.1, 6.2 and 6.3.

As part of the tour, there is an option to remove the tour when the user is
finished. The tour is removed with the auxiliary program:

    /usr/lib/tour/bin/RemoveSystemTour

RemoveSystemTour uses "inst", IRIX's software management tool, to remove the
system tour. As inst requires root privileges to remove the tour,
RemoveSystemTour is setuid root. This allows local users to effectively
execute inst with root privileges when removing the tour.
As inst is a highly configurable program, local users may be able to
manipulate environment variables and local configuration files to force
inst, when called from RemoveSystemTour, to execute arbitrary commands with
root privileges.

All sites are encouraged to check their systems for the systour package and,
if installed, immediately apply the actions recommended in Section 3.

To determine if the vulnerable package is installed, use the command:

    % versions systour

2. Impact

Local users may be able to execute arbitrary commands with root privileges.

3. Workarounds/Solution

AUSCERT recommends that sites prevent exploitation of this vulnerability by
immediately applying the workaround given in Section 3.1. If the systour
package is no longer needed, it is recommended that sites remove it from
their systems (Section 3.2).

Silicon Graphics Inc. has released a Security Advisory addressing the
vulnerability described in Section 1; it has been included in Appendix A
below. Sites are encouraged to review the SGI advisory as it contains
additional security information.

3.1 Remove setuid permissions

Remove the setuid root permissions from the RemoveSystemTour executable.
The following command should be run as root.

    # chmod u-s /usr/lib/tour/bin/RemoveSystemTour
    # ls -l /usr/lib/tour/bin/RemoveSystemTour
    -rwxr-xr-x    1 root     sys        10024 Nov 22  1994 /usr/lib/tour/bin/RemoveSystemTour

Note that the removal of the setuid bit will prevent non-privileged users
removing the system tour.

3.2 Remove the package

If the systour package is no longer needed, sites are encouraged to remove it
completely from their systems. This can be done by running, as root, the GUI
software management tool, swmgr, or the command:

    # versions remove systour

Sites can check that the package has been removed with the command:

    # versions systour

...........................................................................
Appendix A

- ----------------------BEGIN SGI SECURITY ADVISORY--------------------------

______________________________________________________________________________
                Silicon Graphics Inc. Security Advisory

  Title:   Possible Vulnerabilities in systour and OutOfBox
  Title:   Subsystems for IRIX 5.x, 6.0.x, 6.1, 6.2 and 6.3
  Number:  19961101-01-I
  Date:    November 6, 1996
______________________________________________________________________________

Silicon Graphics provides this information freely to the SGI user community
for its consideration, interpretation, implementation and use. Silicon
Graphics recommends that this information be acted upon as soon as possible.

Silicon Graphics will not be liable for any indirect, special, or
consequential damages arising from the use of, failure to use or improper
use of any of the instructions or information in this Security Advisory.
______________________________________________________________________________

Recently, potential security vulnerabilities in the OutOfBox and systour
subsystems have been advertised in several public forums. Additionally, the
Australian Computer Emergency Response Team (AUSCERT) released an advisory
(AA-96.08) on this issue.

Silicon Graphics Inc. has investigated the issues and recommends the
following steps for neutralizing exposure. It is HIGHLY RECOMMENDED that
these measures be implemented on ALL SGI systems running IRIX versions
5.0.x, 5.1.x, 5.2, 5.3, 6.0.x, 6.1, 6.2 and 6.3. This issue will be
corrected in future releases of IRIX.

- - --------------
- - --- Impact ---
- - --------------

The Silicon Graphics Indigo Magic System Tour and OutOfBox Experience
packages are factory installed on all Silicon Graphics Indy systems.

The Indigo Magic System Tour and OutOfBox Experience packages are not
factory installed with any Silicon Graphics Indigo2 systems; however, CDs
with these packages are provided with the systems.
The OutOfBox Experience subsystem is factory installed on all Silicon
Graphics O2 systems. The System Tour subsystem is not part of the software
provided for the O2 system.

Note that either or both of the Indigo Magic System Tour and OutOfBox
Experience subsystems may be installed from CD on any Silicon Graphics
system.

The purpose of these two packages, systour and OutOfBox, is to demonstrate
and highlight the features and capabilities of the user environment and
system. Due to the disk space requirements of these subsystems, most sites
will remove these subsystems for disk space reclamation as part of initial
system setup. Those sites which have done this will not be vulnerable.

On those systems on which the subsystems are still installed, both
subsystems provide background setuid root programs to perform a subsystem
removal when a user decides to remove the software. This removal is done
using the standard IRIX /usr/sbin/inst program that manages IRIX software.
Provided with the right environment, the inst program could be manipulated
to execute arbitrary commands with root privileges.

An account on the vulnerable system is required for exploit. With an
account, these vulnerabilities are exploitable by both local and remote
access.

- - ----------------
- - --- Solution ---
- - ----------------

There are no patches for these issues. However, using the information
below, steps can be taken to eliminate the exposure.
To determine if the OutOfBox and systour subsystems are installed on a
particular system, the following command can be used:

    % versions OutOfBox.sw systour.sw
    I = Installed, R = Removed

       Name                 Date      Description

    I  OutOfBox             11/05/96  OutOfBox Experience, 1.1
    I  OutOfBox.sw          11/05/96  OutOfBox Experience Software, 1.1
    I  OutOfBox.sw.complete 11/05/96  Complete OutOfBox Experience
    I  OutOfBox.sw.intro    11/05/96  OutOfBox Intro Movies
    I  systour              02/12/96  Indigo Magic System Tour, 5.2
    I  systour.sw           02/12/96  System Tour Execution Environment
    I  systour.sw.eoe       02/12/96  System Tour Execution Environment

In the above case, the subsystems of concern are installed and the steps
below should be performed. If no output is returned by the command, the
subsystems are not installed and no further action is required.

**** IRIX 4.x ****

The 4.x version of IRIX is not vulnerable as the System Tour and OutOfBox
Experience subsystems are not part of available software for this IRIX
version. No action is required.

**** IRIX 5.x, 6.0, 6.0.1, 6.1, 6.2 ****

There are no patches for this issue. The steps below can be used to remove
the vulnerability by either changing the program permissions (use step 2a)
or by removing the subsystems (use step 2b).

1) Become the root user on the system.

    % /bin/su -
    Password:
    #

2) Choose either step 2a or 2b depending on which has the desired result.

2a) Change the setuid root permissions on the programs of concern.

    # /bin/chmod u-s /usr/lib/tour/bin/RemoveSystemTour
    # /bin/chmod u-s /usr/people/tour/oob/bin/oobversions

    ************
    *** NOTE ***
    ************

    Removing the setuid root permissions from these tools will prevent
    non-root users from removing the subsystems. Removal of the subsystems
    will only be possible if the systour or OutOfBox user is a root user
    or if the inst IRIX software manager is used by root for removal.

2b) Remove the vulnerable subsystems.

    # /usr/sbin/versions -v remove systour OutOfBox

4) Return to previous level.
    # exit
    $

**** IRIX 6.3 ****

The IRIX operating system version 6.3 does not have the System Tour
subsystem but does have the OutOfBox Experience subsystem.

There are no patches for this issue. The steps below can be used to remove
the vulnerability by either changing the program permissions (use step 2a)
or by removing the subsystems (use step 2b).

1) Become the root user on the system.

    % /bin/su -
    Password:
    #

2) Choose either step 2a or 2b depending on which has the desired result.

2a) Change the setuid root permissions on the program of concern.

    # /bin/chmod u-s /usr/people/tour/oob/bin/oobversions

    ************
    *** NOTE ***
    ************

    Removing the setuid root permissions from this program will prevent
    non-root users from removing the subsystem. Removal of the subsystem
    will only be possible if the OutOfBox user is a root user or if the
    inst IRIX software manager is used by root for removal.

2b) Remove the vulnerable subsystem.

    # /usr/sbin/versions -v remove OutOfBox

4) Return to previous level.

    # exit
    $

- - ------------------------
- - --- Acknowledgments ---
- - ------------------------

Silicon Graphics wishes to thank AUSCERT and FIRST members worldwide for
their assistance in this matter.

- - -----------------------------------------
- - --- SGI Security Information/Contacts ---
- - -----------------------------------------

If there are questions about this document, email can be sent to
cse-security-alert@csd.sgi.com.

                      ------oOo------

Silicon Graphics provides security information and patches for use by the
entire SGI community. This information is freely available to any person
needing the information and is available via anonymous FTP and the Web.

The primary SGI anonymous FTP site for security information and patches is
sgigate.sgi.com (204.94.209.1). Security information and patches are located
under the directories ~ftp/security and ~ftp/patches, respectively.
The Silicon Graphics Security Headquarters Web page is accessible at the URL
http://www.sgi.com/Support/Secur/security.html.

For issues with the patches on the FTP sites, email can be sent to
cse-security-alert@csd.sgi.com.

For assistance obtaining or working with security patches, please contact
your SGI support provider.

                      ------oOo------

Silicon Graphics provides a free security mailing list service called
wiretap and encourages interested parties to self-subscribe to receive (via
email) all SGI Security Advisories when they are released.

Subscribing to the mailing list can be done via the Web
(http://www.sgi.com/Support/Secur/wiretap.html) or by sending email to SGI
as outlined below.

    % mail wiretap-request@sgi.com
    subscribe wiretap
    end
    ^d

In the example above, is the email address that you wish the mailing list
information sent to. The word end must be on a separate line to indicate the
end of the body of the message. The control-d (^d) is used to indicate to
the mail program that you are finished composing the mail message.

                      ------oOo------

Silicon Graphics provides a comprehensive customer World Wide Web site.
This site is located at http://www.sgi.com/Support/Secur/security.html.

                      ------oOo------

For reporting *NEW* SGI security issues, email can be sent to
security-alert@sgi.com or contact your SGI support provider. A support
contract is not required for submitting a security report.

- --------------------------END SGI SECURITY ADVISORY------------------------
...........................................................................

- ---------------------------------------------------------------------------

AUSCERT thanks Silicon Graphics Inc. for their assistance in this matter.
- ---------------------------------------------------------------------------

The AUSCERT team have made every effort to ensure that the information
contained in this document is accurate. However, the decision to use the
information described is the responsibility of each user or organisation.
The appropriateness of this document for an organisation or individual
system should be considered before application in conjunction with local
policies and procedures. AUSCERT takes no responsibility for the
consequences of applying the contents of this document.

If you believe that your system has been compromised, contact AUSCERT or
your representative in FIRST (Forum of Incident Response and Security
Teams).

AUSCERT is located at The University of Queensland within the Prentice
Centre. AUSCERT is a full member of the Forum of Incident Response and
Security Teams (FIRST).

AUSCERT maintains an anonymous FTP service which is found on:
ftp://ftp.auscert.org.au/pub/.
This archive contains past SERT and AUSCERT Advisories, and other computer
security information.

AUSCERT also maintains a World Wide Web service which is found on:
http://www.auscert.org.au/.

Internet Email: auscert@auscert.org.au
Facsimile:      (07) 3365 4477
Telephone:      (07) 3365 4417 (International: +61 7 3365 4417)
                AUSCERT personnel answer during Queensland business hours
                which are GMT+10:00 (AEST).
                On call after hours for emergencies.

Postal:         Australian Computer Emergency Response Team
                c/- Prentice Centre
                The University of Queensland
                Brisbane
                Qld. 4072.
                AUSTRALIA

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
Revision History

November 7 1996  SGI released a Security Advisory addressing the systour
                 vulnerability and this was added to Appendix A. Note that
                 it also addressed other vulnerabilities in the OutOfBox
                 subsystem and contains information that is not mentioned
                 in the AUSCERT advisory. Specific versions of the IRIX
                 operating system were also listed.
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

-----BEGIN PGP SIGNATURE-----
Version: 2.6.3i
Charset: noconv
Comment: ftp://ftp.auscert.org.au/pub/auscert/AUSCERT_PGP.key

iQCVAwUBMoHLIih9+71yA2DNAQGoSQP/Ulv9OHgFK/6fdoqxDkl02mj5pKQ7PY/S
k56FVgJtPVYK6fDooACsVpx1zhCs+xTtPTTUxz/IwUiX4P4Yd/87Qqnrctxgpbep
eJN3EUSYY/Xh3v+3GkE0N26drzwSaqrMDEEKQNrt7vzqJeN07WHMNbOQA00JJvaS
aKVsnVf6otw=
=35hH
-----END PGP SIGNATURE-----
http://www.auscert.org.au/render.html?cid=1&it=1861