Australia's Leading Computer Emergency Response Team

AA-97.16 -- SGI IRIX Scanners Vulnerability
Date: 14 May 1997
Original URL: http://www.auscert.org.au/render.html?cid=1&it=1890


===========================================================================
AA-97.16                        AUSCERT Advisory
                        SGI IRIX Scanners Vulnerability
                                  14 May 1997

Last Revised: --

---------------------------------------------------------------------------

AUSCERT has received information that a vulnerability exists in
the scanners(1M) program which is part of the Impressario package.

The vulnerability may allow local users to gain root privileges.

Exploit information regarding this vulnerability has been made
publicly available.

AUSCERT recommends that sites take the steps outlined in Section 3
as soon as possible.

---------------------------------------------------------------------------

1.  Description

    AUSCERT has received information that a vulnerability exists in the
    scanners(1M) program as supplied with Impressario Server 1.2.  The
    scanners program is a graphical tool for displaying, installing and
    deleting scanning devices.

    Information from the environment variable SGIHELPROOT is accepted by
    the scanners program without adequate validity checks being performed.
    By carefully manipulating this environment variable, it might be
    possible to execute arbitrary commands with root privileges.

    Impressario Server 1.2 is known to have shipped as an optional extra
    with IRIX 5.x.  The version of Impressario that runs under IRIX 6.2
    and later is not known to be vulnerable.
    
    Exploit information involving this vulnerability has been made publicly
    available.

    Sites can determine if they have this package installed and if the
    package is vulnerable in the following manner:

    Determine if the scanners program is installed by using the command:
	
      % ls -l /usr/sbin/scanners
      -rwsr-xr-x   1 root   sys  117752 Apr 29 05:28 /usr/sbin/scanners

    If scanners is installed, check if the version you have uses the
    SGIHELPROOT environment variable by using this command and getting
    the indicated output:

      % strings -a /usr/sbin/scanners | grep SGIHELPROOT | uniq
      SGIHELPROOT
    
    If the scanners program is installed and it uses the environment
    SGIHELPROOT variable, determine if it has already been patched to
    remove the vulnerability described herein by using the command:

      % versions patchSG0000006.impr_scan_sw.impr
      I = Installed, R = Removed

         Name                 Date      Description

      I  patchSG0000006       05/07/97  Patch SG0000006 Impressario 1.2
      I  patchSG0000006.impr_scan_sw  05/07/97  Impressario 1.2 Scanner Software
      I  patchSG0000006.impr_scan_sw.impr  05/07/97  Scanner Base Software

    
    If the scanners program is installed and it contains the string
    SGIHELPROOT and patchSG0000006 is not installed, then your site might
    be vulnerable and the workarounds given in Section 3 should be applied
    immediately.

2.  Impact

    Local users may be able to gain root privileges.

3.  Workarounds/Solution

    AUSCERT recommends that sites determine if their system is vulnerable
    and if so, immediately remove the setuid and execute permissions as
    stated in Section 3.1 to limit the exploitation of this vulnerability.
    Sites may then wish to apply the vendor patch given in Section 3.2.

3.1 Remove permissions

    To prevent the exploitation of the vulnerability described in this
    advisory, AUSCERT recommends that the setuid and execute permissions
    be removed from the scanners program immediately.

      # ls -l /usr/sbin/scanners
      -rwsr-xr-x   1 root   sys  117752 Apr 29 05:28 /usr/sbin/scanners

      # chmod 700 /usr/sbin/scanners

      # ls -l /usr/sbin/scanners
      -rwx------   1 root   sys  117752 Apr 29 05:28 /usr/sbin/scanners

    Note that all users, except root, will lose the ability to use the
    functionality of the scanners program.

3.2 Install Vendor Patch

    Silicon Graphics Inc. has released a patch that appears to address
    the vulnerability described in this advisory.  This patch is very old
    and there are some concerns about its compatibility with later software
    and patches.  It is advised that only sites that require the scanners
    program and cannot upgrade to a later version apply this patch.  This
    patch is currently only available to sites that have SurfZone membership.

    Sites that have Silicon Graphics Inc. support contracts but do not
    have SurfZone membership should contact Silicon Graphics customer
    support to obtain this patch.

    Sites with SurfZone membership can retrieve this patch from:

      http://www.surf.sgi.com/SurfZone/Support/allpatch/pinfo/i5.2.p6.html

4.  Additional measures

    Most Unix systems ship with numerous programs which have setuid or
    setgid privileges.  Often the functionality supplied by these privileged
    programs is not required by many sites.  The large number of privileged
    programs shipped by default is intended to cater for all possible
    uses of the system.

    AUSCERT encourages sites to examine all the setuid/setgid programs
    and determine the necessity of each program.  If a program does not
    absolutely require the setuid/setgid privileges to operate (for example,
    it is only run by the root user),  the setuid/setgid privileges should
    be removed.  Furthermore, if a program is not required at your site,
    then all execute permissions should be removed.

    A sample command to find all setuid/setgid programs is (run as root):

     # find / \( -perm -4000 -o -perm -2000 \) -type f -exec ls -l {} \;
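    The checks from Section 1, the Section 3.1 workaround and the audit
    command above, combined into one POSIX sh script so they can be tried
    against a constructed stand-in for /usr/sbin/scanners.  This is an
    added example, not part of the AUSCERT advisory; the function names
    are assumptions, and the patchSG0000006 check is omitted because it
    needs the IRIX versions(1M) tool.

```shell
#!/bin/sh
# Added example (not from the advisory): Section 1 check, Section 3.1
# workaround and Section 4 audit, parameterised on the binary's path.

# Return 0 when FILE carries the setuid or setgid bit (the same test the
# Section 4 find command applies with -perm -4000 / -perm -2000).
is_privileged() {
    [ -u "$1" ] || [ -g "$1" ]
}

# Portable stand-in for "strings -a FILE | grep SGIHELPROOT": split the
# binary into printable runs and look for the environment variable name.
uses_sgihelproot() {
    tr -c '[:print:]' '\n' < "$1" | grep -q 'SGIHELPROOT'
}

# Section 1 logic: report the binary as suspect when it is installed,
# privileged and references SGIHELPROOT.  Returns 0 when suspect.
check_scanners() {
    f=$1
    [ -f "$f" ] || { echo "$f: not installed"; return 1; }
    if is_privileged "$f" && uses_sgihelproot "$f"; then
        echo "$f: setuid/setgid and uses SGIHELPROOT; apply Section 3"
        return 0
    fi
    echo "$f: no indication of the vulnerable configuration"
    return 1
}

# Section 3.1 workaround: drop setuid/setgid and all group/other access,
# then confirm the privilege bits are really gone.
disable_scanners() {
    chmod 700 "$1" && ! is_privileged "$1"
}

# Section 4 audit: list every setuid/setgid regular file under DIR.
list_privileged() {
    find "$1" \( -perm -4000 -o -perm -2000 \) -type f -exec ls -l {} \;
}
```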

    It is AUSCERT's experience that many vulnerabilities are being discovered
    in setuid/setgid programs which are not necessary for the correct
    operation of most systems.  Sites can increase their security by
    removing unnecessary setuid/setgid programs.

    For example, the functionality provided by the scanners program is not
    needed by many sites.  If sites had previously disabled this program,
    they would not have been susceptible to this latest vulnerability.

---------------------------------------------------------------------------
AUSCERT wishes to thank Silicon Graphics Inc. and Wolfgang Ley of DFN-CERT
for their assistance in this matter.
---------------------------------------------------------------------------

The AUSCERT team have made every effort to ensure that the information
contained in this document is accurate.  However, the decision to use the
information described is the responsibility of each user or organisation.
The appropriateness of this document for an organisation or individual
system should be considered before application in conjunction with local
policies and procedures.  AUSCERT takes no responsibility for the
consequences of applying the contents of this document.

If you believe that your system has been compromised, contact AUSCERT or
your representative in FIRST (Forum of Incident Response and Security
Teams).

AUSCERT is located at The University of Queensland within the Prentice
Centre.  AUSCERT is a full member of the Forum of Incident Response and
Security Teams (FIRST).

AUSCERT maintains an anonymous FTP service which is found on:
ftp://ftp.auscert.org.au/pub/.  This archive contains past SERT and AUSCERT
Advisories, and other computer security information.

AUSCERT also maintains a World Wide Web service which is found on:
http://www.auscert.org.au/.

Internet Email: auscert@auscert.org.au
Facsimile:	(07) 3365 4477
Telephone:	(07) 3365 4417 (International: +61 7 3365 4417)
		AUSCERT personnel answer during Queensland business hours
		which are GMT+10:00 (AEST).
		On call after hours for emergencies.

Postal:
Australian Computer Emergency Response Team
Prentice Centre
Brisbane
Qld.  4072.
AUSTRALIA


~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
Revision History


~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

