Date: 12 Aug 1994 15:01:32 -0400 (EDT)
From: Ron Tencati +1-301-441-4081
Subject: NASIRC Advisory on SGI vulnerabilities
Sender: first-request@csrc.ncsl.nist.GOV
To: first-teams@first.ORG
Cc: TENCATI@nssdca.gsfc.nasa.GOV
Reply-to: Ron Tencati +1-301-441-4081
Organization: FIRST, the Forum of Incident Response & Security Teams
Sub-Organization: FIRST Secretariat
X-Sequence: first-teams.0487

The following bulletin was released by NASIRC to the NASA constituency at
3am on Aug 12th. We discovered additional vulnerabilities not covered in
the SGI bulletin, and noted them here.

We are also working with SGI on a "hole" that was found in the current
patch. We'll keep y'all posted as we reach closure with SGI.

Ron Tencati
NASIRC

=============================================================================
NASIRC BULLETIN #94-29                                        August 11, 1994

       Security Vulnerability in Silicon Graphics IRIX v5.1.x and v5.2

         ===========================================================
             NASA Automated Systems Incident Response Capability
         ===========================================================

This bulletin provides the most recent information regarding a
newly-discovered vulnerability in the IRIX v5.1 and IRIX v5.2 operating
systems, which allows an unprivileged user to become an active root user,
thus completely breaching the machine's security. In discussions on various
Usenet forums, the vulnerability has been referred to by various names,
including clogin, printer manager, and SGI Help.

This bulletin supersedes the NASIRC *FLASH* announcement sent out earlier
today on this same subject.

SYSTEMS AFFECTED:

All SGI platforms running IRIX v5.1 or IRIX v5.2. While a patch has been
developed for IRIX v5.2, no patch is planned for IRIX v5.1.
NASIRC and the vendor recommend that sites running IRIX v5.1.x apply the
workaround described below, then upgrade to IRIX v5.2 as soon as possible.

THE PROBLEM:

A vulnerability exists in the SGI help system and print manager under IRIX
v5.1.x and v5.2 which can enable users to gain unauthorized root access.

Advisories issued by SGI and other response teams state that the system is
only vulnerable if the user can log into an account on the local system or
gain physical access to the console. However, NASIRC further advises that
setting a system variable that defines a different SGI host as the Help
Server can cause that remote system to be compromised through this
vulnerability, without any need to log on to the remote machine.

THE FIX:

If you are running IRIX 5.2, obtain and install patch65 according to the
instructions provided in section B below.

If you cannot install the patch immediately, or you are running IRIX 5.1.x
and cannot upgrade to v5.2, you should implement the following workaround
in order to disable the vulnerability on your system.

A. Workaround:

   This workaround is recommended for all v5.1 sites, and for those v5.2
   sites that cannot immediately obtain and install the patch(es) described
   in the next section. Note that this workaround will not work on systems
   that run their help subsystem off the CD-ROM drive, since you cannot
   remove a file from the CD-ROM.

   To install the workaround, perform the following command as root:

      # versions remove sgihelp.sw.eoe

   This workaround will disable the vulnerable o/s module. However, it will
   also disable the entire Help subsystem. This will affect other installed
   software that uses the SGI Help subsystem. Certain help functions called
   from within applications will return non-fatal error messages about the
   missing subsystem.

B. Installing Patches (v5.2 only):

   There are three patches related to this vulnerability: patch00, patch34,
   and patch65.
   PLEASE NOTE: If you previously applied the above workaround and now wish
   to install the patch(es), the system needs to be returned to its initial
   state prior to installation of the patch. The original Help software can
   be found on the original software distribution CD labeled as IRIX 5.2.
   To return the system to its initial state, perform the following command
   as root IMMEDIATELY PRIOR TO THE INSTALLATION OF THE PATCH(ES):

      # inst -f /CDROM/dist/sgihelp.sw.eoe
      Inst> install sgihelp.sw.eoe
      Inst> go

   Patch34 is an update to patch00 which modifies the "inst" program to
   enable it to handle patch updates. At least one of patch00 or patch34 is
   required to be installed before installing patch65.

   To determine if the new "inst" program is already installed on your
   system, the following command can be issued:

      # versions patch\*

   (which will produce output similar to):

      I = Installed, R = Removed

         Name                          Date      Description

      I  patchSG0000034                08/10/94  Patch SG0000034
      I  patchSG0000034.eoe1_sw        08/10/94  IRIX Execution Environment Software
      I  patchSG0000034.eoe1_sw.unix   08/10/94  IRIX Execution Environment

   If neither patchSG0000034 or patchSG0000000 is loaded, you need only
   retrieve and install patch65. Otherwise, download both patch34 and
   patch65. Install patch34 first, then patch65. To install patch34,
   uncompress and untar "patch34.tar.Z" and follow the instructions in the
   "README.FIRST" file.

   SGI has arranged for NASIRC to be a distribution site for these patches.
   The necessary patch files can be FTP'd from the NASIRC archive and are
   located in the ~ftp/toolkits/SGI_patches directory.

   The checksums for the patch files are as follows:

                      Standard      System V      MD5
                      Unix          Unix          Digital Signature
      patch34.tar.Z:  11066 15627   1674 31253    2859d0debff715c5beaccd02b6bebded
      patch65.tar:    63059 1220    15843 2440    af8c120f86daab9df74998b31927e397

   The patches are also available via anonymous FTP from ftp.sgi.com and
   sgigate.sgi.com in the "/security" directory.
   However, in order to reduce the traffic congestion on the SGI sites,
   NASA users are encouraged to retrieve the files from the NASIRC archive
   as outlined above.

   SGI is also making the patches available on CDROM. You do not need a
   service contract in order to obtain these security patches on CDROM.
   Contact your nearest SGI service provider for distribution.

=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=
NASIRC ACKNOWLEDGES: Miguel Sanchez of Silicon Graphics for his hard work
to get patches and information disseminated in a very short time; Tony
Facca of the NASA Lewis Research Center, who first forwarded this
information to us from SGI; and David Bianco, Tad Guy, and Travis Priest of
the NASA Langley Research Center, for their research and help during the
validating of information for this bulletin. Additionally, we would like to
thank Max Hailperin of Gustavus Adolphus College for his contributions and
suggestions to Bugtraq during the early phases of this problem, and the
CIAC team for providing informational updates and coordination to the FIRST
community.
=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=

===============================================================
For further assistance, please contact the NASIRC Helpdesk:

   Phone: 1-800-7-NASIRC            Fax: 1-301-441-1853
   Internet Email: nasirc@nasa.gov
   24 Hour/Emergency Pager: 1-800-759-7243/Pin:2023056
   STU III: 1-301-982-5480
===============================================================

The NASIRC online archive system is available via the WWW. The archive can
be accessed via Mosaic or FTP. The URL is: http://nasirc.nasa.gov. Once on
the system, you can access the following information:

   ~/bulletins     ! contains NASIRC bulletins
   ~/information   ! contains various informational files
   ~/toolkits      ! contains automated toolkit software

The contents of these directories are updated on a continuous basis with
relevant software and information; contact the NASIRC Helpdesk for more
information or assistance.

------------------

PLEASE NOTE: Users outside of the NASA community may receive NASIRC
bulletins. If you are not part of the NASA community, please contact your
agency's response team to report incidents. Your agency's team will
coordinate with NASIRC, who will ensure the proper internal NASA team(s)
are notified. NASIRC is a member of the Forum of Incident Response and
Security Teams (FIRST), a world-wide organization which provides for
coordination between incident response teams in handling
computer-security-related issues. You can obtain a list of FIRST member
organizations and their constituencies by sending email to
docserver@first.org with an empty "subject" line and a message body
containing the line "send first-contacts".
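
Added example (not part of the NASIRC bulletin): a POSIX shell check that
compares downloaded patch files against the MD5 values in the bulletin's
checksum table before they are unpacked or installed. The function names are
illustrative, and it assumes md5sum, md5 or openssl is available on the
machine used for the download.

```shell
#!/bin/sh
# Added example, not from the bulletin. Function names are illustrative.
# MD5 digests copied from the bulletin's checksum table.
MANIFEST='patch34.tar.Z 2859d0debff715c5beaccd02b6bebded
patch65.tar af8c120f86daab9df74998b31927e397'

# md5_of FILE: print the hex MD5 of FILE with whichever tool is available
# (assumption: md5sum, BSD md5, or openssl is installed).
md5_of() {
    if command -v md5sum >/dev/null 2>&1; then
        md5sum "$1" | awk '{print $1}'
    elif command -v md5 >/dev/null 2>&1; then
        md5 -q "$1"
    else
        openssl md5 "$1" | awk '{print $NF}'
    fi
}

# verify_file FILE EXPECTED: 0 = digest matches, 1 = mismatch, 2 = unreadable.
verify_file() {
    [ -r "$1" ] || return 2
    actual=$(md5_of "$1" | tr 'A-F' 'a-f')
    expected=$(printf '%s' "$2" | tr 'A-F' 'a-f')
    [ -n "$actual" ] && [ "$actual" = "$expected" ]
}

# verify_manifest DIR: check each listed patch file in DIR and report it.
# Returns non-zero if any file is missing or does not match.
verify_manifest() {
    dir=$1
    failed=0
    while read -r name digest; do
        [ -n "$name" ] || continue
        st=0
        verify_file "$dir/$name" "$digest" || st=$?
        case $st in
            0) echo "OK        $name" ;;
            1) echo "MISMATCH  $name (do not install)"; failed=1 ;;
            *) echo "MISSING   $name"; failed=1 ;;
        esac
    done <<EOF
$MANIFEST
EOF
    return "$failed"
}
```

Call `verify_manifest` with the download directory after fetching the files.
The two `sum` columns in the table are 16-bit checksums that only catch
transfer corruption, so the MD5 column is the one compared here.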