_____________________________________________________
                       The U.S. Department of Energy
                    Computer Incident Advisory Capability
                           ___  __ __    _     ___
                          /       |     /_\   /
                          \___  __|__  /   \  \___
            _____________________________________________________

			       ADVISORY NOTICE

		 Vulnerabilities in the SGI IRIX Help System

August 11, 1994 1700 PST                                         Number E-33
_____________________________________________________________________________ 

PROBLEM:        Vulnerabilities in the SGI Help system allows unauthorized
                access to a root shell. 
PLATFORM:       SGI IRIX 5.x.
DAMAGE:         Unauthorized users can access a root shell without logging in. 
SOLUTION:       Retrieve and install the patches, or apply the workarounds
                described below. 
_____________________________________________________________________________ 

VULNERABILITY   These vulnerabilities have been widely discussed on many
ASSESSMENT:     public forums on the Internet. Attack scripts have been
                created and distributed. Vulnerabilities can only be
                exploited by currently logged in users or by direct access to
                the console. Although no attacks using these methods have been
                confirmed as of the date of this bulletin, attacks using these
                vulnerabilities are inevitable. CIAC recommends that all
                patches be installed. 
_____________________________________________________________________________

	  Critical Information about the Help System vulnerabilities

CIAC has received information from Silicon Graphics, Inc. (SGI) concerning
vulnerabilities in the IRIX 5.x operating system that allow root access to
unauthorized users.

The vulnerabilities exist within the Help subsystem.  They have been referred
to on the Internet by various names including clogin, printer manager, and SGI
Help.  When exploited, a currently logged in user can create an active root
shell, or a person with physical access to the console can get an active root
shell without logging in.  

SGI has issued patch65 to fix these vulnerabilities.  This problem will be
corrected in a future release of IRIX.  The patch will only fix the
vulnerabilities in IRIX 5.2; no patch is scheduled for IRIX 5.1.  SGI
recommends that all IRIX 5.1 users upgrade to IRIX 5.2.  A workaround solution
exists and is effective on all versions of IRIX 5.x.  CIAC and SGI recommend
that all IRIX 5.2 users implement the workaround immediately until the IRIX
5.2 patch is obtained.


INSTALLATION OF THE WORKAROUND

To install the workaround, perform the following command as root:

   # versions remove sgihelp.sw.eoe

This workaround will neutralize this avenue of attack; however it also renders
the Help subsystem inactive.  This will affect other installed software that
use the SGI Help subsystem.  Certain help functions from within applications
will return non-fatal error messages about the missing subsystem.


INSTALLATION OF THE PATCH  (IRIX 5.2 only)

1. Determine which patch(es) you need.

To install the patch for the help vulnerabilities, you need to use the latest
SGI inst program named patch34.  To see if you already have patch34 installed
on your system, issue the following command:

   # versions patch\*

If the appropriate SGI inst program is loaded, the output will appear as
displayed below.  Another patch, patchSG0000000, is functionally equivalent to
patch34; therefore if it is present you do not need to install patch34.

   I =\ Installed, R = Removed

      Name                        Date     Description
   I  patchSG0000034              08/10/94 Patch SG0000034
   I  patchSG0000034.eoe1_sw      08/10/94 IRIX Execution Environment Software 
   I  patchSG0000034.eoe1_sw.unix 08/10/94 IRIX Execution Environment

If neither patchSG0000034 nor patchSG0000000 is loaded, you must retrieve and
load both patch34 and patch65.  Otherwise, you need only retrieve and install
patch65.

2. Retrieve the patch(es).

The patches can be retrieved in one of two methods: CD and anonymous ftp.  
SGI has made a CD available which contains the patches. To receive this CD,
contact your nearest SGI service provider and ask for a copy of it.

The patches can be retrieved via anonymous ftp from ftp.sgi.com in the
directory ~ftp/security.  CIAC is also making these patches available from
ciac.llnl.gov in the directory pub/ciac/patches/sgi.  A third location of
these patches is first.org in the directory pub/software/sgi.  Patch34 is
quite large, users are encouraged to download the patches from the closest ftp
site.  SGI is keeping a list of alternate ftp sites in the file
ftp.sgi.com:~ftp/security/ALTERNATE.SITES. 

Checksums for the patches are provided below.

Patch           Standard      System V       MD5
                Unix          Unix           Checksum
patch34.tar.Z   11066 15627   1674 31253     2859d0debff715c5beaccd02b6bebded
patch65.tar     63059 1220    15843 2440     af8c120f86daab9df74998b31927e397

3. Uninstall the workaround if it was applied to your system.

If you have applied the workaround and then wish to install the patch, the
system needs to be returned to its initial state prior to installation of the
patch.  The original Help software can be found on the original software
distribution CD labeled as IRIX 5.2. To return the system to its initial
state, perform the following command as root IMMEDIATELY PRIOR TO INSTALLATION
OF THE PATCH:

   # inst -f /CDROM/dist/sgihelp.sw.eoe
   Inst> install sgihelp.sw.eoe
   Inst> go

4. Install the patch(es).

First install patch34, after verifying the checksum.  Uncompress and untar the
files.  Inst the patch as you would any other SGI software, using the software
installation guide for additional information.

Next, install patch65 after verifying the checksum, then performing an untar
of the files.  Inst the patch as you would any other SGI software.

_____________________________________________________________________________
CIAC wishes to thank Silicon Graphics, Inc. for the information contained in
this bulletin, and Max Hailperin of Gustavus Adolphus College for his
investigation of these vulnerabilities.
_____________________________________________________________________________

For additional information or assistance, please contact CIAC:
    Voice:   510-422-8193
    FAX:     510-423-8002
    STU-III: 510-423-2604
    E-mail:  ciac@llnl.gov

Previous CIAC Bulletins and other information are available via anonymous FTP
from ciac.llnl.gov (IP address 128.115.19.53) formerly irbis.llnl.gov.

CIAC has several self-subscribing mailing lists for electronic publications:
1.  CIAC-BULLETIN for Advisories, highest priority - time critical
    information, and Bulletins, important computer security information;
2.  CIAC-NOTES for Notes, a collection of computer security articles;
3.  SPI-ANNOUNCE for official news about Security Profile Inspector (SPI)
    software updates, new features, distribution and availability;
4.  SPI-NOTES, for discussion of problems and solutions regarding the use of
    SPI products.

CIAC's mailing lists are managed by a public domain software package called
ListProcessor, which ignores E-mail header subject lines.  To subscribe (add
yourself) to one of our mailing lists, send the following request as the
E-mail message body, substituting CIAC-BULLETIN, CIAC-NOTES, SPI-ANNOUNCE or
SPI-NOTES for "list-name" and valid information for "LastName" "FirstName"
and "PhoneNumber" when sending

E-mail to ciac-listproc@llnl.gov:
          subscribe list-name LastName, FirstName PhoneNumber
    e.g., subscribe ciac-notes O'Hara, Scarlett 404-555-1212 x36

You will receive an acknowledgment containing address, initial PIN, and
information on how to change either of them, cancel your subscription, or get
help.
_____________________________________________________________________________

PLEASE NOTE: Many users outside of the DOE and ESnet computing communities
receive CIAC bulletins.  If you are not part of these communities, please
contact your agency's response team to report incidents.  Your agency's team
will coordinate with CIAC.  The Forum of Incident Response and Security Teams
(FIRST) is a world-wide organization.  A list of FIRST member organizations
and their constituencies can be obtained by sending E-mail to
first-request@first.org with an empty subject line and a message body
containing the line: send first-contacts.

This document was prepared as an account of work sponsored by an agency of
the United States Government.  Neither the United States Government nor the
University of California nor any of their employees, makes any warranty,
expressed or implied, or assumes any legal liability or responsibility for
the accuracy, completeness, or usefulness of any information, product, or
process disclosed, or represents that its use would not infringe privately
owned rights.  Reference herein to any specific commercial products, process,
or service by trade name, trademark manufacturer, or otherwise, does not
necessarily constitute or imply its endorsement, recommendation, or favoring
by the United States Government or the University of California.  The views
and opinions of authors expressed herein do not necessarily state or reflect
those of the United States Government nor the University of California, and
shall not be used for advertising or product endorsement purposes.