TUCoPS :: SGI :: ciacf016.txt

SGI Permissions Tool

                       The U.S. Department of Energy
                    Computer Incident Advisory Capability
                           ___  __ __    _     ___
                          /       |     /_\   /   
                          \___  __|__  /   \  \___
                            INFORMATION BULLETIN
                 SGI IRIX Desktop Permissions Tool Vulnerability
March 8, 1995 1500 PST                                            Number F-16
PROBLEM:        A vulnerability exists in /usr/lib/desktop/permissions.
PLATFORM:       SGI IRIX Version 5.2, 6.0, 6.0.1
DAMAGE:         Local users can change the permissions of any file.
SOLUTION:       Change the permissions on /usr/lib/desktop/permissions
                or install the SGI security patch patchSG0000373.
VULNERABILITY   An exploitation script for this vulnerability has been widely
ASSESSMENT:     distributed on the Internet.  Affected sites should change
                permissions or install this fix as soon as possible.
             Critical Information about IRIX Permissions Tool
CIAC has received information about a vulnerability in the Silicon Graphics
IRIX operating system.  The file /usr/lib/desktop/permissions contains a
vulnerability which can allow local users to change permissions of any file
and gain root access to the system.
Following is SGI bulletin 19950301-01-P373.
                Silicon Graphics Inc. Security Advisory

        Title: IRIX 5.2, 6.0, 6.0.1 Desktop Permissions Tool
                Number:         19950301-01-P373
                Date:           March 3, 1995

Silicon Graphics provides this information freely to the SGI community
for its consideration, interpretation and implementation.   Silicon Graphics
recommends that this information be acted upon as soon as possible.

Silicon Graphics will not be liable for any consequential damages arising
from the use of, or failure to use or use properly, any of the instructions
or information in this Security Advisory.

A vulnerability has been discovered in the IRIX 5.2, 6.0, and 6.0.1 operating
systems regarding the permissions tool under the IRIX desktop environment.
Normally, this tool is used by users to modify the permissions on their files
and files they are privileged for.  Under certain conditions, a user may be
able to modify the permissions for any file.  This is identified as SGI
SCR # 265071.

SGI Engineering has investigated this issue and recommends the following
steps for neutralizing the exposure.  It is HIGHLY RECOMMENDED that these
measures be done on ALL SGI systems running IRIX 5.2, 6.0, and 6.0.1 .
This issue is corrected in 5.3 of IRIX and will be corrected in future
releases of IRIX.

- --------------------------
- --- Immediate Solution ---
- --------------------------

The most immediate solution for this issue is to remove the setuid/setgid
bits on /usr/lib/permissions, or to remove the tool entirely.  Removing the
setuid/setgid bits will limit the tool to only function on files owned by
the user using the tool.

        1) Become the root user on the system.

                % /bin/su -

        2) Change the unix permissions level on the desktop
        permissions program.

                # chmod u-s /usr/lib/desktop/permissions
                # chmod g-s /usr/lib/desktop/permissions

        3) Return to previous user.

                # exit

- --------------------------
- --- Long Term Solution ---
- --------------------------

*** IRIX 5.0.x, 5.1.x ****

The versions 5.0.x and 5.1.x of IRIX were limited hardware, specific
releases and have since been obsoleted by later versions of IRIX.  For
supportability reasons, upgrading to at least IRIX 5.2 is recommended
as a first step for all problem resolution.   IRIX 5.0.x, 5.1.x ARE
NOT subject to this vulnerability.

**** IRIX 5.2, 6.0, 6.0.1 ****


For the IRIX operating system versions 5.2, 6.0 and 6.0.1, an inst-able
patch has been generated and made available via anonymous ftp and/or your
service/support provider.  The patch is number 373 and will install on
IRIX 5.2, 6.0 and 6.0.1 .

- -NOTE- Inst-able patches require a patch-aware inst program.  The stock
5.2 inst program with the base install is not patch-aware.  The 6.0
and 6.0.1 inst programs are.  A patch-aware inst program for IRIX 5.2 is
available as patch number 0, 34, or 84.  Any one of these may be used, with
84 the latest, most recommended, and available via your service provider
or the usual SGI anonymous ftp sites.

The SGI anonymous ftp site is ftp.sgi.com (  Additionally,
the alternative SGI anonymous ftp site, sgigate.sgi.com,  can be accessed
to find the same files.  On each of these servers, patch 373 can be found
in the following directories:




                        ##### Checksums ####

The actual patch will be a tar file containing the following files:

Filename:                 patchSG0000373
Algorithm #1 (sum -r):    51249 1 patchSG0000373
Algorithm #2 (sum):       21641 1 patchSG0000373
MD5 checksum:             40A604013A05C2521152ED4B51C5D9A5

Filename:                 patchSG0000373.desktop_eoe_sw
Algorithm #1 (sum -r):    09134 88 patchSG0000373.desktop_eoe_sw
Algorithm #2 (sum):       63013 88 patchSG0000373.desktop_eoe_sw
MD5 checksum:             D74F9BDED3D51E9D28666CADF1B31945

Filename:                 patchSG0000373.idb
Algorithm #1 (sum -r):    50435 1 patchSG0000373.idb
Algorithm #2 (sum):       41363 1 patchSG0000373.idb
MD5 checksum:             790E9A47909BC32D8E9FCE14EA4077D8

- ------------------------------------
- --- Further Information/Contacts ---
- ------------------------------------

For obtaining security information, patches or assistance, please
contact your SGI support provider.

If there are questions about this document, email can be sent to
cse-security-alert@csd.sgi.com .

For reporting *NEW* SGI security issues, email can be sent to
security-alert@sgi.com .
[End of SGI Bulletin]

CIAC wishes to thank Silicon Graphics, Inc. and the Forum of Incident
Response and Security Teams (FIRST) for their quick response to this
CIAC is the computer security incident response team for the U.S.
Department of Energy.  Services are available free of charge to DOE
and DOE contractors.

    Voice:   510-422-8193
    FAX:     510-423-8002
    STU-III: 510-423-2604
    E-mail:  ciac@llnl.gov
Previous CIAC Bulletins, anti-virus software, and other information
are available via anonymous FTP from ciac.llnl.gov (IP address
CIAC has several self-subscribing mailing lists for electronic publications:
1.  CIAC-BULLETIN for Advisories, highest priority - time critical 
    information, and Bulletins, important computer security information;
2.  CIAC-NOTES for Notes, a collection of computer security articles;
3.  SPI-ANNOUNCE for official news about Security Profile Inspector (SPI)
    software updates, new features, distribution and availability;
4.  SPI-NOTES, for discussion of problems and solutions regarding the use of
    SPI products.
Our mailing lists are managed by a public domain software package called
ListProcessor, which ignores E-mail header subject lines. To subscribe (add
yourself) to one of our mailing lists, send requests of the following form:
subscribe list-name LastName, FirstName PhoneNumber
as the E-mail message body, substituting CIAC-BULLETIN, CIAC-NOTES,
SPI-ANNOUNCE or SPI-NOTES for "list-name" and valid information for
"LastName" "FirstName" and "PhoneNumber."  Send to: ciac-listproc@llnl.gov
not to: ciac@llnl.gov
subscribe ciac-notes O'Hara, Scarlett 404-555-1212 x36
subscribe ciac-bulletin O'Hara, Scarlett 404-555-1212 x36
You will receive an acknowledgment containing address, initial PIN, and 
information on how to change either of them, cancel your subscription, or get 
PLEASE NOTE: Many users outside of the DOE and ESnet computing communities 
receive CIAC bulletins. If you are not part of these communities, please 
contact your agency's response team to report incidents. Your agency's team 
will coordinate with CIAC. The Forum of Incident Response and Security Teams 
(FIRST) is a world-wide organization. A list of FIRST member organizations 
and their constituencies can be obtained by sending E-mail to
first-request@first.org with an empty subject line and a message body 
containing the line: send first-contacts.
This document was prepared as an account of work sponsored by an agency of 
the United States Government. Neither the United States Government nor the 
University of California nor any of their employees, makes any warranty, 
expressed or implied, or assumes any legal liability or responsibility for 
the accuracy, completeness, or usefulness of any information, product, or 
process disclosed, or represents that its use would not infringe privately 
owned rights. Reference herein to any specific commercial products, process, 
or service by trade name, trademark manufacturer, or otherwise, does not 
necessarily constitute or imply its endorsement, recommendation, or favoring 
by the United States Government or the University of California. The views 
and opinions of authors expressed herein do not necessarily state or reflect 
those of the United States Government nor the University of California, and 
shall not be used for advertising or product endorsement purposes.

TUCoPS is optimized to look best in Firefox® on a widescreen monitor (1440x900 or better).
Site design & layout copyright © 1986-2024 AOH