TUCoPS :: SGI :: ciacg040.txt

SGI Admin User Prog Vulnerabilities


             __________________________________________________________

                       The U.S. Department of Energy
                    Computer Incident Advisory Capability
                           ___  __ __    _     ___
                          /       |     /_\   /
                          \___  __|__  /   \  \___
             __________________________________________________________

                             INFORMATION BULLETIN

                   SGI admin and user Program Vulnerabilities

August 27, 1996 20:00 GMT                                          Number G-40
______________________________________________________________________________
PROBLEM:       Several security vulnerabilities have been discovered in the
               visual admin and user tool programs.
PLATFORM:      SGI systems running IRIX versions 5.2, 5.3, 6.1, 6.2.
DAMAGE:        Provided with the correct network configuration and SGI
               environment, both local and remote users may be able to become
               root on a targeted SGI system.
SOLUTION:      Apply the patches recommended in the vendor bulletin below.
______________________________________________________________________________
VULNERABILITY  This vulnerability is becoming widely known.
ASSESSMENT:
______________________________________________________________________________

[Begin SGI Bulletin]

______________________________________________________________________________
                Silicon Graphics Inc. Security Advisory

        Title:   IRIX Visual Admin/User Programs
        Number:  19960801-01-PX
        Date:    August 16, 1996
______________________________________________________________________________

Silicon Graphics provides this information freely to the SGI user community
for its consideration, interpretation, implementation and use.   Silicon
Graphics recommends that this information be acted upon as soon as possible.

Silicon Graphics  will  not  be  liable  for any  indirect, special, or
consequential damages arising from the use of, failure to use or improper
use of any of the instructions or information in this Security Advisory.
______________________________________________________________________________


Several security vulnerabilities have been discovered in the the visual
admin and user tool programs used in the IRIX operating systems versions,
5.2, 5.3, 6.1 and 6.2.  SGI has investigated these issues and recommends
the following steps for neutralizing the exposure.  It is HIGHLY RECOMMENDED
that these measures be implemented on ALL SGI systems running IRIX versions
5.2, 5.3, 6.1 and 6.2.  This issue will be corrected in future releases
of IRIX.


- --------------
- --- Impact ---
- --------------

Provided with the correct network configuration and SGI environment, both
local and remote users may be able to become root on a targeted SGI system.


- ----------------
- --- Solution ---
- ----------------

The solution for this issue is a replacement of the visual user and
administrator programs found in the IRIX operating systems versions
5.2, 5.3, 6.1 and 6.2. The following patches has been generated
for IRIX 5.2, 5.3, 6.1 and 6.2 and are freely provided to the SGI
community.

To determine if the visual admin/user software is installed on a
particular system, the following command can be used:

     % versions desktop_eoe.sw.envm sysadmdesktop.sw.clients
     I = Installed, R = Removed

        Name                 Date      Description

     I  desktop_eoe          02/12/96  IndigoMagic Desktop, 5.3
     I  desktop_eoe.sw       02/12/96  IndigoMagic Desktop, 5.3
     I  desktop_eoe.sw.envm  02/12/96  Desktop

     I  sysadmdesktop        02/12/96  Desktop System Administration, 5.3
     I  sysadmdesktop.sw     02/12/96  Desktop System Administration
                             Software, 5.3
     I  sysadmdesktop.sw.clients  02/12/96  Desktop System Administration
                             Client Software

In the above case, the software of concern is installed and the steps
below should be performed. If no output is returned by the command,
the subsystem is not installed and no further action is required.


desktop_eoe.sw.envm
sysadmdesktop.sw.clients

**** IRIX 3.x, 4.x, and 5.0.x ****

In the IRIX operating systems versions 3.x, 4.x, and 5.0.x,
the user environment and programs are different than the ones
used in later versions of IRIX.  As such versions 3.x, 4.x,
and 5.0.x of IRIX do not have the security vulnerabilities
covered by this document and no further action is required.


**** IRIX 5.1.x ****

IRIX operating system version 5.1.x was a limited release version.
For the IRIX operating system version 5.1.x, an upgrade to 5.2 or
better is required first.  When the upgrade is completed, then the
patches described in the following sections can be applied depending
on the final version of the upgrade.


**** IRIX 5.2 ****

For the IRIX operating system version 5.2, an inst-able patch has been
generated and made available via anonymous FTP and your service/support
provider.  The patch is number 1519 and will install only on IRIX 5.2.

PLEASE NOTE:  Patch 65 is also required in addition to patch 1519.

The SGI anonymous FTP site is sgigate.sgi.com (204.94.209.1) or its
mirror, ftp.sgi.com.   Patches 1519 and 65 can be found in the
following directories on the FTP server:

        ~ftp/Security

                or

        ~ftp/Patches/5.2


                        ##### Checksums ####

The actual patch will be a tar file containing the following files:


Filename:                 patchSG0000065
Algorithm #1 (sum -r):    21651 1 patchSG0000065
Algorithm #2 (sum):       22083 1 patchSG0000065
MD5 checksum:             178E667D663FC87DE606E219439433C0

Filename:                 patchSG0000065.idb
Algorithm #1 (sum -r):    48983 1 patchSG0000065.idb
Algorithm #2 (sum):       36585 1 patchSG0000065.idb
MD5 checksum:             C912C423521A261B42D11CF2E602C18B

Filename:                 patchSG0000065.sgihelp_sw
Algorithm #1 (sum -r):    10479 2415 patchSG0000065.sgihelp_sw
Algorithm #2 (sum):       17168 2415 patchSG0000065.sgihelp_sw
MD5 checksum:             449AA74F1BCEC421945C829DD06F6439

Filename:                 README.patch.1519
Algorithm #1 (sum -r):    64017 8 README.patch.1519
Algorithm #2 (sum):       52961 8 README.patch.1519
MD5 checksum:             93E89D3AC06665B98E250C0B8A809ADA

Filename:                 patchSG0001519
Algorithm #1 (sum -r):    55758 2 patchSG0001519
Algorithm #2 (sum):       57617 2 patchSG0001519
MD5 checksum:             235727BDC4FAE2DC1897FF8DDA954F6C

Filename:                 patchSG0001519.desktop_eoe_sw
Algorithm #1 (sum -r):    31206 82 patchSG0001519.desktop_eoe_sw
Algorithm #2 (sum):       65374 82 patchSG0001519.desktop_eoe_sw
MD5 checksum:             BA9708E74288AFBB004E08CE7D7A0DCC

Filename:                 patchSG0001519.idb
Algorithm #1 (sum -r):    12780 8 patchSG0001519.idb
Algorithm #2 (sum):       53831 8 patchSG0001519.idb
MD5 checksum:             5904CF1725C9844FB02B31BB3D02091C

Filename:                 patchSG0001519.sysadmdesktop_sw
Algorithm #1 (sum -r):    01731 1687 patchSG0001519.sysadmdesktop_sw
Algorithm #2 (sum):       33557 1687 patchSG0001519.sysadmdesktop_sw
MD5 checksum:             6C18E62ABB312D2EDF503926BBDFAEB3


**** IRIX 5.3 ****

For the IRIX operating system version 5.3, an inst-able patch has been
generated and made available via anonymous FTP and your service/support
provider.  The patch is number 1518 and will install only on IRIX 5.3.

The SGI anonymous FTP site is sgigate.sgi.com (204.94.209.1) or its
mirror, ftp.sgi.com.   Patch 1518 can be found in the following
directories on the FTP server:

        ~ftp/Security

                or

        ~ftp/Patches/5.3


                        ##### Checksums ####

The actual patch will be a tar file containing the following files:


Filename:                 README.patch.1518
Algorithm #1 (sum -r):    33249 9 README.patch.1518
Algorithm #2 (sum):       338 9 README.patch.1518
MD5 checksum:             36D6B612F49DD8E109025A6AD41F2DB5

Filename:                 patchSG0001518
Algorithm #1 (sum -r):    53993 3 patchSG0001518
Algorithm #2 (sum):       22622 3 patchSG0001518
MD5 checksum:             1ADB33B26E86BF5BAE1D65C5B8BB4632

Filename:                 patchSG0001518.desktop_eoe_sw
Algorithm #1 (sum -r):    21022 101 patchSG0001518.desktop_eoe_sw
Algorithm #2 (sum):       55961 101 patchSG0001518.desktop_eoe_sw
MD5 checksum:             30EF63B7BA40E144F75ECD808E3BB5C6

Filename:                 patchSG0001518.idb
Algorithm #1 (sum -r):    16394 11 patchSG0001518.idb
Algorithm #2 (sum):       25741 11 patchSG0001518.idb
MD5 checksum:             A34F1D7B24F9AECCF7AF91187F16909F

Filename:                 patchSG0001518.sysadmdesktop_sw
Algorithm #1 (sum -r):    37847 2879 patchSG0001518.sysadmdesktop_sw
Algorithm #2 (sum):       39927 2879 patchSG0001518.sysadmdesktop_sw
MD5 checksum:             0A6B5C8446748AAF9C4BD464723F22C2


**** IRIX 6.0.x ****

IRIX operating system version 6.0.x was a limited release version.
For the IRIX operating system version 6.0.x an upgrade to 6.1 or
better is required first.  When the upgrade is completed, then
the patches described in the following sections can be applied
depending on the final version of the upgrade.


**** IRIX 6.1 ****

For the IRIX operating system version 6.1, an inst-able patch has been
generated and made available via anonymous FTP and your service/support
provider.  The patch is number 1517 and will install only on IRIX 6.1.

The SGI anonymous FTP site is sgigate.sgi.com (204.94.209.1) or its
mirror, ftp.sgi.com.   Patch 1517 can be found in the following
directories on the FTP server:

        ~ftp/Security

                or

        ~ftp/Patches/6.1


                        ##### Checksums ####

The actual patch will be a tar file containing the following files:


Filename:                 README.patch.1517
Algorithm #1 (sum -r):    34233 8 README.patch.1517
Algorithm #2 (sum):       52976 8 README.patch.1517
MD5 checksum:             7207358CF3D3854F4B4964853CF9CF9B

Filename:                 patchSG0001517
Algorithm #1 (sum -r):    22553 2 patchSG0001517
Algorithm #2 (sum):       65216 2 patchSG0001517
MD5 checksum:             C1461193D43BB591F56337673A21E264

Filename:                 patchSG0001517.desktop_eoe_sw
Algorithm #1 (sum -r):    26837 101 patchSG0001517.desktop_eoe_sw
Algorithm #2 (sum):       10036 101 patchSG0001517.desktop_eoe_sw
MD5 checksum:             B277610280445E4B14EB5925B42DBA05

Filename:                 patchSG0001517.idb
Algorithm #1 (sum -r):    64386 11 patchSG0001517.idb
Algorithm #2 (sum):       25466 11 patchSG0001517.idb
MD5 checksum:             261C1DA015BB251A833E6C633FEC537C

Filename:                 patchSG0001517.sysadmdesktop_sw
Algorithm #1 (sum -r):    15159 2860 patchSG0001517.sysadmdesktop_sw
Algorithm #2 (sum):       59057 2860 patchSG0001517.sysadmdesktop_sw
MD5 checksum:             6149BFE3C6A26316BD2BD37DD89E9AD2



**** IRIX 6.2 ****

For the IRIX operating system version 6.2, an inst-able patch has been
generated and made available via anonymous FTP and your service/support
provider.  The patch is number 1516 and will install only on IRIX 6.2.

The SGI anonymous FTP site is sgigate.sgi.com (204.94.209.1) or its
mirror, ftp.sgi.com.   Patch 1516 can be found in the following
directories on the FTP server:

        ~ftp/Security

                or

        ~ftp/Patches/6.2


                        ##### Checksums ####

The actual patch will be a tar file containing the following files:


Filename:                 README.patch.1516
Algorithm #1 (sum -r):    35151 8 README.patch.1516
Algorithm #2 (sum):       52984 8 README.patch.1516
MD5 checksum:             3CDCA2674C7AB2A8EC18CDFD37C3FBC3

Filename:                 patchSG0001516
Algorithm #1 (sum -r):    35036 2 patchSG0001516
Algorithm #2 (sum):       5041 2 patchSG0001516
MD5 checksum:             2E7B95E866E6D948C0F5A061201EA28D

Filename:                 patchSG0001516.desktop_eoe_sw
Algorithm #1 (sum -r):    43836 100 patchSG0001516.desktop_eoe_sw
Algorithm #2 (sum):       17346 100 patchSG0001516.desktop_eoe_sw
MD5 checksum:             BCC29CC468C1848908A683E641CFFB38

Filename:                 patchSG0001516.idb
Algorithm #1 (sum -r):    08987 11 patchSG0001516.idb
Algorithm #2 (sum):       25696 11 patchSG0001516.idb
MD5 checksum:             93BCFCB015BA81D0E3B0FDDA7D9D69C9

Filename:                 patchSG0001516.sysadmdesktop_sw
Algorithm #1 (sum -r):    41089 2887 patchSG0001516.sysadmdesktop_sw
Algorithm #2 (sum):       30127 2887 patchSG0001516.sysadmdesktop_sw
MD5 checksum:             BB84B9065C6A678A821920BEC17D2506




- ------------------------
- --- Acknowledgments ---
- ------------------------

Silicon Graphics wishes to thank Paul Walmsley, FIRST members and
CERT organizations worldwide for their assistance in this matter.

[End SGI Bulletin]
_______________________________________________________________________________

CIAC wishes to acknowledge the contributions of SGI for the
information contained in this bulletin.
_______________________________________________________________________________

CIAC, the Computer Incident Advisory Capability, is the computer
security incident response team for the U.S. Department of Energy
(DOE) and the emergency backup response team for the National
Institutes of Health (NIH). CIAC is located at the Lawrence Livermore
National Laboratory in Livermore, California. CIAC is also a founding
member of FIRST, the Forum of Incident Response and Security Teams, a
global organization established to foster cooperation and coordination
among computer security teams worldwide.

CIAC services are available to DOE, DOE contractors, and the NIH. CIAC
can be contacted at:
    Voice:    +1 510-422-8193
    FAX:      +1 510-423-8002
    STU-III:  +1 510-423-2604
    E-mail:   ciac@llnl.gov

For emergencies and off-hour assistance, DOE, DOE contractor sites,
and the NIH may contact CIAC 24-hours a day. During off hours (5PM -
8AM PST), call the CIAC voice number 510-422-8193 and leave a message,
or call 800-759-7243 (800-SKY-PAGE) to send a Sky Page. CIAC has two
Sky Page PIN numbers, the primary PIN number, 8550070, is for the CIAC
duty person, and the secondary PIN number, 8550074 is for the CIAC
Project Leader.

Previous CIAC notices, anti-virus software, and other information are
available from the CIAC Computer Security Archive.

   World Wide Web:      http://ciac.llnl.gov/
   Anonymous FTP:       ciac.llnl.gov (128.115.19.53)
   Modem access:        +1 (510) 423-4753 (28.8K baud)
                        +1 (510) 423-3331 (28.8K baud)

CIAC has several self-subscribing mailing lists for electronic
publications:
1. CIAC-BULLETIN for Advisories, highest priority - time critical
   information and Bulletins, important computer security information;
2. CIAC-NOTES for Notes, a collection of computer security articles;
3. SPI-ANNOUNCE for official news about Security Profile Inspector
   (SPI) software updates, new features, distribution and
   availability;
4. SPI-NOTES, for discussion of problems and solutions regarding the
   use of SPI products.

Our mailing lists are managed by a public domain software package
called ListProcessor, which ignores E-mail header subject lines. To
subscribe (add yourself) to one of our mailing lists, send the
following request as the E-mail message body, substituting
CIAC-BULLETIN, CIAC-NOTES, SPI-ANNOUNCE or SPI-NOTES for list-name and
valid information for LastName FirstName and PhoneNumber when sending

E-mail to       ciac-listproc@llnl.gov:
        subscribe list-name LastName, FirstName PhoneNumber
  e.g., subscribe ciac-notes OHara, Scarlett W. 404-555-1212 x36

You will receive an acknowledgment containing address, initial PIN,
and information on how to change either of them, cancel your
subscription, or get help.

PLEASE NOTE: Many users outside of the DOE, ESnet, and NIH computing
communities receive CIAC bulletins.  If you are not part of these
communities, please contact your agency's response team to report
incidents. Your agency's team will coordinate with CIAC. The Forum of
Incident Response and Security Teams (FIRST) is a world-wide
organization. A list of FIRST member organizations and their
constituencies can be obtained by sending email to
docserver@first.org with an empty subject line and a message body
containing the line: send first-contacts.

This document was prepared as an account of work sponsored by an
agency of the United States Government. Neither the United States
Government nor the University of California nor any of their
employees, makes any warranty, express or implied, or assumes any
legal liability or responsibility for the accuracy, completeness, or
usefulness of any information, apparatus, product, or process
disclosed, or represents that its use would not infringe privately
owned rights. Reference herein to any specific commercial products,
process, or service by trade name, trademark, manufacturer, or
otherwise, does not necessarily constitute or imply its endorsement,
recommendation or favoring by the United States Government or the
University of California. The views and opinions of authors expressed
herein do not necessarily state or reflect those of the United States
Government or the University of California, and shall not be used for
advertising or product endorsement purposes.

LAST 10 CIAC BULLETINS ISSUED (Previous bulletins available from CIAC)

G-30: DEC Software Security Kits 
G-31: FreeBSD Security Vulnerabilities (ppp, rdist, and rz)
G-32: HP-UX Vulnerabilities in expreserve, rpc.pcnfsd, rpc.statd
G-33: rdist vulnerability
G-34: HP-UX Vulnerabilities (netttune, SAM remote admin)
G-35: SUN Microsystems Solaris vold Vulnerability
G-36: HP-UX Vulnerabilities in elm and rdist Programs
G-37: Vulnerability in Adobe FrameMaker (fm_fls)
G-38: Linux Vulnerabilities in mount and umount Programs
G-39: Vulnerability in expreserve

RECENT CIAC NOTES ISSUED (Previous Notes available from CIAC)

Notes 07 - 3/29/95     A comprehensive review of SATAN

Notes 08 - 4/4/95      A Courtney update

Notes 09 - 4/24/95     More on the "Good Times" virus urban legend

Notes 10 - 6/16/95     PKZ300B Trojan, Logdaemon/FreeBSD, vulnerability
                       in S/Key, EBOLA Virus Hoax, and Caibua Virus

Notes 11 - 7/31/95     Virus Update, Hats Off to Administrators,
                       America On-Line Virus Scare, SPI 3.2.2 Released,
                       The Die_Hard Virus

Notes 12 - 9/12/95     Securely configuring Public Telnet Services, X
                       Windows, beta release of Merlin, Microsoft Word
                       Macro Viruses, Allegations of Inappropriate Data
                       Collection in Win95

Notes 96-01 - 3/18/96  Java and JavaScript Vulnerabilities, FIRST
                       Conference Announcement, Security and Web Search
                       Engines, Microsoft Word Macro Virus Update

TUCoPS is optimized to look best in Firefox® on a widescreen monitor (1440x900 or better).
Site design & layout copyright © 1986-2024 AOH