-----BEGIN PGP SIGNED MESSAGE-----
__________________________________________________________
The U.S. Department of Energy
Computer Incident Advisory Capability
___ __ __ _ ___
/ | /_\ /
\___ __|__ / \ \___
__________________________________________________________
INFORMATION BULLETIN
Vulnerability in IRIX csetup
January 9, 1997 18:00 GMT Number H-20
______________________________________________________________________________
PROBLEM: A vulnerability in the csetup program.
PLATFORM: IRIX 5.x, 6.0, 6.01, 6.1, and 6.2
DAMAGE: May allow local users to gain root privileges.
SOLUTION: Until patches are available, sites are recommended to take the
action suggested in Section III.
______________________________________________________________________________
VULNERABILITY Exploit details involving this vulnerability have been made
ASSESSMENT: publicly available.
______________________________________________________________________________
[ Start CERT Advisory ]
=============================================================================
CERT(sm) Advisory CA-97.03
Original issue date: January 8, 1997
Last revised: --
Topic: Vulnerability in IRIX csetup
- - -----------------------------------------------------------------------------
The CERT Coordination Center has received information about a vulnerability in
the csetup program under IRIX versions 5.x, 6.0, 6.0.1, 6.1, and 6.2. csetup is
not available under IRIX 6.3 and 6.4.
By exploiting this vulnerability, local users can create or overwrite
arbitrary files on the system. With this leverage, they can ultimately gain
root privileges.
Exploitation information involving this vulnerability has been made publicly
available.
We recommend applying a vendor patch when possible. In the meantime, we urge
sites to apply the workaround described in Section III.
We will update this advisory as we receive additional information.
Please check advisory files regularly for updates that relate to your site.
Note: Development of this advisory was a joint effort of the CERT Coordination
Center and AUSCERT.
- - -----------------------------------------------------------------------------
I. Description
There is a vulnerability in the csetup program under IRIX versions
5.x, 6.0, 6.0.1, 6.1, and 6.2. csetup is not available under IRIX 6.3
and 6.4.
csetup is part of the Desktop System Administration subsystem. The
program provides a graphical interface allowing privileged users,
as flagged in the objectserver (cpeople (1M)), or root to modify
system and network configuration parameters. The csetup program is
setuid root to allow those who are flagged as privileged users to
modify system critical files.
It is possible to configure csetup to run in DEBUG mode, creating a
logfile in a publicly writable directory. This file is created in an
insecure manner; and because csetup is running with root privileges at
the time the logfile is created, it is possible for local users to
create or overwrite arbitrary files on the system.
Exploit information involving this vulnerability has been made
publicly available.
II. Impact
Anyone with access to an account on the system can create or overwrite
arbitrary files on the system. With this leverage, they can ultimately
gain root privileges.
III. Solution
Currently there are no vendor patches available that address this
vulnerability. We recommend installing official vendor patches
when they are made available.
If the /usr/Cadmin/bin/csetup file is installed setuid root at your
site, the following workaround is recommended until vendor patches
are available.
Sites can prevent the exploitation of this vulnerability by
immediately removing the setuid privileges on csetup.
# /bin/chmod 0700 /usr/Cadmin/bin/csetup
# /bin/ls -l /usr/Cadmin/bin/csetup
-rwx------ 1 root sys 363360 Aug 20 12:10 /usr/Cadmin/bin/csetup
Next, the file /var/tmp/csetupLog should be created with permissions
0600. The sticky bit should also be set on /var/tmp/ (this is a good
security practice in general).
# /bin/chmod 1777 /var/tmp
# /bin/touch /var/tmp/csetupLog
# /bin/chmod 0600 /var/tmp/csetupLog
(Note that the /var/tmp directory is not cleared at boot time.)
Before executing the csetup program, the root user should confirm
the existence, ownership, and the access permissions of
/var/tmp/csetupLog. Ensure that csetupLog is not linked to any
other file.
The impact of this workaround is that only the root user will be
able to use this program for its intended purpose. Privileged users
previously established using the /usr/Cadmin/bin/cpeople program
will no longer be able to do the system administration tasks
they were previously able perform using the csetup program.
- - -----------------------------------------------------------------------------
This advisory is a collaborative effort between AUSCERT and the CERT
Coordination Center.
The CERT Coordination Center acknowledges Yuri Volobuev for reporting the
original problem, and Silicon Graphics, Inc. for their strong support in the
development of the advisory.
- - -----------------------------------------------------------------------------
[ End CERT Advisory ]
_______________________________________________________________________________
CIAC wishes to acknowledge the contributions of AUSCERT & CERT for the
information contained in this bulletin.
_______________________________________________________________________________
CIAC, the Computer Incident Advisory Capability, is the computer
security incident response team for the U.S. Department of Energy
(DOE) and the emergency backup response team for the National
Institutes of Health (NIH). CIAC is located at the Lawrence Livermore
National Laboratory in Livermore, California. CIAC is also a founding
member of FIRST, the Forum of Incident Response and Security Teams, a
global organization established to foster cooperation and coordination
among computer security teams worldwide.
CIAC services are available to DOE, DOE contractors, and the NIH. CIAC
can be contacted at:
Voice: +1 510-422-8193
FAX: +1 510-423-8002
STU-III: +1 510-423-2604
E-mail: ciac@llnl.gov
For emergencies and off-hour assistance, DOE, DOE contractor sites,
and the NIH may contact CIAC 24-hours a day. During off hours (5PM -
8AM PST), call the CIAC voice number 510-422-8193 and leave a message,
or call 800-759-7243 (800-SKY-PAGE) to send a Sky Page. CIAC has two
Sky Page PIN numbers, the primary PIN number, 8550070, is for the CIAC
duty person, and the secondary PIN number, 8550074 is for the CIAC
Project Leader.
Previous CIAC notices, anti-virus software, and other information are
available from the CIAC Computer Security Archive.
World Wide Web: http://ciac.llnl.gov/
Anonymous FTP: ciac.llnl.gov (128.115.19.53)
Modem access: +1 (510) 423-4753 (28.8K baud)
+1 (510) 423-3331 (28.8K baud)
CIAC has several self-subscribing mailing lists for electronic
publications:
1. CIAC-BULLETIN for Advisories, highest priority - time critical
information and Bulletins, important computer security information;
2. CIAC-NOTES for Notes, a collection of computer security articles;
3. SPI-ANNOUNCE for official news about Security Profile Inspector
(SPI) software updates, new features, distribution and
availability;
4. SPI-NOTES, for discussion of problems and solutions regarding the
use of SPI products.
Our mailing lists are managed by a public domain software package
called ListProcessor, which ignores E-mail header subject lines. To
subscribe (add yourself) to one of our mailing lists, send the
following request as the E-mail message body, substituting
CIAC-BULLETIN, CIAC-NOTES, SPI-ANNOUNCE or SPI-NOTES for list-name and
valid information for LastName FirstName and PhoneNumber when sending
E-mail to ciac-listproc@llnl.gov:
subscribe list-name LastName, FirstName PhoneNumber
e.g., subscribe ciac-notes OHara, Scarlett W. 404-555-1212 x36
You will receive an acknowledgment containing address, initial PIN,
and information on how to change either of them, cancel your
subscription, or get help.
PLEASE NOTE: Many users outside of the DOE, ESnet, and NIH computing
communities receive CIAC bulletins. If you are not part of these
communities, please contact your agency's response team to report
incidents. Your agency's team will coordinate with CIAC. The Forum of
Incident Response and Security Teams (FIRST) is a world-wide
organization. A list of FIRST member organizations and their
constituencies can be obtained via WWW at http://www.first.org/.
This document was prepared as an account of work sponsored by an
agency of the United States Government. Neither the United States
Government nor the University of California nor any of their
employees, makes any warranty, express or implied, or assumes any
legal liability or responsibility for the accuracy, completeness, or
usefulness of any information, apparatus, product, or process
disclosed, or represents that its use would not infringe privately
owned rights. Reference herein to any specific commercial products,
process, or service by trade name, trademark, manufacturer, or
otherwise, does not necessarily constitute or imply its endorsement,
recommendation or favoring by the United States Government or the
University of California. The views and opinions of authors expressed
herein do not necessarily state or reflect those of the United States
Government or the University of California, and shall not be used for
advertising or product endorsement purposes.
LAST 10 CIAC BULLETINS ISSUED (Previous bulletins available from CIAC)
H-11: sendmail Group Permissions Vulnerability
H-12: IBM AIX(r) 'SYN Flood' and 'Ping o' Death' Vulnerabilities
H-13: IBM AIX(r) Security Vulnerabilities (gethostbyname, lquerypv)
H-14: SGI IRIX Vulnerabilities (systour, OutOfBox, cdplayer, datman)
H-15: Korn Shell (ksh) suid_exec Vulnerability
H-16: HP-UX Security Vulnerabilities (chfn, Remote Watch)
H-06a: Sun libc/libnsl vulnerabilities (Sun Bulletin #00137a)
H-17: cron/crontab Buffer Overrun Vulnerabilities
H-18: Denial-of-Service Attack via ping
H-19: HP Software Installation Programs Vulnerability
RECENT CIAC NOTES ISSUED (Previous Notes available from CIAC)
Notes 07 - 3/29/95 A comprehensive review of SATAN
Notes 08 - 4/4/95 A Courtney update
Notes 09 - 4/24/95 More on the "Good Times" virus urban legend
Notes 10 - 6/16/95 PKZ300B Trojan, Logdaemon/FreeBSD, vulnerability
in S/Key, EBOLA Virus Hoax, and Caibua Virus
Notes 11 - 7/31/95 Virus Update, Hats Off to Administrators,
America On-Line Virus Scare, SPI 3.2.2 Released,
The Die_Hard Virus
Notes 12 - 9/12/95 Securely configuring Public Telnet Services, X
Windows, beta release of Merlin, Microsoft Word
Macro Viruses, Allegations of Inappropriate Data
Collection in Win95
Notes 96-01 - 3/18/96 Java and JavaScript Vulnerabilities, FIRST
Conference Announcement, Security and Web Search
Engines, Microsoft Word Macro Virus Update
-----BEGIN PGP SIGNATURE-----
Version: 2.6.2
iQCVAwUBMxtcVLnzJzdsy3QZAQHIJAP/X1GGiURZeiBAgK24BFBsiWvRB9I9zA7Y
8zSY2ACbBsqleMpXNAYVFbvkvSh963JHZR16zkcKZvnvMfj4B1+ahbeCF+TRA4aF
vG+P2yszkX7dkBY5f6h9aEbHiRqfoGVMogMtJQTP0CTYdW60JoMZxJBX7YF+Ohk5
4dGxbPmkVJ0=
=k+MH
-----END PGP SIGNATURE-----
TUCoPS is optimized to look best in Firefox® on a widescreen monitor (1440x900 or better).
Site design & layout copyright © 1986-2024 AOH
