TUCoPS :: SGI :: ciach020.txt

Irix Csetup Vulenrability



                       The U.S. Department of Energy
                    Computer Incident Advisory Capability
                           ___  __ __    _     ___
                          /       |     /_\   /
                          \___  __|__  /   \  \___

                             INFORMATION BULLETIN

                          Vulnerability in IRIX csetup

January 9, 1997 18:00 GMT                                          Number H-20
PROBLEM:       A vulnerability in the csetup program. 
PLATFORM:      IRIX 5.x, 6.0, 6.01, 6.1, and 6.2 
DAMAGE:        May allow local users to gain root privileges. 
SOLUTION:      Until patches are available, sites are recommended to take the 
               action suggested in Section III. 
VULNERABILITY  Exploit details involving this vulnerability have been made 
ASSESSMENT:    publicly available. 

[ Start CERT Advisory ]

CERT(sm) Advisory CA-97.03
Original issue date: January 8, 1997
Last revised: --

Topic: Vulnerability in IRIX csetup
- - -----------------------------------------------------------------------------

The CERT Coordination Center has received information about a vulnerability in
the csetup program under IRIX versions 5.x, 6.0, 6.0.1, 6.1, and 6.2. csetup is
not available under IRIX 6.3 and 6.4.

By exploiting this vulnerability, local users can create or overwrite
arbitrary files on the system. With this leverage, they can ultimately gain
root privileges.

Exploitation information involving this vulnerability has been made publicly

We recommend applying a vendor patch when possible. In the meantime, we urge
sites to apply the workaround described in Section III.

We will update this advisory as we receive additional information.
Please check advisory files regularly for updates that relate to your site.

Note: Development of this advisory was a joint effort of the CERT Coordination
      Center and AUSCERT.
- - -----------------------------------------------------------------------------

I.   Description

        There is a vulnerability in the csetup program under IRIX versions
        5.x, 6.0, 6.0.1, 6.1, and 6.2. csetup is not available under IRIX 6.3
        and 6.4.

        csetup is part of the Desktop System Administration subsystem. The
        program provides a graphical interface allowing privileged users,
        as flagged in the objectserver (cpeople (1M)), or root to modify
        system and network configuration parameters. The csetup program is
        setuid root to allow those who are flagged as privileged users to
        modify system critical files.

        It is possible to configure csetup to run in DEBUG mode, creating a
        logfile in a publicly writable directory. This file is created in an
        insecure manner; and because csetup is running with root privileges at
        the time the logfile is created, it is possible for local users to
        create or overwrite arbitrary files on the system.

        Exploit information involving this vulnerability has been made
        publicly available.

II.  Impact

        Anyone with access to an account on the system can create or overwrite
        arbitrary files on the system. With this leverage, they can ultimately
        gain root privileges.

III. Solution

        Currently there are no vendor patches available that address this
        vulnerability. We recommend installing official vendor patches
        when they are made available.

        If the /usr/Cadmin/bin/csetup file is installed setuid root at your
        site, the following workaround is recommended until vendor patches
        are available.

        Sites can prevent the exploitation of this vulnerability by
        immediately removing the setuid privileges on csetup.

        # /bin/chmod 0700 /usr/Cadmin/bin/csetup
        # /bin/ls -l /usr/Cadmin/bin/csetup
        -rwx------    1 root  sys 363360 Aug 20 12:10 /usr/Cadmin/bin/csetup

        Next, the file /var/tmp/csetupLog should be created with permissions
        0600. The sticky bit should also be set on /var/tmp/ (this is a good
        security practice in general).

        # /bin/chmod 1777 /var/tmp
        # /bin/touch /var/tmp/csetupLog
        # /bin/chmod 0600 /var/tmp/csetupLog

        (Note that the /var/tmp directory is not cleared at boot time.)

        Before executing the csetup program, the root user should confirm
        the existence, ownership, and the access permissions of
        /var/tmp/csetupLog. Ensure that csetupLog is not linked to any
        other file.

        The impact of this workaround is that only the root user will be
        able to use this program for its intended purpose. Privileged users
        previously established using the /usr/Cadmin/bin/cpeople program
        will no longer be able to do the system administration tasks
        they were previously able perform using the csetup program.

- - -----------------------------------------------------------------------------
This advisory is a collaborative effort between AUSCERT and the CERT
Coordination Center.

The CERT Coordination Center acknowledges Yuri Volobuev for reporting the
original problem, and Silicon Graphics, Inc. for their strong support in the
development of the advisory.
- - -----------------------------------------------------------------------------

[ End CERT Advisory ]

CIAC wishes to acknowledge the contributions of AUSCERT & CERT for the 
information contained in this bulletin.

CIAC, the Computer Incident Advisory Capability, is the computer
security incident response team for the U.S. Department of Energy
(DOE) and the emergency backup response team for the National
Institutes of Health (NIH). CIAC is located at the Lawrence Livermore
National Laboratory in Livermore, California. CIAC is also a founding
member of FIRST, the Forum of Incident Response and Security Teams, a
global organization established to foster cooperation and coordination
among computer security teams worldwide.

CIAC services are available to DOE, DOE contractors, and the NIH. CIAC
can be contacted at:
    Voice:    +1 510-422-8193
    FAX:      +1 510-423-8002
    STU-III:  +1 510-423-2604
    E-mail:   ciac@llnl.gov

For emergencies and off-hour assistance, DOE, DOE contractor sites,
and the NIH may contact CIAC 24-hours a day. During off hours (5PM -
8AM PST), call the CIAC voice number 510-422-8193 and leave a message,
or call 800-759-7243 (800-SKY-PAGE) to send a Sky Page. CIAC has two
Sky Page PIN numbers, the primary PIN number, 8550070, is for the CIAC
duty person, and the secondary PIN number, 8550074 is for the CIAC
Project Leader.

Previous CIAC notices, anti-virus software, and other information are
available from the CIAC Computer Security Archive.

   World Wide Web:      http://ciac.llnl.gov/
   Anonymous FTP:       ciac.llnl.gov (
   Modem access:        +1 (510) 423-4753 (28.8K baud)
                        +1 (510) 423-3331 (28.8K baud)

CIAC has several self-subscribing mailing lists for electronic
1. CIAC-BULLETIN for Advisories, highest priority - time critical
   information and Bulletins, important computer security information;
2. CIAC-NOTES for Notes, a collection of computer security articles;
3. SPI-ANNOUNCE for official news about Security Profile Inspector
   (SPI) software updates, new features, distribution and
4. SPI-NOTES, for discussion of problems and solutions regarding the
   use of SPI products.

Our mailing lists are managed by a public domain software package
called ListProcessor, which ignores E-mail header subject lines. To
subscribe (add yourself) to one of our mailing lists, send the
following request as the E-mail message body, substituting
valid information for LastName FirstName and PhoneNumber when sending

E-mail to       ciac-listproc@llnl.gov:
        subscribe list-name LastName, FirstName PhoneNumber
  e.g., subscribe ciac-notes OHara, Scarlett W. 404-555-1212 x36

You will receive an acknowledgment containing address, initial PIN,
and information on how to change either of them, cancel your
subscription, or get help.

PLEASE NOTE: Many users outside of the DOE, ESnet, and NIH computing
communities receive CIAC bulletins.  If you are not part of these
communities, please contact your agency's response team to report
incidents. Your agency's team will coordinate with CIAC. The Forum of
Incident Response and Security Teams (FIRST) is a world-wide
organization. A list of FIRST member organizations and their
constituencies can be obtained via WWW at http://www.first.org/.

This document was prepared as an account of work sponsored by an
agency of the United States Government. Neither the United States
Government nor the University of California nor any of their
employees, makes any warranty, express or implied, or assumes any
legal liability or responsibility for the accuracy, completeness, or
usefulness of any information, apparatus, product, or process
disclosed, or represents that its use would not infringe privately
owned rights. Reference herein to any specific commercial products,
process, or service by trade name, trademark, manufacturer, or
otherwise, does not necessarily constitute or imply its endorsement,
recommendation or favoring by the United States Government or the
University of California. The views and opinions of authors expressed
herein do not necessarily state or reflect those of the United States
Government or the University of California, and shall not be used for
advertising or product endorsement purposes.

LAST 10 CIAC BULLETINS ISSUED (Previous bulletins available from CIAC)

H-11: sendmail Group Permissions Vulnerability
H-12: IBM AIX(r) 'SYN Flood' and 'Ping o' Death' Vulnerabilities
H-13: IBM AIX(r) Security Vulnerabilities (gethostbyname, lquerypv)
H-14: SGI IRIX Vulnerabilities (systour, OutOfBox, cdplayer, datman)
H-15: Korn Shell (ksh) suid_exec Vulnerability
H-16: HP-UX Security Vulnerabilities (chfn, Remote Watch)
H-06a: Sun libc/libnsl vulnerabilities (Sun Bulletin #00137a)
H-17: cron/crontab Buffer Overrun Vulnerabilities
H-18: Denial-of-Service Attack via ping
H-19: HP Software Installation Programs Vulnerability

RECENT CIAC NOTES ISSUED (Previous Notes available from CIAC)

Notes 07 - 3/29/95     A comprehensive review of SATAN

Notes 08 - 4/4/95      A Courtney update

Notes 09 - 4/24/95     More on the "Good Times" virus urban legend

Notes 10 - 6/16/95     PKZ300B Trojan, Logdaemon/FreeBSD, vulnerability
                       in S/Key, EBOLA Virus Hoax, and Caibua Virus

Notes 11 - 7/31/95     Virus Update, Hats Off to Administrators,
                       America On-Line Virus Scare, SPI 3.2.2 Released, 
                       The Die_Hard Virus

Notes 12 - 9/12/95     Securely configuring Public Telnet Services, X
                       Windows, beta release of Merlin, Microsoft Word
                       Macro Viruses, Allegations of Inappropriate Data
                       Collection in Win95

Notes 96-01 - 3/18/96  Java and JavaScript Vulnerabilities, FIRST
                       Conference Announcement, Security and Web Search
                       Engines, Microsoft Word Macro Virus Update

Version: 2.6.2


TUCoPS is optimized to look best in Firefox® on a widescreen monitor (1440x900 or better).
Site design & layout copyright © 1986-2024 AOH