TUCoPS :: SGI :: ciach039.txt

SGI Irix Fsdump

-----BEGIN PGP SIGNED MESSAGE-----





             __________________________________________________________

                       The U.S. Department of Energy
                    Computer Incident Advisory Capability
                           ___  __ __    _     ___
                          /       |     /_\   /
                          \___  __|__  /   \  \___
             __________________________________________________________

                             INFORMATION BULLETIN

                         SGI IRIX fsdump Vulnerability

March 11, 1997 19:00 GMT                                           Number H-39
______________________________________________________________________________
PROBLEM:       A vulnerability exists in the fsdump program used in the rfind
               Server Utilities.
PLATFORM:      All SGI systems running IRIX 5.x and 6.x
DAMAGE:        This vulnerability may allow local users to gain root
               privileges.
SOLUTION:      Until patches are available, follow the solution outlined
               below.
______________________________________________________________________________
VULNERABILITY  Exploit details involving this vulnerability have been made
ASSESSMENT:    publicly available.
______________________________________________________________________________

[ Start SGI Advisory ]

______________________________________________________________________________
                Silicon Graphics Inc. Security Advisory

        Title:   IRIX 5.x and 6.x fsdump Security
        Number:  19970301-01-P
        Date:    March 10, 1997
______________________________________________________________________________

Silicon Graphics provides this information freely to the SGI user community
for its consideration, interpretation, implementation and use.   Silicon
Graphics recommends that this information be acted upon as soon as possible.

Silicon Graphics provides the information in this Security Advisory on
an "AS-IS" basis only, and disclaims all warranties with respect thereto,
express, implied or otherwise, including, without limitation, any warranty
of merchantability or fitness for a particular purpose.  In no event shall
SGI be liable for any loss of profits, loss of business, loss of data or
for any indirect, special, exemplary, incidental or consequential damages
of any kind arising from your use of, failure to use or improper use of
any of the instructions or information in this Security Advisory.
______________________________________________________________________________

- --------------------
- ---- Description ---
- --------------------

A security vulnerability has been found with the fsdump program
used in the rfind Server Utilities, in the optionally installed
subsystem eoe.sw.rfindd (IRIX 6.2) or eoe2.sw.rfindd (IRIX
releases prior to 6.2).

Silicon Graphics Inc. has investigated the issue and recommends the
following steps for neutralizing the exposure.  It is HIGHLY RECOMMENDED
that these measures be implemented on ALL vulnerable SGI systems running
IRIX versions 5.x, 6.0.x, 6.1, and 6.2.  This issue has been corrected in
more recent releases of IRIX and will be corrected in future releases
of IRIX.



- ---------------
- ---- Impact ---
- ---------------

The fsdump program is found in the eoe.sw.rfindd and eoe2.sw.rfindd
subsystems which are not installed by default.   As optional subsystems,
these packages must be explicitly installed for use.   Only systems with
the fsdump program present are vulnerable.

Root permissions can be obtained on any system which has the
/var/rfindd/fsdump program installed with setuid permissions.

Exploitation of this vulnerability requires access to an established
account on the system.

Provided with an established account, the vulnerability can be exploited
locally or remotely.

This issue has been publically disclosed in several public forums
including the BUGTRAQ mailing list.


- -----------------
- ---- Solution ---
- -----------------

The solution to this problem is to remove the setuid bit on the
fsdump program or to remove the rfindd subsystem.

To determine if the subsystem containing the fsdump program is installed
on a particular system, the following command can be used:

   % versions -Inv | grep rfindd

   I  eoe.sw.rfindd        1233007732  rfind Server Utilities


In the above case, the optional subsystem containing the fsdump software is
installed and the steps in the section titled "**** IRIX 5.x, 6.0, 6.0.1,
6.1, 6.2 ****" should be performed.  If no output is returned then the
subsystem is not installed but existence of the program should be
double checked with the following command:

   % ls -al /var/rfindd/fsdump /usr/rfindd/fsdump
   Cannot access /var/rfindd/fsdump: No such file or directory
   Cannot access /usr/rfindd/fsdump: No such file or directory


In the above case, the fsdump program is not found and no further action
is required.   If a file listing is returned, then the fsdump program is
present and the steps below should be performed.




**** IRIX 5.x, 6.0, 6.0.1, 6.1, 6.2 ****

There are no patches for this issue.

The steps below can be used to remove the vulnerability.  There
are two possible solutions to this issue.  Solution A in which
the fsdump program permissions are corrected or Solution B in
which the rfindd subsystem is removed.  Either solution can be
used depending on site requirements.





Solution A - Change program permissions.


     1) Become the root user on the system.

                % /bin/su -
                Password:
                #


     2) Move fsdump's cron task from the rfindd crontab file
        (/var/spool/cron/crontabs/rfindd) to the crontab file
        for root (/var/spool/cron/crontabs/root) by concatenating
        the rfind crontab file to the root crontab file.  Then
        move the rfindd crontab file out of the way so it will not
        be used.

                # cd /var/spool/cron/crontabs
                # cat rfindd >> root
                # mv rfindd rfindd.old.insecure


     3) Edit the root crontab file and change the newly added line to
        execute in the rfindd directory.

                # vi  /var/spool/cron/crontabs/root

        {Find the newly added fsdump line}

            3 0-3,5-23 * * * /etc/chkconfig rfindd && exec ./runfsdump

        {Add the cd operation to the fsdump line}

          New entry ----+
                        |
                        V
                   |-------------|
  3 0-3,5-23 * * * cd /var/rfindd; /etc/chkconfig rfindd && exec ./runfsdump

        {Save the file and exit}



     4) Remove the setuid bit from the shipped fsdump program

            # chmod -s /var/rfindd/fsdump


     5) Return to previous level.

                # exit
                $



Solution B - Removal of the software.


     1) Become the root user on the system.

                % /bin/su -
                Password:
                #


     2) Remove the vulnerable subsystems.

                # /usr/sbin/versions -v remove eoe.sw.rfindd eoe2.sw.rfindd


     3) Determine what patches are install on the system.

                # versions -b | grep patch | cut -c4-20


     4) From the patches found in step 3, remove any occurances of
        the following patches:


                 patchSG0000159
                 patchSG0000415
                 patchSG0000528
                 patchSG0000739
                 patchSG0000852
                 patchSG0000159
                 patchSG0001122

        To remove a patch, use the versions command.  For example,
        to remove the patch patchSG0000528:


                # /usr/sbin/versions -v remove patchSG0000528


     5) Return to previous level.

                # exit
                $





**** IRIX 6.3 and 6.4 ****


The IRIX operating system versions 6.3 and 6.4 do not have this
vulnerability and no further action is required.



[ End SGI Advisory ]


______________________________________________________________________________

CIAC wishes to acknowledge the contributions of Silicon Graphics Inc. for the
information contained in this bulletin.
______________________________________________________________________________


CIAC, the Computer Incident Advisory Capability, is the computer
security incident response team for the U.S. Department of Energy
(DOE) and the emergency backup response team for the National
Institutes of Health (NIH). CIAC is located at the Lawrence Livermore
National Laboratory in Livermore, California. CIAC is also a founding
member of FIRST, the Forum of Incident Response and Security Teams, a
global organization established to foster cooperation and coordination
among computer security teams worldwide.

CIAC services are available to DOE, DOE contractors, and the NIH. CIAC
can be contacted at:
    Voice:    +1 510-422-8193
    FAX:      +1 510-423-8002
    STU-III:  +1 510-423-2604
    E-mail:   ciac@llnl.gov

For emergencies and off-hour assistance, DOE, DOE contractor sites,
and the NIH may contact CIAC 24-hours a day. During off hours (5PM -
8AM PST), call the CIAC voice number 510-422-8193 and leave a message,
or call 800-759-7243 (800-SKY-PAGE) to send a Sky Page. CIAC has two
Sky Page PIN numbers, the primary PIN number, 8550070, is for the CIAC
duty person, and the secondary PIN number, 8550074 is for the CIAC
Project Leader.

Previous CIAC notices, anti-virus software, and other information are
available from the CIAC Computer Security Archive.

   World Wide Web:      http://ciac.llnl.gov/
   Anonymous FTP:       ciac.llnl.gov (128.115.19.53)
   Modem access:        +1 (510) 423-4753 (28.8K baud)
                        +1 (510) 423-3331 (28.8K baud)

CIAC has several self-subscribing mailing lists for electronic
publications:
1. CIAC-BULLETIN for Advisories, highest priority - time critical
   information and Bulletins, important computer security information;
2. CIAC-NOTES for Notes, a collection of computer security articles;
3. SPI-ANNOUNCE for official news about Security Profile Inspector
   (SPI) software updates, new features, distribution and
   availability;
4. SPI-NOTES, for discussion of problems and solutions regarding the
   use of SPI products.

Our mailing lists are managed by a public domain software package
called ListProcessor, which ignores E-mail header subject lines. To
subscribe (add yourself) to one of our mailing lists, send the
following request as the E-mail message body, substituting
CIAC-BULLETIN, CIAC-NOTES, SPI-ANNOUNCE or SPI-NOTES for list-name and
valid information for LastName FirstName and PhoneNumber when sending

E-mail to       ciac-listproc@llnl.gov:
        subscribe list-name LastName, FirstName PhoneNumber
  e.g., subscribe ciac-notes OHara, Scarlett W. 404-555-1212 x36

You will receive an acknowledgment containing address, initial PIN,
and information on how to change either of them, cancel your
subscription, or get help.

PLEASE NOTE: Many users outside of the DOE, ESnet, and NIH computing
communities receive CIAC bulletins.  If you are not part of these
communities, please contact your agency's response team to report
incidents. Your agency's team will coordinate with CIAC. The Forum of
Incident Response and Security Teams (FIRST) is a world-wide
organization. A list of FIRST member organizations and their
constituencies can be obtained via WWW at http://www.first.org/.

This document was prepared as an account of work sponsored by an
agency of the United States Government. Neither the United States
Government nor the University of California nor any of their
employees, makes any warranty, express or implied, or assumes any
legal liability or responsibility for the accuracy, completeness, or
usefulness of any information, apparatus, product, or process
disclosed, or represents that its use would not infringe privately
owned rights. Reference herein to any specific commercial products,
process, or service by trade name, trademark, manufacturer, or
otherwise, does not necessarily constitute or imply its endorsement,
recommendation or favoring by the United States Government or the
University of California. The views and opinions of authors expressed
herein do not necessarily state or reflect those of the United States
Government or the University of California, and shall not be used for
advertising or product endorsement purposes.

LAST 10 CIAC BULLETINS ISSUED (Previous bulletins available from CIAC)

H-29: HP-UX sendmail Patches Vulnerability
H-30: Solaris ffbconfig Buffer Overrun Vulnerability
H-31: HP-UX ppl executable Vulnerability
H-32: HP-UX ppl Core Dump Vulnerability
H-33: HP-UX ftpd/kftpd Vulnerability
H-34: Vulnerability in innd
H-35: HP-UX vgdisplay command Vulnerability
H-36: Solaris 2.x CDE sdtcm_convert Vulnerability
H-37: Solaris 2.x passwd buffer Overrun Vulnerability
H-38a: Internet Explorer 3.x Vulnerabilities



-----BEGIN PGP SIGNATURE-----
Version: 2.6.2

iQCVAwUBMyXftLnzJzdsy3QZAQHbPgP/RBDKGX8/1lzXlYI/Nkrs5oDPAgGVlSbk
NDBFgrw3f5tdLDw8CNmaGTDwYVI2I8bel8LnPNT3DDWpPrnMbk+uYR9RRFIKo3Ai
bdXf9dfykDXUvbiWb4q9sWPS5XfcLjnXcPLJrHIzkoNNettUPZNO7rSAbkcn1B9p
9pCVOy+sj5I=
=IET0
-----END PGP SIGNATURE-----

TUCoPS is optimized to look best in Firefox® on a widescreen monitor (1440x900 or better).
Site design & layout copyright © 1986-2024 AOH