Date: Wed, 8 Apr 1998 18:48:55 -0400
From: Fabrice Planchon <fabrice@MATH.PRINCETON.EDU>
To: BUGTRAQ@NETSPACE.ORG
Subject: SGI O2 ipx security issue

Hi all,
SGI O2 running Irix 6.3 come with support for the IPX protocol from
Novell. This stuff is installed by default, and live in
/usr/etc/netware/
among other things, there are 2 suid binaries, ipxchk and ipxlink. None
of them are documented anywhere, and they allow root access in the most
simple way (think IFS=/). So, if you don't use ipx, I recommend to just
chmod u-s both of them. (see below if you have a support contract)

Now, the full story: I reported this bug to SGI in june 97, providing a
clear explanation on how and why it appeared to be a *really* bad idea
to have the 2 binaries suid. They weren't resetting the environment,
were calling other programs via system, messing with temp files, in
short everything which shouldn't be done. I was assured by SGI that a
security fix would be released within 2 months, and by the end of the
summer, I asked via the support line what was the status, and was
answered that the patch was soon to be officially released, and that
they could give it to me if I wanted to. I therefore dowloaded the
patch, which was patchSG0001693, intended to be released as a
security-fix patch (and therefore, freely available). 5 minutes after
installing the patch, I was root again. The patch (sorry, for some
reason I erased it inadvertantly) was doing 2 things: changing the
permissions to rws--x--x, and hardcoding IFS and the path of various
binaries called. In short, they did a very poor job, even if I had taken
extra steps to explain everything to them after being asked to be more
specific after the initial bug report. Anyway, I immediatly reported
that the problem was not fixed at all, and they didn't release the patch
publically. Since then I never heard from SGI again. I want to take the
opportunity to thank AUSCERT for being responsive on that subject,
ac1
 and
for trying to help. A couple of weeks ago, I was looking for other
patches and noticed Patch_SG0002869. From the release notes:

   This patch contains fixes for the following bugs in IRIX 6.3
       O2 R10K.  Bug numbers from Silicon Graphics bug tracking
       system are included for reference.

          o 498565 - ipxchk and ipxlink have security issues

It should be noted that
-this patch is *not* a security patch (it contains other fixes)
-it is not even a freely available patch, you need a valid support
contract to get it, and it's not in the recommended set of patches
anyway.
-the way the bug is fixed is by removing ipxchk and having ipxlink no
longer suid. (I asked why it was suid in the first place, but never got
an answer)

So, anyway, I just thought I would share my experience. It was said that
SGI has improved on security issues, and it is true so far that they
have taken steps to fix things like buffer overflows lately, but it
looks like this little story tells us that we cannot trust any vendor on
the subject of security. To think that in a modern OS released in 96 you
find something exploitable with tricks from the 80's is scary.

                             F.


--
#!/usr/local/bin/perl --    -export-a-crypto-system-sig -RSA-3-lines-PERL
print pack"C*",split/\D+/,`echo "16iII*o\U@{$/=$z;[(pop,pop,unpack"H*",<>
)]}\EsMsKsN0[lN*1lK[d2%Sa2/d0<X+d*lMLa^*lN%0]dsXx++lMlN/dsM0<J]dsJxp"|dc`