
Cray Unicos NQSD format string vulnerability
28th Nov 2001 [SBWID-4882]


	All versions


	In Mickey Mouse Hacking Squadron Advisory #1:

	The NQS, or Network Queueing System, is a popular batch software
	processor which is used to perform job control and leveraging in
	supercomputing environments which require heavy symmetric
	multiprocessing. The controlling daemon, which appears in the process
	list as shown below

	   37152 ?     0:00 nqsdaemon
	   57415 ?     0:00 nqsdaemon


	runs as root in order to properly schedule and timeslice batched
	processes. The Mickey Mouse Hacking Squadron has discovered a format bug
	vulnerability by which any unprivileged user on a system running NQS can
	gain root access. This involves creating a batch with a name that
	contains special formatting characters, which is processed by an unsafe
	function taking a variable argument list. In order to exploit this
	vulnerability, the user must be able to submit the job with qsub in
	such a way that it triggers this vulnerability.



	      The qsub command submits a file that contains a shell script as
	      a batch request to the Network Queuing System (NQS).  For an
	      introduction to the use of NQS, see the Network Queuing System
	      (NQS) User's Guide, publication SG-2105.
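
	The bug class described above, shown from the fixing side as an added example; it is not part of the original advisory and is not NQS source code. The function names, the 63-character limit and the sample request names are assumptions made for illustration.

```c
#include <stdio.h>
#include <string.h>
#include <ctype.h>

/* Hypothetical helpers; constructed for illustration, not taken from NQS. */

/* VULNERABLE pattern the advisory describes (kept as a comment only):
 *     snprintf(out, outlen, request_name);
 * The user-chosen request name is used as the format string, so any
 * conversion specifier in it is interpreted by the variadic formatter. */

/* Hardened form: the format string is a constant, the name is only data. */
int format_request_log(char *out, size_t outlen, const char *request_name)
{
    return snprintf(out, outlen, "request queued: %s", request_name);
}

/* Defence in depth at submission time: accept only a conservative
 * character set, so a name can never carry '%' into later code paths.
 * Returns 1 if the name is acceptable, 0 otherwise. */
int request_name_is_clean(const char *name)
{
    size_t len = strlen(name);
    if (len == 0 || len > 63)          /* assumed length limit */
        return 0;
    for (size_t i = 0; i < len; i++) {
        unsigned char c = (unsigned char)name[i];
        if (!isalnum(c) && c != '_' && c != '-' && c != '.')
            return 0;
    }
    return 1;
}

int main(void)
{
    /* Constructed sample request names. */
    const char *samples[] = { "nightly_build", "batch%x%s" };
    char line[128];
    for (size_t i = 0; i < 2; i++) {
        format_request_log(line, sizeof line, samples[i]);
        printf("%-14s clean=%d log=\"%s\"\n",
               samples[i], request_name_is_clean(samples[i]), line);
    }
    return 0;
}
```

	With the constant format string the specifiers in the second name are logged literally, and the validator rejects that name before it reaches any formatter.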


	This vulnerability has been exploited successfully by the MMHS in a
	RISC environment, using ALPHA processors, in a way similar to bugs
	exploited successfully on Digital UNIX by SeungHyun Seo, also posted to
	the Bugtraq mailing list. The exploitation on vectorized processors,
	such as the Y-MP series, has proved to be much more difficult,
	especially due to large 64-bit addressing and a large number of NULL
	bytes in the process address space. This should also prove easy to
	exploit on PowerPC and SPARC environments.


	These products have been retired, and SGI will not be providing a patch
	for these vulnerabilities. SGI's recommendation is to uninstall the

	To determine if the product is installed, run the following command:

	   # versions -b | grep NQE


	If the output returned by the command looks similar to this:

	   I  NQE33015_Client_only 10/28/1999  N Q E Client only
	   I  NQE33015_Components_and_Client  10/28/1999  N Q E Components


	...then NQE is installed and the system is vulnerable.

	To uninstall the product, run the following command:

	   # versions remove NQE*

