IRIX midikeys setuid permissions allow local root compromise. Exploit description and vendor recommended temporary solution included.
Date: Wed, 19 May 1999 11:25:59 -0400
From: Larry W. Cashdollar <lwcashd@BIW.COM>
To: BUGTRAQ@netspace.org
Subject: IRIX midikeys root exploit.
Aleph1,
Please forgive me if this has already been on this list. I searched
geek-girl with no luck. I have been auditing our IRIX boxes and found what I
believe to be a new vulnerability.
On IRIX 6.5 systems (IRIX Release 6.5 IP28):
# uname -a
IRIX64 devel 6.5 05190004
The setuid root binary midikeys can be used to read any file on the
system using its GUI interface. It can also be used to edit any file on the
system. I was able to get from guest account access to root access using the
following procedure.
1) Choose an unpassworded account and telnet in. I like guest or lp.
devel 25% id
uid=998 gid=998(guest)
2) Execute the midikeys application with display set to your host.
devel 26% ./midikeys
devel 27% Xlib: extension "GLX" missing on display "grinch:0.0".
Xlib: extension "GLX" missing on display "grinch:0.0".
3) Under the midikeys window, click sounds and then midi songs. This will
open a file manager type interface.
4) You can enter the path and filename of files you wish to read,
including root-owned files with group/world read/write permissions unset.
5) If you select a file like "/usr/share/data/music/README" it will
appear in a text editor. Use the text editor to open /etc/passwd and
make modifications at will. Save and enjoy.
So I removed the '*' from sysadm...
$ su sysadm
# id
uid=0(root) gid=0(sys)
devel 28% ls -l /usr/sbin/midikeys
-rwsr-xr-x 1 root root 218712 Jan 10 17:19 /usr/sbin/midikeys
I have tested this on 2 IRIX 6.5 hosts with success. A patch exists for
startmidi and stopmidi buffer overflows.
More info on the previous patch:
ftp://sgigate.sgi.com/security/19980301-01-PX
However, I didn't find any for midikeys.
-- Larry W. Cashdollar
UNIX/Security Operations.
Computer Sciences Corporation.
---------------------------------------------------------------------------------
Date: Thu, 20 May 1999 11:49:11 +0200
From: Erik Mouw <J.A.K.Mouw@ITS.TUDELFT.NL>
To: BUGTRAQ@netspace.org
Subject: Re: IRIX midikeys root exploit.
Larry W. Cashdollar wrote:
> Please forgive me if this has already been on this list. I searched
> geek-girl with no luck. I have been auditing our IRIX boxes and found what I
> believe to be a new vulnerability.
>
> On IRIX 6.5 systems (IRIX Release 6.5 IP28 )
> # uname -a
> IRIX64 devel 6.5 05190004
>
> The setuid root binary midikeys can be used to read any file on the
> system using its gui interface. It can also be used to edit anyfile on the
> system. I was able to get from guest account access to root access using the
> following procedure.
>
>
> 1) Choose an unpassworded account and telnet in. I like guest or lp.
>
> devel 25% id
> uid=998 gid=998(guest)
Unpassworded account? That's a known (and documented) feature on IRIX
systems. First thing you do when you unpack an IRIX box: set a root
password and disable the open accounts (EZsetup, OutOfBox, lp, guest,
4Dgifts, sgiweb). There's even an entry in the "System manager" to do it.
You just need an account to gain root privileges; it's not limited to the
unpassworded accounts, any normal user could use this exploit.
> 2) Execute the midikeys application with display set to your host.
>
> devel 26% ./midikeys
> devel 27% Xlib: extension "GLX" missing on display "grinch:0.0".
> Xlib: extension "GLX" missing on display "grinch:0.0".
>
>
> 3) under the midikeys window click sounds and then midi songs. This will
> open a file manager type interface.
>
> 4) You can enter the path and filename of files you which to read.
> including root owned with group/world read/write permissions unset.
>
> 5) If you select a file like "/usr/share/data/music/README" it will
> appear in a text editor. Use the text editor to open /etc/passwd and
> make modifications at will. Save and enjoy.
>
> So I removed the '*' from sysadm...
>
> $ su sysadm
> # id
> uid=0(root) gid=0(sys)
>
> devel 28% ls -l /usr/sbin/midikeys
> -rwsr-xr-x 1 root root 218712 Jan 10 17:19 /usr/sbin/midikeys
>
>
> I have tested this on 2 IRIX 6.5 hosts with success. A patch exists for
> startmidi and stopmidi buffer overflows.
Verified to work on an O2 running IRIX 6.3:
uname -aR
IRIX o2 6.3 O2 R10000 12161207 IP32
And on an Octane running IRIX 6.5.3:
uname -aR
IRIX64 octane 6.5 6.5.3m 01221553 IP30
Editor was XEmacs, but that doesn't really matter.
Erik
(strictly speaking for myself)
--
J.A.K. (Erik) Mouw, Information and Communication Theory Group, Department
of Electrical Engineering, Faculty of Information Technology and Systems,
Delft University of Technology, PO BOX 5031, 2600 GA Delft, The Netherlands
Phone: +31-15-2785859 Fax: +31-15-2781843 Email J.A.K.Mouw@its.tudelft.nl
WWW: http://www-ict.its.tudelft.nl/~erik/
---------------------------------------------------------------------------
Date: Fri, 21 May 1999 10:56:33 -0400
From: Larry W. Cashdollar <lwcashd@BIW.COM>
To: BUGTRAQ@netspace.org
Subject: IRIX midikeys vulnerability list.
I am attempting to compile a list of vulnerable systems for this exploit. I would like
to provide as much information to SGI as possible. Here is what I have found so
far.
Erik Mouw <J.A.K.Mouw@its.tudelft.nl>
---------------------------------------------
Verified to work on an O2 running IRIX 6.3:
uname -aR
IRIX o2 6.3 O2 R10000 12161207 IP32
And on an Octane running IRIX 6.5.3:
uname -aR
IRIX64 octane 6.5 6.5.3m 01221553 IP30
Larry W. Cashdollar <lwcashd@biw.com>
----------------------------------------------
Verified on an ONYX/2 running IRIX 6.5.
uname -aR
IRIX64 onyx 6.5 05190003 IP27
Verified on an Indigo running IRIX 6.5.
uname -aR
IRIX64 flier 6.5 05190004 IP28
I was unable to test this on our IRIX 6.2 box.
/usr/sbin/midikeys does exist and it is setuid root however.
Anthony C. Zboralski <acz@hert.org>
----------------------------------------------
It works on the latest 6.5.4 maintenance release:
IRIX ra 6.5 04151556 IP32 mips
Larry W. Cashdollar
Unix Administrator
Computer Security Operations
---------------------------------------------------------------------------
Date: Thu, 20 May 1999 19:08:44 -0600
From: Philipp Schott <philipp@SMAUG.MATHEMATIK.UNI-FREIBURG.DE>
To: BUGTRAQ@netspace.org
Subject: Re: IRIX midikeys root exploit.
On May 20, 11:49am, Erik Mouw wrote:
> Subject: Re: IRIX midikeys root exploit.
>
> Verified to work on an O2 running IRIX 6.3:
> uname -aR
> IRIX o2 6.3 O2 R10000 12161207 IP32
>
> And on an Octane running IRIX 6.5.3:
> uname -aR
> IRIX64 octane 6.5 6.5.3m 01221553 IP30
>
> Erik
> (strictly speaking for myself)
>
What is the package called that includes "midikeys"?
On all boxes (5.3, 6.3, 6.4, 6.5.2) I've checked there is no such program,
but there is start-/stopmidi.
philipp
--
===============================================================
Philipp M. W. Schott
Institute for Applied Mathematics Fon: +49 (0)761/203-5626
Hermann-Herder-Str. 10 Fax: +49 (0)761/203-5632
Freiburg University smtp: pmws@pmws.de
D-79104 Freiburg http: www.pmws.de
===============================================================
---------------------------------------------------------------------------
Date: Fri, 21 May 1999 08:55:01 +0200
From: Björn Torkelsson <torkel@HPC2N.UMU.SE>
To: BUGTRAQ@netspace.org
Subject: Re: IRIX midikeys root exploit.
Erik Mouw <J.A.K.Mouw@ITS.TUDELFT.NL> writes:
> > I have tested this on 2 IRIX 6.5 hosts with success. A patch exists for
> > startmidi and stopmidi buffer overflows.
>
> Verified to work on an O2 running IRIX 6.3:
> uname -aR
> IRIX o2 6.3 O2 R10000 12161207 IP32
>
> And on an Octane running IRIX 6.5.3:
> uname -aR
> IRIX64 octane 6.5 6.5.3m 01221553 IP30
Verified to work on an O2 running IRIX 6.5.3.
After a chmod u-s midikeys, midikeys still works, at least after a very
quick test. Does anybody know why midikeys is setuid root?
Is this reported to SGI?
/torkel
---------------------------------------------------------------------------
Date: Fri, 21 May 1999 09:04:47 -0700
From: Steve Allen <allen@DOOBIE.ITDL.DS.BOEING.COM>
To: BUGTRAQ@netspace.org
Subject: Re: IRIX midikeys root exploit.
On May 20, 7:08pm, Philipp Schott wrote:
>What is the package called that includes "midikeys"?
>On all boxes (5.3, 6.3, 6.4, 6.5.2) I've checked there is no such program,
>but there is start-/stopmidi.
dmedia_eoe.sw.synth
Steve
--
Steven R. Allen - steve.allen@boeing.com -- SGI Admin Weenie
http://www.eskimo.com/~wormey/ ICQ# 6709819
Contrary to popular belief, Unix is user friendly.
It just happens to be selective about who it makes friends with.
---------------------------------------------------------------------------
Date: Fri, 21 May 1999 21:26:22 GMT
From: SGI Security Coordinator <agent99@BOYTOY.CSD.SGI.COM>
Reply-To: agent99@sgi.com
To: BUGTRAQ@netspace.org
Subject: IRIX midikeys Vulnerability
-----BEGIN PGP SIGNED MESSAGE-----
______________________________________________________________________________
SGI Security Advisory
Title: IRIX midikeys Vulnerability
Number: 19990501-01-A
Date: May 21, 1999
______________________________________________________________________________
SGI provides this information freely to the SGI user community for its
consideration, interpretation, implementation and use. SGI recommends
that this information be acted upon as soon as possible.
SGI provides the information in this Security Advisory on an "AS-IS" basis
only, and disclaims all warranties with respect thereto, express, implied
or otherwise, including, without limitation, any warranty of merchantability
or fitness for a particular purpose. In no event shall SGI be liable for
any loss of profits, loss of business, loss of data or for any indirect,
special, exemplary, incidental or consequential damages of any kind arising
from your use of, failure to use or improper use of any of the instructions
or information in this Security Advisory.
______________________________________________________________________________
SGI acknowledges the publicly reported IRIX midikeys vulnerability and is
currently investigating.
For the protection of all our customers, SGI does not disclose, discuss
or confirm vulnerabilities until a full investigation has occurred and
any necessary patch(es) or release streams are available for all vulnerable
and supported Unicos and IRIX operating systems.
Until SGI has more definitive information to provide, customers
are encouraged to assume all security vulnerabilities as exploitable and take
appropriate steps according to local site security policies and requirements.
Steps to remove setuid on the IRIX midikeys program are found in the
Temporary Solution section below. No further information is available at
this time.
As further information becomes available, additional advisories will be
issued via the normal SGI security information distribution methods
including the wiretap mailing list.
- ----------------------------
- ----- Temporary Solution ---
- ----------------------------
The steps below can be used to remove setuid from the IRIX midikeys(1)
program.
================
**** NOTE ****
================
Removal of the setuid permission disables functionality that
is not implemented or utilized at this time.
1) Verify midikeys(1) is installed on the system.
It is installed by default on IRIX 6.2 and higher.
Note that the program size may vary depending on IRIX release.
% ls -la /usr/sbin/midikeys
-rwsr-xr-x 1 root sys 218712 Mar 8 14:57 /usr/sbin/midikeys
2) Become the root user on the system.
% /bin/su -
Password:
#
3) Change the permissions on the program.
# /bin/chmod 555 /usr/sbin/midikeys
4) Verify the new permissions on the program.
# ls -la /usr/sbin/midikeys
-r-xr-xr-x 1 root sys 218712 May 20 13:57 /usr/sbin/midikeys
5) Return to previous level.
# exit
%
- -----------------------------------------
- --- SGI Security Information/Contacts ---
- -----------------------------------------
If there are questions about this document, email can be sent to
cse-security-alert@sgi.com.
------oOo------
SGI provides security information and patches for use by the entire
SGI community. This information is freely available to any person
needing the information and is available via anonymous FTP and the Web.
The primary SGI anonymous FTP site for security information and patches
is sgigate.sgi.com (204.94.209.1). Security information and patches
are located under the directories ~ftp/security and ~ftp/patches,
respectively. The SGI Security Headquarters Web page is accessible at
the URL http://www.sgi.com/Support/security/security.html .
For issues with the patches on the FTP sites, email can be sent to
cse-security-alert@sgi.com.
For assistance obtaining or working with security patches, please
contact your SGI support provider.
------oOo------
SGI provides a free security mailing list service called wiretap and
encourages interested parties to self-subscribe to receive (via email) all
SGI Security Advisories when they are released. Subscribing to the mailing
list can be done via the Web (http://www.sgi.com/Support/security/wiretap.html)
or by sending email to SGI as outlined below.
% mail wiretap-request@sgi.com
subscribe wiretap <YourEmailAddress>
end
^d
In the example above, <YourEmailAddress> is the email address that you
wish the mailing list information sent to. The word end must be on a
separate line to indicate the end of the body of the message. The
control-d (^d) is used to indicate to the mail program that you are
finished composing the mail message.
------oOo------
SGI provides a comprehensive customer World Wide Web site. This site is
located at http://www.sgi.com/Support/security/security.html .
------oOo------
For reporting *NEW* SGI security issues, email can be sent to
security-alert@sgi.com or contact your SGI support provider. A
support contract is not required for submitting a security report.
______________________________________________________________________________
This information is provided freely to all interested parties and
may be redistributed provided that it is not altered in any way,
SGI is appropriately credited and the document retains and includes
its valid PGP signature.
-----BEGIN PGP SIGNATURE-----
Version: 2.6.2
iQCVAwUBN0XOZ7Q4cFApAP75AQFAXQP/XPq9JyXVm8xiPDjxF327yZ8QAF3u1OF6
27Z+wIW01G6XKo0Hfu1mPVV0DNQnuKA8NQHST6iQ8F3CnwMI8Ue2RxMMDursQ19Q
X9FkoIJCHveDWlJwExwR99Gek/rG/pRT4ZizqvaT87ac4yLqK/4IGzo/WUJXxJT1
zhD9saxG/Z8=
=QQ8H
-----END PGP SIGNATURE-----
---------------------------------------------------------------------------
Date: Fri, 21 May 1999 16:39:18 -0700
From: Aleph One <aleph1@UNDERGROUND.ORG>
To: BUGTRAQ@netspace.org
Subject: Re: IRIX midikeys vulnerability list.
This is a summary of some of the responses to this thread. It seems
that whether or not you use a vi or some other editor makes a difference.
Would the people that reported it as not working please repeat their
test using a different editor? Thank you.
From Jean-Francois Malouin <Jean-Francois.Malouin@bic.mni.mcgill.ca>:
dmedia_eoe.sw.synth ( at least on IRIX 6.5.3m).
Following the aforementioned recipe, I tried to modify some system files
on an Octane IP30 running 6.5.3m but to no avail. hmmmm, I see that same
system as being reported vulnerable...
# uname -Ra
# IRIX64 6.5 6.5.3m 01221553 IP30
From Jeremy Hinegardner <jeremy@meru.cecs.missouri.edu>:
I have tested the exploit on a couple of Octanes, and
it seems to be fixed in the IRIX 6.5.3 feature stream.
Our machines using 6.5.3f were not vulnerable.
Both the file manager and the editor ran as the user,
not root.
Verified to work on Octane running IRIX 6.4
uname -aR
IRIX64 octane 6.4 S2MP+OCTANE 02121744 IP30
Verified to NOT work on Octane running IRIX 6.5.3f
uname -aR
IRIX64 octane 6.5 6.5.3f 01221643 IP30
The IRIX 6.5.4 stream is available for download,
anyone try it?
From J.A. Gutierrez <spd@gtc1.cps.unizar.es>:
* verified:
IRIX64 IRIX 6.5.3f
(editor (jot) runs as root)
|-+------- 1147467 root midikeys
| \-+----- 1150492 root dirview /usr/share/data/music
| \----- 1152654 root fmserv sgonyx.ita.es:1.0
* Didn't work at first
IRIX 6.2 where midikeys is from dmedia_eoe.sw.synth
(editor (vi) runs as user)
But if you open an X11 editor (gvim), it will run as root,
and you will be able to edit anything, again...
From eLement <eLement@nirvanet.net>:
The vulnerability is verified to work on
uname -aR
IRIX eLement 6.3 O2 R10000 12161207 IP32
From Klaus <klaus@imprint.uwaterloo.ca>:
The machine on my desk:
IRIX grimlock 6.5 6.5.2m 11051733 IP32
didn't seem to be vulnerable, but I don't have nedit installed; vi didn't
preserve my setuid from midikeys.
However, on a machine -with- nedit,
IRIX jazz 6.5 6.5.2m 11051733 IP32
I was able to replicate it. I was also able to replicate the exploit using
jot (another window based text editor).
So the exploit seems to revolve around the use of an editor that doesn't
require a terminal device; opening a tty to run the editor (although I'm
not 100% on how gvim works in that respect) seems to reset the effective
UID.
--
Aleph One / aleph1@underground.org
http://underground.org/
KeyID 1024/948FD6B5
Fingerprint EE C9 E8 AA CB AF 09 61 8C 39 EA 47 A8 6A B8 01
---------------------------------------------------------------------------
Date: Thu, 27 May 1999 14:20:50 -0400
From: Pawel K. Peczak <pkpecza@ERENJ.COM>
To: BUGTRAQ@netspace.org
Subject: Re: IRIX midikeys Vulnerability
As a comment on Aleph's recent summary of the responses to the IRIX
midikeys vulnerability (http://www.geek-girl.com/bugtraq/1999_2/0518.html)
let me add my own observation.
It turns out that one does not need any particular text editor
to exploit the vulnerability. That's because of a nice "feature" of
the desktop environment variable WINEDITOR that can be set to any system
command, e.g., "/bin/chmod 4755 /tmp/bsh" (where /tmp/bsh is just
a root-owned copy of Bourne shell).
This can be done on both IRIX 6.2 (e.g., using toolchest -> Desktop
-> Customize -> Desktop -> Default Editor: Other...) and on
IRIX 6.5 (toolchest -> Desktop -> Customize -> Utilities -> Text Editor:
Other...). After setting WINEDITOR (which can be verified by inspecting
~/.desktop-hostname/desktopenv) the exploit follows the well-known path
by running midikeys, opening a file manager, etc.
Using this method I was able to gain root access (via a local account)
on two systems running IRIX 6.2 and 6.5.3m. I suspect that any system
running IRIX 6.2 or higher with suid midikeys program may be vulnerable.
To remove the vulnerability one should immediately remove suid from
the IRIX midikeys program, as suggested in the recent SGI Security
Advisory 19990501-01-A.
Pawel Peczak pkpecza@erenj.com
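Aleph One's summary and Pawel Peczak's WINEDITOR observation together pin down the root cause: midikeys keeps an effective UID of 0 when it launches whatever helper the user has configured, so any editor that does not itself reset the effective UID (or any command placed in WINEDITOR) runs as root. The block below is an added example, not code from IRIX or from any poster, showing the pattern a setuid program should use before launching a user-configurable helper: fork, permanently drop to the real UID and GID in the child, confirm that root cannot be regained, and only then exec. The helper command, here run through /bin/sh in place of an editor, is a stand-in chosen for the example.

```c
/* Added example (not from IRIX or the thread): launch a user-configurable
 * helper from a setuid program without handing it root. */
#define _GNU_SOURCE
#include <grp.h>
#include <stdio.h>
#include <stdlib.h>
#include <sys/types.h>
#include <sys/wait.h>
#include <unistd.h>

/* Permanently drop to the invoking (real) user's IDs. Order matters: the
 * supplementary groups and GID go first, because once the effective UID is
 * no longer 0 those calls are refused. Returns 0 on success, -1 on failure. */
int drop_privileges_permanently(void)
{
    uid_t ruid = getuid();
    gid_t rgid = getgid();

    if (geteuid() == 0) {
        /* Only root may reset the supplementary group list. */
        if (setgroups(1, &rgid) != 0)
            return -1;
    }
    if (setgid(rgid) != 0)
        return -1;
    if (setuid(ruid) != 0)
        return -1;
    return 0;
}

/* Return 1 if no privilege can be regained: real and effective IDs agree
 * and, for a non-root invoker, an attempt to become uid 0 is refused.
 * A child that passes this check cannot give root to an editor. */
int privileges_are_dropped(void)
{
    if (getuid() != geteuid() || getgid() != getegid())
        return 0;
    if (getuid() != 0 && setuid(0) == 0)
        return 0;   /* we climbed back to root: the drop was not permanent */
    return 1;
}

/* Run CMD through /bin/sh as the invoking user, never as root, and return
 * its exit status (or -1 on failure). The thread's WINEDITOR case is the
 * motivation: anything the user can configure must run with the user's IDs. */
int run_as_invoker(const char *cmd)
{
    pid_t pid = fork();
    if (pid < 0)
        return -1;
    if (pid == 0) {
        /* Refuse to exec at all if the drop fails or can be reversed. */
        if (drop_privileges_permanently() != 0 || !privileges_are_dropped())
            _exit(127);
        execl("/bin/sh", "sh", "-c", cmd, (char *)NULL);
        _exit(127);
    }
    int status;
    if (waitpid(pid, &status, 0) < 0)
        return -1;
    return WIFEXITED(status) ? WEXITSTATUS(status) : -1;
}

int main(void)
{
    /* Constructed demonstration: whatever this process's effective UID is,
     * the stand-in "editor" reports the invoking user's identity. */
    int rc = run_as_invoker("id");
    printf("helper exited with status %d\n", rc);
    return rc == 0 ? 0 : 1;
}
```

The contrast with the behaviour described in the thread is that midikeys effectively performed the exec step without the drop, so the editor, the file manager and the WINEDITOR command all inherited uid 0. With the drop in place, what the helper can read or write is exactly what the invoking user could already read or write, which is also why the SGI 6.5.3f stream, where both helpers "ran as the user", was reported as not vulnerable.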