SGI Tempo Database Password Disclosure

Posted Dec 10, 2014
Authored by John Fitzpatrick

SGI Tempo systems expose a database password in the world readable /etc/odapw file.

tags | exploit, info disclosure
advisories | CVE-2014-7301
SHA-256 | 33068bfa9903902198ab1a1def7493a5b1147e1e5e632e0bac53597bf97cf900

[SGI Tempo System Database Password Exposure]

Software: SGI Tempo (SGI ICE-X Supercomputers)
Affected Versions: Unknown
CVE Reference: CVE-2014-7301
Author: John Fitzpatrick, MWR Labs
Severity: Medium Risk
Vendor: Silicon Graphics International Corp (SGI)
Vendor Response: Uncooperative


[Description]

It is possible for users to gain read+write access to the Tempo system (configuration) database on SGI ICE-X supercomputers due to insecurely set file permissions on the /etc/odapw file.


[Impact]

SGI describe the system database as “critical to the operation of your SGI ICE X system”. It is believed that this level of access could be used to cause significant disruption to the operation of the supercomputer. However, this has not been fully explored.


[Cause]

Insecure (world readable) file permissions are set on the /etc/odapw file which contains the password for this database.


[Solution]

SGI have chosen not to issue a fix. However, a workaround is trivial: modify the permissions of the /etc/odapw file:

# chmod 600 /etc/odapw


[Technical Details]

SGI Tempo cluster management software, deployed on SGI ICE supercomputers, makes use of a system database (SDB, sometimes referred to as the Oscar database). This database (MySQL) contains system configuration information required for the operation of the cluster which, if altered, could cause severe disruption to the system's operation. In addition, some information would be considered sensitive, particularly in more recent Tempo versions that have been found to store root password hashes as attributes within this database.

If root password hashes are held within the database they will be displayed as the result of running the following command:

# cattr list passwd_root

By default, an anonymous account is available to query the SDB with read-only permissions. An article on the SGI Supportfolio describes this issue and how to disable anonymous access:

https://support.sgi.com/kb_request/solution/display?KB_NODEUUID=62590135-708d-47d7-934e-b3fac09b7603&MODE=multiple (Registration required)

Disabling anonymous access will prevent non-root users from running the c* commands (e.g. cattr, cnodes, etc.). Whilst providing read-only access does present its risks, the risk posed by providing read+write access is far more substantial, as it can also be utilised to alter the system configuration and cause the system to fail to operate.

The default username for the database is “oscar”. The password for this is held in the /etc/odapw file which is present on service nodes and readable by all users of the system. The password follows a common structure shown below:

regexp: oscar(\.[0-9]{3}){4}
example: oscar.324.519.262.397

The following MySQL command will establish a connection to the database and prompt for the password within the /etc/odapw file:

$ mysql -u oscar -h admin -p


[Workaround]

MWR recommend altering the permissions of the /etc/odapw file to prevent non-root users from reading the password. This will prevent non-root users from being able to make use of the c* commands:

# chmod 600 /etc/odapw
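
A way to audit service nodes for the condition described above, added here as an example and not part of the MWR advisory. It assumes GNU stat (stat -c) and that /etc/odapw holds the password on a line of its own; the function names are hypothetical.

```bash
#!/usr/bin/env bash
# Added example: audit the Tempo database password file without printing it.
# Assumptions: GNU coreutils stat; the password sits on its own line in the file.

# odapw_mode_status FILE
# Returns 0 if no group/other permission bits are set (e.g. mode 600),
#         1 if group or other have any access (e.g. mode 644),
#         2 if the file is missing or cannot be examined.
odapw_mode_status() {
    local file=$1 mode
    [ -e "$file" ] || return 2
    mode=$(stat -c '%a' "$file") || return 2
    # %a is octal; the leading 0 makes the shell treat it as octal too.
    if [ $(( 0$mode & 077 )) -ne 0 ]; then
        return 1
    fi
    return 0
}

# odapw_default_structure FILE
# Returns 0 if a line matches the password structure given in the advisory.
odapw_default_structure() {
    grep -Eq '^oscar(\.[0-9]{3}){4}[[:space:]]*$' "$1" 2>/dev/null
}

# audit_odapw [FILE]
# Prints a finding (never the password) and returns the mode status.
audit_odapw() {
    local file=${1:-/etc/odapw} rc=0
    odapw_mode_status "$file" || rc=$?
    case $rc in
        0) echo "OK: $file is not accessible to group or other" ;;
        1) echo "EXPOSED: $file has mode $(stat -c '%a' "$file"); apply chmod 600" ;;
        2) echo "SKIP: $file not found"; return 2 ;;
    esac
    if odapw_default_structure "$file"; then
        echo "NOTE: password follows the oscar.NNN.NNN.NNN.NNN structure"
    fi
    return $rc
}
```

Run audit_odapw as root on each service node; a return status of 1 means the workaround has not been applied there.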

SGI have chosen not to co-operate with MWR in the co-ordinated disclosure of this and other SGI related security issues. MWR are therefore unable to provide specific version information and other details. Whilst every effort has been made to ensure the accuracy and usefulness of this advisory it is recommended that SGI are contacted directly if further information is required.


[Detailed Timeline]

2014-02-11: Contact with SGI established
2014-02-20: Full vulnerability details provided to SGI
2014-04-14: Vulnerabilities acknowledged and response provided
2014-05-23: Update requested by MWR (not provided)
2014-07-23: Update requested by MWR (not provided)
2014-11-20: Contact with SGI re-attempted
2014-12-02: Advisory published

https://labs.mwrinfosecurity.com/advisories/2014/12/02/sgi-tempo-system-database-password-exposure/