-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

===============================================================================
>>                                                      CERT-NL, 01-Mar-2000 <<
>> All CERT-NL information has been moved to http://cert.surfnet.nl.  Links  <<
>> to CERT-NL information contained in this advisory are therefore outdated. <<
>>                                                                           <<
>> CERT-NL also has stopped the CERT-CC-Mirror service.  Due to this the     <<
>> links to the CERT-CC mirror are obsolete. Visit the CERT-CC site for the  <<
>> complete CERT-CC advisory texts:                     http://www.cert.org  <<
===============================================================================
===============================================================================
Security Advisory                                                       CERT-NL
===============================================================================
Author/Source : CERT-NL (Teun Nijssen )                     Index  :    S-94-19
Distribution  : World                                       Page   :          1
Classification: External                                    Version:      Final
Subject       : SGI IRIX Help Vulnerability                 Date   :  12-aug-94
===============================================================================
 
CERT-NL received the following advisory from CERT-CC:

============================================================================
CA-94:13                         CERT Advisory
                                 August 11, 1994
                            SGI IRIX Help Vulnerability
- -----------------------------------------------------------------------------

The CERT Coordination Center has received information about a vulnerability in
the Silicon Graphics, Inc. IRIX operating system, versions 5.1.x and 5.2.
This vulnerability enables users to gain unauthorized root access. To
exploit the vulnerability, a person must log into an account on the system
or have physical access to the system console.

SGI has developed a patch for the vulnerability. Because the vulnerability has
been widely discussed in public forums on the Internet, we recommend that you
install the patch as soon as possible. Section III below contains
instructions for obtaining the patch, along with a workaround you can use
until you install it.

As we receive additional information relating to this advisory, we will place
it, along with any clarifications, in a CA-94:13.README file. CERT advisories
and their associated README files are available by anonymous FTP from
info.cert.org. We encourage you to check the README files regularly for
updates on advisories that relate to your site.

- -----------------------------------------------------------------------------

I.   Description

A vulnerability exists in the SGI help system and print manager, enabling
users to get unauthorized root access if they can log into an account on the
system or get physical access to the system console. The vulnerability is
present in the SGI IRIX operating system, versions 5.1.x and 5.2. SGI reports
that the problem will be permanently corrected in a future release of IRIX.

In public discussions, the vulnerability has been referred to by various
names, including clogin, printer manager, and SGI Help.

II.  Impact

Individuals with accounts on the system or physical access to the system
console can obtain root access.

III. Solutions

     A.  For IRIX 5.2
         
         If you are running IRIX 5.2, obtain and install patch65 according
         to the instructions provided. These instructions can be found in the
         "relnotes.patchSG0000065" file in the patch65.tar file (see below).

         To install this patch successfully, you need to have the latest SGI
         "inst" program installed (this is available as patch00 or patch34).

         SGI has provided instructions for determining if the new install
         program is on your system. We have placed these in an appendix
         at the end of this advisory.

         These patches are available by anonymous FTP from ftp.sgi.com and
         from sgigate.sgi.com in the "/security" directory.
        
         Filename           patch65.tar
         Standard Unix Sum  63059 1220
         System V Sum       15843 2440 
         MD5                af8c120f86daab9df74998b31927e397


         Filename           patch34.tar.Z
         Standard Unix Sum  11066 15627
         System V Sum       1674 31253
         MD5                2859d0debff715c5beaccd02b6bebded

         Patches are available on CD. Contact your nearest SGI service
         provider for distribution.

     B.  For IRIX 5.1.x

         If you are running versions 5.1.x, SGI recommends that you upgrade to
         version 5.2, if possible, and then follow the instructions in Section
         III.A. above. If you cannot upgrade to 5.2, see the workaround
         instructions in III.C.

     C.  Workaround 

         If you cannot install the patches or are delayed in obtaining them,
         SGI recommends removing the help subsystem using the following
         command (as root):

                # versions remove sgihelp.sw.eoe

         PLEASE NOTE:  Removal of this subsystem will affect other
         installed software that use the SGI Help system. After
         the removal, certain help functions from within applications
         will return non-fatal error messages about the missing subsystem.

         At a later date, when the patch can be installed on the system, 
         you will need to re-install the previously removed SGI Help software
         prior to installing patch65. This can be found on your original
         software distribution (CD labeled as IRIX 5.2). As root, use the
         command:

                # inst -f /CDROM/dist/sgihelp
                Inst> install sgihelp.sw.eoe
                Inst> go

         The installation documentation provides further information.

- ---------------------------------------------------------------------------
The CERT Coordination Center wishes to thank Silicon Graphics, Inc., for their
cooperation in responding to this problem and members of the AUSCERT and CIAC
response teams for their contributions to this advisory.
- ---------------------------------------------------------------------------

CA-94:13.README
Issue Date:     August 11, 1994
Revision Date:  August 11, 1994


There are three patches related to this issue - patch00, patch34, and patch65.

Patch34 is an update to patch00 which modifies the "inst" program to
be able to handle patch updates.  At least one of patch00 or patch34
is required to be installed before installing patch65.  To determine
if the new inst program is already installed on your system,
the following command can be issued:

        # versions patch\*
        I = Installed, R = Removed

           Name                 Date      Description

        I  patchSG0000034       08/10/94  Patch SG0000034
        I  patchSG0000034.eoe1_sw 08/10/94 IRIX Execution Environment Software
        I  patchSG0000034.eoe1_sw.unix 08/10/94 IRIX Execution Environment


If patchSG0000000 or patchSG0000034 (as seen above) is loaded,
then it is only necessary to download patch65 as described in the advisory.
This is important since patch34 is rather large (16MB).

Otherwise, download both patch34 and patch65.  Install patch34 first,
then patch65.  To install patch34, uncompress and untar "patch34.tar.Z"
and follow the instructions in the "README.FIRST" file.

These patches are available by anonymous FTP from ftp.sgi.com
in the "security" directory:

                Standard      System V       MD5
                Unix          Unix           Digital Signature
patch34.tar.Z:  11066 15627   1674 31253     2859d0debff715c5beaccd02b6bebded
patch65.tar:    63059 1220    15843 2440     af8c120f86daab9df74998b31927e397

================= END of CERT-CC text ========================================

CERT-NL thanks CERT-CC and SGI and advises relevant system-managers to
apply and obtain the patches from
ftp//ftp.nic.surfnet.nl/surfnet/net-security/cert-nl/patches/misc

==============================================================================
CERT-NL is the Computer Emergency Response Team for SURFnet customers. SURFnet
is the Dutch network for educational, research and related institutes. CERT-NL
is a member of the Forum of Incident Response and Security Teams (FIRST).

All CERT-NL material is available under:
  http://cert.surfnet.nl/

In case of computer or network security problems please contact your local
CERT/security-team or CERT-NL  (if your institute is NOT a SURFnet customer
please address the appropriate (local) CERT/security-team).

CERT-NL is one/two hour(s) ahead of UTC (GMT) in winter/summer,
i.e. UTC+0100 in winter and UTC+0200 in summer (DST).

   Email:     cert-nl@surfnet.nl     ATTENDED REGULARLY ALL DAYS
   Phone:     +31 302 305 305        BUSINESS HOURS ONLY
   Fax:       +31 302 305 329        BUSINESS HOURS ONLY
   Snailmail: SURFnet bv
              Attn. CERT-NL
              P.O. Box 19035
              NL - 3501 DA  UTRECHT
              The Netherlands

NOODGEVALLEN:    06 22 92 35 64      ALTIJD BEREIKBAAR
EMERGENCIES : +31 6 22 92 35 64      ATTENDED AT ALL TIMES
CERT-NL'S EMERGENCY PHONENUMBER IS ONLY TO BE USED IN CASE OF EMERGENCIES:
THE SURFNET HELPDESK OPERATING THE EMERGENCY NUMBER HAS A *FIXED*
PROCEDURE FOR DEALING WITH YOUR ALERT AND WILL IN REGULAR CASES RELAY IT
TO CERT-NL IN AN APPROPRIATE MANNER. CERT-NL WILL THEN CONTACT YOU.
===============================================================================

-----BEGIN PGP SIGNATURE-----
Version: PGP 6.5.1i

iQA/AwUBOL6WGDSYjBqwfc9jEQLIYACgmICrtRuPipVkxhNmI49T9BVZ+9UAnA9X
fc3V7YF4vLFIRJJNR45fcIkf
=CpRn
-----END PGP SIGNATURE-----