S-98-46.asc

Posted Jan 10, 2000

Subject SGI IRIX 6.3 & 6.4 mailcap vulnerability Date 21-Jul-98

systems | irix
SHA-256 | eff8f0142080611ad0e9e0b9309af3d41d7b79851870816c2446edc8f19d3085

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

===============================================================================
>> CERT-NL, 01-Mar-2000 <<
>> All CERT-NL information has been moved to http://cert.surfnet.nl. Links <<
>> to CERT-NL information contained in this advisory are therefore outdated. <<
>> <<
>> CERT-NL also has stopped the CERT-CC-Mirror service. Due to this the <<
>> links to the CERT-CC mirror are obsolete. Visit the CERT-CC site for the <<
>> complete CERT-CC advisory texts: http://www.cert.org <<
===============================================================================
===============================================================================
Security Advisory CERT-NL
===============================================================================
Author/Source : Teun Nijssen                               Index  : S-98-46
Distribution  : World                                      Page   : 1
Classification: External                                   Version: 1
Subject       : SGI IRIX 6.3 & 6.4 mailcap vulnerability   Date   : 21-Jul-98
===============================================================================

By courtesy of Silicon Graphics Inc. we received information on
a vulnerability in mailcap.

==============================================================================

Silicon Graphics Inc. Security Advisory

Title: IRIX 6.3 & 6.4 mailcap vulnerability
Number: 19980403-02-PX
Date: July 20, 1998
______________________________________________________________________________

---------------
---- Update ---
---------------

As part of ongoing security efforts, Silicon Graphics has replaced
patch 2336 with patch 3068. Patch 2336 had an incorrect patch range.
The original text from SGI Security Advisory 19980403-01-PX has been updated to
reflect this change.


-----------------------
--- Issue Specifics ---
-----------------------

The System Manager sysmgr(1M) provides a web-browser-like GUI interface to
tasks that help you administer an SGI workstation. sysmgr(1M) uses multiple
tools to manage its GUI interface, two of them being runtask(1M) and
runexec(1M).

By mimicking the descriptor files of runtask(1M) or runexec(1M), an SGI user
browsing web pages or reading email can inadvertently download a "trojan horse"
runtask(1M) or runexec(1M) descriptor file. The "trojan horse" descriptor file
will execute a local System Manager Task with the privileges of the user web
browsing and can lead to a local root compromise.

Silicon Graphics Inc. has investigated the issue and recommends the
following steps for neutralizing the exposure. It is HIGHLY RECOMMENDED
that these measures be implemented on ALL vulnerable SGI systems. This
issue will be corrected in future releases of IRIX.


--------------
--- Impact ---
--------------

All IRIX 6.3/6.4 users that have Mailcap entries for x-sgi-task
and x-sgi-exec have this vulnerability. On IRIX 6.3/6.4, these vulnerable
Mailcap entries are installed by default in /usr/local/lib/netscape/mailcap .
Users can add their own Mailcap entries in their home directories
($HOME/.mailcap) and these need to be inspected for the vulnerable x-sgi-task and
x-sgi-exec entries.

By default, this vulnerability requires an IRIX 6.3/6.4 user to use
Netscape Navigator to web browse or read email from a malicious site
and download a "trojan horse" System Manager Task which will execute
locally with the privileges of the user web browsing. If the user is a
privileged or root user, the "trojan horse" System Manager Task will execute
with root privileges and can lead to a root compromise.


--------------------------
--- Temporary Solution ---
--------------------------

Although patches are available for this issue, it is realized that
there may be situations where installing the patches immediately may
not be possible.


1) Become the root user on the system.

% /bin/su -
Password:
#

2) Edit the default Mailcap file.

# vi /usr/local/lib/netscape/mailcap

3) Remove the following vulnerable mailcap entries:

application/x-sgi-task; /usr/sysadm/bin/runtask %s; \
description="System Administration Task"

application/x-sgi-exec; /usr/sysadm/bin/runexec %s; \
description="System Administration Executable"

4) Find any additional mailcap files and remove any vulnerable entries.

You will need to run the find(1) command on each system you
maintain because the command examines files on local disks only.

Note that this is one long command, though we have separated it
onto three lines using backslashes.

# find / -local -type f \( -name 'mailcap' -o \
-name '.mailcap' \) -exec egrep 'runexec|runtask' {} \
/dev/null \;

This command will find all files on a system that:
    are only in the local file system (/ -local)
    are regular files (-type f)
    have the name "mailcap" (-name 'mailcap') or the name ".mailcap"

Once found, those files will be searched for the string "runexec" or
"runtask" (-exec egrep 'runexec|runtask' {}) and have their path names
printed.

The addition of /dev/null as an argument causes egrep to list the
full pathname of any file containing the string, rather than just the
basename.

Edit the files that have the pathnames printed and remove any
vulnerable runtask/runexec mailcap entries.

5) Return to previous level.

# exit
%
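
The egrep in step 4 only reports the line that names runtask or runexec, while each vulnerable entry continues onto a second line with a trailing backslash. The following is an added example, not part of the SGI advisory: a shell/awk filter that treats a continued entry as one unit so it can be listed or removed whole. The function names scan_mailcap and sample_mailcap are hypothetical and the sample file is constructed.

```shell
#!/bin/sh
# Added example (not from the SGI advisory). scan_mailcap and sample_mailcap
# are hypothetical names; the sample mailcap below is constructed.

# scan_mailcap MODE   (reads a mailcap file on stdin)
#   list  - print each flagged entry, continuation lines joined into one line
#   strip - print the file with flagged entries removed, everything else as-is
# An entry is flagged when its type is application/x-sgi-task or
# application/x-sgi-exec, or when its view command names runtask/runexec.
scan_mailcap() {
    awk -v mode="$1" '
    function flush(   n, f, type, cmd, bad) {
        n = split(flat, f, ";")
        type = tolower(f[1]); gsub(/[ \t]/, "", type)
        cmd = (n >= 2) ? f[2] : ""
        bad = (flat !~ /^[ \t]*#/) &&
              (type ~ /^application\/x-sgi-(task|exec)$/ || cmd ~ /runtask|runexec/)
        if (bad && mode == "list")   print flat
        if (!bad && mode == "strip") print raw
        have = 0
    }
    {
        raw  = have ? (raw "\n" $0) : $0   # entry exactly as written
        line = $0
        cont = sub(/\\$/, "", line)        # 1 when the line ends in a backslash
        flat = have ? (flat line) : line   # entry with continuations joined
        have = 1
        if (!cont) flush()                 # entry is complete: classify it
    }
    END { if (have) flush() }              # entry cut off by end of file
    '
}

# Constructed sample: the two entries from step 3 plus unrelated lines.
sample_mailcap() {
    cat <<'EOF'
# constructed sample mailcap
image/gif; xv %s
application/x-sgi-task; /usr/sysadm/bin/runtask %s; \
	description="System Administration Task"
application/x-sgi-exec; /usr/sysadm/bin/runexec %s; \
	description="System Administration Executable"
audio/basic; sfplay %s
EOF
}

sample_mailcap | scan_mailcap list
# Real use: scan_mailcap strip < /usr/local/lib/netscape/mailcap > mailcap.new
```

Review the output of the strip mode before replacing the original file, and repeat it for every path that the find command in step 4 prints.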


----------------
--- Solution ---
----------------

OS Version     Vulnerable?     Patch #      Other Actions
----------     -----------     -------      -------------

IRIX 3.x          no
IRIX 4.x          no
IRIX 5.0.x        no
IRIX 5.1.x        no
IRIX 5.2          no
IRIX 5.3          no
IRIX 6.0.x        no
IRIX 6.1          no
IRIX 6.2          no
IRIX 6.3          yes           3068
IRIX 6.4          yes           2339
IRIX 6.5          no

Patches are available via anonymous FTP and your service/support provider.

The SGI anonymous FTP site is sgigate.sgi.com (204.94.209.1) or its
mirror, ftp.sgi.com. Security information and patches can be found
in the ~ftp/security and ~ftp/patches directories, respectively.



##### Patch File Checksums ####

The actual patch will be a tar file containing the following files:

Filename: README.patch.3068
Algorithm #1 (sum -r): 54529 8 README.patch.3068
Algorithm #2 (sum): 33465 8 README.patch.3068
MD5 checksum: E91EB7C7124D8A40DD81DD1CB8CC9DA2

Filename: patchSG0003068
Algorithm #1 (sum -r): 54264 2 patchSG0003068
Algorithm #2 (sum): 7687 2 patchSG0003068
MD5 checksum: 6EE55314047752A8B7BFA96EB551DE9F

Filename: patchSG0003068.idb
Algorithm #1 (sum -r): 31861 2 patchSG0003068.idb
Algorithm #2 (sum): 13383 2 patchSG0003068.idb
MD5 checksum: 5ACBB5E60F27283E8099C0F310E3BBC9

Filename: patchSG0003068.netscape_gold_sw
Algorithm #1 (sum -r): 07593 20 patchSG0003068.netscape_gold_sw
Algorithm #2 (sum): 3826 20 patchSG0003068.netscape_gold_sw
MD5 checksum: 893D690FA20C0AC4E6E4B7E67465B0E2

Filename: patchSG0003068.netscape_sw
Algorithm #1 (sum -r): 04774 6 patchSG0003068.netscape_sw
Algorithm #2 (sum): 24847 6 patchSG0003068.netscape_sw
MD5 checksum: B6FD69352794F52288D536320CBB4A77


Filename: README.patch.2339
Algorithm #1 (sum -r): 11695 8 README.patch.2339
Algorithm #2 (sum): 21823 8 README.patch.2339
MD5 checksum: 114563D0D67F80E371C71EF3E6262900

Filename: patchSG0002339
Algorithm #1 (sum -r): 37814 2 patchSG0002339
Algorithm #2 (sum): 40753 2 patchSG0002339
MD5 checksum: E0B519F8ECD83396E29DFE07DF23517E

Filename: patchSG0002339.idb
Algorithm #1 (sum -r): 59311 2 patchSG0002339.idb
Algorithm #2 (sum): 54667 2 patchSG0002339.idb
MD5 checksum: 8E39530FD44C9087F0C07B1F75043764

Filename: patchSG0002339.netscape_gold_sw
Algorithm #1 (sum -r): 39233 20 patchSG0002339.netscape_gold_sw
Algorithm #2 (sum): 53498 20 patchSG0002339.netscape_gold_sw
MD5 checksum: 7FF56E22472B0797499920BAAB8CA9C5


-------------------------
---- Acknowledgments ---
-------------------------

Silicon Graphics wishes to thank the CERT Coordination Center, and
AUSCERT for their assistance in this matter.

==============================================================================
CERT-NL is the Computer Emergency Response Team for SURFnet customers. SURFnet
is the Dutch network for educational, research and related institutes. CERT-NL
is a member of the Forum of Incident Response and Security Teams (FIRST).

All CERT-NL material is available under:
http://cert.surfnet.nl/

In case of computer or network security problems please contact your local
CERT/security-team or CERT-NL (if your institute is NOT a SURFnet customer
please address the appropriate (local) CERT/security-team).

CERT-NL is one/two hour(s) ahead of UTC (GMT) in winter/summer,
i.e. UTC+0100 in winter and UTC+0200 in summer (DST).

Email: cert-nl@surfnet.nl ATTENDED REGULARLY ALL DAYS
Phone: +31 302 305 305 BUSINESS HOURS ONLY
Fax: +31 302 305 329 BUSINESS HOURS ONLY
Snailmail: SURFnet bv
Attn. CERT-NL
P.O. Box 19035
NL - 3501 DA UTRECHT
The Netherlands

NOODGEVALLEN: 06 22 92 35 64 ALTIJD BEREIKBAAR
EMERGENCIES : +31 6 22 92 35 64 ATTENDED AT ALL TIMES
CERT-NL'S EMERGENCY PHONENUMBER IS ONLY TO BE USED IN CASE OF EMERGENCIES:
THE SURFNET HELPDESK OPERATING THE EMERGENCY NUMBER HAS A *FIXED*
PROCEDURE FOR DEALING WITH YOUR ALERT AND WILL IN REGULAR CASES RELAY IT
TO CERT-NL IN AN APPROPRIATE MANNER. CERT-NL WILL THEN CONTACT YOU.
===============================================================================

-----BEGIN PGP SIGNATURE-----
Version: PGP 6.5.1i

iQA/AwUBOL6IjTSYjBqwfc9jEQK9MQCfS72Mp2YglpdQEje3teklUXzwuZkAnRsD
Ob6YwUSUP9wgtem+AczGb+2H
=rG8n
-----END PGP SIGNATURE-----