94-04a

Posted Sep 23, 1999


SHA-256 | 0ee8d1cead4fdc2b077e834f3e7bc922f26ef140d212ee368beff1c77b0d4309

=============================================================================
AA-94.04a AUSCERT Advisory
12-Aug-1994
SGI IRIX 5.x sgihelp vulnerability
-----------------------------------------------------------------------------

*** This Advisory contains updated information ***

The Australian Computer Emergency Response Team has received information
that a vulnerability exists within the sgihelp subsystem of all SGI IRIX
5.x systems. The previous version of this Advisory indicated that the
status of earlier versions of IRIX was unknown.

1. Description

A vulnerability exists with all Silicon Graphics IRIX 5.x systems
that allows exploitation of the sgihelp system to gain privileged
access. The user must either log into an account on the system, or
have physical access to the console to exploit this vulnerability.

Information on how to exploit this vulnerability has recently been
made available to the firewalls list.

Silicon Graphics have released patches for this vulnerability.
They can be obtained from either:

ftp://ftp.sgi.com/~ftp/security/patch34.tar.Z
ftp://ftp.sgi.com/~ftp/security/patch65.tar

or

ftp://ftp.sert.edu.au/security/sgi/patch/patch34.tar.Z
ftp://ftp.sert.edu.au/security/sgi/patch/patch65.tar

**** Australian users are advised to obtain these patches from the
**** ftp.sert.edu.au site, as these patch files are approximately 17Mb
**** in size. These patches will be available shortly.

Silicon Graphics recently issued a Security Advisory that indicated
a workaround for this vulnerability by removing the ViewerHelp
books. This workaround was only partially effective, and should
not be used as a total solution. See Section 3 for more details.

An sgihelp wrapper program was recently sent to the bugtraq list.
This wrapper only partially addresses the problem. It will still
allow one non-privileged user to become another non-privileged
user.

Exploitation of this vulnerability is not easily detected. Standard
intrusion detection techniques such as Tripwire, Cops, and good
system administration skills will assist in the detection of any
intrusion.

2. Impact

Non-privileged users may gain privileged access.
Non-logged in users may gain privileged access if they have
physical access to the console.

3. Solutions

Two solutions are provided. The first is an emergency solution
that resolves the vulnerability, and may be used if there is a
reason why the patches cannot be installed. The second solution is
only available for IRIX 5.2.

3.1 Remove the Help facility.

By removing the help facility, the vulnerability cannot be
exploited. This solution is implemented by issuing the following
command as root:

# /bin/mv /usr/sbin/sgihelp /usr/sbin/sgihelp.disabled

The sgihelp facility can be reenabled by renaming the
sgihelp.disabled file back to sgihelp after the patches detailed
below have been applied.

Another method that is functionally equivalent to renaming the
sgihelp binary is to remove it by issuing the following commands as
root:

# versions remove sgihelp.sw.eoe

To reinstall the software after the patches detailed below have
been applied, the following commands can be used:

# inst -f /CDROM/dist/sgihelp
Inst> install sgihelp.sw.eoe
Inst> go

The impact of this solution is that the "Help" facilities within
the IRIX system will not function for any user.

This solution removes the vulnerability.

**** Note: This is the only solution available for versions of IRIX
**** other than 5.2. The supplied patches will operate only for
**** IRIX

3.2 Install the Silicon Graphics supplied patches

**** Note: This solution will only operate for IRIX version 5.2.
**** Earlier versions must either use solution 3.1, or upgrade to
**** IRIX 5.2 and apply either of solutions 3.1 or 3.2.

If you are running IRIX 5.2, obtain and install patch65 according
to the instructions provided. These instructions can be found in the
"relnotes.patchSG0000065" file in the patch65.tar file (see below).

To install this patch successfully, you need to have the latest SGI
"inst" program installed (this is available as patch00 or patch34).

SGI has provided instructions for determining if the new install
program is on your system. We have placed these in an appendix
at the end of this advisory.

Filename            patch65.tar
Standard Unix Sum   63059 1220
System V Sum        15843 2440
MD5                 af8c120f86daab9df74998b31927e397


Filename            patch34.tar.Z
Standard Unix Sum   11066 15627
System V Sum        1674 31253
MD5                 2859d0debff715c5beaccd02b6bebded
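
The checksums listed above can be checked before a patch is installed. The shell functions below are an added example, not part of the AUSCERT advisory or SGI's instructions; they assume GNU coreutils, where `sum` gives the "Standard Unix" (BSD) sum and `sum -s` the System V sum, and the function names are illustrative.

```shell
#!/bin/sh
# Added example (not part of the advisory). Assumes GNU coreutils:
# `sum` = "Standard Unix" (BSD) sum, `sum -s` = System V sum, plus `md5sum`.

# Values copied from the advisory: name|BSD sum|blocks|SysV sum|blocks|MD5
ADVISORY_SUMS='patch65.tar|63059|1220|15843|2440|af8c120f86daab9df74998b31927e397
patch34.tar.Z|11066|15627|1674|31253|2859d0debff715c5beaccd02b6bebded'

# check_sums FILE BSD_SUM BSD_BLOCKS SYSV_SUM SYSV_BLOCKS MD5
# Returns 0 only when all three checksums match, 1 on any mismatch, 2 if unreadable.
check_sums() {
    cs_file=$1
    cs_rc=0
    [ -r "$cs_file" ] || { echo "cannot read: $cs_file" >&2; return 2; }
    # Feed the file on stdin so the tools print no file name; "+0" strips the
    # zero padding that BSD sum adds to small checksums.
    cs_bsd=$(sum < "$cs_file" | awk '{print $1+0, $2+0}')
    cs_sysv=$(sum -s < "$cs_file" | awk '{print $1+0, $2+0}')
    cs_md5=$(md5sum < "$cs_file" | awk '{print $1}')
    [ "$cs_bsd" = "$2 $3" ] || { echo "BSD sum mismatch: got $cs_bsd, want $2 $3"; cs_rc=1; }
    [ "$cs_sysv" = "$4 $5" ] || { echo "SysV sum mismatch: got $cs_sysv, want $4 $5"; cs_rc=1; }
    [ "$cs_md5" = "$6" ] || { echo "MD5 mismatch: got $cs_md5, want $6"; cs_rc=1; }
    return "$cs_rc"
}

# verify_patch FILE
# Looks FILE's base name up in ADVISORY_SUMS and checks it; returns 2 if unlisted.
verify_patch() {
    vp_file=$1
    vp_line=$(printf '%s\n' "$ADVISORY_SUMS" |
        awk -F'|' -v n="$(basename "$vp_file")" '$1 == n')
    [ -n "$vp_line" ] || { echo "no advisory entry for: $vp_file" >&2; return 2; }
    vp_ifs=$IFS
    IFS='|'
    set -- $vp_line        # $1=name $2..$5=sums and block counts $6=MD5
    IFS=$vp_ifs
    check_sums "$vp_file" "$2" "$3" "$4" "$5" "$6"
}

# Usage: verify_patch ./patch65.tar && echo "patch65.tar matches the advisory"
```

A patch is installed only when `verify_patch` returns 0; any single mismatch among the three values is treated as a failed download.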

Patches are available on CD. Contact your nearest SGI service
provider for distribution. SGI advise that customers do not
require a service support agreement to receive the security
patches.


----------------------------------------------------------------------------
The AUSCERT team wishes to thank Max Hailperin of Gustavus Adolphus
College, Douglas Ray of Melbourne University, Jeffrey Olds of Silicon
Graphics, and members of the CIAC and CERT teams for their advice and
cooperation in this matter.
----------------------------------------------------------------------------

If you believe that your system has been compromised, contact AUSCERT or your
representative in FIRST (Forum of Incident Response and Security Teams).

Internet Email: auscert@auscert.org.au
Facsimile: (07) 365 4477
AUSCERT Hotline:(07) 365 4417
AUSCERT personnel answer during business hours (AEST GMT+10:00).
(On call after hours for emergencies).

Australian Computer Emergency Response Team
c/- Prentice Centre
The University of Queensland
Qld. 4072.
Australia.


-------------------------------------8<--------------------------------------

Appendix to AA-94.04

There are three patches related to this Advisory - patch00, patch34, and patch65.

Patch34 is an update to patch00 which modifies the "inst" program to
be able to handle patch updates. At least one of patch00 or patch34
is required to be installed before installing patch65. To determine
if the new inst program is already installed on your system,
the following command can be issued:

# versions patch\*
I = Installed, R = Removed

   Name                          Date       Description

I  patchSG0000034                08/10/94   Patch SG0000034
I  patchSG0000034.eoe1_sw        08/10/94   IRIX Execution Environment Software
I  patchSG0000034.eoe1_sw.unix   08/10/94   IRIX Execution Environment


If patchSG0000000 or patchSG0000034 (as seen above) is loaded,
then it is only necessary to download patch65 as described in the advisory.
This is important since patch34 is rather large (16MB).

Otherwise, download both patch34 and patch65. Install patch34 first,
then patch65. To install patch34, uncompress and untar "patch34.tar.Z"
and follow the instructions in the "README.FIRST" file.


