=============================================================================
AA-94.04a AUSCERT Advisory
12-Aug-1994
SGI IRIX 5.x sgihelp vulnerability
-----------------------------------------------------------------------------
*** This Advisory contains updated information ***
The Australian Computer Emergency Response Team has received information
that a vulnerability exists within the sgihelp subsystem of all SGI IRIX
5.x systems. The previous version of this Advisory indicated that the
status of earlier versions of IRIX was unknown.
1. Description
A vulnerability exists in all Silicon Graphics IRIX 5.x systems
that allows exploitation of the sgihelp system to gain privileged
access. The user must either log into an account on the system, or
have physical access to the console to exploit this vulnerability.
Information on how to exploit this vulnerability has recently been
made available to the firewalls list.
Silicon Graphics have released patches for this vulnerability.
They can be obtained from either:
ftp://ftp.sgi.com/~ftp/security/patch34.tar.Z
ftp://ftp.sgi.com/~ftp/security/patch65.tar
or
ftp://ftp.sert.edu.au/security/sgi/patch/patch34.tar.Z
ftp://ftp.sert.edu.au/security/sgi/patch/patch65.tar
**** Australian users are advised to obtain these patches from the
**** ftp.sert.edu.au site, as these patch files are approximately 17Mb
**** in size. These patches will be available shortly.
Silicon Graphics recently issued a Security Advisory that indicated
a workaround for this vulnerability by removing the ViewerHelp
books. This workaround was only partially effective, and should
not be used as a total solution. See Section 3 for more details.
An sgihelp wrapper program was recently sent to the bugtraq list.
This wrapper only partially addresses the problem. It will still
allow one non-privileged user to become another non-privileged
user.
Exploitation of this vulnerability is not easily detected. Standard
intrusion detection techniques such as Tripwire, Cops, and good
system administration skills will assist in the detection of any
intrusion.
2. Impact
Non-privileged users may gain privileged access.
Users who are not logged in may gain privileged access if they have
physical access to the console.
3. Solutions
Two solutions are provided. The first is an emergency solution
that resolves the vulnerability, and may be used if there is a
reason why the patches cannot be installed. The second solution is
only available for IRIX 5.2.
3.1 Remove the Help facility.
By removing the help facility, the vulnerability cannot be
exploited. This solution is implemented by issuing the following
command as root:
# /bin/mv /usr/sbin/sgihelp /usr/sbin/sgihelp.disabled
The sgihelp facility can be reenabled by renaming the
sgihelp.disabled file back to sgihelp after the patches detailed
below have been applied.
Another method that is functionally equivalent to renaming the
sgihelp binary is to remove it by issuing the following command as
root:
# versions remove sgihelp.sw.eoe
To reinstall the software after the patches detailed below have
been applied, the following commands can be used:
# inst -f /CDROM/dist/sgihelp
Inst> install sgihelp.sw.eoe
Inst> go
The impact of this solution is that the "Help" facilities within
the IRIX system will not function for any user.
This solution removes the vulnerability.
**** Note: This is the only solution available for versions of IRIX
**** other than 5.2. The supplied patches will operate only for
**** IRIX
3.2 Install the Silicon Graphics supplied patches
**** Note: This solution will only operate for IRIX version 5.2.
**** Earlier versions must either use solution 3.1, or upgrade to
**** IRIX 5.2 and apply either of solutions 3.1 or 3.2.
If you are running IRIX 5.2, obtain and install patch65 according
to the instructions provided. These instructions can be found in the
"relnotes.patchSG0000065" file in the patch65.tar file (see below).
To install this patch successfully, you need to have the latest SGI
"inst" program installed (this is available as patch00 or patch34).
SGI has provided instructions for determining if the new install
program is on your system. We have placed these in an appendix
at the end of this advisory.
Filename            patch65.tar
Standard Unix Sum   63059 1220
System V Sum        15843 2440
MD5                 af8c120f86daab9df74998b31927e397

Filename            patch34.tar.Z
Standard Unix Sum   11066 15627
System V Sum        1674 31253
MD5                 2859d0debff715c5beaccd02b6bebded
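One way to check downloaded patch files against the checksum blocks above, as an added example that is not part of the AUSCERT advisory: the script reads "Filename"/"MD5" pairs from a saved copy of those blocks and compares each file's MD5. The function names, the manifest file and the patchXX.tar stand-in are hypothetical; the demo input is constructed.

```shell
#!/bin/sh
# Added example, not from the advisory. Verifies files against
# "Filename ... / MD5 ..." blocks in the layout the advisory uses.
# Usage: verify_patches <manifest-file> <download-dir>

md5_of() {  # print the hex MD5 of file $1 (md5sum, else openssl)
    if command -v md5sum >/dev/null 2>&1; then md5sum < "$1" | awk '{print $1}'
    else openssl md5 < "$1" | awk '{print $NF}'; fi
}

verify_patches() {
    manifest=$1 dir=$2 status=0
    # Pair each "Filename" line with the "MD5" line that follows it;
    # the two "Sum" lines in between are skipped.
    pairs=$(awk '$1 == "Filename" { f = $2 }
                 $1 == "MD5" && f != "" { print f, $2; f = "" }' "$manifest")
    [ -n "$pairs" ] || { echo "no Filename/MD5 entries in manifest" >&2; return 2; }
    while read -r name want; do
        if [ ! -f "$dir/$name" ]; then
            echo "MISSING  $name"; status=1
        elif [ "$(md5_of "$dir/$name")" = "$want" ]; then
            echo "OK       $name"
        else
            echo "MISMATCH $name"; status=1   # do not install this file
        fi
    done <<EOF
$pairs
EOF
    return $status
}

# Constructed demo: a stand-in file holding "abc", whose MD5 is the
# RFC 1321 test vector. The Sum values here are placeholders.
demo=$(mktemp -d)
trap 'rm -rf "$demo"' EXIT
printf 'abc' > "$demo/patchXX.tar"
cat > "$demo/manifest.txt" <<'EOF'
Filename patchXX.tar
Standard Unix Sum 0 0
System V Sum 0 0
MD5 900150983cd24fb0d6963f7d28e17f72
EOF
verify_patches "$demo/manifest.txt" "$demo"
```

A non-zero exit status means at least one file is missing or does not match and should be fetched again before installation.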
Patches are available on CD. Contact your nearest SGI service
provider for distribution. SGI advise that customers do not
require a service support agreement to receive the security
patches.
----------------------------------------------------------------------------
The AUSCERT team wishes to thank Max Hailperin of Gustavus Adolphus
College, Douglas Ray of Melbourne University, Jeffrey Olds of Silicon
Graphics, and members of the CIAC and CERT teams for their advice and
cooperation in this matter.
----------------------------------------------------------------------------
If you believe that your system has been compromised, contact AUSCERT or your
representative in FIRST (Forum of Incident Response and Security Teams).
Internet Email: auscert@auscert.org.au
Facsimile: (07) 365 4477
AUSCERT Hotline: (07) 365 4417
AUSCERT personnel answer during business hours (AEST GMT+10:00).
(On call after hours for emergencies).
Australian Computer Emergency Response Team
c/- Prentice Centre
The University of Queensland
Qld. 4072.
Australia.
-------------------------------------8<--------------------------------------
Appendix to AA-94.04
There are three patches related to this Advisory - patch00, patch34, and patch65.
Patch34 is an update to patch00 which modifies the "inst" program to
be able to handle patch updates. At least one of patch00 or patch34
is required to be installed before installing patch65. To determine
if the new inst program is already installed on your system,
the following command can be issued:
# versions patch\*
I = Installed, R = Removed

   Name                         Date      Description
I  patchSG0000034               08/10/94  Patch SG0000034
I  patchSG0000034.eoe1_sw       08/10/94  IRIX Execution Environment Software
I  patchSG0000034.eoe1_sw.unix  08/10/94  IRIX Execution Environment
If patchSG0000000 or patchSG0000034 (as seen above) is loaded,
then it is only necessary to download patch65 as described in the advisory.
This is important since patch34 is rather large (16MB).
Otherwise, download both patch34 and patch65. Install patch34 first,
then patch65. To install patch34, uncompress and untar "patch34.tar.Z"
and follow the instructions in the "README.FIRST" file.
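
The appendix's decision rule as a shell function, as an added example that is not part of the AUSCERT advisory: it reads `versions patch\*` output on stdin and prints the patches to download, in install order. The function name and the sample listings are constructed; treating an "R" (removed) entry as not installed is an assumption drawn from the listing's legend.

```shell
#!/bin/sh
# Added example, not from the advisory: pick the patches to download
# from `versions patch\*` output read on stdin.
patches_needed() {
    awk '
        # Product-level lines only: status flag in field 1, product name
        # in field 2. Subsystem lines (patchSG0000034.eoe1_sw ...) and the
        # "I = Installed, R = Removed" legend do not match.
        # Assumption: an "R" entry does not count as a patch-aware inst.
        $1 == "I" && ($2 == "patchSG0000000" || $2 == "patchSG0000034") { inst_ok = 1 }
        END { print (inst_ok ? "patch65" : "patch34 patch65") }
    '
}

# Constructed sample listings (the first mirrors the appendix output).
sample_installed='I = Installed, R = Removed
   Name                         Date      Description
I  patchSG0000034               08/10/94  Patch SG0000034
I  patchSG0000034.eoe1_sw       08/10/94  IRIX Execution Environment Software'

sample_removed='I = Installed, R = Removed
   Name                         Date      Description
R  patchSG0000034               08/10/94  Patch SG0000034'

sample_none='I = Installed, R = Removed
   Name                         Date      Description'

for s in "$sample_installed" "$sample_removed" "$sample_none"; do
    printf '%s\n' "$s" | patches_needed
done
```

On an IRIX host the live listing can be piped in directly: `versions patch\* | patches_needed`.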