AA-96.08.SGI.systour.vul
d6db5b8f33fea071a13bea593e7305e460c8dfdae29cb41036f963f88ddd09ba-----BEGIN PGP SIGNED MESSAGE-----
===========================================================================
AA-96.08 AUSCERT Advisory
Vulnerability in SGI systour package
5 November 1996
Last Revised: 7 November 1996
Added more specific SGI information
Added SGI security advisory in Appendix A
- ---------------------------------------------------------------------------
AUSCERT has received information that there is a vulnerability in the SGI
Indigo Magic System Tour package, systour, under IRIX versions 5.0.x,
5.1.x, 5.2, 5.3, 6.0.x, 6.1, 6.2 and 6.3. This product is used to
demonstrate the features and functionality of the Indigo Magic User
Environment.
This vulnerability may allow local users to gain root privileges.
Exploit details involving this vulnerability have been widely distributed.
AUSCERT has been informed that no vendor patches will be released to
address this vulnerability, although it will be corrected in future
releases of IRIX. AUSCERT recommends that sites apply the steps
outlined in Section 3 immediately.
- ---------------------------------------------------------------------------
1. Description
The SGI Indigo Magic System Tour package, systour, is used to
demonstrate the features and functionality of the Indigo Magic User
Environment under IRIX versions 5.0.x, 5.1.x, 5.2, 5.3, 6.0.x, 6.1,
6.2 and 6.3. As part of the tour, there is an option to remove the
tour when the user is finished. The tour is removed with the auxiliary
program:
/usr/lib/tour/bin/RemoveSystemTour
RemoveSystemTour uses "inst", IRIX's software management tool, to
remove the system tour. As inst requires root privileges to remove
the tour, RemoveSystemTour is setuid root. This allows local users
to effectively execute inst with root privileges when removing the
tour. As inst is a highly configurable program, local users may be
able to manipulate environment variables and local configuration files
to force inst, when called from RemoveSystemTour, to execute arbitrary
commands with root privileges.
All sites are encouraged to check their systems for the systour package
and, if installed, immediately apply the actions recommended in
Section 3. To determine if the vulnerable package is installed, use
the command:
% versions systour
2. Impact
Local users may be able to execute arbitrary commands with root
privileges.
3. Workarounds/Solution
AUSCERT recommends that sites prevent exploitation of this
vulnerability by immediately applying the workaround given in
Section 3.1. If the systour package is no longer needed, it is
recommended that sites remove it from their systems (Section 3.2)
Silicon Graphics Inc. have released a Security Advisory addressing
the vulnerability described in Section 1 and has been included in
Appendix A below. Sites are encouraged to review the SGI advisory as
it contains additional security information.
3.1 Remove setuid permissions
Remove the setuid root permissions from the RemoveSystemTour
executable. The following command should be run as root.
# chmod u-s /usr/lib/tour/bin/RemoveSystemTour
# ls -l /usr/lib/tour/bin/RemoveSystemTour
-rwxr-xr-x 1 root sys 10024 Nov 22 1994
/usr/lib/tour/bin/RemoveSystemTour
Note that the removal of the setuid bit will prevent non-privileged
users removing the system tour.
3.2 Remove the package
If the systour package is no longer needed, sites are encouraged to
remove it completely from their systems. This can be done by running,
as root, the GUI software management tool, swmgr, or the command:
# versions remove systour
Sites can check that the package has been removed with the command:
# versions systour
...........................................................................
Appendix A
- ----------------------BEGIN SGI SECURITY ADVISORY--------------------------
______________________________________________________________________________
Silicon Graphics Inc. Security Advisory
Title: Possible Vulnerabilities in systour and OutOfBox
Title: Subsystems for IRIX 5.x, 6.0.x, 6.1, 6.2 and 6.3
Number: 19961101-01-I
Date: November 6, 1996
______________________________________________________________________________
Silicon Graphics provides this information freely to the SGI user community
for its consideration, interpretation, implementation and use. Silicon
Graphics recommends that this information be acted upon as soon as possible.
Silicon Graphics will not be liable for any indirect, special, or
consequential damages arising from the use of, failure to use or improper
use of any of the instructions or information in this Security Advisory.
______________________________________________________________________________
Recently, potential security vulnerabilities in the OutOfBox and systour
subsystems have been advertised in several public forums. Additionally,
the Australian Computer Emergency Response Team (AUSCERT) released an
advisory (AA-96.08) on this issue.
Silicon Graphics Inc. has investigated the issues and recommends the
following steps for neutralizing exposure. It is HIGHLY RECOMMENDED
that these measures be implemented on ALL SGI systems running IRIX versions
5.0.x, 5.1.x, 5.2, 5.3, 6.0.x, 6.1, 6.2 and 6.3. This issue will be
corrected in future releases of IRIX.
- - --------------
- - --- Impact ---
- - --------------
The Silicon Graphics Indigo Magic System Tour and OutOfBox Experience
packages are factory installed on all Silicon Graphics Indy systems.
The Indigo Magic System Tour and OutOfBox Experience packages are not
factory installed with any Silicon Graphics Indigo2 systems however, CDs
with these packages are provided with the systems.
The OutOfBox Experience subsystem is factory installed on all Silicon
Graphics O2 systems. The System Tour subsystem is not part of the
software provided for the O2 system.
Note that either or both the Indigo Magic System Tour and OutOfBox
Experience subsystems maybe be installed from CD on any Silicon Graphics
system.
The purpose of these two packages, systour and OutOfBox, are to demonstrate
and highlight the features and capabilities of the user environment and
system.
Due to the disk space requirements of these subsystems, most sites will
remove these subsystems for disk space reclamation as part of initial
system setup. Those sites which have done this will not be vulnerable.
On those systems that the subsystems are still installed on, both
subsystems provide background setuid root programs to perform a subsystem
removal when a user decides to remove the software. This removal is done
using the standard IRIX /usr/sbin/inst program that manages IRIX software.
Provided with the right environment, the inst program could be manipulated
to execute arbitrary commands with root privileges.
An account on the vulnerable system is required for exploit. With an
account, these vulnerabilities are exploitable by both local and remote
access.
- - ----------------
- - --- Solution ---
- - ----------------
There are no patches for these issues. However, using the
information below steps can be taken to eliminate the exposure.
To determine if the OutOfBox and systour subsystems are installed
on a particular system, the following command can be used:
% versions OutOfBox.sw systour.sw
I = Installed, R = Removed
Name Date Description
I OutOfBox 11/05/96 OutOfBox Experience, 1.1
I OutOfBox.sw 11/05/96 OutOfBox Experience Software, 1.1
I OutOfBox.sw.complete 11/05/96 Complete OutOfBox Experience
I OutOfBox.sw.intro 11/05/96 OutOfBox Intro Movies
I systour 02/12/96 Indigo Magic System Tour, 5.2
I systour.sw 02/12/96 System Tour Execution Environment
I systour.sw.eoe 02/12/96 System Tour Execution Environment
In the above case, the subsystems of concern are installed and the steps
below should be performed. If no output is returned by the command,
the subsystems are not installed and no further action is required.
**** IRIX 4.x ****
The 4.x version of IRIX is not vulnerable as the System Tour and
OutOfBox Experience subsystems are not part of available software
for this IRIX version. No action is required.
**** IRIX 5.x, 6.0, 6.0.1, 6.1, 6.2 ****
There are no patches for this issue.
The steps below can be used to remove the vulnerability by either
changing the program permissions (use step 2a) or by removing the
subsystems (use step 2b).
1) Become the root user on the system.
% /bin/su -
Password:
#
2) Choose either step 2a or 2b depending on which
has the desired result.
2a) Change the setuid root permissions on the programs
of concern.
# /bin/chmod u-s /usr/lib/tour/bin/RemoveSystemTour
# /bin/chmod u-s /usr/people/tour/oob/bin/oobversions
************
*** NOTE ***
************
Removing the setuid root permissions from these tools
will prevent non-root users from removing the subsystems.
Removal of the subsystems will only be possible if the
systour or OutOfBox user is a root user or if the inst
IRIX software manager is used by root for removal.
2b) Remove the vulnerable subsystems.
# /usr/sbin/versions -v remove systour OutOfBox
4) Return to previous level.
# exit
$
**** IRIX 6.3 ****
The IRIX operating system version 6.3 does not have the System
Tour subsystem but does have the OutOfBox Experience subsystem.
There are no patches for this issue.
The steps below can be used to remove the vulnerability by either
changing the program permissions (use step 2a) or by removing the
subsystems (use step 2b).
1) Become the root user on the system.
% /bin/su -
Password:
#
2) Choose either step 2a or 2b depending on which
has the desired result.
2a) Change the setuid root permissions on the program
of concern.
# /bin/chmod u-s /usr/people/tour/oob/bin/oobversions
************
*** NOTE ***
************
Removing the setuid root permissions from this program
will prevent non-root users from removing the subsystem.
Removal of the subsystem will only be possible if the
OutOfBox user is a root user or if the inst IRIX software
manager is used by root for removal.
2b) Remove the vulnerable subsystem.
# /usr/sbin/versions -v remove OutOfBox
4) Return to previous level.
# exit
$
- - ------------------------
- - --- Acknowledgments ---
- - ------------------------
Silicon Graphics wishes to thank AUSCERT and FIRST members worldwide for
their assistance in this matter.
- - -----------------------------------------
- - --- SGI Security Information/Contacts ---
- - -----------------------------------------
If there are questions about this document, email can be sent to
cse-security-alert@csd.sgi.com.
------oOo------
Silicon Graphics provides security information and patches for
use by the entire SGI community. This information is freely
available to any person needing the information and is available
via anonymous FTP and the Web.
The primary SGI anonymous FTP site for security information and patches
is sgigate.sgi.com (204.94.209.1). Security information and patches
are located under the directories ~ftp/security and ~ftp/patches,
respectively. The Silicon Graphics Security Headquarters Web page is
accessible at the URL http://www.sgi.com/Support/Secur/security.html.
For issues with the patches on the FTP sites, email can be sent to
cse-security-alert@csd.sgi.com.
For assistance obtaining or working with security patches, please
contact your SGI support provider.
------oOo------
Silicon Graphics provides a free security mailing list service
called wiretap and encourages interested parties to self-subscribe
to receive (via email) all SGI Security Advisories when they are
released. Subscribing to the mailing list can be done via the Web
(http://www.sgi.com/Support/Secur/wiretap.html) or by sending email
to SGI as outlined below.
% mail wiretap-request@sgi.com
subscribe wiretap <YourEmailAddress>
end
^d
In the example above, <YourEmailAddress> is the email address that you
wish the mailing list information sent to. The word end must be on a
separate line to indicate the end of the body of the message. The
control-d (^d) is used to indicate to the mail program that you are
finished composing the mail message.
------oOo------
Silicon Graphics provides a comprehensive customer World Wide Web site.
This site is located at http://www.sgi.com/Support/Secur/security.html.
------oOo------
For reporting *NEW* SGI security issues, email can be sent to
security-alert@sgi.com or contact your SGI support provider. A
support contract is not required for submitting a security report.
- --------------------------END SGI SECURITY ADVISORY------------------------
...........................................................................
- ---------------------------------------------------------------------------
AUSCERT thanks Silicon Graphics Inc. for their assistance in this matter.
- ---------------------------------------------------------------------------
The AUSCERT team have made every effort to ensure that the information
contained in this document is accurate. However, the decision to use the
information described is the responsibility of each user or organisation.
The appropriateness of this document for an organisation or individual
system should be considered before application in conjunction with local
policies and procedures. AUSCERT takes no responsibility for the
consequences of applying the contents of this document.
If you believe that your system has been compromised, contact AUSCERT or
your representative in FIRST (Forum of Incident Response and Security
Teams).
AUSCERT is located at The University of Queensland within the Prentice
Centre. AUSCERT is a full member of the Forum of Incident Response and
Security Teams (FIRST).
AUSCERT maintains an anonymous FTP service which is found on:
ftp://ftp.auscert.org.au/pub/. This archive contains past SERT and AUSCERT
Advisories, and other computer security information.
AUSCERT also maintains a World Wide Web service which is found on:
http://www.auscert.org.au/.
Internet Email: auscert@auscert.org.au
Facsimile: (07) 3365 4477
Telephone: (07) 3365 4417 (International: +61 7 3365 4417)
AUSCERT personnel answer during Queensland business hours
which are GMT+10:00 (AEST).
On call after hours for emergencies.
Postal:
Australian Computer Emergency Response Team
c/- Prentice Centre
The University of Queensland
Brisbane
Qld. 4072.
AUSTRALIA
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
Revision History
November 7 1996 SGI released a Security Advisory addressing the systour
vulnerability and this was added to Appendix A. Note that
it also addressed other vulnerabilities in the OutOfBox
subsystem and contains information that is not mentioned
in the AUSCERT advisory.
Specific versions of the IRIX operating system were
also listed.
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
-----BEGIN PGP SIGNATURE-----
Version: 2.6.3i
Charset: noconv
Comment: ftp://ftp.auscert.org.au/pub/auscert/AUSCERT_PGP.key
iQCVAwUBMoHLIih9+71yA2DNAQGoSQP/Ulv9OHgFK/6fdoqxDkl02mj5pKQ7PY/S
k56FVgJtPVYK6fDooACsVpx1zhCs+xTtPTTUxz/IwUiX4P4Yd/87Qqnrctxgpbep
eJN3EUSYY/Xh3v+3GkE0N26drzwSaqrMDEEKQNrt7vzqJeN07WHMNbOQA00JJvaS
aKVsnVf6otw=
=35hH
-----END PGP SIGNATURE-----
© 2022 Packet Storm. All rights reserved.
%7Cutmcsr%3D(direct)%7Cutmcmd%3D(none)){kind=small}
Follow us on Twitter
Follow us on Facebook
Subscribe to an RSS Feed