-----BEGIN PGP SIGNED MESSAGE-----

===========================================================================
AA-97.22                        AUSCERT Advisory
                   SGI IRIX login/scheme Buffer Overrun Vulnerability
                                 28 May 1997

Last Revised: 16 September 1997

              Added vendor patch and bulletin information to Section 3.

              A complete revision history is at the end of this file.

- ---------------------------------------------------------------------------

AUSCERT has received information that a vulnerability exists in login(1),
distributed under IRIX 6.2.  Other versions (including IRIX 5.x) may also
be vulnerable.

This vulnerability may allow local users to gain root privileges.

Exploit information involving this vulnerability has been made publicly
available.

Vendor patches have been released addressing this vulnerability.

AUSCERT recommends that sites take the steps outlined in section 3 as soon
as possible.

This advisory will be updated as more information becomes available.

- ---------------------------------------------------------------------------

1.  Description

    login(1) is a program used at the beginning of each terminal session
    that allows users to identify themselves to the session.  Under current
    versions of IRIX this functionality is supplied by the program
    /usr/lib/iaf/scheme.  The login program is a symbolic link to
    /usr/lib/iaf/scheme.

    Due to insufficient bounds checking on arguments which are supplied
    by users, it is possible to overwrite the internal stack space of the
    scheme program while it is executing.  By supplying a carefully designed
    argument to the scheme program, intruders may be able to force scheme to
    execute arbitrary commands.  As scheme is setuid root, this may allow
    intruders to run arbitrary commands with root privileges.

    The login program is installed in /usr/bin/login.  Under default
    configurations this is a symbolic link to /usr/lib/iaf/scheme.

  % ls -l /usr/bin/login
        lrwxr-xr-x    1 root     sys     17 Nov 22  1994 /usr/bin/login ->
        ../lib/iaf/scheme

  % ls -l /usr/lib/iaf/scheme
  -rwsr-xr-x    1 root     sys  65832 Nov 22  1994 /usr/lib/iaf/scheme

    Exploit information involving this vulnerability has been made publicly
    available.

    Although AUSCERT has only verified this vulnerability under IRIX 6.2,
    this vulnerability is believed to affect other versions of IRIX,
    including IRIX 5.x.

2.  Impact

    This vulnerability may allow local users to gain root privileges.

3.  Workarounds/Solution

    Official vendor patches have been released by Silicon Graphics which
    address this vulnerability (Section 3.3).

    If the patches recommended by Silicon Graphics cannot be applied,
    AUSCERT recommends that sites prevent the exploitation of this
    vulnerability by immediately applying the workaround given in Section
    3.1.  To maintain the functionality of login/scheme, AUSCERT recommends
    applying the workaround given in Section 3.2.

3.1 Remove setuid and non-root execute permissions

    To prevent the exploitation of the vulnerability described in this
    advisory, AUSCERT recommends that the setuid permissions be removed
    from the scheme program immediately.

  # ls -l /usr/lib/iaf/scheme
  -rwsr-xr-x    1 root  sys    58324 Nov 28  1996 /usr/lib/iaf/scheme

  # chmod 500 /usr/lib/iaf/scheme
  # ls -l /usr/lib/iaf/scheme
  -r-x------    1 root  sys    58324 Nov 28  1996 /usr/lib/iaf/scheme

3.2 Install scheme wrapper

    AUSCERT has developed a wrapper to help prevent programs from being
    exploited using the vulnerability described in this advisory.  Sites
    which have a C compiler can obtain the source, compile and install
    the wrapper.  Please contact AUSCERT directly if pre-compiled wrapper
    binaries are required.

    The source for the wrapper, including installation instructions, can
    be found at:

        ftp://ftp.auscert.org.au/pub/auscert/tools/overflow_wrapper/
                                               overflow_wrapper.c

    This wrapper replaces the scheme program and checks the length of the
    command line arguments which are passed to it.  If an argument exceeds
    a certain predefined value (MAXARGLEN), the wrapper exits without
    executing the scheme command.  The wrapper program can also be configured
    to syslog any failed attempts to execute scheme with arguments exceeding
    MAXARGLEN.  For further instructions on using this wrapper, please
    read the comments at the top of overflow_wrapper.c.

    When compiling overflow_wrapper.c for use with scheme, AUSCERT recommends
    defining MAXARGLEN to be 32.

    The MD5 checksum for the current version of overflow_wrapper.c can be
    retrieved from:

        ftp://ftp.auscert.org.au/pub/auscert/tools/overflow_wrapper/CHECKSUM

    The CHECKSUM file has been digitally signed using the AUSCERT PGP key.

3.3 Install vendor patches

    Silicon Graphics has released security bulletin 19970508-02-PX "IRIX
    LOCKOUT and login/scheme Buffer Overrun" which addresses the
    vulnerability described in this advisory, including patch information.
    AUSCERT recommends that sites apply these patches as soon as possible.

    This SGI security advisory is available from:

        ftp://sgigate.sgi.com/security/19970508-02-PX

- ---------------------------------------------------------------------------
AUSCERT thanks Ian Farquhar for his assistance in the production of
this advisory.  Thanks also to the Prentice Centre, University of
Queensland, for providing test equipment.
- ---------------------------------------------------------------------------

The AUSCERT team have made every effort to ensure that the information
contained in this document is accurate.  However, the decision to use the
information described is the responsibility of each user or organisation.
The appropriateness of this document for an organisation or individual
system should be considered before application in conjunction with local
policies and procedures.  AUSCERT takes no responsibility for the
consequences of applying the contents of this document.

If you believe that your system has been compromised, contact AUSCERT or
your representative in FIRST (Forum of Incident Response and Security
Teams).

AUSCERT is located at The University of Queensland within the Prentice
Centre.  AUSCERT is a full member of the Forum of Incident Response and
Security Teams (FIRST).

AUSCERT maintains an anonymous FTP service which is found on:
ftp://ftp.auscert.org.au/pub/.  This archive contains past SERT and AUSCERT
Advisories, and other computer security information.

AUSCERT also maintains a World Wide Web service which is found on:
http://www.auscert.org.au/.

Internet Email: auscert@auscert.org.au
Facsimile:  (07) 3365 4477
Telephone:  (07) 3365 4417 (International: +61 7 3365 4417)
    AUSCERT personnel answer during Queensland business hours
    which are GMT+10:00 (AEST).
    On call after hours for emergencies.

Postal:
Australian Computer Emergency Response Team
Prentice Centre
Brisbane
Qld.  4072.
AUSTRALIA

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
Revision History

16 Sep 1997     Silicon Graphics has released a security bulletin,
                addressing the vulnerability described in this advisory.
                Section 3 has been modified to include this information.

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

-----BEGIN PGP SIGNATURE-----
Version: 2.6.3i
Charset: noconv
Comment: ftp://ftp.auscert.org.au/pub/auscert/AUSCERT_PGP.key

iQCVAwUBNB6kSih9+71yA2DNAQF3gwP/W7jn4a6V/f4T5crR49/TSL7278bc02oR
buXAhkLQhtagOn1cvOoOA4JRrEl/8gOJ58tFw6DvxnJzx4oLL53H2UJV3T6NlGcU
Qdd2ir/WrNPww1Ok6QK7+72DwgBcQpDeW6fyPhwcRyGu/j+whQ3cDg5X46J/eZQh
pk4Z7HxYFMU=
=Tm2C
-----END PGP SIGNATURE-----