AA-97.16.IRIX.scanners.environ.vul

Posted Sep 23, 1999

systems | irix
SHA-256 | 3d072649a45ed2c98cdc465c7c15973897f7cc595e7de3446f02a6089b9d099d


===========================================================================
AA-97.16 AUSCERT Advisory
SGI IRIX Scanners Vulnerability
14 May 1997

Last Revised: --

---------------------------------------------------------------------------

AUSCERT has received information that a vulnerability exists in
the scanners(1M) program which is part of the Impressario package.

The vulnerability may allow local users to gain root privileges.

Exploit information regarding this vulnerability has been made
publicly available.

AUSCERT recommends that sites take the steps outlined in Section 3
as soon as possible.

---------------------------------------------------------------------------

1. Description

AUSCERT has received information that a vulnerability exists in the
scanners(1M) program as supplied with Impressario Server 1.2. The
scanners program is a graphical tool for displaying, installing and
deleting scanning devices.

Information from the environment variable SGIHELPROOT is accepted by
the scanners program without adequate validity checks being performed.
By carefully manipulating this environment variable, it might be
possible to execute arbitrary commands with root privileges.

Impressario Server 1.2 is known to have shipped as an optional extra
with IRIX 5.x. The version of Impressario that runs under IRIX 6.2
and later is not known to be vulnerable.

Exploit information involving this vulnerability has been made publicly
available.

Sites can determine if they have this package installed and if the
package is vulnerable in the following manner:

Determine if the scanners program is installed by using the command:

% ls -l /usr/sbin/scanners
-rwsr-xr-x 1 root sys 117752 Apr 29 05:28 /usr/sbin/scanners

If scanners is installed, check if the version you have uses the
SGIHELPROOT environment variable by using this command and getting
the indicated output:

% strings -a /usr/sbin/scanners | grep SGIHELPROOT | uniq
SGIHELPROOT

If the scanners program is installed and it uses the SGIHELPROOT
environment variable, determine if it has already been patched to
remove the vulnerability described herein by using the command:

% versions patchSG0000006.impr_scan_sw.impr
I = Installed, R = Removed

   Name                               Date      Description

I  patchSG0000006                     05/07/97  Patch SG0000006 Impressario 1.2
I  patchSG0000006.impr_scan_sw        05/07/97  Impressario 1.2 Scanner Software
I  patchSG0000006.impr_scan_sw.impr   05/07/97  Scanner Base Software


If the scanners program is installed and it contains the string
SGIHELPROOT and patchSG0000006 is not installed, then your site might
be vulnerable and the workarounds given in Section 3 should be applied
immediately.
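
The three checks above, together with the state left by the Section 3.1 workaround, folded into one function. This is an added example and not part of the AUSCERT advisory; the VERSIONS_CMD override, the status labels and the grep fallback are assumptions made so the logic can be exercised off IRIX.

```shell
#!/bin/sh
# Added example: the advisory's three checks folded into one verdict.
PATCH=patchSG0000006.impr_scan_sw.impr   # subsystem name from the advisory
VERSIONS_CMD=${VERSIONS_CMD:-versions}   # assumption: overridable for testing

# True if the binary embeds the SGIHELPROOT string (second check).
uses_sgihelproot() {
    if command -v strings >/dev/null 2>&1; then
        strings -a "$1" | grep SGIHELPROOT >/dev/null
    else
        # Fallback (assumption) for hosts without strings(1).
        LC_ALL=C grep SGIHELPROOT "$1" >/dev/null
    fi
}

# True if versions(1M) lists the patch subsystem with "I" (Installed)
# in the first column. The "I = Installed" legend line does not match.
patch_installed() {
    $VERSIONS_CMD "$PATCH" 2>/dev/null |
        awk -v p="$PATCH" '$1 == "I" && $2 == p { found = 1 }
                           END { exit !found }'
}

# Prints one of: not-installed, no-sgihelproot, patched,
# workaround-applied, possibly-vulnerable (labels are this example's own).
scanners_status() {
    bin=$1
    [ -f "$bin" ] || { echo not-installed; return 0; }
    uses_sgihelproot "$bin" || { echo no-sgihelproot; return 0; }
    patch_installed && { echo patched; return 0; }
    # The chmod 700 in Section 3.1 clears the setuid bit; test -u sees that.
    [ -u "$bin" ] || { echo workaround-applied; return 0; }
    echo possibly-vulnerable
}

scanners_status "${1:-/usr/sbin/scanners}"
```

Only possibly-vulnerable calls for the immediate action in Section 3.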

2. Impact

Local users may be able to gain root privileges.

3. Workarounds/Solution

AUSCERT recommends that sites determine if their system is vulnerable
and if so, immediately remove the setuid and execute permissions as
stated in Section 3.1 to limit the exploitation of this vulnerability.
Sites may then wish to apply the vendor patch given in Section 3.2.

3.1 Remove permissions

To prevent the exploitation of the vulnerability described in this
advisory, AUSCERT recommends that the setuid and execute permissions
be removed from the scanners program immediately.

# ls -l /usr/sbin/scanners
-rwsr-xr-x 1 root sys 117752 Apr 29 05:28 /usr/sbin/scanners

# chmod 700 /usr/sbin/scanners

# ls -l /usr/sbin/scanners
-rwx------ 1 root sys 117752 Apr 29 05:28 /usr/sbin/scanners

Note that all users, except root, will lose the ability to use the
functionality of the scanners program.

3.2 Install Vendor Patch

Silicon Graphics Inc. has released a patch that appears to address
the vulnerability described in this advisory. This patch is very old
and there are some concerns about its compatibility with later software
and patches. It is advised that only sites that require the scanners
program and cannot upgrade to a later version apply this patch. This
patch is currently only available to sites that have SurfZone membership.

Sites that have Silicon Graphics Inc. support contracts but do not
have SurfZone membership should contact Silicon Graphics customer
support to obtain this patch.

Sites with SurfZone membership can retrieve this patch from:

http://www.surf.sgi.com/SurfZone/Support/allpatch/pinfo/i5.2.p6.html

4. Additional measures

Most Unix systems ship with numerous programs which have setuid or
setgid privileges. Often the functionality supplied by these privileged
programs is not required by many sites. The large number of privileged
programs shipped by default is there to cater for all possible
uses of the system.

AUSCERT encourages sites to examine all the setuid/setgid programs
and determine the necessity of each program. If a program does not
absolutely require the setuid/setgid privileges to operate (for example,
it is only run by the root user), the setuid/setgid privileges should
be removed. Furthermore, if a program is not required at your site,
then all execute permissions should be removed.

A sample command to find all setuid/setgid programs is (run as root):

# find / \( -perm -4000 -o -perm -2000 \) -type f -exec ls -l {} \;

It is AUSCERT's experience that many vulnerabilities are being discovered
in setuid/setgid programs which are not necessary for the correct
operation of most systems. Sites can increase their security by
removing unnecessary setuid/setgid programs.

For example, the functionality provided by the scanners program is not
needed by many sites. If sites had previously disabled this program,
they would not have been susceptible to this latest vulnerability.
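
One way to turn the find command above into a repeatable audit: compare what it finds against a list of programs the site has reviewed and decided to keep privileged. This is an added example, not part of the advisory; the allowlist file and its one-path-per-line format are assumptions.

```shell
#!/bin/sh
# Added example: report setuid/setgid files that are not on a reviewed list.

# unexpected_setid ROOT ALLOWLIST
#   ROOT       directory tree to scan (the advisory scans /)
#   ALLOWLIST  file with one approved absolute path per line (assumed format)
# Prints the privileged files under ROOT that the allowlist does not name.
unexpected_setid() {
    root=$1
    allow=$2
    [ -r "$allow" ] || { echo "allowlist not readable: $allow" >&2; return 2; }
    # Same predicate as the advisory's find command; -print replaces ls -l
    # so the result can be compared line by line (paths containing
    # newlines are not handled).
    find "$root" \( -perm -4000 -o -perm -2000 \) -type f -print 2>/dev/null |
        sort |
        grep -F -x -v -f "$allow" || true   # grep exits 1 when nothing is left
}

# Show each flagged file as it was, then drop its setuid/setgid bits.
strip_unexpected() {
    unexpected_setid "$1" "$2" | while IFS= read -r f; do
        ls -l "$f"
        chmod ug-s "$f"
    done
}

# Stand-alone use: sh audit.sh / /etc/setid.allow   (both names hypothetical)
if [ $# -eq 2 ]; then
    unexpected_setid "$1" "$2"
fi
```

Review the output of unexpected_setid before running strip_unexpected, since some flagged programs may be ones the site still needs.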

---------------------------------------------------------------------------
AUSCERT wishes to thank Silicon Graphics Inc. and Wolfgang Ley of DFN-CERT
for their assistance in this matter.
---------------------------------------------------------------------------

The AUSCERT team have made every effort to ensure that the information
contained in this document is accurate. However, the decision to use the
information described is the responsibility of each user or organisation.
The appropriateness of this document for an organisation or individual
system should be considered before application in conjunction with local
policies and procedures. AUSCERT takes no responsibility for the
consequences of applying the contents of this document.

If you believe that your system has been compromised, contact AUSCERT or
your representative in FIRST (Forum of Incident Response and Security
Teams).

AUSCERT is located at The University of Queensland within the Prentice
Centre. AUSCERT is a full member of the Forum of Incident Response and
Security Teams (FIRST).

AUSCERT maintains an anonymous FTP service which is found on:
ftp://ftp.auscert.org.au/pub/. This archive contains past SERT and AUSCERT
Advisories, and other computer security information.

AUSCERT also maintains a World Wide Web service which is found on:
http://www.auscert.org.au/.

Internet Email: auscert@auscert.org.au
Facsimile: (07) 3365 4477
Telephone: (07) 3365 4417 (International: +61 7 3365 4417)
AUSCERT personnel answer during Queensland business hours
which are GMT+10:00 (AEST).
On call after hours for emergencies.

Postal:
Australian Computer Emergency Response Team
Prentice Centre
Brisbane
Qld. 4072.
AUSTRALIA


~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
Revision History


~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

