DISTRIBUTION RESTRICTIONS:  PUBLIC DISTRIBUTION
  __________________________________________________
              The Computer Incident Advisory Capability
                          ___  __ __    _     ___
                         /       |     / \   /
                         \___  __|__  /___\  \___
         _____________________________________________________
                         Information Bulletin
 
      SGI 3.3.X Pseudo-tty Vulnerability
 
March 6, 1992 1000 PST                                       Number C-20
_________________________________________________________________________

PROBLEM: Non-root users have the ability to see the output of other
        users terminal activity. 
PLATFORM: Silicon Graphics systems running IRIX 3.3.X (3.3.1, 3.3.2 and 3.3.3L)
DAMAGE: Potential disclosure of user sensitive data including passwords.
SOLUTION: SGI MIPS based machines should upgrade to 4.0.1 or to Trusted 
  Irix.
__________________________________________________________________________
       Critical Facts about SGI 3.3.X Pseudo tty Vulnerability

CIAC has become aware of a possible security problem with Silicon
Graphics systems running IRIX 3.3.X (3.3.1, 3.3.2 and 3.3.3L).  This
problem has been fixed under 4.0.1.
 
The IRIX psuedo-ttys (pttys) are protected mode 0666, which permits
non-root users to read unprotected terminals.  This might permit non-
authorized users to see confidential information, including passwords.

SGI and CIAC recommend that you upgrade your 3.3.X system either to
4.0.1 or to Trusted Irix immediately.  Contact your SGI
representative, or SGI Express (1-800-800-SGI1).  SGI customers under
support may call 1-800-800-4744 (1-800-800-4SGI)

Note, if you suspect that another user is reading from your terminal,
you may use the command: fuser -u `tty`.  This shows what processes
are connected to your tty, see fuser(8).  You should be able to
account for each of them using the ps(1) command.

For additional information or assistance, please contact CIAC:

  David Brown
  (510) 423-9878/(FTS) 543-9878
  dsbrown@llnl.gov

Call CIAC at (510) 422-8193/(FTS) 532-8193 or send e-mail to
ciac@llnl.gov.  FAX messages to: (510) 423-8002/(FTS) 543-8002.

Previous CIAC bulletins and other information is available via
anonymous ftp from irbis.llnl.gov (ip address 128.115.19.60).  

PLEASE NOTE: Many users outside of the DOE and ESnet computing
communities receive CIAC bulletins.  If you are not part of these
communities, please contact your agency's response team to report
incidents.  Some of the other teams include the NASA NSI response
team, DARPA's CERT/CC, NAVCIRT, and the Air Force response team.  Your
agency's team will coordinate with CIAC.

CIAC would like to thank Lisa Amedeo of Fermi National Laboratory, and
Debby Derby of Silicon Graphics Inc. for their assistance with this
bulletin.

Neither the United States Government nor the University of California
nor any of their employees, makes any warranty, expressed or implied,
or assumes any legal liability or responsibility for the accuracy,
completeness, or usefulness of any information, product, or process
disclosed, or represents that its use would not infringe privately
owned rights.  Reference herein to any specific commercial products,
process, or service by trade name, trademark manufacturer, or
otherwise, does not necessarily constitute or imply its endorsement,
recommendation, or favoring by the United States Government or the
University of California.  The views and opinions of authors expressed
herein do not necessarily state or reflect those of the United States
Government nor the University of California, and shall not be used for
advertising or product endorsement purposes.