_____________________________________________________
           US Department of Energy
                 Computer Incident Advisory Capability
                          ___  __ __    _     ___
                         /       |     / \   /
                         \___  __|__  /___\  \___
          _____________________________________________________

       INFORMATION BULLETIN

    Vulnerabilities in SGI IRIX Default Configuration

October 25, 1993 1330 PDT                                    Number E-02
__________________________________________________________________________
PROBLEM:  The default configuration of SGI IRIX software introduces
          vulnerabilities.
PLATFORM: SGI IRIX, all versions including 4.x and 5.x.
DAMAGE:   Accounts without passwords and default xhost configuration
          can lead to system compromise.
SOLUTION: Add passwords, lock accounts, change xhost configuration
          per this bulletin.
__________________________________________________________________________

      Critical Information about SGI IRIX Default Configuration

CIAC has learned that SGI IRIX systems configured with operating
system defaults are vulnerable to attack.  The auto-installation
procedure leaves some default accounts vulnerable to compromise, some
files are left world readable, and the default configuration for xhost
is vulnerable.  CIAC recommends that IRIX system administrators check
the configuration of their systems as outlined below.


OPEN ACCOUNTS

Eight accounts are left open, without a password, at the end of the
installation procedure.  Three of these accounts--root, lp, and
nuucp--are administrative accounts with system privileges.  The other
five accounts are demos, tutor, guest, 4Dgifts, and tour.

CIAC recommends that these accounts be assigned valid passwords,
deleted, or disabled to ensure account security.  Give an account a
password by executing the following command as root:

# passwd account_name

To disable ("lock") an account, use the passwd command with the -l
option, as below:

# passwd -l account_name

To delete an account, edit the /etc/passwd account directly as SGI's
utility "sysadm" will not edit these specific accounts.  SGI
recommends account deletion be done with care, since the execution of
some system functions requires an account to be present.


LOGIN.OPTIONS VULNERABILITY

The file /etc/config/login.options (renamed /etc/default/login on 5.x)
contains some parameters for the system's login process.  By default,
this file is world readable.  CIAC recommends that if a system is
logging rsh and ftp activity, these permissions be removed by
executing the following command as root:

# chmod 640 /etc/config/login.options

Note: the options "SYSLOG=ALL" or "SYSLOG=FAIL", set within
login.options will not log any login attempts made through the
SGI-supplied graphical login process Pandora.  In addition, the file
where login attempts are kept, /usr/adm/SYSLOG, should also not be
world readable.


NIS ALTERNATE PASSWORD FILE

If using NIS, an alternate password file can be created with any name
and placed anywhere.  This password file should be set up to contain
only accounts of users that log in remotely. No administrative
accounts should be contained in this alternative password file since
all NIS users can easily see this file.  Use of this file will make
the information in /etc/passwd useless to anyone who might break into
the system and try to crack passwords.

To define the password file, open or create the file
/etc/config/ypmaster.options, and create a line with the text:

PWFILE=/path/newpasswdfile.name

NOTE: this feature is available because shadow password files are
incompatible with NIS.


XHOST DEFAULTS

The system default configuration for xhost is "xhost +", which allows
any host on the same network to use X protocols to access the machine.
X has well known vulnerabilities and there are automated programs that
can remotely gain unauthorized access using X.  CIAC recommends that
you either deny all access to all hosts through X or authorize only
specific known, trustworthy machines.

To deny or restrict X access to selected hosts follow these three
steps:

a. Create or edit the file "/etc/Xn.hosts" where 'n' is the display
   number of the server on the local host, normally 0, as in
   "/etc/X0.hosts".

   To deny all X access to your system, the file /etc/X0.hosts will
   contain a single character, "-".

   To grant access to hosts "newhost.gov" and "secondhost.gov" and no
   other hosts the file /etc/X0.hosts will consist of:

   -
   +newhost.gov
   +secondhost.gov

b. Search through all files in the directory /usr/lib/X11/xdm for
   occurances of the command "xhost +" or "/usr/bin/X11/xhost +".
   Remove or comment out all such lines.  For SGI IRIS these files are
   by default:

   /usr/lib/X11/xdm/xsession
   /usr/lib/X11/xdm/xsession-remote
   /usr/lib/X11/xdm/xsession.0

c. Inform users that any xhost commands should be removed or commented
   out of user startup scripts, such as .cshrc, .login, .profile, etc.

To add an additional level of security to the X environment, CIAC
recommends the use of xauthority for host access control.  To set up
xauthority, edit the file /usr/lib/X11/xdm/xdm-config and replace the
"off" with "on" in the following line:

DisplayManager*authorize:off

After all changes are made, SGI recommends that the system be rebooted
to ensure that all changes take effect and all passwords be modified
for all users' accounts that may have been compromised.

To ensure that X has been turned off for non-registered hosts, perform
the following test commands from an invalid machine:

setenv DISPLAY yourhostname:0
/usr/bin/X11/xterm

If a message appears which refuses the connection, then the system has
been configured correctly.


Much of the information in this bulletin has been extracted from the
chapter on system security in the SGI IRIX administrator's guide,
Chapter 8 for version 4.x and Chapter 9 for version 5.x.  CIAC would
like to thank Donna Yobs of SGI and Fred W. Allen of LLNL for their
technical contributions to this bulletin, and to the ASSIST team for
alerting us to this vulnerability.

For additional information or assistance, please contact CIAC at (510)
422-8193 or send E-mail to ciac@llnl.gov. FAX messages to (510)
423-8002.

Previous CIAC Bulletins and other information are available via anonymous
FTP from irbis.llnl.gov (IP address 128.115.19.60).

PLEASE NOTE: Many users outside of the DOE and ESnet computing communities
receive CIAC bulletins.  If you are not part of these communities, please
contact your agency's response team to report incidents.  Your agency's team
will coordinate with CIAC.  The Forum of Incident Response and Security Teams
(FIRST) is a world-wide organization.  A list of FIRST member organizations
and their constituencies can be obtained by sending email to
docserver@first.org with an empty subject line and a message body containing
the line: send first-contacts.

This document was prepared as an account of work sponsored by an agency of
the United States Government.  Neither the United States Government nor the
University of California nor any of their employees, makes any warranty,
expressed or implied, or assumes any legal liability or responsibility for
the accuracy, completeness, or usefulness of any information, product, or
process disclosed, or represents that its use would not infringe privately
owned rights.  Reference herein to any specific commercial products, process,
or service by trade name, trademark manufacturer, or otherwise, does not
necessarily constitute or imply its endorsement, recommendation, or favoring
by the United States Government or the University of California.  The views
and opinions of authors expressed herein do not necessarily state or reflect
those of the United States Government nor the University of California, and
shall not be used for advertising or product endorsement purposes.