-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

===============================================================================
  >> CERT-NL, 01-Mar-2000                                                   <<
  >> All CERT-NL information has been moved to http://cert.surfnet.nl. Links <<
  >> to CERT-NL information contained in this advisory are therefore outdated. <<
  >>                                                                        <<
  >> CERT-NL also has stopped the CERT-CC-Mirror service. Due to this the   <<
  >> links to the CERT-CC mirror are obsolete. Visit the CERT-CC site for the <<
  >> complete CERT-CC advisory texts: http://www.cert.org                   <<
===============================================================================

===============================================================================
                          Security Advisory CERT-NL
===============================================================================
Author/Source : Teun Nijssen                  Index         : S-98-46
Distribution  : World                         Page          : 1
Classification: External                      Version       : 1
Subject       : SGI IRIX 6.3 & 6.4 mailcap vulnerability
Date          : 21-Jul-98
===============================================================================

By courtesy of Silicon Graphics Inc. we received information on a
vulnerability in mailcap.

==============================================================================

                   Silicon Graphics Inc. Security Advisory

        Title:   IRIX 6.3 & 6.4 mailcap vulnerability
        Number:  19980403-02-PX
        Date:    July 20, 1998
______________________________________________________________________________

---------------
---- Update ---
---------------

As part of ongoing security efforts, Silicon Graphics has replaced patch
2336 with patch 3068. Patch 2336 had an incorrect patch range. The original
text of SGI Security Advisory 19980403-01-PX has been updated to reflect
this change.

-----------------------
--- Issue Specifics ---
-----------------------

The System Manager sysmgr(1M) provides a web-browser-like GUI interface to
tasks that help you administer an SGI workstation.
sysmgr(1M) uses multiple tools to manage its GUI interface, two of them being
runtask(1M) and runexec(1M). Both are driven by descriptor files, and the
default Netscape mailcap on IRIX 6.3/6.4 maps the MIME types
application/x-sgi-task and application/x-sgi-exec to them. A web page or
email message served with one of those content types therefore makes the
browser hand the downloaded file straight to runtask(1M) or runexec(1M): an
SGI user browsing web pages or reading email can inadvertently download a
"trojan horse" descriptor file that mimics a legitimate one. The "trojan
horse" descriptor file will execute a local System Manager Task with the
privileges of the user who is web browsing and can lead to a local root
compromise.

Silicon Graphics Inc. has investigated the issue and recommends the
following steps for neutralizing the exposure. It is HIGHLY RECOMMENDED that
these measures be implemented on ALL vulnerable SGI systems. This issue will
be corrected in future releases of IRIX.

--------------
--- Impact ---
--------------

All IRIX 6.3/6.4 users that have Mailcap entries for x-sgi-task and
x-sgi-exec have this vulnerability.

On IRIX 6.3/6.4, these vulnerable Mailcap entries are installed by default
in /usr/local/lib/netscape/mailcap. Users can add their own Mailcap entries
in their home directories ($HOME/.mailcap), and these need to be inspected
for the vulnerable x-sgi-task and x-sgi-exec entries as well.

By default, this vulnerability requires an IRIX 6.3/6.4 user to use Netscape
Navigator to web browse or read email from a malicious site and download a
"trojan horse" System Manager Task, which will execute locally with the
privileges of the user who is web browsing. If the user is a privileged or
root user, the "trojan horse" System Manager Task will execute with root
privileges and can lead to a root compromise.

--------------------------
--- Temporary Solution ---
--------------------------

Although patches are available for this issue, it is realized that there
may be situations where installing the patches immediately may not be
possible.

    1) Become the root user on the system.

        % /bin/su -
        Password:
        #

    2) Edit the default Mailcap file.
        # vi /usr/local/lib/netscape/mailcap

    3) Remove the following vulnerable mailcap entries:

        application/x-sgi-task; /usr/sysadm/bin/runtask %s; \
            description="System Administration Task"
        application/x-sgi-exec; /usr/sysadm/bin/runexec %s; \
            description="System Administration Executable"

    4) Find any additional mailcap files and remove any vulnerable entries.

       You will need to run the find(1) command on each system you
       maintain, because the command examines files on local disks only;
       home directories mounted over the network must be checked on the
       host that holds them. Note that this is one long command, though
       we have separated it onto three lines using backslashes.

        # find / -local -type f \( -name 'mailcap' -o \
            -name '.mailcap' \) -exec egrep 'runexec|runtask' {} \
            /dev/null \;

       This command will find all files on a system that:

        - are only in the local file system (/ -local)
        - are regular files (-type f)
        - have the name "mailcap" (-name 'mailcap') or the name ".mailcap"

       Once found, those files will be searched for the string "runexec"
       or "runtask" (-exec egrep 'runexec|runtask' {}) and have their
       path names printed. The addition of /dev/null as an argument causes
       egrep to list the full pathname of any file containing the string,
       rather than just the basename.

       Edit the files that have the pathnames printed and remove any
       vulnerable runtask/runexec mailcap entries. Note that each entry
       spans two lines joined by a trailing backslash; remove both lines.

    5) Return to the previous level.

        # exit
        %

----------------
--- Solution ---
----------------

   OS Version     Vulnerable?     Patch #      Other Actions
   ----------     -----------     -------      -------------
   IRIX 3.x          no
   IRIX 4.x          no
   IRIX 5.0.x        no
   IRIX 5.1.x        no
   IRIX 5.2          no
   IRIX 5.3          no
   IRIX 6.0.x        no
   IRIX 6.1          no
   IRIX 6.2          no
   IRIX 6.3          yes           3068
   IRIX 6.4          yes           2339
   IRIX 6.5          no

Patches are available via anonymous FTP and your service/support provider.

The SGI anonymous FTP site is sgigate.sgi.com (204.94.209.1) or its mirror,
ftp.sgi.com. Security information and patches can be found in the
~ftp/security and ~ftp/patches directories, respectively.
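The audit in step 4 and the manual edit in steps 2 and 3 can be done in one pass. The script below is an added example and is not part of the SGI or CERT-NL advisory. It assumes POSIX sh, awk, find and grep -E rather than IRIX's find -local and egrep (the "-xdev" option is used instead of "-local" to stay on one file system), and the sample mailcap it writes is constructed for the demo, with the two default x-sgi-task/x-sgi-exec entries from the advisory beside two harmless ones. The point a plain "grep -v runtask" would miss is that each vulnerable entry spans two lines joined by a trailing backslash, so the cleaner gathers continuation lines into one logical entry before deciding whether to drop it.

```shell
#!/bin/sh
# Added example (not from the SGI/CERT-NL advisory): audit and clean mailcap
# files for entries that hand downloaded files to runtask/runexec.
# Assumptions: POSIX sh, awk, find and grep -E; "-xdev" stands in for the
# IRIX-only "find -local"; all paths used by the demo are constructed.

# List mailcap/.mailcap files under the tree $1 that contain an entry
# invoking runtask or runexec (the advisory's step 4, with grep -l so that
# only the path is printed).
find_vulnerable_mailcaps() {
    find "$1" -xdev -type f \( -name mailcap -o -name .mailcap \) \
        -exec grep -E -l 'runexec|runtask' {} \; 2>/dev/null
}

# Same search, but prints only the number of affected files.
count_vulnerable_mailcaps() {
    find_vulnerable_mailcaps "$1" | awk 'END { print NR }'
}

# Print mailcap file $1 to stdout with every entry that invokes runtask or
# runexec removed. An entry may span several lines joined by a trailing
# backslash, exactly like the two default x-sgi entries, so lines are first
# gathered into one logical entry before it is tested. Comment lines are
# kept even if they mention the tool names.
strip_vulnerable_entries() {
    awk '
        {
            buf = (buf == "") ? $0 : buf "\n" $0
            if ($0 ~ /\\[ \t]*$/) next          # continuation: keep gathering
            if (buf ~ /^[ \t]*#/ || buf !~ /runtask|runexec/) print buf
            buf = ""
        }
        END { if (buf != "") print buf }        # entry ending in a dangling backslash
    ' "$1"
}

# Write a constructed sample mailcap to $1: the two vulnerable default
# entries quoted in the advisory plus two harmless ones that must survive.
write_sample_mailcap() {
    cat > "$1" <<'EOF'
# constructed sample mailcap for the demo
application/x-sgi-task; /usr/sysadm/bin/runtask %s; \
    description="System Administration Task"
image/gif; xv %s; description="GIF image"
application/x-sgi-exec; /usr/sysadm/bin/runexec %s; \
    description="System Administration Executable"
application/postscript; ghostview %s
EOF
}

# Demo: build a throwaway tree mirroring the advisory's two locations
# (constructed paths), audit it, clean what the audit found, audit again.
demo() {
    tmp=$(mktemp -d) || return 1
    mkdir -p "$tmp/usr/local/lib/netscape" "$tmp/home/alice"
    write_sample_mailcap "$tmp/usr/local/lib/netscape/mailcap"
    printf 'image/jpeg; xv %%s\n' > "$tmp/home/alice/.mailcap"   # harmless user file
    echo "before: $(count_vulnerable_mailcaps "$tmp") vulnerable mailcap file(s)"
    find_vulnerable_mailcaps "$tmp" | while read -r f; do
        strip_vulnerable_entries "$f" > "$f.clean" && mv "$f.clean" "$f"
    done
    echo "after:  $(count_vulnerable_mailcaps "$tmp") vulnerable mailcap file(s)"
    cat "$tmp/usr/local/lib/netscape/mailcap"
    rm -rf "$tmp"
}

demo
```

On a real IRIX 6.3/6.4 host, run find_vulnerable_mailcaps against / as root and review each file before replacing it; as the advisory notes, the search covers local disks only, so user home directories served over the network need the same treatment on the file server.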
##### Patch File Checksums ####

The actual patch will be a tar file containing the following files:

Filename:                 README.patch.3068
Algorithm #1 (sum -r):    54529 8 README.patch.3068
Algorithm #2 (sum):       33465 8 README.patch.3068
MD5 checksum:             E91EB7C7124D8A40DD81DD1CB8CC9DA2

Filename:                 patchSG0003068
Algorithm #1 (sum -r):    54264 2 patchSG0003068
Algorithm #2 (sum):       7687 2 patchSG0003068
MD5 checksum:             6EE55314047752A8B7BFA96EB551DE9F

Filename:                 patchSG0003068.idb
Algorithm #1 (sum -r):    31861 2 patchSG0003068.idb
Algorithm #2 (sum):       13383 2 patchSG0003068.idb
MD5 checksum:             5ACBB5E60F27283E8099C0F310E3BBC9

Filename:                 patchSG0003068.netscape_gold_sw
Algorithm #1 (sum -r):    07593 20 patchSG0003068.netscape_gold_sw
Algorithm #2 (sum):       3826 20 patchSG0003068.netscape_gold_sw
MD5 checksum:             893D690FA20C0AC4E6E4B7E67465B0E2

Filename:                 patchSG0003068.netscape_sw
Algorithm #1 (sum -r):    04774 6 patchSG0003068.netscape_sw
Algorithm #2 (sum):       24847 6 patchSG0003068.netscape_sw
MD5 checksum:             B6FD69352794F52288D536320CBB4A77

Filename:                 README.patch.2339
Algorithm #1 (sum -r):    11695 8 README.patch.2339
Algorithm #2 (sum):       21823 8 README.patch.2339
MD5 checksum:             114563D0D67F80E371C71EF3E6262900

Filename:                 patchSG0002339
Algorithm #1 (sum -r):    37814 2 patchSG0002339
Algorithm #2 (sum):       40753 2 patchSG0002339
MD5 checksum:             E0B519F8ECD83396E29DFE07DF23517E

Filename:                 patchSG0002339.idb
Algorithm #1 (sum -r):    59311 2 patchSG0002339.idb
Algorithm #2 (sum):       54667 2 patchSG0002339.idb
MD5 checksum:             8E39530FD44C9087F0C07B1F75043764

Filename:                 patchSG0002339.netscape_gold_sw
Algorithm #1 (sum -r):    39233 20 patchSG0002339.netscape_gold_sw
Algorithm #2 (sum):       53498 20 patchSG0002339.netscape_gold_sw
MD5 checksum:             7FF56E22472B0797499920BAAB8CA9C5

-------------------------
---- Acknowledgments ---
-------------------------

Silicon Graphics wishes to thank the CERT Coordination Center and AUSCERT
for their assistance in this matter.
==============================================================================

CERT-NL is the Computer Emergency Response Team for SURFnet customers.
SURFnet is the Dutch network for educational, research and related
institutes. CERT-NL is a member of the Forum of Incident Response and
Security Teams (FIRST).

All CERT-NL material is available under: http://cert.surfnet.nl/

In case of computer or network security problems please contact your local
CERT/security-team or CERT-NL (if your institute is NOT a SURFnet customer
please address the appropriate (local) CERT/security-team).

CERT-NL is one/two hour(s) ahead of UTC (GMT) in winter/summer, i.e.
UTC+0100 in winter and UTC+0200 in summer (DST).

Email:     cert-nl@surfnet.nl          ATTENDED REGULARLY ALL DAYS
Phone:     +31 302 305 305             BUSINESS HOURS ONLY
Fax:       +31 302 305 329             BUSINESS HOURS ONLY
Snailmail: SURFnet bv
           Attn. CERT-NL
           P.O. Box 19035
           NL - 3501 DA UTRECHT
           The Netherlands

EMERGENCIES (domestic): 06 22 92 35 64          ATTENDED AT ALL TIMES
EMERGENCIES           : +31 6 22 92 35 64       ATTENDED AT ALL TIMES

CERT-NL'S EMERGENCY PHONE NUMBER IS ONLY TO BE USED IN CASE OF EMERGENCIES:
THE SURFNET HELPDESK OPERATING THE EMERGENCY NUMBER HAS A *FIXED* PROCEDURE
FOR DEALING WITH YOUR ALERT AND WILL IN REGULAR CASES RELAY IT TO CERT-NL IN
AN APPROPRIATE MANNER. CERT-NL WILL THEN CONTACT YOU.

===============================================================================

-----BEGIN PGP SIGNATURE-----
Version: PGP 6.5.1i

iQA/AwUBOL6IjTSYjBqwfc9jEQK9MQCfS72Mp2YglpdQEje3teklUXzwuZkAnRsD
Ob6YwUSUP9wgtem+AczGb+2H
=rG8n
-----END PGP SIGNATURE-----