-----BEGIN PGP SIGNED MESSAGE----- Hash: SHA1 =============================================================================== >> CERT-NL, 01-Mar-2000 << >> All CERT-NL information has been moved to http://cert.surfnet.nl. Links << >> to CERT-NL information contained in this advisory are therefore outdated. << >> << >> CERT-NL also has stopped the CERT-CC-Mirror service. Due to this the << >> links to the CERT-CC mirror are obsolete. Visit the CERT-CC site for the << >> complete CERT-CC advisory texts: http://www.cert.org << =============================================================================== =============================================================================== Security Advisory CERT-NL =============================================================================== Author/Source : Don Stikvoort Index : S-95-09 Distribution : World Page : 1 Classification: External Version: 1 Subject: SGI permissions tool & colorview vulnerabilities Date : 10-Mar-95 =============================================================================== By courtesy of SGI and CERT/CC we received the following information about two separate vulnerabilities: - - - - - desktop permissions tool vulnerability (IRIX 5.2 6.0); - - - - - colorview vulnerability (IRIX 5.1 5.2 6.0): ============================================================================== =========== PERMISSIONS TOOL VULNERABILITY ==== IRIX 5.2 6.0 ============= ============================================================================== ________________________________________________________________________________ Silicon Graphics Inc. Security Advisory Title: IRIX 5.2, 6.0, 6.0.1 Desktop Permissions Tool Number: 19950301-01-P373 Date: March 3, 1995 ________________________________________________________________________________ Silicon Graphics provides this information freely to the SGI community for its consideration, interpretation and implementation. Silicon Graphics recommends that this information be acted upon as soon as possible. Silicon Graphics will not be liable for any consequential damages arising from the use of, or failure to use or use properly, any of the instructions or information in this Security Advisory. ________________________________________________________________________________ A vulnerability has been discovered in the IRIX 5.2, 6.0, and 6.0.1 operating systems regarding the permissions tool under the IRIX desktop environment. Normally, this tool is used by users to modify the permissions on their files and files they are privileged for. Under certain conditions, a user may be able to modify the permissions for any file. This is identified as SGI SCR # 265071. SGI Engineering has investigated this issue and recommends the following steps for neutralizing the exposure. It is HIGHLY RECOMMENDED that these measures be done on ALL SGI systems running IRIX 5.2, 6.0, and 6.0.1 . This issue is corrected in 5.3 of IRIX and will be corrected in future releases of IRIX. - - - - - -------------------------- - - - - - --- Immediate Solution --- - - - - - -------------------------- The most immediate solution for this issue is to remove the setuid/setgid bits on /usr/lib/permissions, or to remove the tool entirely. Removing the setuid/setgid bits will limit the tool to only function on files owned by the user using the tool. 1) Become the root user on the system. % /bin/su - Password: # 2) Change the unix permissions level on the desktop permissions program. # chmod u-s /usr/lib/desktop/permissions # chmod g-s /usr/lib/desktop/permissions 3) Return to previous user. # exit % - - - - - -------------------------- - - - - - --- Long Term Solution --- - - - - - -------------------------- *** IRIX 5.0.x, 5.1.x **** The versions 5.0.x and 5.1.x of IRIX were limited hardware, specific releases and have since been obsoleted by later versions of IRIX. For supportability reasons, upgrading to atleast IRIX 5.2 is recommended as a first step for all problem resolution. IRIX 5.0.x, 5.1.x ARE NOT subject to this vulernability. **** IRIX 5.2, 6.0, 6.0.1 **** >>>> IRIX 5.3 IS NOT SUBJECT TO THIS VULNERABILITY. <<<< For the IRIX operating system versions 5.2, 6.0 and 6.0.1, an inst-able patch has been generated and made available via anonymous ftp and/or your service/support provider. The patch is number 373 and will install on IRIX 5.2, 6.0 and 6.0.1 . - - - - - -NOTE- Inst-able patches require a patch-aware inst program. The stock 5.2 inst program with the base install is not patch-aware. The 6.0 and 6.0.1 inst programs are. A patch-aware inst program for IRIX 5.2 is available as patch number 0, 34, or 84. Any one of these may be used, with 84 the latest, most recommended, and available via your service provider or the usual SGI anonymous ftp sites. The SGI anonymous ftp site is ftp.sgi.com (192.48.153.1). Additionally, the alternative SGI anonymous ftp site, sgigate.sgi.com, can be accessed to find the same files. On each of these servers, patch 373 can be found in the following directories: ~ftp/Security or ~ftp/Patches/5.2 ~ftp/Patches/6.0 ~ftp/Patches/6.0.1 ##### Checksums #### The actual patch will be a tar file containing the following files: Filename: patchSG0000373 Algorithm #1 (sum -r): 51249 1 patchSG0000373 Algorithm #2 (sum): 21641 1 patchSG0000373 MD5 checksum: 40A604013A05C2521152ED4B51C5D9A5 Filename: patchSG0000373.desktop_eoe_sw Algorithm #1 (sum -r): 09134 88 patchSG0000373.desktop_eoe_sw Algorithm #2 (sum): 63013 88 patchSG0000373.desktop_eoe_sw MD5 checksum: D74F9BDED3D51E9D28666CADF1B31945 Filename: patchSG0000373.idb Algorithm #1 (sum -r): 50435 1 patchSG0000373.idb Algorithm #2 (sum): 41363 1 patchSG0000373.idb MD5 checksum: 790E9A47909BC32D8E9FCE14EA4077D8 - - - - - ------------------------------------ - - - - - --- Further Information/Contacts --- - - - - - ------------------------------------ For obtaining security information, patches or assistance, please contact your SGI support provider. If there are questions about this document, email can be sent to cse-security-alert@csd.sgi.com . For reporting *NEW* SGI security issues, email can be sent to security-alert@sgi.com . ============================================================================== ======== COLORVIEW VULNERABILITY ==== IRIX 5.1 5.2 6.0 ================== ============================================================================== ________________________________________________________________________________ Silicon Graphics Inc. Security Advisory Title: colorview program allows reading of any file Number: 19950209-00-P Date: February, 9, 1995 ________________________________________________________________________________ Silicon Graphics provides this information freely to the SGI community for its consideration, interpretation and implementation. Silicon Graphics recommends that this information be acted upon as soon as possible. Silicon Graphics will not be liable for any consequential damages arising from the use of, or failure to use or use properly, any of the instructions or information in this Security Advisory. ________________________________________________________________________________ A vulnerability has been discovered in the IRIX 5.1.x, 5.2, 6.0 and 6.0.1 operating systems which would allow the colorview program to be used to view any file on the system. SGI Engineering has investigated this issue and recommends the following steps for neutralizing the exposure. It is HIGHLY RECOMMENDED that these measures be done on ALL SGI systems running IRIX 5.1.x, 5.2, 6.0 and 6.0.1 . The issue will be permanently corrected in future releases of IRIX. - - - - - -------------------------- - - - - - --- Immediate Solution --- - - - - - -------------------------- To correct this issue, it is recommended to remove the setuid bit on the colorview program. The following steps are provided to do this. 1) Become the root user on the system. % /bin/su Password: # 2) Change the permissions on the colorview program to remove the setuid permission. # chmod u-s /usr/sbin/colorview 3) Verify the permissions and ownership to be as follows after step 2. # cd /usr/sbin # ls -al colorview -rwxr-xr-x 1 root sys 396376 Jan 18 18:40 colorview - - - - - -------------------------- - - - - - --- Long Term Solution --- - - - - - -------------------------- There is no patch for this issue. For 5.1.x and 5.2 versions, this has been corrected in IRIX 5.3. - - - - - ------------------------------------ - - - - - --- Further Information/Contacts --- - - - - - ------------------------------------ For obtaining security information, patches or assistance, please contact your SGI support provider. For reporting new SGI security issues, email can be sent to security-alert@sgi.com . ============================================================================== CERT-NL is the Computer Emergency Response Team for SURFnet customers. SURFnet is the Dutch network for educational, research and related institutes. CERT-NL is a member of the Forum of Incident Response and Security Teams (FIRST). All CERT-NL material is available under: http://cert.surfnet.nl/ In case of computer or network security problems please contact your local CERT/security-team or CERT-NL (if your institute is NOT a SURFnet customer please address the appropriate (local) CERT/security-team). CERT-NL is one/two hour(s) ahead of UTC (GMT) in winter/summer, i.e. UTC+0100 in winter and UTC+0200 in summer (DST). Email: cert-nl@surfnet.nl ATTENDED REGULARLY ALL DAYS Phone: +31 302 305 305 BUSINESS HOURS ONLY Fax: +31 302 305 329 BUSINESS HOURS ONLY Snailmail: SURFnet bv Attn. CERT-NL P.O. Box 19035 NL - 3501 DA UTRECHT The Netherlands NOODGEVALLEN: 06 22 92 35 64 ALTIJD BEREIKBAAR EMERGENCIES : +31 6 22 92 35 64 ATTENDED AT ALL TIMES CERT-NL'S EMERGENCY PHONENUMBER IS ONLY TO BE USED IN CASE OF EMERGENCIES: THE SURFNET HELPDESK OPERATING THE EMERGENCY NUMBER HAS A *FIXED* PROCEDURE FOR DEALING WITH YOUR ALERT AND WILL IN REGULAR CASES RELAY IT TO CERT-NL IN AN APPROPRIATE MANNER. CERT-NL WILL THEN CONTACT YOU. =============================================================================== -----BEGIN PGP SIGNATURE----- Version: PGP 6.5.1i iQA/AwUBOL6IETSYjBqwfc9jEQI+AACeN11Are3GO8pZgIwqN0NW9mpX3B4AoKr5 D2GcCvc+14LYxTSuCPrrscPS =FhOz -----END PGP SIGNATURE-----