Bugtraq mailing list archives

Repost: Security bug in SGI VideoFramer [SDN-2-sgi-videoframer]

From: hhui () stardot net (Hui-Hui Hu)
Date: Tue, 14 May 1996 23:24:10 -0400


This is a repost from a few months ago. It apparently got lost in the
shuffle.

===

Stardot Networks / Security vulnerability [SDN-2-sgi-videoframer]

The VideoFramer development package on Silicon Graphics systems is subject
to several security holes. This package is installed as vfr.sw.vfr.
Though most SGIs I found did not have the installation, nevertheless the
package was available for exploitation from a NFS mounted partition that
contained the complete IRIX distribution.

A VideoFramer/VLAN board is not required for program exploitation. The
specific problem which I describe below involves the program sb_encode,
which allows off-line frame encoding in VideoFramer format. The result of
poor IRIX security checking is that any user can overwrite-to-destroy an
arbitrary file. It appears that many files in the installation were
improperly permissioned as setuid.

PROGRAM.  sb_encode (from vfr.sw.vfr)
AFFECTS.  at least SGI IRIX 5.x
REQUIRED. Account on server
RISK.     denial of service
AUTHOR.   Tung-Hui Hu <hhui () stardot net>

---

PROBLEM. sb_encode is installed setuid in /usr/video/vfr/bin and does not
check for permissions/ownership. sb_encode takes an IRIS RGB-format image
file and spits out a VideoFramer format file (.vfr).

REPEAT BY: /usr/video/vfr/bin/sb_encode -o [file-to-overwrite] [iris-image]

---

PROBLEM. Many setuid scripts exist in /usr/video/vfr/bin. Though setuid
scripts are turned off by default, they may pose a potential security
risk.

---

TEMPORARY FIX.

# chmod -s /usr/video/vfr/*

---

DISCUSSION. I assume it is practically impossible to "meaningfully
exploit" a VideoFramer-encoded format. The videoframer setup utility also
exploded when I tried to create a peculiarly-named device (e.g. ;id). Then
again, setup exploded while doing most things ;) Can the preferences
.vfr_setup be exploited somehow? I haven't done more than a cursory check.

===

Tung-Hui Hu                  Comparative literature, princeton university
hhui () stardot net                             http://www.stardot.net/~hhui

Current thread:

Repost: Security bug in SGI VideoFramer [SDN-2-sgi-videoframer] Hui-Hui Hu (May 14)
- Re: Repost: Security bug in SGI VideoFramer martinh () mailhost emap co uk (May 23)