Bugtraq mailing list archives
Repost: Security bug in SGI VideoFramer [SDN-2-sgi-videoframer]
From: hhui () stardot net (Hui-Hui Hu)
Date: Tue, 14 May 1996 23:24:10 -0400
This is a repost from a few months ago. It apparently got lost in the shuffle. === Stardot Networks / Security vulnerability [SDN-2-sgi-videoframer] The VideoFramer development package on Silicon Graphics systems is subject to several security holes. This package is installed as vfr.sw.vfr. Though most SGIs I found did not have the installation, nevertheless the package was available for exploitation from a NFS mounted partition that contained the complete IRIX distribution. A VideoFramer/VLAN board is not required for program exploitation. The specific problem which I describe below involves the program sb_encode, which allows off-line frame encoding in VideoFramer format. The result of poor IRIX security checking is that any user can overwrite-to-destroy an arbitrary file. It appears that many files in the installation were improperly permissioned as setuid. PROGRAM. sb_encode (from vfr.sw.vfr) AFFECTS. at least SGI IRIX 5.x REQUIRED. Account on server RISK. denial of service AUTHOR. Tung-Hui Hu <hhui () stardot net> --- PROBLEM. sb_encode is installed setuid in /usr/video/vfr/bin and does not check for permissions/ownership. sb_encode takes an IRIS RGB-format image file and spits out a VideoFramer format file (.vfr). REPEAT BY: /usr/video/vfr/bin/sb_encode -o [file-to-overwrite] [iris-image] --- PROBLEM. Many setuid scripts exist in /usr/video/vfr/bin. Though setuid scripts are turned off by default, they may pose a potential security risk. --- TEMPORARY FIX. # chmod -s /usr/video/vfr/* --- DISCUSSION. I assume it is practically impossible to "meaningfully exploit" a VideoFramer-encoded format. The videoframer setup utility also exploded when I tried to create a peculiarly-named device (e.g. ;id). Then again, setup exploded while doing most things ;) Can the preferences .vfr_setup be exploited somehow? I haven't done more than a cursory check. === Tung-Hui Hu Comparative literature, princeton university hhui () stardot net http://www.stardot.net/~hhui
Current thread:
- Repost: Security bug in SGI VideoFramer [SDN-2-sgi-videoframer] Hui-Hui Hu (May 14)
- Re: Repost: Security bug in SGI VideoFramer martinh () mailhost emap co uk (May 23)