Bugtraq mailing list archives
SGI Security Advisory 19961101 - Vulnerabilities in systour and
From: agent99 () boytoy csd sgi com (SGI Security Coordinator)
Date: Wed, 6 Nov 1996 14:37:33 -0800
DISTRIBUTION RESTRICTIONS: NONE - FOR PUBLIC RELEASE
-----BEGIN PGP SIGNED MESSAGE-----
______________________________________________________________________________
Silicon Graphics Inc. Security Advisory
Title: Possible Vulnerabilities in systour and OutOfBox
Title: Subsystems for IRIX 5.x, 6.0.x, 6.1, 6.2 and 6.3
Number: 19961101-01-I
Date: November 6, 1996
______________________________________________________________________________
Silicon Graphics provides this information freely to the SGI user community
for its consideration, interpretation, implementation and use. Silicon
Graphics recommends that this information be acted upon as soon as possible.
Silicon Graphics will not be liable for any indirect, special, or
consequential damages arising from the use of, failure to use or improper
use of any of the instructions or information in this Security Advisory.
______________________________________________________________________________
Recently, potential security vulnerabilities in the OutOfBox and systour
subsystems have been advertised in several public forums. Additionally,
the Australian Computer Emergency Response Team (AUSCERT) released an
advisory (AA-96.08) on this issue.
Silicon Graphics Inc. has investigated the issues and recommends the
following steps for neutralizing exposure. It is HIGHLY RECOMMENDED
that these measures be implemented on ALL SGI systems running IRIX versions
5.0.x, 5.1.x, 5.2, 5.3, 6.0.x, 6.1, 6.2 and 6.3. This issue will be
corrected in future releases of IRIX.
- --------------
- --- Impact ---
- --------------
The Silicon Graphics Indigo Magic System Tour and OutOfBox Experience
packages are factory installed on all Silicon Graphics Indy systems.
The Indigo Magic System Tour and OutOfBox Experience packages are not
factory installed with any Silicon Graphics Indigo2 systems however, CDs
with these packages are provided with the systems.
The OutOfBox Experience subsystem is factory installed on all Silicon
Graphics O2 systems. The System Tour subsystem is not part of the
software provided for the O2 system.
Note that either or both the Indigo Magic System Tour and OutOfBox
Experience subsystems maybe be installed from CD on any Silicon Graphics
system.
The purpose of these two packages, systour and OutOfBox, are to demonstrate
and highlight the features and capabilities of the user environment and
system.
Due to the disk space requirements of these subsystems, most sites will
remove these subsystems for disk space reclamation as part of initial
system setup. Those sites which have done this will not be vulnerable.
On those systems that the subsystems are still installed on, both
subsystems provide background setuid root programs to perform a subsystem
removal when a user decides to remove the software. This removal is done
using the standard IRIX /usr/sbin/inst program that manages IRIX software.
Provided with the right environment, the inst program could be manipulated
to execute arbitrary commands with root privileges.
An account on the vulnerable system is required for exploit. With an
account, these vulnerabilities are exploitable by both local and remote
access.
- ----------------
- --- Solution ---
- ----------------
There are no patches for these issues. However, using the
information below steps can be taken to eliminate the exposure.
To determine if the OutOfBox and systour subsystems are installed
on a particular system, the following command can be used:
% versions OutOfBox.sw systour.sw
I = Installed, R = Removed
Name Date Description
I OutOfBox 11/05/96 OutOfBox Experience, 1.1
I OutOfBox.sw 11/05/96 OutOfBox Experience Software, 1.1
I OutOfBox.sw.complete 11/05/96 Complete OutOfBox Experience
I OutOfBox.sw.intro 11/05/96 OutOfBox Intro Movies
I systour 02/12/96 Indigo Magic System Tour, 5.2
I systour.sw 02/12/96 System Tour Execution Environment
I systour.sw.eoe 02/12/96 System Tour Execution Environment
In the above case, the subsystems of concern are installed and the steps
below should be performed. If no output is returned by the command,
the subsystems are not installed and no further action is required.
**** IRIX 4.x ****
The 4.x version of IRIX is not vulnerable as the System Tour and
OutOfBox Experience subsystems are not part of available software
for this IRIX version. No action is required.
**** IRIX 5.x, 6.0, 6.0.1, 6.1, 6.2 ****
There are no patches for this issue.
The steps below can be used to remove the vulnerability by either
changing the program permissions (use step 2a) or by removing the
subsystems (use step 2b).
1) Become the root user on the system.
% /bin/su -
Password:
#
2) Choose either step 2a or 2b depending on which
has the desired result.
2a) Change the setuid root permissions on the programs
of concern.
# /bin/chmod u-s /usr/lib/tour/bin/RemoveSystemTour
# /bin/chmod u-s /usr/people/tour/oob/bin/oobversions
************
*** NOTE ***
************
Removing the setuid root permissions from these tools
will prevent non-root users from removing the subsystems.
Removal of the subsystems will only be possible if the
systour or OutOfBox user is a root user or if the inst
IRIX software manager is used by root for removal.
2b) Remove the vulnerable subsystems.
# /usr/sbin/versions -v remove systour OutOfBox
4) Return to previous level.
# exit
$
**** IRIX 6.3 ****
The IRIX operating system version 6.3 does not have the System
Tour subsystem but does have the OutOfBox Experience subsystem.
There are no patches for this issue.
The steps below can be used to remove the vulnerability by either
changing the program permissions (use step 2a) or by removing the
subsystems (use step 2b).
1) Become the root user on the system.
% /bin/su -
Password:
#
2) Choose either step 2a or 2b depending on which
has the desired result.
2a) Change the setuid root permissions on the program
of concern.
# /bin/chmod u-s /usr/people/tour/oob/bin/oobversions
************
*** NOTE ***
************
Removing the setuid root permissions from this program
will prevent non-root users from removing the subsystem.
Removal of the subsystem will only be possible if the
OutOfBox user is a root user or if the inst IRIX software
manager is used by root for removal.
2b) Remove the vulnerable subsystem.
# /usr/sbin/versions -v remove OutOfBox
4) Return to previous level.
# exit
$
- ------------------------
- --- Acknowledgments ---
- ------------------------
Silicon Graphics wishes to thank AUSCERT and FIRST members worldwide for
their assistance in this matter.
- -----------------------------------------
- --- SGI Security Information/Contacts ---
- -----------------------------------------
If there are questions about this document, email can be sent to
cse-security-alert () csd sgi com.
------oOo------
Silicon Graphics provides security information and patches for
use by the entire SGI community. This information is freely
available to any person needing the information and is available
via anonymous FTP and the Web.
The primary SGI anonymous FTP site for security information and patches
is sgigate.sgi.com (204.94.209.1). Security information and patches
are located under the directories ~ftp/security and ~ftp/patches,
respectively. The Silicon Graphics Security Headquarters Web page is
accessible at the URL http://www.sgi.com/Support/Secur/security.html.
For issues with the patches on the FTP sites, email can be sent to
cse-security-alert () csd sgi com.
For assistance obtaining or working with security patches, please
contact your SGI support provider.
------oOo------
Silicon Graphics provides a free security mailing list service
called wiretap and encourages interested parties to self-subscribe
to receive (via email) all SGI Security Advisories when they are
released. Subscribing to the mailing list can be done via the Web
(http://www.sgi.com/Support/Secur/wiretap.html) or by sending email
to SGI as outlined below.
% mail wiretap-request () sgi com
subscribe wiretap <YourEmailAddress>
end
^d
In the example above, <YourEmailAddress> is the email address that you
wish the mailing list information sent to. The word end must be on a
separate line to indicate the end of the body of the message. The
control-d (^d) is used to indicate to the mail program that you are
finished composing the mail message.
------oOo------
Silicon Graphics provides a comprehensive customer World Wide Web site.
This site is located at http://www.sgi.com/Support/Secur/security.html.
------oOo------
For reporting *NEW* SGI security issues, email can be sent to
security-alert () sgi com or contact your SGI support provider. A
support contract is not required for submitting a security report.
-----BEGIN PGP SIGNATURE-----
Version: 2.6.2
iQCVAwUBMoESXrQ4cFApAP75AQH6OAQAwqAMKeBjs2VB1jH7RjKHY9f2eh+aqAsh
EGo0YpJw0U57UxQhEQeB6tfrgHzc6e+0n7HQaQ4uPLm+LuElNNiNHd9fAGrV3bCW
W6b59Zdti8PMXLG0Pl2z43Yi+5ABZGGLnYNdvbS7W2wK4oa61vu5QqhFX8ItZ/jp
RW92YXFTH5I=
=kMje
-----END PGP SIGNATURE-----
Current thread:
- SGI Security Advisory 19961101 - Vulnerabilities in systour and SGI Security Coordinator (Nov 06)