-----BEGIN PGP SIGNED MESSAGE-----

===========================================================================
AA-97.16                        AUSCERT Advisory
                        SGI IRIX Scanners Vulnerability
                                  14 May 1997

Last Revised: --
---------------------------------------------------------------------------

AUSCERT has received information that a vulnerability exists in the
scanners(1M) program, which is part of the Impressario package. The
vulnerability may allow local users to gain root privileges.

Exploit information regarding this vulnerability has been made publicly
available.

AUSCERT recommends that sites take the steps outlined in Section 3 as
soon as possible.

---------------------------------------------------------------------------

1. Description

AUSCERT has received information that a vulnerability exists in the
scanners(1M) program as supplied with Impressario Server 1.2. The
scanners program is a graphical tool for displaying, installing and
deleting scanning devices.

Information from the environment variable SGIHELPROOT is accepted by the
scanners program without adequate validity checks being performed. By
carefully manipulating this environment variable, it might be possible
to execute arbitrary commands with root privileges.

Impressario Server 1.2 is known to have shipped as an optional extra with
IRIX 5.x. The version of Impressario that runs under IRIX 6.2 and later
is not known to be vulnerable.

Exploit information involving this vulnerability has been made publicly
available.
Sites can determine if they have this package installed, and if the
package is vulnerable, in the following manner.

Determine if the scanners program is installed by using the command:

    % ls -l /usr/sbin/scanners
    -rwsr-xr-x    1 root     sys       117752 Apr 29 05:28 /usr/sbin/scanners

If scanners is installed, check if the version you have uses the
SGIHELPROOT environment variable by using this command and getting the
indicated output:

    % strings -a /usr/sbin/scanners | grep SGIHELPROOT | uniq
    SGIHELPROOT

If the scanners program is installed and it uses the SGIHELPROOT
environment variable, determine if it has already been patched to remove
the vulnerability described herein by using the command:

    % versions patchSG0000006.impr_scan_sw.impr
    I = Installed, R = Removed

       Name                     Date      Description

    I  patchSG0000006           05/07/97  Patch SG0000006 Impressario 1.2
    I  patchSG0000006.impr_scan_sw  05/07/97  Impressario 1.2 Scanner Software
    I  patchSG0000006.impr_scan_sw.impr  05/07/97  Scanner Base Software

If the scanners program is installed, it contains the string SGIHELPROOT,
and patchSG0000006 is not installed, then your site might be vulnerable
and the workarounds given in Section 3 should be applied immediately.

2. Impact

Local users may be able to gain root privileges.

3. Workarounds/Solution

AUSCERT recommends that sites determine if their system is vulnerable
and, if so, immediately remove the setuid and execute permissions as
stated in Section 3.1 to limit the exploitation of this vulnerability.
Sites may then wish to apply the vendor patch given in Section 3.2.

3.1 Remove permissions

To prevent the exploitation of the vulnerability described in this
advisory, AUSCERT recommends that the setuid and execute permissions be
removed from the scanners program immediately.
    # ls -l /usr/sbin/scanners
    -rwsr-xr-x    1 root     sys       117752 Apr 29 05:28 /usr/sbin/scanners
    # chmod 700 /usr/sbin/scanners
    # ls -l /usr/sbin/scanners
    -rwx------    1 root     sys       117752 Apr 29 05:28 /usr/sbin/scanners

Note that all users, except root, will lose the ability to use the
functionality of the scanners program.

3.2 Install Vendor Patch

Silicon Graphics Inc. has released a patch that appears to address the
vulnerability described in this advisory. This patch is very old and
there are some concerns about its compatibility with later software and
patches. It is advised that only sites that require the scanners program
and cannot upgrade to a later version apply this patch.

This patch is currently only available to sites that have SurfZone
membership. Sites that have Silicon Graphics Inc. support contracts but
do not have SurfZone membership should contact Silicon Graphics customer
support to obtain this patch.

Sites with SurfZone membership can retrieve this patch from:

    http://www.surf.sgi.com/SurfZone/Support/allpatch/pinfo/i5.2.p6.html

4. Additional measures

Most Unix systems ship with numerous programs which have setuid or
setgid privileges. Often the functionality supplied by these privileged
programs is not required by many sites. The large number of privileged
programs shipped by default is there to cater for all possible uses of
the system.

AUSCERT encourages sites to examine all the setuid/setgid programs and
determine the necessity of each program. If a program does not
absolutely require the setuid/setgid privileges to operate (for example,
it is only run by the root user), the setuid/setgid privileges should be
removed. Furthermore, if a program is not required at your site, then
all execute permissions should be removed.
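The following POSIX sh script is an added example, not part of the AUSCERT advisory: check_scanners automates the Section 1 test (file present, setuid bit set, SGIHELPROOT referenced, patchSG0000006 not reported by the IRIX versions command, which is consulted only where it exists), and audit_setuid implements the Section 4 recommendation by listing setuid/setgid files under a directory that are not on a site-maintained allowlist. The default path, the allowlist format and the parsing of versions output are assumptions.

```shell
#!/bin/sh
# Added example, not from the advisory.
# check_scanners FILE      returns 1 if FILE is setuid, references
#                          SGIHELPROOT and no patch is found; 0 otherwise.
# audit_setuid DIR ALLOW   prints setuid/setgid files under DIR that are
#                          not listed (one path per line) in ALLOW.

check_scanners() {
    f=${1:-/usr/sbin/scanners}          # assumed default location
    [ -f "$f" ] || { echo "$f: not installed"; return 0; }
    # -u is true only when the setuid bit is set (Section 3.1 removes it)
    [ -u "$f" ] || { echo "$f: not setuid"; return 0; }
    # grep -a searches the binary, like 'strings -a | grep' in Section 1
    grep -a -q SGIHELPROOT "$f" || { echo "$f: no SGIHELPROOT"; return 0; }
    # IRIX-only: treat a leading "I" in versions output as "Installed"
    if command -v versions >/dev/null 2>&1 &&
       versions patchSG0000006.impr_scan_sw.impr 2>/dev/null |
       grep -q '^ *I '; then
        echo "$f: patchSG0000006 installed"; return 0
    fi
    echo "$f: setuid, uses SGIHELPROOT, patch not found: POTENTIALLY VULNERABLE"
    return 1
}

audit_setuid() {
    dir=$1; allow=$2
    # Same find expression as the advisory, filtered by the allowlist
    find "$dir" \( -perm -4000 -o -perm -2000 \) -type f 2>/dev/null |
    while IFS= read -r p; do
        grep -qxF "$p" "$allow" 2>/dev/null || echo "$p"
    done
}
```

Run audit_setuid against / as root on a quiet system and review every path it prints; anything unneeded gets chmod 700 as in Section 3.1.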
A sample command to find all setuid/setgid programs is (run as root):

    # find / \( -perm -4000 -o -perm -2000 \) -type f -exec ls -l {} \;

It is AUSCERT's experience that many vulnerabilities are being discovered
in setuid/setgid programs which are not necessary for the correct
operation of most systems. Sites can increase their security by removing
unnecessary setuid/setgid programs. For example, the functionality
provided by the scanners program is not needed by many sites. If sites
had previously disabled this program, they would not have been
susceptible to this latest vulnerability.

---------------------------------------------------------------------------

AUSCERT wishes to thank Silicon Graphics Inc. and Wolfgang Ley of
DFN-CERT for their assistance in this matter.

---------------------------------------------------------------------------

The AUSCERT team have made every effort to ensure that the information
contained in this document is accurate. However, the decision to use the
information described is the responsibility of each user or
organisation. The appropriateness of this document for an organisation
or individual system should be considered before application in
conjunction with local policies and procedures. AUSCERT takes no
responsibility for the consequences of applying the contents of this
document.

If you believe that your system has been compromised, contact AUSCERT or
your representative in FIRST (Forum of Incident Response and Security
Teams).

AUSCERT is located at The University of Queensland within the Prentice
Centre. AUSCERT is a full member of the Forum of Incident Response and
Security Teams (FIRST).

AUSCERT maintains an anonymous FTP service which is found on:
ftp://ftp.auscert.org.au/pub/. This archive contains past SERT and
AUSCERT Advisories, and other computer security information.

AUSCERT also maintains a World Wide Web service which is found on:
http://www.auscert.org.au/.
Internet Email: auscert@auscert.org.au
Facsimile:      (07) 3365 4477
Telephone:      (07) 3365 4417 (International: +61 7 3365 4417)
                AUSCERT personnel answer during Queensland business hours
                which are GMT+10:00 (AEST).
                On call after hours for emergencies.

Postal:         Australian Computer Emergency Response Team
                Prentice Centre
                Brisbane
                Qld. 4072.
                AUSTRALIA

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
Revision History
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~