=============================================================================== Security Advisory CERT-NL =============================================================================== Author/Source : Ton Verschuren Index : S-96-03 Distribution : World Page : 1 Classification: External Version: 1 Subject : SGI Incorrect Permissions on Packing SubsystDate : 02-Feb-96 =============================================================================== -----BEGIN PGP SIGNED MESSAGE----- Content-Type: text/plain; charset=us-ascii By courtesy of Silicon Graphics, Inc. we received information on a vulnerability within the "ATT Packaging Utility" (eoe2.sw.oampkg) subsystem available for the IRIX operating system. CERT-NL recommends that this information be acted upon as soon as possible. Note that CERT-NL not yet mirrors SGI patches. ============================================================================== ______________________________________________________________________________ Silicon Graphics Inc. Security Advisory Title: Incorrect Permissions on Packing Subsystem Number: 19960102-01-P Date: January 29, 1996 ______________________________________________________________________________ Silicon Graphics provides this information freely to the SGI community for its consideration, interpretation and implementation. Silicon Graphics recommends that this information be acted upon as soon as possible. Silicon Graphics will not be liable for any consequential damages arising from the use of, or failure to use or use properly, any of the instructions or information in this Security Advisory. ______________________________________________________________________________ Silicon Graphics has discovered a security vulnerability within the "ATT Packaging Utility" (eoe2.sw.oampkg) subsystem available for the IRIX operating system. SGI has investigated this issue and recommends the following steps for neutralizing the exposure. It is HIGHLY RECOMMENDED that these measures be implemented on ALL SGI systems running IRIX 5.2, 5.3, 6.0, 6.0.1, 6.1. This issue has been corrected for future releases of IRIX. -------------- --- Impact --- -------------- The "ATT Packaging Utility" (eoe2.sw.oampkg) subsystem is not installed as part of the standard IRIX operating system. It is optionally installed when manually selected to be installed when using the IRIX inst program. Therefore, not all SGI systems will have this subsystem installed. For those systems that the subsystem installed, both local and remote users may be able to overwrite files and/or become root on a targeted SGI system. ---------------- --- Solution --- ---------------- To determine if the packaging system is installed on a particular system, the following command can be used: % versions eoe2.sw.oampkg | grep oampkg I eoe2.sw.oampkg 03/25/94 ATT Packaging Utility % In the above case, the packaging system is installed and the steps below should be performed. If no output is returned by the command, the subsystem is not installed and no further action is required. *IF* the packaging subsystem is installed, the following steps can be used to neutralize the exposure by changing permissions on select programs of the eoe2.sw.oampkg subsystem. There is no patch for this issue. 1) Become the root user on your system. % /bin/su Password: # 2) Change the permissions on the following programs. # /sbin/chmod 755 /usr/pkg/bin/pkgadjust # /sbin/chmod 755 /usr/pkg/bin/abspath 3) Return to the previous user state. # exit % ----------------------------------------- --- SGI Security Information/Contacts --- ----------------------------------------- Past SGI Advisories and security patches can be obtained via anonymous FTP from sgigate.sgi.com or its mirror, ftp.sgi.com. These security patches and advisories are provided freely to all interested parties. For issues with the patches on the FTP sites, email can be sent to cse-security-alert@csd.sgi.com. For assistance obtaining or working with security patches, please contact your SGI support provider. If there are questions about this document, email can be sent to cse-security-alert@csd.sgi.com. For reporting *NEW* SGI security issues, email can be sent to security-alert@sgi.com or contact your SGI support provider. A support contract is not required for submitting a security report. ============================================================================== CERT-NL is the Computer Emergency Response Team for SURFnet customers. SURFnet is the Dutch network for educational, research and related institutes. CERT-NL is a member of the Forum of Incident Response and Security Teams (FIRST). All CERT-NL material is available under: http://www.surfnet.nl/surfnet/security/cert-nl.html ftp://ftp.surfnet.nl/surfnet/net-security In case of computer or network security problems please contact your local CERT/security-team or CERT-NL (if your institute is NOT a SURFnet customer please address the appropriate (local) CERT/security-team). CERT-NL is one/two hour(s) ahead of UTC (GMT) in winter/summer, i.e. UTC+0100 in winter and UTC+0200 in summer (DST). Email: cert-nl@surfnet.nl Phone: +31 302 305 305 Fax: +31 302 305 329 Snailmail: SURFnet bv Attn. CERT-NL P.O. Box 19035 NL - 3501 DA UTRECHT The Netherlands A 7 * 24 hours phone number is available to SURFnet SSC's and FIRST members on request. ============================================================================== -----BEGIN PGP SIGNATURE----- Version: 2.6.2i iQCVAwUBMRHRa2L2fnkJN/jpAQHLxgQAlpSvxX5wzOD/HnkXMseVepui+SZJpjda v8+ahRVVIpH99w1lCGfSH2AKOsZEzqepqnFTKABvlkjwY6UQMNXcVMPjLuIeeZ4v dfA7mXoPjNTQsww7uLclma0vRbbyY9jQ/VDDAvePVuj4wmi1V2uTa7hX9oIKF1u3 3uijU9z+2yE= =uZoT -----END PGP SIGNATURE-----