-----BEGIN PGP SIGNED MESSAGE-----

===============================================================================
Security Advisory                                                       CERT-NL
===============================================================================
Author/Source : Xander Jansen                          Index  : S-96-60
Distribution  : World                                  Page   : 1
Classification: External                               Version: 1
Subject       : SGI Desktop System Monitor Subsystem   Date   : 31-Oct-96
                Vulnerability
===============================================================================

By courtesy of Silicon Graphics Inc. we received information on a
vulnerability in the Desktop System Monitor Subsystem used in various
versions of the IRIX operating system.

The security vulnerability found could allow an unprivileged user to
execute any existing binary as other UIDs including possibly root.

CERT-NL recommends that this information be acted upon as soon as possible.

==============================================================================
______________________________________________________________________________

                Silicon Graphics Inc. Security Advisory

        Title:   IRIX 5.0.x, 5.1.x, 5.2, 5.3, 6.0.x, 6.1 and 6.2
        Title:   Desktop System Monitor Subsystem Vulnerability
        Number:  19961001-01-PX
        Date:    October 30, 1996
______________________________________________________________________________

Silicon Graphics provides this information freely to the SGI user community
for its consideration, interpretation, implementation and use. Silicon
Graphics recommends that this information be acted upon as soon as possible.

Silicon Graphics will not be liable for any indirect, special, or
consequential damages arising from the use of, failure to use or improper
use of any of the instructions or information in this Security Advisory.
______________________________________________________________________________

As part of on-going security activities, Silicon Graphics Engineering and
Worldwide Customer Service divisions have discovered a vulnerability in
the IRIX 5.0.x, 5.1.x, 5.2, 5.3, 6.0.x, 6.1 and 6.2 Desktop System Monitor
subsystem.

Silicon Graphics Inc. has investigated the issue and recommends the
following steps for neutralizing the exposure. It is HIGHLY RECOMMENDED
that these measures be implemented on ALL SGI systems running IRIX
versions 5.0.x, 5.1.x, 5.2, 5.3, 6.0.x, 6.1 and 6.2. This issue will be
corrected in future releases of IRIX.

- --------------
- --- Impact ---
- --------------

The purpose of the Desktop System Monitor subsystem is to provide a set
of programs that monitor and report system activity. The programs work
in conjunction to provide system status and report possible error or
critical conditions.

The security vulnerability found within this set of programs could allow
an unprivileged user to execute any existing binary as other UIDs
including possibly root.

It should be noted that exploit is very obscure and difficult.
Additionally, a local account and physical access to the console is
required in order to exploit this vulnerability.

- ----------------
- --- Solution ---
- ----------------

**** IRIX 4.x ****

This version of IRIX is not vulnerable as the Desktop System Monitor
subsystem is not part of available software for this IRIX version.
No action is required.

**** IRIX 5.0.x, 5.1.x, and 5.2 ****

There is no patch available for IRIX operating system versions 5.0.x,
5.1.x, and 5.2. However, two possible actions still remain to address
this vulnerability in these IRIX versions.

The first option is to upgrade the system to IRIX 5.3 or higher and then
install the security patch for that version. See the sections below for
IRIX 5.3 and higher for more information.

For those systems that can not be upgraded, the /etc/syslog.conf file
can be edited to disable the service that is vulnerable.

     1) Become the root user on the system.

                % /bin/su -
                Password:
                #

     2) Edit the file /etc/syslog.conf. Place a "#" as the first
        character of the sysmonpp line to comment out and deactivate
        the service.

                # vi /etc/syslog.conf

          {Find the following line}

                *.crit          |/var/adm/sysmonpp /var/adm/SYSLOG

          {Place a "#" as the first character of the sysmonpp line}

                #*.crit         |/var/adm/sysmonpp /var/adm/SYSLOG

          {Save the file and exit}

     3) Force syslogd to re-read the configuration file.

                # /etc/killall -HUP syslogd

     4) Return to previous level.

                # exit
                $

**** IRIX 5.3 ****

For the IRIX operating system version 5.3, an inst-able patch is
available. This patch is the same patch as available for IRIX 6.1.
Please, refer to the section below for IRIX 6.1.

**** IRIX 6.0.x ****

IRIX operating system version 6.0.x was a limited release version.
For the IRIX operating system version 6.0.x an upgrade to 6.1 or better
is required first. When the upgrade is completed, then the security
patches described in the following sections can be applied depending on
the final version of the upgrade.

**** IRIX 5.3 and 6.1 ****

For the IRIX operating system versions 5.3 and 6.1 an inst-able patch
has been generated and made available via anonymous FTP and your
service/support provider. The patch is number 1110 and will install
on IRIX 5.3 and 6.1.

The SGI anonymous FTP site is sgigate.sgi.com (204.94.209.1) or its
mirror, ftp.sgi.com.
Patch 1110 can be found in the following directories on the FTP server:

        ~ftp/Security

                or

        ~ftp/Patches/5.3
        ~ftp/Patches/6.1

                        ##### Checksums ####

The actual patch will be a tar file containing the following files:

Filename:                 README.patch.1110
Algorithm #1 (sum -r):    26694 8 README.patch.1110
Algorithm #2 (sum):       47465 8 README.patch.1110
MD5 checksum:             0A6217E4932A04E2D3BCE5B7FFDC6741

Filename:                 patchSG0001110
Algorithm #1 (sum -r):    51217 4 patchSG0001110
Algorithm #2 (sum):       64545 4 patchSG0001110
MD5 checksum:             366A2A19ABED47A5A0B4A25B4876051A

Filename:                 patchSG0001110.idb
Algorithm #1 (sum -r):    53794 14 patchSG0001110.idb
Algorithm #2 (sum):       65228 14 patchSG0001110.idb
MD5 checksum:             8B7505A98DF8CA687586026F204DB6A6

Filename:                 patchSG0001110.insight_sw
Algorithm #1 (sum -r):    17118 6066 patchSG0001110.insight_sw
Algorithm #2 (sum):       7172 6066 patchSG0001110.insight_sw
MD5 checksum:             7D94AE16B413B047640A62386CC545A3

Filename:                 patchSG0001110.sysmon_books
Algorithm #1 (sum -r):    01525 432 patchSG0001110.sysmon_books
Algorithm #2 (sum):       49398 432 patchSG0001110.sysmon_books
MD5 checksum:             5E2578DB0966A33337BDED1B09943EF9

Filename:                 patchSG0001110.sysmon_sw
Algorithm #1 (sum -r):    56940 103 patchSG0001110.sysmon_sw
Algorithm #2 (sum):       32061 103 patchSG0001110.sysmon_sw
MD5 checksum:             04518044EAF1507F00473EC10C88CB7E

**** IRIX 6.2 ****

For the IRIX operating system version 6.2 an inst-able patch has been
generated and made available via anonymous FTP and your service/support
provider. The patch is number 1417 and will install on IRIX 6.2.

The SGI anonymous FTP site is sgigate.sgi.com (204.94.209.1) or its
mirror, ftp.sgi.com.
Patch 1417 can be found in the following directories on the FTP server:

        ~ftp/Security

                or

        ~ftp/Patches/6.2

                        ##### Checksums ####

The actual patch will be a tar file containing the following files:

Filename:                 README.patch.1417
Algorithm #1 (sum -r):    55229 7 README.patch.1417
Algorithm #2 (sum):       14087 7 README.patch.1417
MD5 checksum:             B9D3AF622C2EE231C5BD89E03462C406

Filename:                 patch1417.pgp.and.chksums
Algorithm #1 (sum -r):    13169 1 patch1417.pgp.and.chksums
Algorithm #2 (sum):       36412 1 patch1417.pgp.and.chksums
MD5 checksum:             CBE630E8B05342BBB59C8A67F20CAFF4

Filename:                 patchSG0001417
Algorithm #1 (sum -r):    03718 1 patchSG0001417
Algorithm #2 (sum):       33504 1 patchSG0001417
MD5 checksum:             CD923FF53E0AA47E0098911BB4C05744

Filename:                 patchSG0001417.idb
Algorithm #1 (sum -r):    41936 1 patchSG0001417.idb
Algorithm #2 (sum):       39241 1 patchSG0001417.idb
MD5 checksum:             7D12AF794CA9AE55C24BE214E6517FE0

Filename:                 patchSG0001417.insight_sw
Algorithm #1 (sum -r):    65383 3084 patchSG0001417.insight_sw
Algorithm #2 (sum):       10317 3084 patchSG0001417.insight_sw
MD5 checksum:             5CBF3E38119A36E5C5AC1EB1100E195C

**** IRIX 6.3 ****

The IRIX operating system version 6.3 is not vulnerable to this issue.
No further action is required.

==============================================================================
CERT-NL is the Computer Emergency Response Team for SURFnet customers.
SURFnet is the Dutch network for educational, research and related
institutes. CERT-NL is a member of the Forum of Incident Response and
Security Teams (FIRST).

All CERT-NL material is available under:
        http://www.surfnet.nl/surfnet/security/cert-nl.html
        ftp://ftp.surfnet.nl/surfnet/net-security

In case of computer or network security problems please contact your
local CERT/security-team or CERT-NL (if your institute is NOT a SURFnet
customer please address the appropriate (local) CERT/security-team).

CERT-NL is one/two hour(s) ahead of UTC (GMT) in winter/summer,
i.e. UTC+0100 in winter and UTC+0200 in summer (DST).

Email:     cert-nl@surfnet.nl
Phone:     +31 302 305 305
Fax:       +31 302 305 329
Snailmail: SURFnet bv
           Attn. CERT-NL
           P.O. Box 19035
           NL - 3501 DA  UTRECHT
           The Netherlands

A 7 * 24 hours phone number is available to SURFnet SSC's and FIRST
members on request.
==============================================================================

-----BEGIN PGP SIGNATURE-----
Version: 2.6.3ia
Charset: noconv

iQCVAwUBMniUv2L2fnkJN/jpAQE69AP/Sj8tM+312W3KDEAfzBhTVU+Wqx3s6YWi
vO/y4VNXwBDHt905NsOl+u182a63eJjtsNSadCWNzSZ1WPWuO6hSOHMXQXSC79BB
NWCc6RQhQWw1gBZulqjHgZcwPFByR7qXmVW/oh+ThLGW2llvwSwTfXSb2VyGnw54
QptiD1fbbgg=
=PIrb
-----END PGP SIGNATURE-----
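
The /etc/syslog.conf workaround that the advisory gives for IRIX 5.0.x, 5.1.x and 5.2 can be applied idempotently and with a backup. This is an added example, not part of the signed advisory and not SGI or CERT-NL code. The function names and the ".pre-sysmonpp" backup suffix are assumptions; the HUP to syslogd is left as a printed reminder.

```sh
#!/bin/sh
# Added example: apply the advisory's /etc/syslog.conf workaround idempotently.
# Only the sysmonpp path and the sample line come from the advisory; the
# function names and the ".pre-sysmonpp" backup suffix are assumptions.

# Active entry = first non-blank character is not "#" and the line pipes
# messages to /var/adm/sysmonpp ("|" is a literal in a basic regex).
PAT='^[[:space:]]*[^#[:space:]].*|[[:space:]]*/var/adm/sysmonpp'

# Print the number of active sysmonpp entries in file $1.
sysmonpp_active() {
    grep -c "$PAT" "$1" || :
}

# Comment out every active sysmonpp entry in file $1.
# Returns 0 if none remain, 1 if the edit did not take, 2 on I/O errors.
disable_sysmonpp() {
    conf=$1
    [ -f "$conf" ] || { echo "$conf: not found" >&2; return 2; }
    n=$(sysmonpp_active "$conf")
    if [ "$n" -eq 0 ]; then
        echo "$conf: no active sysmonpp entry, nothing to do"
        return 0
    fi
    cp -p "$conf" "$conf.pre-sysmonpp" || return 2   # keep the original
    tmp="$conf.tmp.$$"
    sed "\\%${PAT}%s/^/#/" "$conf" > "$tmp" || { rm -f "$tmp"; return 2; }
    # Write back through the existing file so owner and mode are unchanged.
    cat "$tmp" > "$conf" || { rm -f "$tmp"; return 2; }
    rm -f "$tmp"
    [ "$(sysmonpp_active "$conf")" -eq 0 ] || return 1
    echo "$conf: commented out $n entry(ies); next: /etc/killall -HUP syslogd"
}

# Demo on a constructed sample file, never the live configuration.
demo="${TMPDIR:-/tmp}/syslog.conf.demo.$$"
{
    printf 'kern.debug\t\t/var/adm/SYSLOG\n'
    printf '*.crit\t\t|/var/adm/sysmonpp /var/adm/SYSLOG\n'
} > "$demo"
disable_sysmonpp "$demo"
cat "$demo"
rm -f "$demo" "$demo.pre-sysmonpp"
```

On a real system the function would be called as root on /etc/syslog.conf, and sysmonpp_active can be run on its own afterwards to confirm no active entry has been reintroduced.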