******************************************************************************
                          A D V I S O R Y   97.37
******************************************************************************

Topic:          SGI Buffer Overflow Vulnerabilities
Source:         CERT/CC
Creation Date:  July 16, 1997
Last Updated:

To aid in the wide distribution of essential security information, FedCIRC
is forwarding the following information from CERT/CC advisory CA-97.21.
FedCIRC urges you to act on this information as soon as possible. If you
have any questions, please contact FedCIRC:

    Telephone: +1 888 282 0870
    Email:     fedcirc@fedcirc.gov

=======================FORWARDED TEXT STARTS HERE============================

-----BEGIN PGP SIGNED MESSAGE-----

=============================================================================
CERT* Advisory CA-97.21
Original issue date: July 16, 1997
Last revised: --

Topic: SGI Buffer Overflow Vulnerabilities
- -----------------------------------------------------------------------------

           The technical content of this advisory was originally published
           by AUSCERT (AA-97.19, AA-97.20, AA-97.21, AA-97.22, AA-97.23,
           AA-97.24). We use it here with their permission.

- -----------------------------------------------------------------------------

Some SGI IRIX systems have buffer overflow vulnerabilities in the following
programs:

        df
        pset
        eject
        login/scheme
        ordist
        xlock

These vulnerabilities may allow local users to gain root privileges. Exploit
information involving these vulnerabilities has been made publicly available.
A more detailed discussion of each problem appears in Section I.

All these buffer overflow problems can be addressed by similar workarounds or
by installing a wrapper developed by AUSCERT (see Section III).

We will update this advisory as we receive additional information.
Please check our advisory files regularly for updates that relate to your
site.

- -----------------------------------------------------------------------------

I.   Description

     Due to insufficient bounds checking on arguments that are supplied by
     users, it is possible to overwrite the internal stack space of the
     programs listed above while they are executing. By supplying a carefully
     designed argument to one of these programs, intruders may be able to
     force the program to execute arbitrary commands.

     As the programs (except pset) are setuid root, this may allow intruders
     to run arbitrary commands with root privileges. As pset is setgid sys,
     this may allow intruders to run arbitrary commands with the privileges
     of group sys. This may then be leveraged to gain root privileges.

     A. df

        df(1) is a program used to display statistics about the amount of
        used and free disc space on file systems.

        You can determine if this program is installed by typing

                % ls -l /sbin/df

        df is installed by default in /sbin. We encourage you to check for
        the presence of this program regardless of the version of IRIX
        installed.

     B. pset

        pset(1M) is a program used to display and modify information
        concerning the use of processor sets in the current system. The pset
        command is used on multi-processor systems to restrict the execution
        of different classes of jobs.

        You can determine if this program is installed by typing

                % ls -l /sbin/pset

        pset is installed by default in /sbin. We encourage you to check for
        the presence of this program regardless of the version of IRIX
        installed.

     C. eject

        eject(1) is a program used to eject a removable media device, such
        as floppy, CDROM, or tape. If the floppy or CDROM is mounted, eject
        will first try to unmount it.

        You can determine if this program is installed by typing

                % ls -l /usr/sbin/eject

        eject is installed by default in /usr/sbin. We encourage you to
        check for the presence of this program regardless of the version of
        IRIX installed.

     D. login/scheme

        login(1) is a program used at the beginning of each terminal session
        that allows users to identify themselves to the session. Under
        current versions of IRIX, this functionality is supplied by the
        program /usr/lib/iaf/scheme. The login program is a symbolic link to
        /usr/lib/iaf/scheme.

        The login program is installed in /usr/bin/login. Under default
        configurations, this is a symbolic link to /usr/lib/iaf/scheme.

                % ls -l /usr/bin/login
                lrwxr-xr-x  1 root  sys  17 Nov 22  1994 /usr/bin/login -> ../lib/iaf/scheme

                % ls -l /usr/lib/iaf/scheme
                -rwsr-xr-x  1 root  sys  65832 Nov 22  1994 /usr/lib/iaf/scheme

        Although this vulnerability has been verified only under IRIX 6.2,
        it is believed to affect other versions of IRIX, including IRIX 5.x.

     E. ordist

        ordist(1c) is a program used to maintain identical copies of files
        over multiple hosts. It preserves the owner, group, mode and mtime
        of a file if possible.

        You can determine if this program is installed by typing

                % ls -l /usr/bsd/ordist

        ordist is installed by default in /usr/bsd. We encourage you to
        check for the presence of this program regardless of the version of
        IRIX installed.

     F. xlock

        xlock(1) is a program that locks the local X display until a
        password is entered.

        You can determine if this program is installed by typing

                % ls -l /usr/bin/X11/xlock

        xlock is installed by default in /usr/bin/X11. We encourage you to
        check for the presence of this program regardless of the version of
        IRIX installed.

        For more information about vulnerabilities in xlock, see

                ftp://info.cert.org/pub/cert_advisories/CA-97.13.xlock

II.  Impact

     A. df
        Local users may gain root privileges.

     B. pset
        Local users may gain the privileges of group sys. These privileges
        may then be used to gain root privileges.

     C. eject
        Local users may gain root privileges.

     D. login/scheme
        Local users may gain root privileges.

     E. ordist
        Local users may gain root privileges.

     F. xlock
        Local users may gain root privileges.

III. Solution

     There are several possible solutions for these problems. In Section A,
     we recommend installing vendor patches. In Section B, we discuss
     workarounds you can use until you install vendor patches. If the
     workaround is inappropriate for your site, an alternative is to install
     a wrapper program developed by AUSCERT. Information about the wrapper
     is in Section C.

     A. Vendor patches

        Currently there are no vendor patches available that address these
        vulnerabilities. The CERT/CC recommends installing official vendor
        patches when they are available.

     B. Workaround

        You should prevent the exploitation of this vulnerability by
        immediately applying the workaround, which is to remove the setuid
        and non-root execute permissions of the df, eject, login/scheme,
        ordist, and xlock programs and to remove the setgid and non-root
        execute permissions of pset. If the functionality provided by these
        programs is required by non-root users, apply the wrapper discussed
        in Section C.

        1. df

           To prevent the exploitation of the vulnerability described in
           this advisory, you should remove setuid permissions from the df
           program immediately. As df will no longer work for non-root
           users, we recommend removing the execute permissions for them
           also.

                # ls -l /sbin/df
                -r-sr-xr-x  1 root  sys  23136 Nov 22  1994 /sbin/df
                # chmod 500 /sbin/df
                # ls -l /sbin/df
                -r-x------  1 root  sys  23136 Nov 22  1994 /sbin/df

        2. pset

           To prevent the exploitation of this vulnerability, we recommend
           that you remove the setgid permissions from the pset program
           immediately. As pset will no longer work for non-root users, we
           recommend removing the execute permissions for them also.

                # ls -l /sbin/pset
                -rwsr-sr-x  1 root  sys  31704 Nov 22  1994 /sbin/pset
                # chmod 500 /sbin/pset
                # ls -l /sbin/pset
                -r-x------  1 root  sys  31704 Nov 22  1994 /sbin/pset

        3. eject

           To prevent the exploitation of the vulnerability described in
           this advisory, you should remove the setuid permissions from the
           eject program immediately.
           As eject will no longer have its full functionality for non-root
           users, we also recommend removing the execute permissions for
           these users.

                # ls -l /usr/sbin/eject
                -rwsr-xr-x  1 root  sys  45892 Nov 28 15:09 /usr/sbin/eject
                # chmod 500 /usr/sbin/eject
                # ls -l /usr/sbin/eject
                -r-x------  1 root  sys  45892 Nov 28 15:09 /usr/sbin/eject

        4. login/scheme

           To prevent the exploitation of the vulnerability described in
           this advisory, remove the setuid permissions from the scheme
           program immediately.

                # ls -l /usr/lib/iaf/scheme
                -rwsr-xr-x  1 root  sys  58324 Nov 28  1996 /usr/lib/iaf/scheme
                # chmod 500 /usr/lib/iaf/scheme
                # ls -l /usr/lib/iaf/scheme
                -r-x------  1 root  sys  58324 Nov 28  1996 /usr/lib/iaf/scheme

        5. ordist

           To prevent the exploitation of the vulnerability described in
           this advisory, you should remove the setuid permissions from the
           ordist program immediately. As ordist will no longer work for
           non-root users, we recommend removing the execute permissions
           for them also.

                # ls -l /usr/bsd/ordist
                -rwsr-xr-x  1 root  sys  70564 Nov 28 15:07 /usr/bsd/ordist
                # chmod 500 /usr/bsd/ordist
                # ls -l /usr/bsd/ordist
                -r-x------  1 root  sys  70564 Nov 28 15:07 /usr/bsd/ordist

        6. xlock

           To prevent the exploitation of the vulnerability described in
           this advisory, you should remove the setuid permissions from the
           xlock program immediately. As xlock will no longer work for
           non-root users, we recommend removing the execute permissions
           for them also.

                # ls -l /usr/bin/X11/xlock
                -rwsr-xr-x  1 root  sys  95188 Nov 28  1996 /usr/bin/X11/xlock
                # chmod 500 /usr/bin/X11/xlock
                # ls -l /usr/bin/X11/xlock
                -r-x------  1 root  sys  95188 Nov 28  1996 /usr/bin/X11/xlock

     C. Workaround

        AUSCERT has developed a wrapper to help prevent programs from being
        exploited using the vulnerabilities described in this advisory.
        Sites that have a C compiler can obtain the source, and compile and
        install the wrapper as described in Section 1, below. For sites
        without a C compiler, AUSCERT has made pre-compiled binaries
        available as described in Section 2.

        1. Installing the wrapper from source

           The source for the wrapper, including installation instructions,
           can be found at

                ftp://ftp.auscert.org.au/pub/auscert/tools/overflow_wrapper/overflow_wrapper.c

           This wrapper replaces the df program and checks the length of the
           command line arguments which are passed to it. If an argument
           exceeds a certain predefined value (MAXARGLEN), the wrapper exits
           without executing the df command. The wrapper program can also be
           configured to syslog any failed attempts to execute df with
           arguments exceeding MAXARGLEN. For further instructions on using
           this wrapper, please read the comments at the top of
           overflow_wrapper.c.

           When compiling overflow_wrapper.c for use with df, AUSCERT
           recommends defining MAXARGLEN to be 32.

           The MD5 checksum for the current version of overflow_wrapper.c
           can be retrieved from

                ftp://ftp.auscert.org.au/pub/auscert/tools/overflow_wrapper/CHECKSUM

           The CHECKSUM file has been digitally signed using the AUSCERT PGP
           key.

        2. Installing the wrapper binaries

           A pre-compiled wrapper binary is provided for sites that wish to
           install the wrapper but do not have a C compiler available.
           AUSCERT has compiled the wrapper on IRIX 5.3; however, later
           versions of IRIX should be able to use the wrapper binary without
           recompilation.

           The pre-compiled binaries for the wrapper program can be
           retrieved for each vulnerability. Sites are encouraged to
           carefully read the installation notes in the README file before
           installation.

           a. df

              The following compile time options have been used to create
              the binaries:

                REAL_PROG='"/sbin/df.real"'
                MAXARGLEN=32
                SYSLOG

              More information on these options can be found in the
              overflow_wrapper.c source code.
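The argument-length check that Section III.C.1 describes, as an added example: this is not AUSCERT's overflow_wrapper.c (obtain that, and its signed CHECKSUM, from the ftp site above), but an independent C program built along the same lines, using the REAL_PROG, MAXARGLEN and SYSLOG compile-time options listed above for df. Installed in place of the setuid program, it refuses to exec REAL_PROG when any argv element is longer than MAXARGLEN bytes and, when built with -DSYSLOG, records the refusal. The default /sbin/df.real path, the syslog facility and the message wording are this example's own choices, not the advisory's.

```c
/* Added example, not AUSCERT's overflow_wrapper.c: a minimal argument-length
 * wrapper of the kind Section III.C describes.  Build it in front of df with
 *   cc -DREAL_PROG='"/sbin/df.real"' -DMAXARGLEN=32 -DSYSLOG wrapper.c -o df
 * The option names mirror those the advisory lists; the defaults below are
 * this example's assumptions for a build that passes none of them. */
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <unistd.h>
#ifdef SYSLOG
#include <syslog.h>
#endif

#ifndef REAL_PROG
#define REAL_PROG "/sbin/df.real"   /* assumed name of the renamed original */
#endif
#ifndef MAXARGLEN
#define MAXARGLEN 32                /* the value the advisory recommends for df */
#endif

/* Return -1 when every element of argv is at most maxlen bytes long, otherwise
 * the index of the first element that exceeds the limit.  argv[0] is checked
 * as well: the wrapper passes argv through to REAL_PROG unchanged, and a
 * caller controls argv[0] just as much as the other arguments. */
int first_oversized_arg(int argc, char *const argv[], size_t maxlen)
{
    int i;
    for (i = 0; i < argc; i++) {
        if (strlen(argv[i]) > maxlen)
            return i;
    }
    return -1;
}

/* Record a refused invocation.  Only the offending argument's index and
 * length and the caller's real uid are recorded, never the argument text,
 * so an overlong argument cannot place arbitrary bytes in the log. */
static void log_refusal(int idx, char *const argv[])
{
    unsigned long len = (unsigned long)strlen(argv[idx]);
#ifdef SYSLOG
    openlog("overflow_wrapper", LOG_PID, LOG_AUTH);
    syslog(LOG_WARNING, "refused %s: argument %d is %lu bytes (limit %d), uid %lu",
           REAL_PROG, idx, len, MAXARGLEN, (unsigned long)getuid());
    closelog();
#else
    fprintf(stderr, "%s: argument %d is %lu bytes long (limit %d)\n",
            REAL_PROG, idx, len, MAXARGLEN);
#endif
}

int main(int argc, char *argv[])
{
    int bad = first_oversized_arg(argc, argv, MAXARGLEN);
    if (bad != -1) {
        log_refusal(bad, argv);
        return 1;                 /* exit without running REAL_PROG */
    }
    execv(REAL_PROG, argv);       /* same argv, so REAL_PROG sees its usual name */
    perror(REAL_PROG);            /* reached only if the exec itself failed */
    return 1;
}
```

The wrapper inherits the set-ID bit the original program carried, so it is now the privileged entry point; keeping it to a strlen() loop and an execv() is deliberate, since any parsing it did of its own would be new code running as root. The installation steps (renaming the original to df.real, giving the wrapper the original's owner and mode) are described in the README that accompanies AUSCERT's tarballs, not in this example.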
              You can get the pre-compiled binaries for the wrapper program
              from

                ftp://ftp.auscert.org.au/pub/auscert/tools/AA-97.19-df_wrapper.tar.Z

                MD5 (AA-97.19-df_wrapper.tar.Z) = 9d21e6358129cccbe3768757a5361f56

              AA-97.19-df_wrapper.tar.Z contains a README file with
              installation instructions, as well as a pre-compiled binary.

           b. pset

              The following compile time options have been used to create
              the binaries:

                REAL_PROG='"/sbin/pset.real"'
                MAXARGLEN=32
                SYSLOG

              More information on these options can be found in the
              overflow_wrapper.c source code.

              You can get the pre-compiled binaries for the wrapper program
              from

                ftp://ftp.auscert.org.au/pub/auscert/tools/AA-97.20-pset_wrapper.tar.Z

                MD5 (AA-97.20-pset_wrapper.tar.Z) = 875367aec70936fc5f4531b0ba8ebc03

              AA-97.20-pset_wrapper.tar.Z contains a README file with
              installation instructions, as well as a pre-compiled binary.

           c. eject

              The following compile time options have been used to create
              the binaries:

                REAL_PROG='"/usr/sbin/eject.real"'
                MAXARGLEN=32
                SYSLOG

              More information on these options can be found in the
              overflow_wrapper.c source code.

              The pre-compiled binaries for the wrapper program can be
              retrieved from

                ftp://ftp.auscert.org.au/pub/auscert/tools/AA-97.21-eject_wrapper.tar.Z

                MD5 (AA-97.21-eject_wrapper.tar.Z) = 276bf0f51c89e54d4c584a9e8dd9265d

              AA-97.21-eject_wrapper.tar.Z contains a README file with
              installation instructions, as well as a pre-compiled binary.

           d. login/scheme

              The following compile time options have been used to create
              the binaries:

                REAL_PROG='"/usr/lib/iaf/scheme.real"'
                MAXARGLEN=32
                SYSLOG

              More information on these options can be found in the
              overflow_wrapper.c source code.

              The pre-compiled binaries for the wrapper program can be
              retrieved from

                ftp://ftp.auscert.org.au/pub/auscert/tools/AA-97.22-scheme_wrapper.tar.Z

                MD5 (AA-97.22-scheme_wrapper.tar.Z) = dc302aa275a4009d1545180bfce8ebf4

              AA-97.22-scheme_wrapper.tar.Z contains a README file with
              installation instructions, as well as a pre-compiled binary.

           e. ordist

              The following compile time options have been used to create
              the binaries:

                REAL_PROG='"/usr/bsd/ordist.real"'
                MAXARGLEN=32
                SYSLOG

              More information on these options can be found in the
              overflow_wrapper.c source code.

              The pre-compiled binaries for the wrapper program can be
              retrieved from

                ftp://ftp.auscert.org.au/pub/auscert/tools/AA-97.23-ordist_wrapper.tar.Z

                MD5 (AA-97.23-ordist_wrapper.tar.Z) = 0eed9d9a52658181a1ce9b4ce2ed7fd2

              AA-97.23-ordist_wrapper.tar.Z contains a README file with
              installation instructions, as well as a pre-compiled binary.

           f. xlock

              The following compile time options have been used to create
              the binaries:

                REAL_PROG='"/usr/bin/X11/xlock.real"'
                MAXARGLEN=32
                SYSLOG

              More information on these options can be found in the
              overflow_wrapper.c source code.

              The pre-compiled binaries for the wrapper program can be
              retrieved from

                ftp://ftp.auscert.org.au/pub/auscert/tools/AA-97.24-xlock_wrapper.tar.Z

                MD5 (AA-97.24-xlock_wrapper.tar.Z) = fe12913cd0f7bb78193488dd58cc2f4f

              AA-97.24-xlock_wrapper.tar.Z contains a README file with
              installation instructions, as well as a pre-compiled binary.

- -----------------------------------------------------------------------------
The CERT Coordination Center staff thanks AUSCERT for permission to republish
the information in six AUSCERT advisories:

        AA-97.19.IRIX.df.buffer.overflow.vul
        AA-97.20.IRIX.pset.buffer.overflow.vul
        AA-97.21.IRIX.eject.buffer.overflow.vul
        AA-97.22.IRIX.login.scheme.buffer.overflow.vul
        AA-97.23-IRIX.ordist.buffer.overflow.vul
        AA-97.24.IRIX.xlock.buffer.overflow.vul

AUSCERT originally thanked Ian Farquhar and the Prentice Center, University
of Queensland for their assistance in the production of AA-97.22.
- -----------------------------------------------------------------------------

If you believe that your system has been compromised, contact the CERT
Coordination Center or your representative in the Forum of Incident Response
and Security Teams (see http://www.first.org/team-info/).
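A way to verify the Section III.B workaround across all six programs at once, as an added example that is not part of the CERT or AUSCERT text: a small C program that stat()s each default install path named in Section I, reports whether the set-user-ID or set-group-ID bit is still present, and with --fix applies the same chmod 500 the advisory shows. The program name, the --fix flag and the output wording are this example's own; the paths are the defaults the advisory gives and should be adjusted for sites that install elsewhere.

```c
/* Added example (not from CERT or AUSCERT): audit the programs named in
 * Section I for the set-ID bits that the Section III.B workaround removes.
 * Build:  cc setid_audit.c -o setid_audit     Run:  ./setid_audit [--fix]
 * Applying --fix requires root, like the chmod commands in the advisory. */
#include <errno.h>
#include <stdio.h>
#include <string.h>
#include <sys/stat.h>
#include <sys/types.h>

/* Default install locations listed in Section I of the advisory. */
static const char *const ADVISORY_PROGRAMS[] = {
    "/sbin/df", "/sbin/pset", "/usr/sbin/eject",
    "/usr/lib/iaf/scheme", "/usr/bsd/ordist", "/usr/bin/X11/xlock",
};
#define NPROGS (sizeof ADVISORY_PROGRAMS / sizeof ADVISORY_PROGRAMS[0])

/* Return 1 if a mode word carries the set-user-ID or set-group-ID bit. */
int has_setid_bits(mode_t mode)
{
    return (mode & (S_ISUID | S_ISGID)) != 0;
}

/* Classify one path:
 *   0  not present on this host (the advisory still asks sites to check)
 *   1  present without set-ID bits: the workaround is in place
 *   2  present with set-ID bits: the workaround has not been applied
 * stat() follows symbolic links, so /usr/bin/login resolves to scheme. */
int audit_path(const char *path)
{
    struct stat st;
    if (stat(path, &st) != 0)
        return 0;
    return has_setid_bits(st.st_mode) ? 2 : 1;
}

/* The advisory's workaround: mode 500 (r-x------), owner only.
 * Returns 0 on success, -1 with errno set otherwise (e.g. not root). */
int apply_workaround(const char *path)
{
    return chmod(path, S_IRUSR | S_IXUSR);
}

/* Audit a list of paths, optionally fixing them; return the number of
 * programs that still carry set-ID bits when the function returns. */
int audit_list(const char *const *paths, size_t n, int fix)
{
    size_t i;
    int remaining = 0;
    for (i = 0; i < n; i++) {
        int state = audit_path(paths[i]);
        if (state == 0) {
            printf("absent:  %s\n", paths[i]);
        } else if (state == 1) {
            printf("ok:      %s (no set-ID bits)\n", paths[i]);
        } else if (fix && apply_workaround(paths[i]) == 0) {
            printf("fixed:   %s (now mode 500)\n", paths[i]);
        } else {
            printf("SETID:   %s still has set-user/group-ID bits%s%s\n",
                   paths[i], fix ? " (chmod failed: " : "",
                   fix ? strerror(errno) : "");
            if (fix)
                printf(")\n");
            remaining++;
        }
    }
    return remaining;
}

int main(int argc, char *argv[])
{
    int fix = argc > 1 && strcmp(argv[1], "--fix") == 0;
    int left = audit_list(ADVISORY_PROGRAMS, NPROGS, fix);
    printf("%d program(s) still need the Section III.B workaround\n", left);
    return left ? 1 : 0;
}
```

Run without --fix, the program is a read-only check suitable for a periodic cron job or a post-install verification; a non-zero exit status means at least one of the listed programs still carries a set-ID bit. Note that the check reports only the set-ID bits; the advisory also removes execute permission for non-root users, which this example leaves to the chmod 500 it applies.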
CERT/CC Contact Information
- ----------------------------
Email    cert@cert.org

Phone    +1 412-268-7090 (24-hour hotline)
         CERT personnel answer 8:30-5:00 p.m. EST(GMT-5) / EDT(GMT-4)
         and are on call for emergencies during other hours.

Fax      +1 412-268-6989

Postal address
         CERT Coordination Center
         Software Engineering Institute
         Carnegie Mellon University
         Pittsburgh PA 15213-3890
         USA

Using encryption
   We strongly urge you to encrypt sensitive information sent by email. We can
   support a shared DES key or PGP. Contact the CERT/CC for more information.
   Location of CERT PGP key
         ftp://info.cert.org/pub/CERT_PGP.key

Getting security information
   CERT publications and other security information are available from
         http://www.cert.org/
         ftp://info.cert.org/pub/

   CERT advisories and bulletins are also posted on the USENET newsgroup
         comp.security.announce

   To be added to our mailing list for advisories and bulletins, send
   email to
         cert-advisory-request@cert.org
   In the subject line, type
         SUBSCRIBE  your-email-address

- ---------------------------------------------------------------------------

* Registered U.S. Patent and Trademark Office.

Copyright 1997 Carnegie Mellon University
This material may be reproduced and distributed without permission provided
it is used for noncommercial purposes and the copyright statement is
included.

The CERT Coordination Center is part of the Software Engineering Institute
(SEI). The SEI is sponsored by the U.S. Department of Defense.
- ---------------------------------------------------------------------------

This file:
        ftp://info.cert.org/pub/cert_advisories/CA-97.21.sgi_buffer_overflow
        http://www.cert.org
                click on "CERT Advisories"

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

Revision history

-----BEGIN PGP SIGNATURE-----
Version: 2.6.2

iQCVAwUBM8ztSnVP+x0t4w7BAQFQigQAntj8HDSrmqZcJFLRcpfQ4X12BXiclSvl
9pqeP5fXLPbjmNstfqjUvSdBojWyTSO6WAvy8j2SRBOCpOEgJSIjUxx9QfMyn4S1
OAPCsUTP2u5YE7fRHUq4xIsqU3Lr0aDNDwd6UVqwmAnFsMalBCPwSr6+5g/YDyCP
EYvrCWFK7u4=
=urqI
-----END PGP SIGNATURE-----

========================FORWARDED TEXT ENDS HERE=============================

The National Institute of Standards and Technology (NIST) has established a
Federal Computer Incident Response Capability (FedCIRC) to assist federal
civilian agencies in their incident handling efforts by providing proactive
and reactive computer security related services. FedCIRC is a partnership
among NIST, the Computer Incident Advisory Capability (CIAC), and the CERT*
Coordination Center (CERT/CC).

If you believe that your system has been compromised, please contact FedCIRC:

    Telephone:  +1 888 282 0870
    Email:      fedcirc@fedcirc.gov
    Web Server: http://www.fedcirc.gov/

* Registered in U.S. Patent and Trademark Office

The CERT Coordination Center is part of the Software Engineering Institute.
The Software Engineering Institute is sponsored by the U.S. Department of
Defense. CIAC, the Computer Incident Advisory Capability, is the computer
security incident response team for the U.S. Department of Energy (DOE) and
the emergency backup response team for the National Institutes of Health
(NIH). CIAC is located at the Lawrence Livermore National Laboratory in
Livermore, California. CIAC is also a founding member of FIRST, the Forum of
Incident Response and Security Teams, a global organization established to
foster cooperation and coordination among computer security teams worldwide.
This document was prepared as an account of work sponsored by an agency of the United States Government. Neither the United States Government nor the University of California nor any of their employees, makes any warranty, express or implied, or assumes any legal liability or responsibility for the accuracy, completeness, or usefulness of any information, apparatus, product, or process disclosed, or represents that its use would not infringe privately owned rights. Reference herein to any specific commercial products, process, or service by trade name, trademark, manufacturer, or otherwise, does not necessarily constitute or imply its endorsement, recommendation or favoring by the United States Government or the University of California. The views and opinions of authors expressed herein do not necessarily state or reflect those of the United States Government or the University of California, and shall not be used for advertising or product endorsement purposes.