From agent99@boytoy.csd.sgi.com Mon Aug 26 16:43:56 1996
Date: Mon, 26 Aug 1996 10:39:01 -0700
From: SGI Security Coordinator
To: agent99@sgi.com
Subject: SGI Security Advisory 19960802-01 - Vulnerability in expreserve

RELEASE RESTRICTIONS - NONE - FOR PUBLIC RELEASE

-----BEGIN PGP SIGNED MESSAGE-----

______________________________________________________________________________

                  Silicon Graphics Inc. Security Advisory

        Title:   Vulnerability in expreserve
        Title:   CERT(sm) Advisory CA-96.19
        Number:  19960802-01-I
        Date:    October 23, 1996
______________________________________________________________________________

Silicon Graphics provides this information freely to the SGI user community
for its consideration, interpretation, implementation and use.  Silicon
Graphics recommends that this information be acted upon as soon as possible.

Silicon Graphics will not be liable for any indirect, special, or
consequential damages arising from the use of, failure to use or improper
use of any of the instructions or information in this Security Advisory.
______________________________________________________________________________

- -------------------
- --- Description ---
- -------------------

In CERT(sm) Advisory CA-96.19, titled "Vulnerability in expreserve", a
security vulnerability in the expreserve program is discussed.

According to the CERT(sm) advisory, the expreserve program has setuid root
privileges, which creates a vulnerability that allows users to overwrite any
file on the system.

- --------------
- --- Impact ---
- --------------

As reported by the CERT(sm) Advisory, when exploited, this vulnerability
could allow users with access to an account on the system to gain root
privileges.

Impact for Silicon Graphics IRIX systems is different and very limited; see
the "Solution" section.

- ----------------
- --- Solution ---
- ----------------

SGI has investigated the expreserve issue and provides the following
information.
The Silicon Graphics implementation of expreserve is setgid sys and not
setuid root as reported in the CERT(sm) advisory.  As such, this redefines
the exposure as a setgid sys issue: an exploit would have to operate on
files writable by group sys.  On a default configured IRIX system there are
no system critical files that are group sys writable, and therefore the
exposure and exploit do not exist.

Silicon Graphics will not be releasing a patch for this issue; however, the
issue will be corrected in future releases of IRIX.

If desired, the setgid permission of expreserve could be removed; however,
this will disable the recovery functions of the vi(1) and ex(1) editors.
This functionality could be restored by manually creating directories for
each user in the /var/preserve directory.

- ------------------------
- --- Acknowledgments ---
- ------------------------

Silicon Graphics wishes to thank the CERT Coordination Center and the FIRST
organization for their assistance in this matter.

- -----------------------------------------
- --- SGI Security Information/Contacts ---
- -----------------------------------------

Past SGI Advisories and security patches can be obtained via anonymous FTP
from sgigate.sgi.com or its mirror, ftp.sgi.com.  These security patches and
advisories are provided freely to all interested parties.

For issues with the patches on the FTP sites, email can be sent to
cse-security-alert@csd.sgi.com.

For assistance obtaining or working with security patches, please contact
your SGI support provider.

If there are questions about this document, email can be sent to
cse-security-alert@csd.sgi.com.

Silicon Graphics provides a free security mailing list service.  The
wiretap service allows interested parties to self-subscribe to receive (via
email) all SGI Security Advisories when released.
        mail wiretap-request@sgi.com
          [BODY of "subscribe wiretap YourEmailAddress"
                   "end" ]

For reporting *NEW* SGI security issues, email can be sent to
security-alert@sgi.com or contact your SGI support provider.  A support
contract is not required for submitting a security report.

-----BEGIN PGP SIGNATURE-----
Version: 2.6.2

iQCVAwUBMiHfdrQ4cFApAP75AQEXlQP9H+b8uaTwecnP3qCHM5CNDNOLg+blWKX4
CEnE1lmzT2liOZ04BOoTY4DxoQjcbBXSwT/PZCQ51/lu0n5/y2g0pKzJhFQqvgl0
N6rncqK4RAoQfcJAGVKEPrMXSaTFTRwqNy+uYWR6BpHSwcTq6VEYzS2ZUzP9p05Y
xLME1oTb1j4=
=LYR3
-----END PGP SIGNATURE-----
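The checks implied by the "Solution" section above, as an added shell example that is not part of the SGI advisory: it tests whether a binary carries the setgid bit, lists the regular files a given group could write (the precondition the advisory says any abuse of a setgid-sys expreserve would need), applies the chmod g-s workaround, and creates the per-user preserve directories the advisory says restore vi(1)/ex(1) recovery. The function names, the placeholder expreserve path in the usage comment, and the sample files are assumptions; the advisory does not give the binary's installed path.

```shell
#!/bin/sh
# Added audit helpers for the expreserve exposure described in the
# advisory's "Solution" section. This is not SGI code; the function names,
# the placeholder binary path and the sample files are assumptions.

# is_setgid FILE: succeed when FILE carries the setgid bit (mode 2000).
# -prune keeps find from descending if FILE happens to be a directory.
is_setgid() {
    [ -n "$(find "$1" -prune -perm -2000 2>/dev/null)" ]
}

# group_writable_files GROUP DIR: list regular files under DIR owned by
# GROUP that members of GROUP can write. A setgid-GROUP program can only
# be turned against such files, which is the advisory's point about "sys".
group_writable_files() {
    find "$2" -type f -group "$1" -perm -020 2>/dev/null
}

# audit_expreserve FILE GROUP DIR: exit 0 when the advisory's exposure
# condition does not hold (FILE is not setgid, or no GROUP-writable files
# exist under DIR); exit 1 when both halves of the condition are present.
audit_expreserve() {
    if ! is_setgid "$1"; then
        echo "$1: not setgid, no group-based exposure"
        return 0
    fi
    n=$(group_writable_files "$2" "$3" | wc -l | tr -d ' ')
    echo "$1: setgid; $n file(s) under $3 are writable by group $2"
    [ "$n" -eq 0 ]
}

# drop_setgid FILE: the advisory's workaround (chmod g-s). Until per-user
# preserve directories exist this disables vi(1)/ex(1) crash recovery.
drop_setgid() {
    chmod g-s "$1" && ! is_setgid "$1"
}

# make_preserve_dir BASE USER: create BASE/USER with mode 700 so that a
# non-setgid expreserve can still save USER's editor buffers there.
# chown is only attempted (and only needed) when running as root.
make_preserve_dir() {
    mkdir -p "$1/$2" && chmod 700 "$1/$2" || return 1
    if [ "$(id -u)" -eq 0 ]; then
        chown "$2" "$1/$2" || return 1
    fi
    [ -d "$1/$2" ]
}

# Typical use on an IRIX host (placeholder path, not taken from the advisory):
#   audit_expreserve /path/to/expreserve sys /
#   drop_setgid /path/to/expreserve
#   for u in $(cut -d: -f1 /etc/passwd); do make_preserve_dir /var/preserve "$u"; done
```

The audit returns success in exactly the situation the advisory describes for a default IRIX install (setgid sys binary, but nothing writable by group sys), and failure only when a local change has made some group-sys-writable file appear; that is the condition worth alerting on before deciding whether the chmod g-s workaround is needed.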