_____________________________________________________ The U.S. Department of Energy Computer Incident Advisory Capability ___ __ __ _ ___ / | /_\ / \___ __|__ / \ \___ _____________________________________________________ ADVISORY NOTICE Vulnerabilities in the SGI IRIX Help System August 11, 1994 1700 PST Number E-33 _____________________________________________________________________________ PROBLEM: Vulnerabilities in the SGI Help system allows unauthorized access to a root shell. PLATFORM: SGI IRIX 5.x. DAMAGE: Unauthorized users can access a root shell without logging in. SOLUTION: Retrieve and install the patches, or apply the workarounds described below. _____________________________________________________________________________ VULNERABILITY These vulnerabilities have been widely discussed on many ASSESSMENT: public forums on the Internet. Attack scripts have been created and distributed. Vulnerabilities can only be exploited by currently logged in users or by direct access to the console. Although no attacks using these methods have been confirmed as of the date of this bulletin, attacks using these vulnerabilities are inevitable. CIAC recommends that all patches be installed. _____________________________________________________________________________ Critical Information about the Help System vulnerabilities CIAC has received information from Silicon Graphics, Inc. (SGI) concerning vulnerabilities in the IRIX 5.x operating system that allow root access to unauthorized users. The vulnerabilities exist within the Help subsystem. They have been referred to on the Internet by various names including clogin, printer manager, and SGI Help. When exploited, a currently logged in user can create an active root shell, or a person with physical access to the console can get an active root shell without logging in. SGI has issued patch65 to fix these vulnerabilities. This problem will be corrected in a future release of IRIX. The patch will only fix the vulnerabilities in IRIX 5.2; no patch is scheduled for IRIX 5.1. SGI recommends that all IRIX 5.1 users upgrade to IRIX 5.2. A workaround solution exists and is effective on all versions of IRIX 5.x. CIAC and SGI recommend that all IRIX 5.2 users implement the workaround immediately until the IRIX 5.2 patch is obtained. INSTALLATION OF THE WORKAROUND To install the workaround, perform the following command as root: # versions remove sgihelp.sw.eoe This workaround will neutralize this avenue of attack; however it also renders the Help subsystem inactive. This will affect other installed software that use the SGI Help subsystem. Certain help functions from within applications will return non-fatal error messages about the missing subsystem. INSTALLATION OF THE PATCH (IRIX 5.2 only) 1. Determine which patch(es) you need. To install the patch for the help vulnerabilities, you need to use the latest SGI inst program named patch34. To see if you already have patch34 installed on your system, issue the following command: # versions patch\* If the appropriate SGI inst program is loaded, the output will appear as displayed below. Another patch, patchSG0000000, is functionally equivalent to patch34; therefore if it is present you do not need to install patch34. I =\ Installed, R = Removed Name Date Description I patchSG0000034 08/10/94 Patch SG0000034 I patchSG0000034.eoe1_sw 08/10/94 IRIX Execution Environment Software I patchSG0000034.eoe1_sw.unix 08/10/94 IRIX Execution Environment If neither patchSG0000034 nor patchSG0000000 is loaded, you must retrieve and load both patch34 and patch65. Otherwise, you need only retrieve and install patch65. 2. Retrieve the patch(es). The patches can be retrieved in one of two methods: CD and anonymous ftp. SGI has made a CD available which contains the patches. To receive this CD, contact your nearest SGI service provider and ask for a copy of it. The patches can be retrieved via anonymous ftp from ftp.sgi.com in the directory ~ftp/security. CIAC is also making these patches available from ciac.llnl.gov in the directory pub/ciac/patches/sgi. A third location of these patches is first.org in the directory pub/software/sgi. Patch34 is quite large, users are encouraged to download the patches from the closest ftp site. SGI is keeping a list of alternate ftp sites in the file ftp.sgi.com:~ftp/security/ALTERNATE.SITES. Checksums for the patches are provided below. Patch Standard System V MD5 Unix Unix Checksum patch34.tar.Z 11066 15627 1674 31253 2859d0debff715c5beaccd02b6bebded patch65.tar 63059 1220 15843 2440 af8c120f86daab9df74998b31927e397 3. Uninstall the workaround if it was applied to your system. If you have applied the workaround and then wish to install the patch, the system needs to be returned to its initial state prior to installation of the patch. The original Help software can be found on the original software distribution CD labeled as IRIX 5.2. To return the system to its initial state, perform the following command as root IMMEDIATELY PRIOR TO INSTALLATION OF THE PATCH: # inst -f /CDROM/dist/sgihelp.sw.eoe Inst> install sgihelp.sw.eoe Inst> go 4. Install the patch(es). First install patch34, after verifying the checksum. Uncompress and untar the files. Inst the patch as you would any other SGI software, using the software installation guide for additional information. Next, install patch65 after verifying the checksum, then performing an untar of the files. Inst the patch as you would any other SGI software. _____________________________________________________________________________ CIAC wishes to thank Silicon Graphics, Inc. for the information contained in this bulletin, and Max Hailperin of Gustavus Adolphus College for his investigation of these vulnerabilities. _____________________________________________________________________________ For additional information or assistance, please contact CIAC: Voice: 510-422-8193 FAX: 510-423-8002 STU-III: 510-423-2604 E-mail: ciac@llnl.gov Previous CIAC Bulletins and other information are available via anonymous FTP from ciac.llnl.gov (IP address 128.115.19.53) formerly irbis.llnl.gov. CIAC has several self-subscribing mailing lists for electronic publications: 1. CIAC-BULLETIN for Advisories, highest priority - time critical information, and Bulletins, important computer security information; 2. CIAC-NOTES for Notes, a collection of computer security articles; 3. SPI-ANNOUNCE for official news about Security Profile Inspector (SPI) software updates, new features, distribution and availability; 4. SPI-NOTES, for discussion of problems and solutions regarding the use of SPI products. CIAC's mailing lists are managed by a public domain software package called ListProcessor, which ignores E-mail header subject lines. To subscribe (add yourself) to one of our mailing lists, send the following request as the E-mail message body, substituting CIAC-BULLETIN, CIAC-NOTES, SPI-ANNOUNCE or SPI-NOTES for "list-name" and valid information for "LastName" "FirstName" and "PhoneNumber" when sending E-mail to ciac-listproc@llnl.gov: subscribe list-name LastName, FirstName PhoneNumber e.g., subscribe ciac-notes O'Hara, Scarlett 404-555-1212 x36 You will receive an acknowledgment containing address, initial PIN, and information on how to change either of them, cancel your subscription, or get help. _____________________________________________________________________________ PLEASE NOTE: Many users outside of the DOE and ESnet computing communities receive CIAC bulletins. If you are not part of these communities, please contact your agency's response team to report incidents. Your agency's team will coordinate with CIAC. The Forum of Incident Response and Security Teams (FIRST) is a world-wide organization. A list of FIRST member organizations and their constituencies can be obtained by sending E-mail to first-request@first.org with an empty subject line and a message body containing the line: send first-contacts. This document was prepared as an account of work sponsored by an agency of the United States Government. Neither the United States Government nor the University of California nor any of their employees, makes any warranty, expressed or implied, or assumes any legal liability or responsibility for the accuracy, completeness, or usefulness of any information, product, or process disclosed, or represents that its use would not infringe privately owned rights. Reference herein to any specific commercial products, process, or service by trade name, trademark manufacturer, or otherwise, does not necessarily constitute or imply its endorsement, recommendation, or favoring by the United States Government or the University of California. The views and opinions of authors expressed herein do not necessarily state or reflect those of the United States Government nor the University of California, and shall not be used for advertising or product endorsement purposes.