Original issue date: January 8, 1997 <BR>
Last revised: December 15, 1997<BR>
Added vendor information for Data General to UPDATES.
<P>A complete revision history is at the end of this file.
<P>The CERT Coordination Center has received information about a
vulnerability in the csetup program under IRIX versions 5.x, 6.0,
6.0.1, 6.1, and 6.2. csetup is not available under IRIX 6.3 and 6.4.
<P>By exploiting this vulnerability, local users can create or
overwrite arbitrary files on the system. With this leverage, they can
ultimately gain root privileges.
<P>Exploitation information involving this vulnerability has been made
publicly available.
<P>We recommend applying a vendor patch when possible. In the
meantime, we urge sites to apply the workaround described in Section
III.
<P>We will update this advisory as we receive additional
information. Please check advisory files regularly for updates that
relate to your site.
<P>Note: Development of this advisory was a joint effort of the CERT
Coordination Center and AUSCERT.
<P><HR>
<H2>I. Description</H2>
There is a vulnerability in the csetup program under IRIX versions 5.x,
6.0, 6.0.1, 6.1, and 6.2. csetup is not available under IRIX 6.3 and 6.4.
<P>csetup is part of the Desktop System Administration subsystem. The
program provides a graphical interface allowing privileged users, as
flagged in the objectserver (cpeople (1M)), or root to modify system
and network configuration parameters. The csetup program is setuid
root to allow those who are flagged as privileged users to modify
system critical files.
<P>It is possible to configure csetup to run in DEBUG mode, creating a
logfile in a publicly writable directory. This file is created in an
insecure manner; and because csetup is running with root privileges at
the time the logfile is created, it is possible for local users to
create or overwrite arbitrary files on the system.
<P>Exploit information involving this vulnerability has been made
publicly available.
<H2>II. Impact</H2>
<P>Anyone with access to an account on the system can create or
overwrite arbitrary files on the system. With this leverage, they can
ultimately gain root privileges.
<H2>III. Solution</H2>
<P>Patch information for this vulnerability is available in SGI"s
Security Advisory 19970101-02-PX, available at <BR>
<A HREF="http://www.sgi.com/Support/Secur/security.html/">http://www.sgi.com/Support/Secur/security.html/</A>
</P>
<P>
<HR></P>
<P>This advisory is a collaborative effort between AUSCERT and the CERT
Coordination Center. <BR>
The CERT Coordination Center acknowledges Yuri Volobuev for reporting the
original problem, and Silicon Graphics, Inc. for their strong support in
the development of the advisory.</P>
<P>
<HR>
<H2>UPDATES</H2>
<H3>Vendor Information</H3>
<P>Below is information we have received from vendors. If you do not
see your vendor's name below, contact the vendor directly for
information.
<P>
<H3>Data General </H3>
<P>DG/UX does not support csetup and therefore is not vulnerable.
<!--#include virtual="/include/footer_nocopyright.html" -->
<P>Copyright 1997 Carnegie Mellon University.</P>
<HR>
Revision History
<PRE>
Dec. 15, 1997 Added vendor information for Data General to UPDATES.
Sep. 26, 1997 Updated copyright statement
May 8, 1997 Updated the Solution section to include URL for
SGI patch information.
</PRE>
|