Original issue date: July 16, 1997<BR>
Last revised: January 15, 1998<BR>
 Updated vendor information for SGI.

<P>A complete revision history is at the end of this file.

<P>The technical content of this advisory was originally published by
AUSCERT
(AA-97.19, AA-97.20, AA-97.21, AA-97.22, AA-97.23, AA-97.24).
We use it here with their permission.

<P><HR>

<P>Some SGI IRIX systems have buffer overflow vulnerabilities in the following
programs:
<UL>
<LI>df
<LI>pset
<LI>eject
<LI>login/scheme
<LI>ordist
<LI>xlock
</UL>
These vulnerabilities may allow local users to gain root privileges. Exploit
information involving these vulnerabilities has been made publicly available.

<P>A more detailed discussion of each problem appears in Section I.

<P>All these buffer overflow problems can be addressed by similar workarounds
or by installing a wrapper developed by AUSCERT (see Section III).

<P>We will update this advisory as we receive additional information. Please
check our advisory files regularly for updates that relate to your site.

<P><HR>
<H2>I. Description</H2>
Due to insufficient bounds checking on arguments that are supplied by users,
it is possible to overwrite the internal stack space of the programs listed
above while they are executing. By supplying a carefully designed argument
to one of these programs, intruders may be able to force the program to
execute arbitrary commands. As the programs (except pset) are setuid root,
this may allow intruders to run arbitrary commands with root privileges.
As pset is setgid sys, this may allow intruders to run arbitrary commands
with the privileges of group sys. This may then be leveraged to gain root
privileges.
<H3>A. df</H3>
<I>df(1)</I> is a program used to display statistics about the amount of
used and free disc space on file systems.

<P>You can determine if this program is installed by typing

<PRE>
% ls -l /sbin/df
</PRE>

<P>df is installed by default in /sbin. We encourage you to check for the
presence of this program regardless of the version of IRIX installed.
<H3>B. pset</H3>
<I>pset(1M)</I> is a program used to display and modify information concerning
the use of processor sets in the current system. The pset command is used
on multi-processor systems to restrict the execution of different classes
of jobs.

<P>You can determine if this program is installed by typing

<PRE>
% ls -l /sbin/pset
</PRE>

<P>pset is installed by default in /sbin. We encourage you to check for
the presence of this program regardless of the version of IRIX installed.
<H3>C. eject</H3>
<I>eject(1)</I> is a program used to eject a removable media device, such
as floppy, CDROM, or tape. If the floppy or CDROM is mounted, eject will
first try to unmount it.

<P>You can determine if this program is installed by typing

<PRE>
% ls -l /usr/sbin/eject
</PRE>

<P>eject is installed by default in /usr/sbin. We encourage you to check
for the presence of this program regardless of the version of IRIX installed.
<H3>D. login/scheme</H3>
<I>login(1)</I> is a program used at the beginning of each terminal session
that allows users to identify themselves to the session. Under current
versions of IRIX, this functionality is supplied by the program /usr/lib/iaf/scheme.
The login program is a symbolic link to /usr/lib/iaf/scheme.

<P>The login program is installed in /usr/bin/login. Under default configurations,
this is a symbolic link to /usr/lib/iaf/scheme.

<PRE>
% ls -l /usr/bin/login
lrwxr-xr-x   1 root     sys           17 Nov 22  1994 /usr/bin/login -> ../lib/iaf/scheme

% ls -l /usr/lib/iaf/scheme
-rwsr-xr-x   1 root     sys        65832 Nov 22  1994 /usr/lib/iaf/scheme
</PRE>

<P>Although this vulnerability has been verified only under IRIX 6.2, it
is believed to affect other versions of IRIX, including IRIX 5.x.
<H3>E. ordist</H3>
<I>ordist(1c)</I> is a program used to maintain identical copies of files
over multiple hosts. It preserves the owner, group, mode and mtime of a
file if possible.

<P>You can determine if this program is installed by typing

<PRE>
% ls -l /usr/bsd/ordist
</PRE>

<P>ordist is installed by default in /usr/bsd. We encourage you to check
for the presence of this program regardless of the version of IRIX installed.
<H3>F. xlock</H3>
<I>xlock(1)</I> is a program that locks the local X display until a password
is entered.

<P>You can determine if this program is installed by typing

<PRE>
% ls -l /usr/bin/X11/xlock
</PRE>

<P>xlock is installed by default in /usr/bin/X11. We encourage you to check
for the presence of this program regardless of the version of IRIX installed.

<P>For more information about vulnerabilities in xlock, see

<P><A HREF="http://www.cert.org/advisories/CA-97.13.xlock.html">www.cert.org/advisories/CA-97.13.xlock</A>.

<H2>II. Impact</H2>

<H3>A. df</H3>
Local users may gain root privileges.
<H3>B. pset</H3>
Local users may gain the privileges of group sys. These privileges may
then be used to gain root privileges.
<H3>C. eject</H3>
Local users may gain root privileges.
<H3>D. login/scheme</H3>
Local users may gain root privileges.
<H3>E. ordist</H3>
Local users may gain root privileges.
<H3>F. xlock</H3>
Local users may gain root privileges.
<H2>III. Solution</H2>
There are several possible solutions for these problems. In Section A,
we recommend installing vendor patches. In Section B, we discuss workarounds
you can use until you install vendor patches. If the workaround is inappropriate
for your site, an alternative is to install a wrapper program developed
by AUSCERT. Information about the wrapper is in Section C.
<H3>A. Vendor patches</H3>
Currently there are no vendor patches available that address these vulnerabilities.
The CERT/CC recommends installing official vendor patches when they are
available.
<H3>B. Workaround</H3>
You should prevent the exploitation of this vulnerability by immediately
applying the workaround, which is to remove the setuid and non-root execute
permissions of the df, eject, login/scheme, ordist, and xlock programs
and to remove the setgid and non-root execute permissions of pset.

<P>If the functionality provided by these programs is required by non-root
users, apply the wrapper discussed in Section C.
<H4>1. df</H4>
To prevent the exploitation of the vulnerability described in this advisory,
you should remove setuid permissions from the df program immediately. As
df will no longer work for non-root users, we recommend removing the execute
permissions for them also.

<PRE>
# ls -l /sbin/df
-r-sr-xr-x   1 root     sys        23136 Nov 22  1994 /sbin/df

# chmod 500 /sbin/df

# ls -l /sbin/df
-r-x------   1 root     sys        23136 Nov 22  1994 /sbin/df
</PRE>
<H4>2. pset</H4>
To prevent the exploitation of this vulnerability, we recommend that you
remove the setgid permissions from the pset program immediately. As pset
will no longer work for non-root users, we recommend removing the execute
permissions for them also.

<PRE>
# ls -l /sbin/pset
-rwsr-sr-x   1 root     sys        31704 Nov 22  1994 /sbin/pset

# chmod 500 /sbin/pset

# ls -l /sbin/pset
-r-x------   1 root     sys        31704 Nov 22  1994 /sbin/pset
</PRE>
<H4>3. eject</H4>
To prevent the exploitation of the vulnerability described in this advisory,
you should remove the setuid permissions from the eject program immediately.
As eject will no longer have its full functionality for non-root users,
we also recommend removing the execute permissions for these users.

<PRE>
# ls -l /usr/sbin/eject
-rwsr-xr-x   1 root     sys        45892 Nov 28 15:09 /usr/sbin/eject

# chmod 500 /usr/sbin/eject

# ls -l /usr/sbin/eject
-r-x------   1 root     sys        45892 Nov 28 15:09 /usr/sbin/eject
</PRE>
<H4>4. login/scheme</H4>
To prevent the exploitation of the vulnerability described in this advisory,
remove the setuid permissions from the scheme program immediately.

<PRE>
# ls -l /usr/lib/iaf/scheme
-rwsr-xr-x   1 root     sys        58324 Nov 28  1996 /usr/lib/iaf/scheme

# chmod 500 /usr/lib/iaf/scheme

# ls -l /usr/lib/iaf/scheme
-r-x------   1 root     sys        58324 Nov 28  1996 /usr/lib/iaf/scheme
</PRE>
<H4>5. ordist</H4>
To prevent the exploitation of the vulnerability described in this advisory,
you should remove the setuid permissions from the ordist program immediately.
As ordist will no longer work for non-root users, we recommend removing
the execute permissions for them also.

<PRE>
# ls -l /usr/bsd/ordist
-rwsr-xr-x   1 root     sys        70564 Nov 28 15:07 /usr/bsd/ordist

# chmod 500 /usr/bsd/ordist

# ls -l /usr/bsd/ordist
-r-x------   1 root     sys        70564 Nov 28 15:07 /usr/bsd/ordist
</PRE>
<H4>6. xlock</H4>
To prevent the exploitation of the vulnerability described in this advisory,
you should remove the setuid permissions from the xlock program immediately.
As xlock will no longer work for non-root users, we recommend removing
the execute permissions for them also.

<PRE>
# ls -l /usr/bin/X11/xlock
-rwsr-xr-x   1 root     sys        95188 Nov 28  1996 /usr/bin/X11/xlock

# chmod 500 /usr/bin/X11/xlock

# ls -l /usr/bin/X11/xlock
-r-x------   1 root     sys        95188 Nov 28  1996 /usr/bin/X11/xlock
</PRE>
<H3>C. Workaround</H3>
AUSCERT has developed a wrapper to help prevent programs from being exploited
using the vulnerabilities described in this advisory. Sites that have a
C compiler can obtain the source, and compile and install the wrapper as
described in Section 1, below. For sites without a C compiler, AUSCERT
has made pre-compiled binaries available as described in Section 2.
<H4>1. Installing the wrapper from source</H4>
The source for the wrapper, including installation instructions, can be
found at

<P><A HREF="ftp://ftp.auscert.org.au/pub/auscert/tools/overflow_wrapper/overflow_wrapper.c">ftp://ftp.auscert.org.au/pub/auscert/tools/overflow_wrapper/overflow_wrapper.c</A>

<P>This wrapper replaces the vulnerable programs and checks the length
of the command line arguments which are passed to it. If an argument exceeds
a certain predefined value (MAXARGLEN), the wrapper exits without executing
the command. The wrapper program can also be configured to syslog any failed
attempts to execute the command with arguments exceeding MAXARGLEN. For
further instructions on using this wrapper, please read the comments at
the top of overflow_wrapper.c.

<P>When compiling overflow_wrapper.c, AUSCERT recommends defining MAXARGLEN
to be 32.
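<P>As an added illustration (this is not AUSCERT's overflow_wrapper.c), the following C program mirrors the behaviour described above: it refuses to run when any command line argument is longer than MAXARGLEN, optionally records the refusal through syslog when built with -DSYSLOG, and otherwise executes REAL_PROG with the original arguments. The REAL_PROG default and the first_oversized_arg helper are assumptions made for this example.

```c
/* Constructed example of an argument-length-checking setuid wrapper.
 * Not AUSCERT's overflow_wrapper.c; REAL_PROG and MAXARGLEN are assumed
 * compile-time options, as in the advisory, with placeholder defaults. */
#define _XOPEN_SOURCE 700
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <syslog.h>
#include <unistd.h>

#ifndef REAL_PROG
#define REAL_PROG "/sbin/df.real"   /* renamed original binary (placeholder) */
#endif
#ifndef MAXARGLEN
#define MAXARGLEN 32                /* longest argument the wrapper accepts */
#endif

/* Return the index of the first argument longer than maxlen, or -1 when
 * every argument in argv[1..argc-1] fits. argv[0] is skipped because the
 * wrapper replaces it before exec'ing the real program. */
int first_oversized_arg(int argc, char *const argv[], size_t maxlen)
{
    for (int i = 1; i < argc; i++) {
        if (strlen(argv[i]) > maxlen)
            return i;
    }
    return -1;
}

int main(int argc, char *argv[])
{
    int bad = first_oversized_arg(argc, argv, MAXARGLEN);
    if (bad != -1) {
#ifdef SYSLOG
        /* Log the length and caller only, never the argument contents. */
        openlog("overflow_wrapper", LOG_PID, LOG_AUTH);
        syslog(LOG_WARNING,
               "%s: uid %u passed argument %d of length %zu (limit %d); refusing",
               REAL_PROG, (unsigned)getuid(), bad, strlen(argv[bad]), MAXARGLEN);
        closelog();
#endif
        fprintf(stderr, "%s: argument too long\n", argv[0]);
        return 1;
    }
    /* Every argument is within bounds: run the real program with the same
     * argument vector. The wrapper carries the setuid bit, so the effective
     * uid is preserved across the exec. */
    argv[0] = REAL_PROG;
    execv(REAL_PROG, argv);
    perror("execv");   /* reached only if the exec itself fails */
    return 1;
}
```

Build it with the same options quoted for the pre-compiled binaries below (for example -DREAL_PROG='"/sbin/df.real"' -DMAXARGLEN=32 -DSYSLOG) and install the wrapper in place of the original program. The renamed original must not keep its setuid or setgid bit, otherwise the length check can be sidestepped by running it directly.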

<P>The MD5 checksum for the current version of overflow_wrapper.c can be
retrieved from

<P><A HREF="ftp://ftp.auscert.org.au/pub/auscert/tools/overflow_wrapper/CHECKSUM">ftp://ftp.auscert.org.au/pub/auscert/tools/overflow_wrapper/CHECKSUM</A>

<P>The CHECKSUM file has been digitally signed using the AUSCERT PGP key.
<H4>2. Installing the wrapper binaries</H4>
A pre-compiled wrapper binary is provided for sites that wish to install
the wrapper but do not have a C compiler available. AUSCERT has compiled
the wrapper on IRIX 5.3; however, later versions of IRIX should be able
to use the wrapper binary without recompilation.

<P>The pre-compiled binaries for the wrapper program can be retrieved for
each vulnerability. Sites are encouraged to carefully read the installation
notes in the README file before installation.
<P><B>a. df</B>

<P>The following compile time options have been used to create the binaries:

<P>REAL_PROG='"/sbin/df.real"'
<BR>MAXARGLEN=32
<BR>SYSLOG

<P>More information on these options can be found in the overflow_wrapper.c
source code.

<P>You can get the pre-compiled binaries for the wrapper program from

<P><A HREF="ftp://ftp.auscert.org.au/pub/auscert/tools/AA-97.19-df_wrapper.tar.Z">ftp://ftp.auscert.org.au/pub/auscert/tools/AA-97.19-df_wrapper.tar.Z</A>

<P>MD5 (AA-97.19-df_wrapper.tar.Z) =
9d21e6358129cccbe3768757a5361f56

<P>AA-97.19-df_wrapper.tar.Z contains a README file with installation instructions,
as well as a pre-compiled binary.

<P><B>b. pset</B>

<P>The following compile time options have been used to create the binaries:

<P>REAL_PROG='"/sbin/pset.real"'
<BR>MAXARGLEN=32
<BR>SYSLOG

<P>More information on these options can be found in the overflow_wrapper.c
source code.

<P>You can get pre-compiled binaries for the wrapper program from

<P><A HREF="ftp://ftp.auscert.org.au/pub/auscert/tools/AA-97.20-pset_wrapper.tar.Z">ftp://ftp.auscert.org.au/pub/auscert/tools/AA-97.20-pset_wrapper.tar.Z</A>

<P>MD5 (AA-97.20-pset_wrapper.tar.Z) =
875367aec70936fc5f4531b0ba8ebc03

<P>AA-97.20-pset_wrapper.tar.Z contains a README file with installation
instructions, as well as a pre-compiled binary.
<P><B>c. eject</B>

<P>The following compile time options have been used to create the binaries:

<P>REAL_PROG='"/usr/sbin/eject.real"'
<BR>MAXARGLEN=32
<BR>SYSLOG

<P>More information on these options can be found in the overflow_wrapper.c
source code.

<P>The pre-compiled binaries for the wrapper program can be retrieved from

<P><A HREF="ftp://ftp.auscert.org.au/pub/auscert/tools/AA-97.21-eject_wrapper.tar.Z">ftp://ftp.auscert.org.au/pub/auscert/tools/AA-97.21-eject_wrapper.tar.Z</A>

<P>MD5 (AA-97.21-eject_wrapper.tar.Z) =
276bf0f51c89e54d4c584a9e8dd9265d

<P>AA-97.21-eject_wrapper.tar.Z contains a README file with installation
instructions, as well as a pre-compiled binary.

<P><B>d. login/scheme</B>

<P>The following compile time options have been used to create the binaries:

<P>REAL_PROG='"/usr/lib/iaf/scheme.real"'
<BR>MAXARGLEN=32
<BR>SYSLOG

<P>More information on these options can be found in the overflow_wrapper.c
source code.

<P>The pre-compiled binaries for the wrapper program can be retrieved from

<P><A HREF="ftp://ftp.auscert.org.au/pub/auscert/tools/AA-97.22-scheme_wrapper.tar.Z">ftp://ftp.auscert.org.au/pub/auscert/tools/AA-97.22-scheme_wrapper.tar.Z</A>

<P>MD5 (AA-97.22-scheme_wrapper.tar.Z) =
dc302aa275a4009d1545180bfce8ebf4

<P>AA-97.22-scheme_wrapper.tar.Z contains a README file with installation
instructions, as well as a pre-compiled binary.
<P><B>e. ordist</B>

<P>The following compile time options have been used to create the binaries:

<P>REAL_PROG='"/usr/bsd/ordist.real"'
<BR>MAXARGLEN=32
<BR>SYSLOG

<P>More information on these options can be found in the overflow_wrapper.c
source code.

<P>The pre-compiled binaries for the wrapper program can be retrieved from

<P><A HREF="ftp://ftp.auscert.org.au/pub/auscert/tools/AA-97.23-ordist_wrapper.tar.Z">ftp://ftp.auscert.org.au/pub/auscert/tools/AA-97.23-ordist_wrapper.tar.Z</A>

<P>MD5 (AA-97.23-ordist_wrapper.tar.Z) =
0eed9d9a52658181a1ce9b4ce2ed7fd2

<P>AA-97.23-ordist_wrapper.tar.Z contains a README file with installation
instructions, as well as a pre-compiled binary.

<P><B>f. xlock</B>

<P>The following compile time options have been used to create the binaries:

<P>REAL_PROG='"/usr/bin/X11/xlock.real"'
<BR>MAXARGLEN=32
<BR>SYSLOG

<P>More information on these options can be found in the overflow_wrapper.c
source code.

<P>The pre-compiled binaries for the wrapper program can be retrieved from

<P><A HREF="ftp://ftp.auscert.org.au/pub/auscert/tools/AA-97.24-xlock_wrapper.tar.Z">ftp://ftp.auscert.org.au/pub/auscert/tools/AA-97.24-xlock_wrapper.tar.Z</A>

<P>MD5 (AA-97.24-xlock_wrapper.tar.Z) =
fe12913cd0f7bb78193488dd58cc2f4f

<P>AA-97.24-xlock_wrapper.tar.Z contains a README file with installation
instructions, as well as a pre-compiled binary.

<P><HR>

<P>The CERT Coordination Center staff thanks AUSCERT for permission to
republish the information in six AUSCERT advisories:

<P>AA-97.19.IRIX.df.buffer.overflow.vul
<BR>AA-97.20.IRIX.pset.buffer.overflow.vul
<BR>AA-97.21.IRIX.eject.buffer.overflow.vul
<BR>AA-97.22.IRIX.login.scheme.buffer.overflow.vul
<BR>AA-97.23-IRIX.ordist.buffer.overflow.vul
<BR>AA-97.24.IRIX.xlock.buffer.overflow.vul

<P>AUSCERT originally thanked Ian Farquhar and the Prentice Center, University
of Queensland for their assistance in the production of AA-97.22.

<P><HR>

<H2>UPDATES</H2>

<H3>January 15, 1998</H3>

<P>Silicon Graphics Inc. has issued Security Advisory, "IRIX df Buffer
Overrun Vulnerability," 19970505-02-PX, November 18, 1997.

<P>This SGI advisory addresses the vulnerabilities discussed in the
following documents:

<BLOCKQUOTE>
        AUSCERT Advisory AA-97.19 and CERT Advisory CA-97.21
</BLOCKQUOTE>

<H3>September 19, 1997</H3>
Silicon Graphics Inc. has issued Security Advisory, "IRIX LOCKOUT and login/scheme
Buffer Overrun" 19970508-02-PX, September 15, 1997.

<P>This SGI advisory addresses the vulnerabilities discussed in the following
documents:

<P>
<BLOCKQUOTE>
        AUSCERT AA-97.12 and CERT CA-97.
<BR>        
        AUSCERT AA-97.22 and CERT CA-97.21
</BLOCKQUOTE>

<P>Patches for these vulnerabilities are available via anonymous FTP and your service/support provider.

<P>The SGI anonymous FTP site is sgigate.sgi.com (204.94.209.1) or its
mirror, ftp.sgi.com. Security information and patches can be found in the
~ftp/security and ~ftp/patches directories, respectively.

<P>For subscribing to the wiretap mailing list and other SGI security related
information, please refer to the Silicon Graphics Security Headquarters
website located at

<P><A HREF="http://www.sgi.com/Support/Secur/security.html">http://www.sgi.com/Support/Secur/security.html</A>

<P>Copyright 1997 Carnegie Mellon University.</P>

<HR>

Revision History
<PRE>
Jan. 15, 1998  Updated vendor information for SGI.
Sept. 30, 1997 Updated copyright statement.
Sept. 19, 1997 Updates Section. Added updated vendor information
               for Silicon Graphics, Inc.
Aug. 11, 1997  Updates Section. Added updated vendor
               information for Silicon Graphics, Inc.
July 28, 1997  Section III.C.1 - Clarified information about wrapper.
</PRE>