mailing list archives
Repost: Security bug in SGI VideoFramer [SDN-2-sgi-videoframer]
From: hhui () stardot net (Hui-Hui Hu)
Date: Tue, 14 May 1996 23:24:10 -0400
This is a repost from a few months ago. It apparently got lost in the
Stardot Networks / Security vulnerability [SDN-2-sgi-videoframer]
The VideoFramer development package on Silicon Graphics systems is subject
to several security holes. This package is installed as vfr.sw.vfr.
Though most SGIs I found did not have the installation, nevertheless the
package was available for exploitation from a NFS mounted partition that
contained the complete IRIX distribution.
A VideoFramer/VLAN board is not required for program exploitation. The
specific problem which I describe below involves the program sb_encode,
which allows off-line frame encoding in VideoFramer format. The result of
poor IRIX security checking is that any user can overwrite-to-destroy an
arbitrary file. It appears that many files in the installation were
improperly permissioned as setuid.
PROGRAM. sb_encode (from vfr.sw.vfr)
AFFECTS. at least SGI IRIX 5.x
REQUIRED. Account on server
RISK. denial of service
AUTHOR. Tung-Hui Hu <hhui () stardot net>
PROBLEM. sb_encode is installed setuid in /usr/video/vfr/bin and does not
check for permissions/ownership. sb_encode takes an IRIS RGB-format image
file and spits out a VideoFramer format file (.vfr).
REPEAT BY: /usr/video/vfr/bin/sb_encode -o [file-to-overwrite] [iris-image]
PROBLEM. Many setuid scripts exist in /usr/video/vfr/bin. Though setuid
scripts are turned off by default, they may pose a potential security
# chmod -s /usr/video/vfr/*
DISCUSSION. I assume it is practically impossible to "meaningfully
exploit" a VideoFramer-encoded format. The videoframer setup utility also
exploded when I tried to create a peculiarly-named device (e.g. ;id). Then
again, setup exploded while doing most things ;) Can the preferences
.vfr_setup be exploited somehow? I haven't done more than a cursory check.
Tung-Hui Hu Comparative literature, princeton university
hhui () stardot net http://www.stardot.net/~hhui
- Repost: Security bug in SGI VideoFramer [SDN-2-sgi-videoframer] Hui-Hui Hu (May 15)