Bugtraq mailing list archives

CERT Advisory CA-97.21 - SGI Buffer Overflow Vulnerabilities
From: aleph1 () DFW NET (Aleph One)
Date: Thu, 17 Jul 1997 03:17:52 -0500


-----BEGIN PGP SIGNED MESSAGE-----

=============================================================================
CERT* Advisory CA-97.21
Original issue date: July 16, 1997
Last revised: --

Topic:SGI Buffer Overflow Vulnerabilities

- -----------------------------------------------------------------------------

            The technical content of this advisory
            was originally published by AUSCERT
            (AA-97.19, AA-97.20, AA-97.21, AA-97.22,
            AA-97.23, AA-97.24). We use it here with
            their permission.

- -----------------------------------------------------------------------------

Some SGI IRIX systems have buffer overflow vulnerabilities in the following
programs:

        df
        pset
        eject
        login/scheme
        ordist
        xlock

These vulnerabilities may allow local users to gain root privileges. Exploit
information involving these vulnerabilities has been made publicly available.

A more detailed discussion of each problem appears in Section I.

All these buffer overflow problems can be addressed by similar workarounds or
by installing a wrapper developed by AUSCERT (see Section III).

We will update this advisory as we receive additional information.
Please check our advisory files regularly for updates that relate to your site.

- -----------------------------------------------------------------------------

I.   Description

     Due to insufficient bounds checking on arguments that are supplied by
     users, it is possible to overwrite the internal stack space of the
     programs listed above while they are executing. By supplying a carefully
     designed argument to one of these programs, intruders may be able to
     force the program to execute arbitrary commands. As the programs (except
     pset) are setuid root, this may allow intruders to run arbitrary commands
     with root privileges. As pset is setgid sys, this may allow intruders to
     run arbitrary commands with the privileges of group sys. This may then be
     leveraged to gain root privileges.
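     The bug class described above, shown as an added illustration that is
     not code from this advisory, from AUSCERT or from IRIX: a privileged
     program builds a path from argv[1] in a fixed-size stack buffer. The
     64-byte buffer, the "/dev/" prefix and the function names are
     assumptions chosen for the example; they are not the actual code of df,
     eject or the other programs listed. The hardened form checks the
     snprintf return value, which is the step most often forgotten (a
     truncated copy is silently accepted otherwise).

```c
/*
 * Added illustration of the "insufficient bounds checking on arguments"
 * pattern. Hypothetical code, not the IRIX utilities' own source.
 */
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

#define PATH_BUF 64   /* hypothetical fixed-size stack buffer */

/* Vulnerable pattern: argv-derived data is appended with no bound.
 * A name longer than about PATH_BUF - 6 bytes runs past 'path' into the
 * rest of the stack frame, which is what "overwrite the internal stack
 * space" in Section I refers to. Never call this with untrusted input. */
void build_device_path_unsafe(char *out, const char *name)
{
    char path[PATH_BUF];
    strcpy(path, "/dev/");
    strcat(path, name);          /* unbounded copy: overflows 'path' */
    strcpy(out, path);
}

/* Hardened form: format with a bound, refuse anything that would have
 * been truncated, and copy out with an explicit length.
 * Returns 0 on success, -1 if the name does not fit. */
int build_device_path_safe(char *out, size_t outsz, const char *name)
{
    char path[PATH_BUF];
    int n = snprintf(path, sizeof path, "/dev/%s", name);
    if (n < 0 || (size_t)n >= sizeof path)
        return -1;               /* too long for 'path': refuse, do not truncate */
    if ((size_t)n >= outsz)
        return -1;               /* too long for the caller's buffer */
    memcpy(out, path, (size_t)n + 1);   /* +1 copies the terminating NUL */
    return 0;
}

/* Convenience check a setuid program can run before doing anything
 * privileged with the argument: 1 if the name is acceptable, else 0. */
int device_arg_ok(const char *name)
{
    char tmp[PATH_BUF];
    return build_device_path_safe(tmp, sizeof tmp, name) == 0;
}

int main(int argc, char **argv)
{
    char dev[PATH_BUF];
    if (argc != 2) {
        fprintf(stderr, "usage: %s device\n", argv[0]);
        return 2;
    }
    if (build_device_path_safe(dev, sizeof dev, argv[1]) != 0) {
        fprintf(stderr, "%s: argument too long\n", argv[0]);
        return 1;
    }
    printf("%s\n", dev);
    return 0;
}
```

     The hardened function rejects rather than truncates: a silently
     truncated device path could still name the wrong device, so an
     overlong argument is an error, not something to repair.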


     A. df

        df(1) is a program used to display statistics about the amount of used
        and free disc space on file systems.

        You can determine if this program is installed by typing

        % ls -l /sbin/df

        df is installed by default in /sbin. We encourage you to check
        for the presence of this program regardless of the version of IRIX
        installed.


     B. pset

        pset(1M) is a program used to display and modify information
        concerning the use of processor sets in the current system. The pset
        command is used on multi-processor systems to restrict the execution
        of different classes of jobs.

        You can determine if this program is installed by typing

        % ls -l /sbin/pset

        pset is installed by default in /sbin. We encourage you to check for
        the presence of this program regardless of the version of IRIX
        installed.


     C. eject

        eject(1) is a program used to eject a removable media device, such as
        floppy, CDROM, or tape. If the floppy or CDROM is mounted, eject will
        first try to unmount it.

        You can determine if this program is installed by typing

        % ls -l /usr/sbin/eject

        eject is installed by default in /usr/sbin. We encourage you to check
        for the presence of this program regardless of the version of IRIX
        installed.


     D. login/scheme

        login(1) is a program used at the beginning of each terminal session
        that allows users to identify themselves to the session. Under
        current versions of IRIX, this functionality is supplied by the program
        /usr/lib/iaf/scheme. The login program is a symbolic link to
        /usr/lib/iaf/scheme.

        The login program is installed in /usr/bin/login. Under default
        configurations, this is a symbolic link to /usr/lib/iaf/scheme.

        % ls -l /usr/bin/login
        lrwxr-xr-x    1 root     sys     17 Nov 22  1994 /usr/bin/login -> ../lib/iaf/scheme

        % ls -l /usr/lib/iaf/scheme
        -rwsr-xr-x    1 root     sys  65832 Nov 22  1994 /usr/lib/iaf/scheme

        Although this vulnerability has been verified only under IRIX 6.2, it
        is believed to affect other versions of IRIX, including IRIX 5.x.


     E. ordist

        ordist(1c) is a program used to maintain identical copies of files
        over multiple hosts. It preserves the owner, group, mode and mtime of
        a file if possible.

        You can determine if this program is installed by typing

        % ls -l /usr/bsd/ordist

        ordist is installed by default in /usr/bsd. We encourage you to check
        for the presence of this program regardless of the version of IRIX
        installed.


     F. xlock

        xlock(1) is a program that locks the local X display until a password
        is entered.

        You can determine if this program is installed by typing

        % ls -l /usr/bin/X11/xlock

        xlock is installed by default in /usr/bin/X11. We encourage you to
        check for the presence of this program regardless of the version of
        IRIX installed.

        For more information about vulnerabilities in xlock, see

        ftp://info.cert.org/pub/cert_advisories/CA-97.13.xlock



II.  Impact


     A. df

        Local users may gain root privileges.


     B. pset

        Local users may gain the privileges of group sys. These privileges may
        then be used to gain root privileges.


     C. eject

        Local users may gain root privileges.


     D. login/scheme

        Local users may gain root privileges.


     E. ordist

        Local users may gain root privileges.


     F. xlock

        Local users may gain root privileges.


III. Solution

     There are several possible solutions for these problems. In Section A, we
     recommend installing vendor patches. In Section B, we discuss workarounds
     you can use until you install vendor patches. If the workaround is
     inappropriate for your site, an alternative is to install a wrapper
     program developed by AUSCERT. Information about the wrapper is in Section
     C.

     A. Vendor patches

        Currently there are no vendor patches available that address these
        vulnerabilities. The CERT/CC recommends installing official vendor
        patches when they are available.

     B. Workaround

        You should prevent the exploitation of these vulnerabilities by
        immediately applying the workaround, which is to remove the setuid and
        non-root execute permissions of the df, eject, login/scheme, ordist,
        and xlock programs and to remove the setgid and non-root execute
        permissions of pset.

        If the functionality provided by these programs is required by
        non-root users, apply the wrapper discussed in Section C.

        1. df

           To prevent the exploitation of the vulnerability described in this
           advisory, you should remove setuid permissions from the df program
           immediately. As df will no longer work for non-root users, we
           recommend removing the execute permissions for them also.

           # ls -l /sbin/df
           -r-sr-xr-x   1 root   sys     23136 Nov 22  1994 /sbin/df

           # chmod 500 /sbin/df
           # ls -l /sbin/df
           -r-x------   1 root   sys     23136 Nov 22  1994 /sbin/df


        2. pset

           To prevent the exploitation of this vulnerability, we recommend
           that you remove the setgid permissions from the pset program
           immediately. As pset will no longer work for non-root users, we
           recommend removing the execute permissions for them also.

           # ls -l /sbin/pset
           -rwsr-sr-x   1 root   sys     31704 Nov 22  1994 /sbin/pset

           # chmod 500 /sbin/pset
           # ls -l /sbin/pset
           -r-x------   1 root   sys     31704 Nov 22  1994 /sbin/pset


        3. eject

           To prevent the exploitation of the vulnerability described in this
           advisory, you should remove the setuid permissions from the eject
           program immediately. As eject will no longer have its full
           functionality for non-root users, we also recommend removing the
           execute permissions for these users.

           # ls -l /usr/sbin/eject
           -rwsr-xr-x   1 root    sys    45892 Nov 28 15:09 /usr/sbin/eject

           # chmod 500 /usr/sbin/eject
           # ls -l /usr/sbin/eject
           -r-x------   1 root    sys    45892 Nov 28 15:09 /usr/sbin/eject


        4. login/scheme

           To prevent the exploitation of the vulnerability described in this
           advisory, remove the setuid permissions from the scheme program
           immediately.

            # ls -l /usr/lib/iaf/scheme
            -rwsr-xr-x    1 root  sys    58324 Nov 28  1996 /usr/lib/iaf/scheme

            # chmod 500 /usr/lib/iaf/scheme
            # ls -l /usr/lib/iaf/scheme
            -r-x------    1 root  sys    58324 Nov 28  1996 /usr/lib/iaf/scheme


        5. ordist

           To prevent the exploitation of the vulnerability described in this
           advisory, you should remove the setuid permissions from the ordist
           program immediately. As ordist will no longer work for non-root
           users, we recommend removing the execute permissions for them also.

           # ls -l /usr/bsd/ordist
           -rwsr-xr-x   1 root   sys     70564 Nov 28 15:07 /usr/bsd/ordist

           # chmod 500 /usr/bsd/ordist
           # ls -l /usr/bsd/ordist
           -r-x------   1 root   sys     70564 Nov 28 15:07 /usr/bsd/ordist


        6. xlock

           To prevent the exploitation of the vulnerability described in this
           advisory, you should remove the setuid permissions from the
           xlock program immediately. As xlock will no longer work for
           non-root users, we recommend removing the execute permissions for
           them also.

          # ls -l /usr/bin/X11/xlock
          -rwsr-xr-x    1 root     sys    95188 Nov 28  1996 /usr/bin/X11/xlock

          # chmod 500 /usr/bin/X11/xlock
          # ls -l /usr/bin/X11/xlock
          -r-x------    1 root     sys    95188 Nov 28  1996 /usr/bin/X11/xlock

     C. Wrapper

        AUSCERT has developed a wrapper to help prevent programs from being
        exploited using the vulnerabilities described in this advisory. Sites
        that have a C compiler can obtain the source, and compile and install
        the wrapper as described in Section 1, below. For sites without a C
        compiler, AUSCERT has made pre-compiled binaries available as
        described in Section 2.


        1. Installing the wrapper from source

           The source for the wrapper, including installation instructions,
           can be found at

ftp://ftp.auscert.org.au/pub/auscert/tools/overflow_wrapper/overflow_wrapper.c

           The wrapper is installed in place of each vulnerable program (df
           is used as the example here) and checks the length of every
           command line argument passed to it. If an argument exceeds a
           predefined limit (MAXARGLEN), the wrapper exits without executing
           the real program. The wrapper can also be configured to syslog
           any failed attempt to execute the program with arguments
           exceeding MAXARGLEN. For further instructions on using this
           wrapper, please read the comments at the top of
           overflow_wrapper.c.

           When compiling overflow_wrapper.c for use with df, AUSCERT
           recommends defining MAXARGLEN to be 32. The same value is used
           for all six pre-compiled binaries in Section 2.
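           The argument-length filtering technique the wrapper uses, as an
           added example. This is not overflow_wrapper.c itself and not
           AUSCERT's code; REAL_PROG, MAXARGLEN and SYSLOG reuse the option
           names printed in this advisory, but the code, the return
           convention of check_args() and the log message format are
           assumptions of this example.

```c
/*
 * Added example of an argv-length-filtering wrapper, modelled on the
 * approach described in Section III.C. Not AUSCERT's overflow_wrapper.c.
 *
 * Hypothetical build line:
 *   cc -DREAL_PROG='"/sbin/df.real"' -DMAXARGLEN=32 -DSYSLOG -o df wrapper.c
 */
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <unistd.h>
#include <syslog.h>

#ifndef REAL_PROG
#define REAL_PROG "/sbin/df.real"   /* renamed original binary (assumption) */
#endif
#ifndef MAXARGLEN
#define MAXARGLEN 32                /* value recommended in the advisory */
#endif

/* Returns the index of the first argument longer than maxarglen bytes,
 * or -1 if every argument is within bounds. argv[0] is checked too: it is
 * also chosen by the caller of execve(2), not by the wrapper. */
int check_args(int argc, char *const argv[], size_t maxarglen)
{
    for (int i = 0; i < argc; i++) {
        if (argv[i] == NULL)
            break;
        if (strlen(argv[i]) > maxarglen)
            return i;
    }
    return -1;
}

int main(int argc, char **argv)
{
    int bad = check_args(argc, argv, MAXARGLEN);
    if (bad >= 0) {
#ifdef SYSLOG
        /* Record who tried what; the real uid survives the setuid exec. */
        openlog("overflow_wrapper", LOG_PID, LOG_AUTH);
        syslog(LOG_WARNING,
               "refusing to exec %s: argument %d is %zu bytes (limit %d), uid=%u",
               REAL_PROG, bad, strlen(argv[bad]), MAXARGLEN,
               (unsigned)getuid());
        closelog();
#endif
        fprintf(stderr, "%s: argument too long\n", argv[0]);
        return 1;
    }
    /* Every argument fits: hand the unchanged argv to the real program.
     * execv() does not return on success. The privileges in effect are
     * those of the wrapper's own setuid/setgid bits. */
    execv(REAL_PROG, argv);
    perror("execv " REAL_PROG);
    return 1;
}
```

           Two points to keep in mind when deploying a wrapper of this kind.
           The renamed real binary must not be executable by ordinary users
           (for example mode 500, owned by root), or the wrapper can simply
           be bypassed by running it directly. And the filter covers only
           command line arguments: overlong environment variables or input
           the program reads at runtime are not inspected, so a wrapper is a
           stopgap until a vendor patch is installed, not a replacement for
           one. With MAXARGLEN set to 32, legitimate invocations with long
           path arguments will also be refused.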

           The MD5 checksum for the current version of overflow_wrapper.c can
           be retrieved from

           ftp://ftp.auscert.org.au/pub/auscert/tools/overflow_wrapper/CHECKSUM

           The CHECKSUM file has been digitally signed using the AUSCERT PGP
           key.


        2. Installing the wrapper binaries

           A pre-compiled wrapper binary is provided for sites that wish to
           install the wrapper but do not have a C compiler available.
           AUSCERT compiled the wrapper on IRIX 5.3; later versions of IRIX
           should be able to use the wrapper binary without recompilation.

           The pre-compiled binaries for the wrapper program can be retrieved
           for each vulnerability. Sites are encouraged to carefully read the
           installation notes in the README file before installation.


           a. df

              The following compile time options have been used to create the
              binaries:

                REAL_PROG='"/sbin/df.real"'
                MAXARGLEN=32
                SYSLOG

              More information on these options can be found in the
              overflow_wrapper.c source code.

              You can get the pre-compiled binaries for the wrapper
              program from

           ftp://ftp.auscert.org.au/pub/auscert/tools/AA-97.19-df_wrapper.tar.Z

           MD5 (AA-97.19-df_wrapper.tar.Z) = 9d21e6358129cccbe3768757a5361f56

              AA-97.19-df_wrapper.tar.Z contains a README file with
              installation instructions, as well as a pre-compiled binary.


           b. pset

              The following compile time options have been used to create the
              binaries:

                REAL_PROG='"/sbin/pset.real"'
                MAXARGLEN=32
                SYSLOG

              More information on these options can be found in the
              overflow_wrapper.c source code.

              You can get the pre-compiled binaries for the wrapper
              program from

         ftp://ftp.auscert.org.au/pub/auscert/tools/AA-97.20-pset_wrapper.tar.Z

         MD5 (AA-97.20-pset_wrapper.tar.Z) = 875367aec70936fc5f4531b0ba8ebc03

              AA-97.20-pset_wrapper.tar.Z contains a README file with
              installation instructions, as well as a pre-compiled binary.


           c. eject

              The following compile time options have been used to create the
              binaries:

                REAL_PROG='"/usr/sbin/eject.real"'
                MAXARGLEN=32
                SYSLOG

              More information on these options can be found in the
              overflow_wrapper.c source code.

              The pre-compiled binaries for the wrapper program can be
              retrieved from

        ftp://ftp.auscert.org.au/pub/auscert/tools/AA-97.21-eject_wrapper.tar.Z

        MD5 (AA-97.21-eject_wrapper.tar.Z) = 276bf0f51c89e54d4c584a9e8dd9265d

              AA-97.21-eject_wrapper.tar.Z contains a README file with
              installation instructions, as well as a pre-compiled binary.


           d. login/scheme

              The following compile time options have been used to create the
              binaries:

                REAL_PROG='"/usr/lib/iaf/scheme.real"'
                MAXARGLEN=32
                SYSLOG

              More information on these options can be found in the
              overflow_wrapper.c source code.

              The pre-compiled binaries for the wrapper program can be
              retrieved from

       ftp://ftp.auscert.org.au/pub/auscert/tools/AA-97.22-scheme_wrapper.tar.Z

       MD5 (AA-97.22-scheme_wrapper.tar.Z) = dc302aa275a4009d1545180bfce8ebf4

              AA-97.22-scheme_wrapper.tar.Z contains a README file with
              installation instructions, as well as a pre-compiled binary.


           e. ordist

              The following compile time options have been used to create the
              binaries:

                REAL_PROG='"/usr/bsd/ordist.real"'
                MAXARGLEN=32
                SYSLOG

              More information on these options can be found in the
              overflow_wrapper.c source code.

              The pre-compiled binaries for the wrapper program can be
              retrieved from

       ftp://ftp.auscert.org.au/pub/auscert/tools/AA-97.23-ordist_wrapper.tar.Z

       MD5 (AA-97.23-ordist_wrapper.tar.Z) = 0eed9d9a52658181a1ce9b4ce2ed7fd2

              AA-97.23-ordist_wrapper.tar.Z contains a README file with
              installation instructions, as well as a pre-compiled binary.


           f. xlock

              The following compile time options have been used to create the
              binaries:

                REAL_PROG='"/usr/bin/X11/xlock.real"'
                MAXARGLEN=32
                SYSLOG

              More information on these options can be found in the
              overflow_wrapper.c source code.

              The pre-compiled binaries for the wrapper program can be
              retrieved from

        ftp://ftp.auscert.org.au/pub/auscert/tools/AA-97.24-xlock_wrapper.tar.Z

        MD5 (AA-97.24-xlock_wrapper.tar.Z) = fe12913cd0f7bb78193488dd58cc2f4f

              AA-97.24-xlock_wrapper.tar.Z contains a README file with
              installation instructions, as well as a pre-compiled binary.


- -----------------------------------------------------------------------------
The CERT Coordination Center staff thanks AUSCERT for permission to republish
the information in six AUSCERT advisories:

AA-97.19.IRIX.df.buffer.overflow.vul
AA-97.20.IRIX.pset.buffer.overflow.vul
AA-97.21.IRIX.eject.buffer.overflow.vul
AA-97.22.IRIX.login.scheme.buffer.overflow.vul
AA-97.23.IRIX.ordist.buffer.overflow.vul
AA-97.24.IRIX.xlock.buffer.overflow.vul

AUSCERT originally thanked Ian Farquhar and the Prentice Center, University of
Queensland for their assistance in the production of AA-97.22.
- -----------------------------------------------------------------------------

If you believe that your system has been compromised, contact the CERT
Coordination Center or your representative in the Forum of Incident Response
and Security Teams (see http://www.first.org/team-info/).


CERT/CC Contact Information
- ----------------------------
Email    cert () cert org

Phone    +1 412-268-7090 (24-hour hotline)
                CERT personnel answer 8:30-5:00 p.m. EST(GMT-5) / EDT(GMT-4)
                and are on call for emergencies during other hours.

Fax      +1 412-268-6989

Postal address
         CERT Coordination Center
         Software Engineering Institute
         Carnegie Mellon University
         Pittsburgh PA 15213-3890
         USA

Using encryption
   We strongly urge you to encrypt sensitive information sent by email. We can
   support a shared DES key or PGP. Contact the CERT/CC for more information.
   Location of CERT PGP key
         ftp://info.cert.org/pub/CERT_PGP.key

Getting security information
   CERT publications and other security information are available from
        http://www.cert.org/
        ftp://info.cert.org/pub/

   CERT advisories and bulletins are also posted on the USENET newsgroup
        comp.security.announce

   To be added to our mailing list for advisories and bulletins, send
   email to
        cert-advisory-request () cert org
   In the subject line, type
        SUBSCRIBE  your-email-address

- ---------------------------------------------------------------------------
* Registered U.S. Patent and Trademark Office.

Copyright 1997 Carnegie Mellon University
This material may be reproduced and distributed without permission provided
it is used for noncommercial purposes and the copyright statement is
included.

The CERT Coordination Center is part of the Software Engineering Institute
(SEI). The SEI is sponsored by the U.S. Department of Defense.
- ---------------------------------------------------------------------------

This file:
ftp://info.cert.org/pub/cert_advisories/CA-97.21.sgi_buffer_overflow

           http://www.cert.org
               click on "CERT Advisories"


~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
Revision history

-----BEGIN PGP SIGNATURE-----
Version: 2.6.2

iQCVAwUBM8ztSnVP+x0t4w7BAQFQigQAntj8HDSrmqZcJFLRcpfQ4X12BXiclSvl
9pqeP5fXLPbjmNstfqjUvSdBojWyTSO6WAvy8j2SRBOCpOEgJSIjUxx9QfMyn4S1
OAPCsUTP2u5YE7fRHUq4xIsqU3Lr0aDNDwd6UVqwmAnFsMalBCPwSr6+5g/YDyCP
EYvrCWFK7u4=
=urqI
-----END PGP SIGNATURE-----


