Home page logo
/

bugtraq logo Bugtraq mailing list archives

Re: IRIX rpc.passwd vulnerability
From: "Frank Bures" <lisfrank () chem toronto edu>
Date: Fri, 07 Jun 2002 13:58:14 -0400 (EDT)

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

FYI:

Installation of this patch leads to arbitrarily changed permissions of the 
/tmp directory.

On my various IRIX boxes, some permissions remained correct (1777), some were 
changed to 777, some even to 755.


On Tue, 4 Jun 2002 15:47:28 -0700 (PDT), SGI Security Coordinator wrote:

_____________________________________________________________________________

                         SGI Security Advisory

       Title:      rpc.passwd vulnerability
       Number:     20020601-01-P
       Date:       June 4, 2002
       Reference:  CAN-2002-0357
_____________________________________________________________________________

-----------------------
--- Issue Specifics ---
-----------------------

It's been reported that /usr/etc/rpc.passwd has a vulnerability which
could allow a user to compromise root.

SGI has investigated the issue and recommends the following steps for
neutralizing the exposure.  It is HIGHLY RECOMMENDED that these measures be
implemented on ALL vulnerable SGI systems.

These issues have been corrected with patches and in future releases of
IRIX.


--------------
--- Impact ---
--------------

The rpc.passwd binary is not installed by default on IRIX 6.5 systems. It is
part of the optional subsystem "nfs.sw.nis".

To see if rpc.passwd is installed, execute the following command:

 # versions nfs.sw.nis
 I = Installed, R = Removed

    Name                 Date        Description

    I  nfs                  03/26/2002  Network File System, 6.5.16m
    I  nfs.sw               03/26/2002  NFS Software
    I  nfs.sw.nis           03/26/2002  NIS (formerly Yellow Pages) Support

If the line containing "nfs.sw.nis" is returned, then it is installed and
the system is potentially vulnerable.  This vulnerability applies only to
systems that are configured as YP masters ("chkconfig yp" shows "on", and
"ps -ef | grep rpc.passwd" shows that rpc.passwd is running).

To determine the version of IRIX you are running, execute the following
command:

 # uname -R

That will return a result similar to the following:

 # 6.5 6.5.15f

The first number ("6.5") is the release name, the second ("6.5.15f" in this
case) is the extended release name.  The extended release name is the
"version" we refer to throughout this document.

This vulnerability was assigned the following CVE:
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2002-0357


----------------------------
--- Temporary Workaround ---
----------------------------

SGI understands that there are times when upgrading the operating system or
installing patches are inconvenient or not possible.  In those instances, we
recommend the following workaround, although it may have a negative impact
on the functionality of the system:

 Disable the rpc.passwd binary by issuing the following command:

 # chmod 444 /usr/etc/rpc.passwd
 # killall rpc.passwd

 After doing this, it will be necessary to run the "passwd" program on the
 NIS master in order to cause NIS password changes.

Instead of using this workaround, SGI recommends either upgrading to IRIX
6.5.16 when released, or installing the appropriate patch from the listing
below.  We recommend this course of action because IRIX 6.5.16 and the patch
also fix other non security-related issues with rpc.passwd.


----------------
--- Solution ---
----------------

SGI has provided a series of patches for these vulnerabilities. Our
recommendation is to upgrade to IRIX 6.5.16 when available, or install the
appropriate patch.

  OS Version     Vulnerable?     Patch #      Other Actions
  ----------     -----------     -------      -------------
  IRIX 3.x        unknown                     Note 1
  IRIX 4.x        unknown                     Note 1
  IRIX 5.x        unknown                     Note 1
  IRIX 6.0.x      unknown                     Note 1
  IRIX 6.1        unknown                     Note 1
  IRIX 6.2        unknown                     Note 1
  IRIX 6.3        unknown                     Note 1
  IRIX 6.4        unknown                     Note 1
  IRIX 6.5          yes                       Notes 2 & 3
  IRIX 6.5.1        yes                       Notes 2 & 3
  IRIX 6.5.2        yes                       Notes 2 & 3
  IRIX 6.5.3        yes                       Notes 2 & 3
  IRIX 6.5.4        yes                       Notes 2 & 3
  IRIX 6.5.5        yes                       Notes 2 & 3
  IRIX 6.5.6        yes                       Notes 2 & 3
  IRIX 6.5.7        yes                       Notes 2 & 3
  IRIX 6.5.8        yes                       Notes 2 & 3
  IRIX 6.5.9        yes                       Notes 2 & 3
  IRIX 6.5.10       yes                       Notes 2 & 3
  IRIX 6.5.11       yes                       Notes 2 & 3
  IRIX 6.5.12       yes           4588        Note 4
  IRIX 6.5.13       yes           4588        Note 4
  IRIX 6.5.14       yes           4589        Note 4
  IRIX 6.5.15       yes           4589        Note 4
  IRIX 6.5.16       no                        Note 4

  NOTES

    1) This version of the IRIX operating has been retired. Upgrade to an
       actively supported IRIX operating system.  See
       http://support.sgi.com/irix/news/index.html#policy for more
       information.

    2) If you have not received an IRIX 6.5.X CD for IRIX 6.5, contact your
       SGI Support Provider or URL: http://support.sgi.com/irix/swupdates/

    3) Upgrade to IRIX 6.5.16m or 6.5.16f.

    4) Note that these patches (and IRIX 6.5.16) address other rpc.passwd
       issues not related to the specific security issue being reported in
       this bulletin.  See the release notes for details.

               ##### Patch File Checksums ####

Frank Bures, Dept. of Chemistry, University of Toronto, M5S 3H6
fbures () chem toronto edu
http://www.chem.utoronto.ca/general/itelec.html
PGP public key: http://wwwkeys.pgp.net:11371/pks/lookup?op=index&search=Frank+Bures
-----BEGIN PGP SIGNATURE-----
Version: PGPfreeware 5.0 OS/2 for non-commercial use
Comment: PGP 5.0 for OS/2
Charset: cp850

wj8DBQE9AOYmih0Xdz1+w+wRApnwAKCrQlAxnTRYueeKQFMsbxz2EaM7ewCg/lyb
cMqg9wCrLSqj0YwHaVz++RU=
=ihq9
-----END PGP SIGNATURE-----



  By Date           By Thread  

Current thread:
[ Nmap | Sec Tools | Mailing Lists | Site News | About/Contact | Advertising | Privacy ]