Bugtraq mailing list archives

Re: IRIX rpc.passwd vulnerability
From: David Foster <foster () dim ucsd edu>
Date: Fri, 7 Jun 2002 15:00:42 -0700 (PDT)

Strange, I patched 11 systems, all at IRIX 6.5.14, and
didn't see this behavior, all /tmp stayed at 1777.

Dave Foster

From: "Frank Bures" <lisfrank () chem toronto edu>
To: "bugtraq () securityfocus com" <bugtraq () securityfocus com>
Date: Fri, 07 Jun 2002 13:58:14 -0400 (EDT)
Subject: Re: IRIX rpc.passwd vulnerability


Installation of this patch leads to arbitrarily changed permissions of the 
/tmp directory.

On my various IRIX boxes, some permissions remained correct (1777), some were 
changed to 777, some even to 755.

On Tue, 4 Jun 2002 15:47:28 -0700 (PDT), SGI Security Coordinator wrote:


                         SGI Security Advisory

       Title:      rpc.passwd vulnerability
       Number:     20020601-01-P
       Date:       June 4, 2002
       Reference:  CAN-2002-0357

--- Issue Specifics ---

It's been reported that /usr/etc/rpc.passwd has a vulnerability which
could allow a user to compromise root.

SGI has investigated the issue and recommends the following steps for
neutralizing the exposure.  It is HIGHLY RECOMMENDED that these measures be
implemented on ALL vulnerable SGI systems.

These issues have been corrected with patches and in future releases of

--- Impact ---

The rpc.passwd binary is not installed by default on IRIX 6.5 systems. It is
part of the optional subsystem "nfs.sw.nis".

To see if rpc.passwd is installed, execute the following command:

 # versions nfs.sw.nis
 I = Installed, R = Removed

    Name                 Date        Description

    I  nfs                  03/26/2002  Network File System, 6.5.16m
    I  nfs.sw               03/26/2002  NFS Software
    I  nfs.sw.nis           03/26/2002  NIS (formerly Yellow Pages) Support

If the line containing "nfs.sw.nis" is returned, then it is installed and
the system is potentially vulnerable.  This vulnerability applies only to
systems that are configured as YP masters ("chkconfig yp" shows "on", and
"ps -ef | grep rpc.passwd" shows that rpc.passwd is running).

To determine the version of IRIX you are running, execute the following

 # uname -R

That will return a result similar to the following:

 # 6.5 6.5.15f

The first number ("6.5") is the release name, the second ("6.5.15f" in this
case) is the extended release name.  The extended release name is the
"version" we refer to throughout this document.

This vulnerability was assigned the following CVE:

--- Temporary Workaround ---

SGI understands that there are times when upgrading the operating system or
installing patches are inconvenient or not possible.  In those instances, we
recommend the following workaround, although it may have a negative impact
on the functionality of the system:

 Disable the rpc.passwd binary by issuing the following command:

 # chmod 444 /usr/etc/rpc.passwd
 # killall rpc.passwd

 After doing this, it will be necessary to run the "passwd" program on the
 NIS master in order to cause NIS password changes.

Instead of using this workaround, SGI recommends either upgrading to IRIX
6.5.16 when released, or installing the appropriate patch from the listing
below.  We recommend this course of action because IRIX 6.5.16 and the patch
also fix other non security-related issues with rpc.passwd.

--- Solution ---

SGI has provided a series of patches for these vulnerabilities. Our
recommendation is to upgrade to IRIX 6.5.16 when available, or install the
appropriate patch.

  OS Version     Vulnerable?     Patch #      Other Actions
  ----------     -----------     -------      -------------
  IRIX 3.x        unknown                     Note 1
  IRIX 4.x        unknown                     Note 1
  IRIX 5.x        unknown                     Note 1
  IRIX 6.0.x      unknown                     Note 1
  IRIX 6.1        unknown                     Note 1
  IRIX 6.2        unknown                     Note 1
  IRIX 6.3        unknown                     Note 1
  IRIX 6.4        unknown                     Note 1
  IRIX 6.5          yes                       Notes 2 & 3
  IRIX 6.5.1        yes                       Notes 2 & 3
  IRIX 6.5.2        yes                       Notes 2 & 3
  IRIX 6.5.3        yes                       Notes 2 & 3
  IRIX 6.5.4        yes                       Notes 2 & 3
  IRIX 6.5.5        yes                       Notes 2 & 3
  IRIX 6.5.6        yes                       Notes 2 & 3
  IRIX 6.5.7        yes                       Notes 2 & 3
  IRIX 6.5.8        yes                       Notes 2 & 3
  IRIX 6.5.9        yes                       Notes 2 & 3
  IRIX 6.5.10       yes                       Notes 2 & 3
  IRIX 6.5.11       yes                       Notes 2 & 3
  IRIX 6.5.12       yes           4588        Note 4
  IRIX 6.5.13       yes           4588        Note 4
  IRIX 6.5.14       yes           4589        Note 4
  IRIX 6.5.15       yes           4589        Note 4
  IRIX 6.5.16       no                        Note 4


    1) This version of the IRIX operating system has been retired. Upgrade to an
       actively supported IRIX operating system.  See
       http://support.sgi.com/irix/news/index.html#policy for more

    2) If you have not received an IRIX 6.5.X CD for IRIX 6.5, contact your
       SGI Support Provider or URL: http://support.sgi.com/irix/swupdates/

    3) Upgrade to IRIX 6.5.16m or 6.5.16f.

    4) Note that these patches (and IRIX 6.5.16) address other rpc.passwd
       issues not related to the specific security issue being reported in
       this bulletin.  See the release notes for details.

               ##### Patch File Checksums ####

Frank Bures, Dept. of Chemistry, University of Toronto, M5S 3H6
fbures () chem toronto edu

   << All opinions expressed are mine, not the University's >>

   David Foster    National Center for Microscopy and Imaging Research
    Programmer/Analyst     University of California, San Diego
    dfoster () ucsd edu       Department of Neuroscience, Mail 0608
    (858) 534-7968         http://ncmir.ucsd.edu/

   "The reasonable man adapts himself to the world; the unreasonable one
   persists in trying to adapt the world to himself.  Therefore, all progress
   depends on the unreasonable."   -- George Bernard Shaw
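
The advisory's exposure conditions and the /tmp permission check raised in this thread, combined into one triage script; this is an added example, not code from SGI or from either poster. The function names are hypothetical, the yp flag state is passed in as the word "on" or "off" as the advisory phrases it, and all sample input is constructed.

```shell
#!/bin/sh
# Added example (not from the advisory or thread). Inputs are captured command
# output so the checks run offline; all sample data below is constructed.

# stdin: output of `versions nfs.sw.nis`; true if the subsystem is installed.
nis_installed() {
    awk '$1 == "I" && $2 == "nfs.sw.nis" { f = 1 } END { exit !f }'
}

# stdin: output of `ps -ef`; true if rpc.passwd runs (ignores the grep itself).
rpc_passwd_running() {
    awk '/rpc\.passwd/ && !/grep/ { f = 1 } END { exit !f }'
}

# $1 = versions output, $2 = yp flag state ("on"/"off"), $3 = ps -ef output
assess() {
    printf '%s\n' "$1" | nis_installed || { echo not-installed; return 0; }
    if [ "$2" = on ] && printf '%s\n' "$3" | rpc_passwd_running; then
        echo potentially-vulnerable
    else
        echo installed-not-yp-master
    fi
}

# $1 = one line of `ls -ld /tmp`; classifies the modes reported in the thread.
tmp_perm_status() {
    perms=${1%% *}
    case "$perms" in
        drwxrwxrwt*)     echo ok ;;                  # 1777
        d???????w[x-]*)  echo sticky-bit-missing ;;  # e.g. 777
        d???????-?*)     echo not-world-writable ;;  # e.g. 755
        *)               echo unexpected ;;
    esac
}

# Constructed sample input, modelled on the advisory's `versions` listing.
SAMPLE_VERSIONS='I = Installed, R = Removed
   I  nfs.sw.nis           03/26/2002  NIS (formerly Yellow Pages) Support'
SAMPLE_PS='    root   312     1  0 09:14:02 ?        0:00 /usr/etc/rpc.passwd
    root   977   950  0 10:02:11 pts/0    0:00 grep rpc.passwd'

assess "$SAMPLE_VERSIONS" on "$SAMPLE_PS"
tmp_perm_status 'drwxrwxrwx   9 sys   sys   4096 Jun  7 13:58 /tmp'
```

On a live system the arguments would be the real output of `versions nfs.sw.nis`, `ps -ef` and `ls -ld /tmp`, with the last check run before and after installing the patch.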
