IRIX chost/gr_osview vulnerabilities

From: Klaus (klausat_private)
Date: Fri Nov 20 1998 - 10:55:27 PST

Next message: bobortat_private: "Re: Vulnerability in Samba on RedHat, Caldera and PHT TurboLinux"

Previous message: SGI Security Coordinator: "Vulnerability in IRIX autofsd"
Next in thread: Knut Hellebų: "Re: IRIX chost/gr_osview vulnerabilities"
Reply: Knut Hellebų: "Re: IRIX chost/gr_osview vulnerabilities"
Messages sorted by: [ date ] [ thread ] [ subject ] [ author ]

Hello,

The SGI osview GUI tools are victim to another familiar Un*x security bug.

Problem:
^^^^^^^^

When invoked by a privileged user, the osview tools (available under the
/usr/Cadmin/bin/chost GUI or System -> System Manager from the toolchest
app.) will create predictable files in /var/tmp, with mode 0777.

These tools create files in /var/tmp using the syntax
"IP-address.osview.system".

for instance,
-rwxrwxrwx    1 root     sys           12 Nov 20 13:13 192.24.42.12.os.cpu
-rwxrwxrwx    1 root     sys           34 Nov 20 13:13 192.24.42.12.osview.disk
-rwxrwxrwx    1 root     sys          107 Nov 20 13:13 192.24.42.12.osview.gen
-rwxrwxrwx    1 root     sys           31 Nov 20 13:13 192.24.42.12.osview.net

Scope:
^^^^^^

A clever user can dupe a sysadmin into overwriting any supposedly
protected file on the system, such as, say, /etc/passwd, or /unix...
along with it, the associated mayhem.

symlink an important file to one of those, wait for a privileged user to
run the appropriate program, and...

aruba 60# more /etc/passwd
disk(/)
disk(/disk2)
disk(/disk6)
aruba 61#

Solution:
^^^^^^^^^

These files are created to instruct gr_osview what quantities to monitor
on a running system. Apart from waiting for SGI to change the way
gr_osview opens/creates files (O_CREAT|O_EXCL|O_RDONLY) on the open, and
a less generous creation mask (0444 would do just as well), the only
solution is to disable gr_osview entirely. I'm not sure if any other SGI
admins use it, but I find it handy once in a while. This bug was tested on
an Indy running 6.2; I haven't tried it on our other systems (Challenges,
O2, Origins) running different versions of IRIX, but I'd be willing to bet
they're also vulnerable.

Klaus

--
TODO:
1) learn how to use my new Unix account.
2) learn how to change this list.

-----BEGIN PGP PUBLIC KEY BLOCK-----
Version: 2.6.2

mQCNAzWQQ7QAAAEEALulvoUfgDSsm9FkcznQ4z4EZrjBlPPcNqLm9HKD2QSEcJKU
7ewiIVKEPkQc0PLRlsedwv8VN4TruzNhsIigHmRkBoyb4UYLIVRDXqirhJmsvkaW
f0/ahkd+sy35AAiWi8xu0tSISbd8P5sHr5l+1tJH2Z/mQ8OkZBfiXzM9H40RAAUT
tA9LbGF1cyBQLiBTdGVkZW6JAJUDBRA1kEkoF+JfMz0fjREBAVIeBACnEmwA+sLS
RmWadyEtI9vL9FT+qv6o77sm0AptBy+ZAnCK20V1TyjwyTs1nHSkfWJxABx9zWUH
DtMN3vZ/2Q/mnYDUcJEwH/p2e29ETYA7ss/eRBOW4DQ226uYN2R2HTtFB8ZhWS4a
1UovSLmVDsk0FX5q7DXkGToVRl/u9boK4Q==
=KfVd
-----END PGP PUBLIC KEY BLOCK-----

Next message: bobortat_private: "Re: Vulnerability in Samba on RedHat, Caldera and PHT TurboLinux"
Previous message: SGI Security Coordinator: "Vulnerability in IRIX autofsd"
Next in thread: Knut Hellebų: "Re: IRIX chost/gr_osview vulnerabilities"
Reply: Knut Hellebų: "Re: IRIX chost/gr_osview vulnerabilities"
Messages sorted by: [ date ] [ thread ] [ subject ] [ author ]

This archive was generated by hypermail 2b30 : Fri Apr 13 2001 - 14:24:05 PDT