Re: IRIX rpc.passwd vulnerability

From: David Foster (fosterat_private)
Date: Fri Jun 07 2002 - 15:00:42 PDT

  • Next message: David F. Skoll: "Re: MIME::Tools Perl module and virus scanners" 

    Strange, I patched 11 systems, all at IRIX 6.5.14, and
didn't see this behavior, all /tmp stayed at 1777.

Dave Foster

> From: "Frank Bures" <lisfrankat_private>
> To: "bugtraqat_private" <bugtraqat_private>
> Date: Fri, 07 Jun 2002 13:58:14 -0400 (EDT)
> Subject: Re: IRIX rpc.passwd vulnerability
> 
> FYI:
> 
> Installation of this patch leads to arbitrarily changed permissions of the 
> /tmp directory.
> 
> On my various IRIX boxes, some permissions remained correct (1777), some were 
> changed to 777, some even to 755.
> 
> 
> On Tue, 4 Jun 2002 15:47:28 -0700 (PDT), SGI Security Coordinator wrote:
> 
> >_____________________________________________________________________________
> >
> >                          SGI Security Advisory
> >
> >        Title:      rpc.passwd vulnerability
> >        Number:     20020601-01-P
> >        Date:       June 4, 2002
> >        Reference:  CAN-2002-0357
> >_____________________________________________________________________________
> >
> >-----------------------
> >--- Issue Specifics ---
> >-----------------------
> >
> >It's been reported that /usr/etc/rpc.passwd has a vulnerability which
> >could allow a user to compromise root.
> >
> >SGI has investigated the issue and recommends the following steps for
> >neutralizing the exposure.  It is HIGHLY RECOMMENDED that these measures be
> >implemented on ALL vulnerable SGI systems.
> >
> >These issues have been corrected with patches and in future releases of
> >IRIX.
> >
> >
> >--------------
> >--- Impact ---
> >--------------
> >
> >The rpc.passwd binary is not installed by default on IRIX 6.5 systems. It is
> >part of the optional subsystem "nfs.sw.nis".
> >
> >To see if rpc.passwd is installed, execute the following command:
> >
> >  # versions nfs.sw.nis
> >  I = Installed, R = Removed
> >
> >     Name                 Date        Description
> >
> >     I  nfs                  03/26/2002  Network File System, 6.5.16m
> >     I  nfs.sw               03/26/2002  NFS Software
> >     I  nfs.sw.nis           03/26/2002  NIS (formerly Yellow Pages) Support
> >
> >If the line containing "nfs.sw.nis" is returned, then it is installed and
> >the system is potentially vulnerable.  This vulnerability applies only to
> >systems that are configured as YP masters ("chkconfig yp" shows "on", and
> >"ps -ef | grep rpc.passwd" shows that rpc.passwd is running).
> >
> >To determine the version of IRIX you are running, execute the following
> >command:
> >
> >  # uname -R
> >
> >That will return a result similar to the following:
> >
> >  # 6.5 6.5.15f
> >
> >The first number ("6.5") is the release name, the second ("6.5.15f" in this
> >case) is the extended release name.  The extended release name is the
> >"version" we refer to throughout this document.
> >
> >This vulnerability was assigned the following CVE:
> >http://cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2002-0357
> >
> >
> >----------------------------
> >--- Temporary Workaround ---
> >----------------------------
> >
> >SGI understands that there are times when upgrading the operating system or
> >installing patches are inconvenient or not possible.  In those instances, we
> >recommend the following workaround, although it may have a negative impact
> >on the functionality of the system:
> >
> >  Disable the rpc.passwd binary by issuing the following command:
> >
> >  # chmod 444 /usr/etc/rpc.passwd
> >  # killall rpc.passwd
> >
> >  After doing this, it will be necessary to run the "passwd" program on the
> >  NIS master in order to cause NIS password changes.
> >
> >Instead of using this workaround, SGI recommends either upgrading to IRIX
> >6.5.16 when released, or installing the appropriate patch from the listing
> >below.  We recommend this course of action because IRIX 6.5.16 and the patch
> >also fix other non security-related issues with rpc.passwd.
> >
> >
> >----------------
> >--- Solution ---
> >----------------
> >
> >SGI has provided a series of patches for these vulnerabilities. Our
> >recommendation is to upgrade to IRIX 6.5.16 when available, or install the
> >appropriate patch.
> >
> >   OS Version     Vulnerable?     Patch #      Other Actions
> >   ----------     -----------     -------      -------------
> >   IRIX 3.x        unknown                     Note 1
> >   IRIX 4.x        unknown                     Note 1
> >   IRIX 5.x        unknown                     Note 1
> >   IRIX 6.0.x      unknown                     Note 1
> >   IRIX 6.1        unknown                     Note 1
> >   IRIX 6.2        unknown                     Note 1
> >   IRIX 6.3        unknown                     Note 1
> >   IRIX 6.4        unknown                     Note 1
> >   IRIX 6.5          yes                       Notes 2 & 3
> >   IRIX 6.5.1        yes                       Notes 2 & 3
> >   IRIX 6.5.2        yes                       Notes 2 & 3
> >   IRIX 6.5.3        yes                       Notes 2 & 3
> >   IRIX 6.5.4        yes                       Notes 2 & 3
> >   IRIX 6.5.5        yes                       Notes 2 & 3
> >   IRIX 6.5.6        yes                       Notes 2 & 3
> >   IRIX 6.5.7        yes                       Notes 2 & 3
> >   IRIX 6.5.8        yes                       Notes 2 & 3
> >   IRIX 6.5.9        yes                       Notes 2 & 3
> >   IRIX 6.5.10       yes                       Notes 2 & 3
> >   IRIX 6.5.11       yes                       Notes 2 & 3
> >   IRIX 6.5.12       yes           4588        Note 4
> >   IRIX 6.5.13       yes           4588        Note 4
> >   IRIX 6.5.14       yes           4589        Note 4
> >   IRIX 6.5.15       yes           4589        Note 4
> >   IRIX 6.5.16       no                        Note 4
> >
> >   NOTES
> >
> >     1) This version of the IRIX operating has been retired. Upgrade to an
> >        actively supported IRIX operating system.  See
> >        http://support.sgi.com/irix/news/index.html#policy for more
> >        information.
> >
> >     2) If you have not received an IRIX 6.5.X CD for IRIX 6.5, contact your
> >        SGI Support Provider or URL: http://support.sgi.com/irix/swupdates/
> >
> >     3) Upgrade to IRIX 6.5.16m or 6.5.16f.
> >
> >     4) Note that these patches (and IRIX 6.5.16) address other rpc.passwd
> >        issues not related to the specific security issue being reported in
> >        this bulletin.  See the release notes for details.
> >
> >                ##### Patch File Checksums ####
> 
> Frank Bures, Dept. of Chemistry, University of Toronto, M5S 3H6
> fburesat_private
> http://www.chem.utoronto.ca/general/itelec.html
> PGP public key: 
http://wwwkeys.pgp.net:11371/pks/lookup?op=index&search=Frank+Bures
> -----BEGIN PGP SIGNATURE-----
> Version: PGPfreeware 5.0 OS/2 for non-commercial use
> Comment: PGP 5.0 for OS/2
> Charset: cp850
> 
> wj8DBQE9AOYmih0Xdz1+w+wRApnwAKCrQlAxnTRYueeKQFMsbxz2EaM7ewCg/lyb
> cMqg9wCrLSqj0YwHaVz++RU=
> =ihq9
> -----END PGP SIGNATURE-----
> 


   << All opinions expressed are mine, not the University's >>

  =-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=
   David Foster    National Center for Microscopy and Imaging Research
    Programmer/Analyst     University of California, San Diego
    dfosterat_private       Department of Neuroscience, Mail 0608
    (858) 534-7968         http://ncmir.ucsd.edu/
  =-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=

   "The reasonable man adapts himself to the world; the unreasonable one
   persists in trying to adapt the world to himself.  Therefore, all progress
   depends on the unreasonable."   -- George Bernard Shaw

    This archive was generated by hypermail 2b30 : Fri Jun 07 2002 - 16:21:39 PDT