=============================================================================
CERT* Advisory CA-97.21
Original issue date: July 16, 1997
Last revised: --
Topic: SGI Buffer Overflow Vulnerabilities
- -----------------------------------------------------------------------------
The technical content of this advisory
was originally published by AUSCERT
(AA-97.19, AA-97.20, AA-97.21, AA-97.22,
AA-97.23, AA-97.24). We use it here with
their permission.
- -----------------------------------------------------------------------------
Some SGI IRIX systems have buffer overflow vulnerabilities in the following
programs:
df
pset
eject
login/scheme
ordist
xlock
These vulnerabilities may allow local users to gain root privileges. Exploit
information involving these vulnerabilities has been made publicly available.
A more detailed discussion of each problem appears in Section I.
All these buffer overflow problems can be addressed by similar workarounds or
by installing a wrapper developed by AUSCERT (see Section III).
We will update this advisory as we receive additional information.
Please check our advisory files regularly for updates that relate to your site.
- -----------------------------------------------------------------------------
I. Description
Due to insufficient bounds checking on arguments that are supplied by
users, it is possible to overwrite the internal stack space of the
programs listed above while they are executing. By supplying a carefully
designed argument to one of these programs, intruders may be able to
force the program to execute arbitrary commands. As the programs (except
pset) are setuid root, this may allow intruders to run arbitrary commands
with root privileges. As pset is setgid sys, this may allow intruders to
run arbitrary commands with the privileges of group sys. This may then be
leveraged to gain root privileges.
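The bug class the paragraph above describes, shown as an added illustration rather than code from the advisory or from SGI's IRIX sources: a command-line argument copied into a fixed-size stack buffer with no length check, beside a bounded version that refuses anything that does not fit. The buffer size OPTBUF, the function names and the accept/reject return convention are assumptions made for this example.

```c
/* Added example (not from the advisory or from SGI's code): the bug class
 * behind df, pset, eject, scheme, ordist and xlock, a fixed-size stack
 * buffer filled from argv with no bounds check, beside a bounded version.
 * OPTBUF, the function names and the return convention are assumptions. */
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

#define OPTBUF 64   /* assumed size of the program's internal buffer */

/* Vulnerable pattern: strcpy() copies until the NUL regardless of the
 * destination size. An argument longer than OPTBUF-1 bytes overwrites
 * whatever lies beyond buf on the stack, including the saved return
 * address, which is what an exploit for this class relies on. It is here
 * only to show the shape of the bug; never call it with untrusted input. */
void parse_option_vulnerable(const char *arg)
{
    char buf[OPTBUF];
    strcpy(buf, arg);            /* no bounds check */
    /* ... the real program would act on buf here ... */
}

/* Hardened pattern: measure first, refuse anything that does not fit,
 * and copy with an explicit length so the buffer can never overflow.
 * Returns 1 if the argument was accepted, 0 if it was rejected. */
int parse_option_checked(const char *arg, char *out, size_t outlen)
{
    size_t n = strlen(arg);
    if (n >= outlen)             /* leave room for the terminating NUL */
        return 0;
    memcpy(out, arg, n + 1);
    return 1;
}

/* Verdict only: copy into a buffer of the program's size and report fit. */
int checked_accepts(const char *arg)
{
    char buf[OPTBUF];
    return parse_option_checked(arg, buf, sizeof buf);
}

/* Probe helper: would an argument of exactly n bytes be accepted? The
 * argument is built on the heap so n can be anything, including the
 * lengths an attacker would try. Returns -1 only if malloc fails. */
int accepts_arg_of_length(size_t n)
{
    char *arg = malloc(n + 1);
    if (arg == NULL)
        return -1;
    memset(arg, 'A', n);
    arg[n] = '\0';
    int ok = checked_accepts(arg);
    free(arg);
    return ok;
}

int main(int argc, char **argv)
{
    char buf[OPTBUF];
    if (argc < 2) {
        fprintf(stderr, "usage: %s <argument>\n", argv[0]);
        return 2;
    }
    if (!parse_option_checked(argv[1], buf, sizeof buf)) {
        fprintf(stderr, "argument too long (%zu bytes, limit %d)\n",
                strlen(argv[1]), OPTBUF - 1);
        return 1;
    }
    printf("accepted: %s\n", buf);
    return 0;
}
```

The checked version rejects at exactly OPTBUF-1 bytes because the terminating NUL must also fit; an off-by-one there is itself an overflow of one byte. In a setuid program every byte of argv is attacker-controlled, so the check has to happen before the copy, not after.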
A. df
df(1) is a program used to display statistics about the amount of used
and free disc space on file systems.
You can determine if this program is installed by typing
% ls -l /sbin/df
df is installed by default in /sbin. We encourage you to check
for the presence of this program regardless of the version of IRIX
installed.
B. pset
pset(1M) is a program used to display and modify information
concerning the use of processor sets in the current system. The pset
command is used on multi-processor systems to restrict the execution
of different classes of jobs.
You can determine if this program is installed by typing
% ls -l /sbin/pset
pset is installed by default in /sbin. We encourage you to check for
the presence of this program regardless of the version of IRIX
installed.
C. eject
eject(1) is a program used to eject a removable media device, such as
floppy, CDROM, or tape. If the floppy or CDROM is mounted, eject will
first try to unmount it.
You can determine if this program is installed by typing
% ls -l /usr/sbin/eject
eject is installed by default in /usr/sbin. We encourage you to check
for the presence of this program regardless of the version of IRIX
installed.
D. login/scheme
login(1) is a program used at the beginning of each terminal session
that allows users to identify themselves to the session. Under
current versions of IRIX, this functionality is supplied by the program
/usr/lib/iaf/scheme. The login program is a symbolic link to
/usr/lib/iaf/scheme.
The login program is installed in /usr/bin/login. Under default
configurations, this is a symbolic link to /usr/lib/iaf/scheme.
% ls -l /usr/bin/login
lrwxr-xr-x 1 root sys 17 Nov 22 1994 /usr/bin/login -> ../lib/iaf/scheme
% ls -l /usr/lib/iaf/scheme
-rwsr-xr-x 1 root sys 65832 Nov 22 1994 /usr/lib/iaf/scheme
Although this vulnerability has been verified only under IRIX 6.2, it
is believed to affect other versions of IRIX, including IRIX 5.x.
E. ordist
ordist(1c) is a program used to maintain identical copies of files
over multiple hosts. It preserves the owner, group, mode and mtime of
a file if possible.
You can determine if this program is installed by typing
% ls -l /usr/bsd/ordist
ordist is installed by default in /usr/bsd. We encourage you to check
for the presence of this program regardless of the version of IRIX
installed.
F. xlock
xlock(1) is a program that locks the local X display until a password
is entered.
You can determine if this program is installed by typing
% ls -l /usr/bin/X11/xlock
xlock is installed by default in /usr/bin/X11. We encourage you to
check for the presence of this program regardless of the version of
IRIX installed.
For more information about vulnerabilities in xlock, see
ftp://info.cert.org/pub/cert_advisories/CA-97.13.xlock
II. Impact
A. df
Local users may gain root privileges.
B. pset
Local users may gain the privileges of group sys. These privileges may
then be used to gain root privileges.
C. eject
Local users may gain root privileges.
D. login/scheme
Local users may gain root privileges.
E. ordist
Local users may gain root privileges.
F. xlock
Local users may gain root privileges.
III. Solution
There are several possible solutions for these problems. In Section A, we
recommend installing vendor patches. In Section B, we discuss workarounds
you can use until you install vendor patches. If the workaround is
inappropriate for your site, an alternative is to install a wrapper
program developed by AUSCERT. Information about the wrapper is in Section
C.
A. Vendor patches
Currently there are no vendor patches available that address these
vulnerabilities. The CERT/CC recommends installing official vendor
patches when they are available.
B. Workaround
You should prevent the exploitation of this vulnerability by
immediately applying the workaround, which is to remove the setuid and
non-root execute permissions of the df, eject, login/scheme, ordist,
and xlock programs and to remove the setgid and non-root execute
permissions of pset.
If the functionality provided by these programs is required by
non-root users, apply the wrapper discussed in Section C.
1. df
To prevent the exploitation of the vulnerability described in this
advisory, you should remove setuid permissions from the df program
immediately. As df will no longer work for non-root users, we
recommend removing the execute permissions for them also.
# ls -l /sbin/df
-r-sr-xr-x 1 root sys 23136 Nov 22 1994 /sbin/df
# chmod 500 /sbin/df
# ls -l /sbin/df
-r-x------ 1 root sys 23136 Nov 22 1994 /sbin/df
2. pset
To prevent the exploitation of this vulnerability, we recommend
that you remove the setgid permissions from the pset program
immediately. As pset will no longer work for non-root users, we
recommend removing the execute permissions for them also.
# ls -l /sbin/pset
-rwsr-sr-x 1 root sys 31704 Nov 22 1994 /sbin/pset
# chmod 500 /sbin/pset
# ls -l /sbin/pset
-r-x------ 1 root sys 31704 Nov 22 1994 /sbin/pset
3. eject
To prevent the exploitation of the vulnerability described in this
advisory, you should remove the setuid permissions from the eject
program immediately. As eject will no longer have its full
functionality for non-root users, we also recommend removing the
execute permissions for these users.
# ls -l /usr/sbin/eject
-rwsr-xr-x 1 root sys 45892 Nov 28 15:09 /usr/sbin/eject
# chmod 500 /usr/sbin/eject
# ls -l /usr/sbin/eject
-r-x------ 1 root sys 45892 Nov 28 15:09 /usr/sbin/eject
4. login/scheme
To prevent the exploitation of the vulnerability described in this
advisory, remove the setuid permissions from the scheme program
immediately.
# ls -l /usr/lib/iaf/scheme
-rwsr-xr-x 1 root sys 58324 Nov 28 1996 /usr/lib/iaf/scheme
# chmod 500 /usr/lib/iaf/scheme
# ls -l /usr/lib/iaf/scheme
-r-x------ 1 root sys 58324 Nov 28 1996 /usr/lib/iaf/scheme
5. ordist
To prevent the exploitation of the vulnerability described in this
advisory, you should remove the setuid permissions from the ordist
program immediately. As ordist will no longer work for non-root
users, we recommend removing the execute permissions for them also.
# ls -l /usr/bsd/ordist
-rwsr-xr-x 1 root sys 70564 Nov 28 15:07 /usr/bsd/ordist
# chmod 500 /usr/bsd/ordist
# ls -l /usr/bsd/ordist
-r-x------ 1 root sys 70564 Nov 28 15:07 /usr/bsd/ordist
6. xlock
To prevent the exploitation of the vulnerability described in this
advisory, you should remove the setuid permissions from the xlock
program immediately. As xlock will no longer work for non-root users,
we recommend removing the execute permissions for them also.
# ls -l /usr/bin/X11/xlock
-rwsr-xr-x 1 root sys 95188 Nov 28 1996 /usr/bin/X11/xlock
# chmod 500 /usr/bin/X11/xlock
# ls -l /usr/bin/X11/xlock
-r-x------ 1 root sys 95188 Nov 28 1996 /usr/bin/X11/xlock
C. AUSCERT wrapper
AUSCERT has developed a wrapper to help prevent programs from being
exploited using the vulnerabilities described in this advisory. Sites
that have a C compiler can obtain the source, and compile and install
the wrapper as described in Section 1, below. For sites without a C
compiler, AUSCERT has made pre-compiled binaries available as
described in Section 2.
1. Installing the wrapper from source
The source for the wrapper, including installation instructions,
can be found at
ftp://ftp.auscert.org.au/pub/auscert/tools/overflow_wrapper/overflow_wrapper.c
The wrapper is installed in place of the vulnerable program (df in the
original AUSCERT advisory; the same source serves pset, eject, scheme,
ordist and xlock) and checks the length of the command-line arguments
passed to it. If any argument exceeds a predefined limit (MAXARGLEN),
the wrapper exits without executing the real program. The wrapper can
also be configured to syslog any failed attempt to run the program with
arguments exceeding MAXARGLEN. For further instructions on using this
wrapper, please read the comments at the top of overflow_wrapper.c.
When compiling overflow_wrapper.c, AUSCERT recommends defining MAXARGLEN
to be 32 (the value used for all six pre-compiled binaries in Section 2).
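A minimal wrapper of the kind described above, written as an added example; it is not AUSCERT's overflow_wrapper.c and makes no claim about that program's internals. The REAL_PROG and MAXARGLEN defaults, the syslog facility and ident string, and the function names are assumptions chosen for illustration.

```c
/* Added example, not AUSCERT's overflow_wrapper.c: a wrapper that refuses to
 * run the real program if any command-line argument is longer than MAXARGLEN
 * bytes, records the refusal with syslog(3), and otherwise exec()s the real
 * program with the same argument vector. REAL_PROG, MAXARGLEN, the syslog
 * facility and the function names are assumptions for illustration. */
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <unistd.h>
#include <syslog.h>

#ifndef REAL_PROG
#define REAL_PROG "/sbin/df.real"   /* assumed: where the original binary was moved */
#endif
#ifndef MAXARGLEN
#define MAXARGLEN 32                /* AUSCERT's recommended limit */
#endif

/* Returns the index of the first argument longer than maxlen, or -1 if every
 * argument is within the limit. argv[0] is checked too: a caller can pass
 * any string there via execve(), so it is as untrusted as the rest.
 * Kept free of side effects so it can be exercised on its own. */
int first_oversized_arg(int argc, char *const argv[], size_t maxlen)
{
    for (int i = 0; i < argc; i++) {
        if (argv[i] != NULL && strlen(argv[i]) > maxlen)
            return i;
    }
    return -1;
}

int main(int argc, char *argv[])
{
    int bad = first_oversized_arg(argc, argv, MAXARGLEN);
    if (bad >= 0) {
        /* Log the refusal. The offending argument itself is deliberately not
         * logged, so attacker-chosen bytes never reach the log file. */
        openlog("overflow_wrapper", LOG_PID, LOG_AUTH);
        syslog(LOG_WARNING,
               "refused to exec %s: argv[%d] is %zu bytes, limit %d, uid %u",
               REAL_PROG, bad, strlen(argv[bad]), MAXARGLEN,
               (unsigned)getuid());
        closelog();
        fprintf(stderr, "%s: argument too long\n", argv[0]);
        return 1;
    }
    /* Every argument passed the check: hand over to the real program with
     * the same argument vector. execv() only returns on failure. */
    execv(REAL_PROG, argv);
    perror(REAL_PROG);
    return 127;
}
```

The -D options correspond to the compile-time settings listed for the pre-compiled binaries in Section 2 (REAL_PROG, MAXARGLEN, SYSLOG). Note what such a wrapper does and does not cover: it screens only the length of command-line arguments, so it is a stopgap for the specific overflows in this advisory and not a substitute for the vendor patches recommended in Section A.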
The MD5 checksum for the current version of overflow_wrapper.c can
be retrieved from
ftp://ftp.auscert.org.au/pub/auscert/tools/overflow_wrapper/CHECKSUM
The CHECKSUM file has been digitally signed using the AUSCERT PGP
key.
2. Installing the wrapper binaries
A pre-compiled wrapper binary is provided for sites that wish to
install the wrapper but do not have a C compiler available.
AUSCERT has compiled the wrapper on IRIX 5.3; however later
versions of IRIX should be able to use the wrapper binary without
recompilation.
The pre-compiled binaries for the wrapper program can be retrieved
for each vulnerability. Sites are encouraged to carefully read the
installation notes in the README file before installation.
a. df
The following compile time options have been used to create the
binaries:
REAL_PROG='"/sbin/df.real"'
MAXARGLEN=32
SYSLOG
More information on these options can be found in the
overflow_wrapper.c source code.
You can get the pre-compiled binaries for the wrapper
program from
ftp://ftp.auscert.org.au/pub/auscert/tools/AA-97.19-df_wrapper.tar.Z
MD5 (AA-97.19-df_wrapper.tar.Z) = 9d21e6358129cccbe3768757a5361f56
AA-97.19-df_wrapper.tar.Z contains a README file with
installation instructions, as well as a pre-compiled binary.
b. pset
The following compile time options have been used to create the
binaries:
REAL_PROG='"/sbin/pset.real"'
MAXARGLEN=32
SYSLOG
More information on these options can be found in the
overflow_wrapper.c source code.
You can get the pre-compiled binaries for the wrapper
program from
ftp://ftp.auscert.org.au/pub/auscert/tools/AA-97.20-pset_wrapper.tar.Z
MD5 (AA-97.20-pset_wrapper.tar.Z) = 875367aec70936fc5f4531b0ba8ebc03
AA-97.20-pset_wrapper.tar.Z contains a README file with
installation instructions, as well as a pre-compiled binary.
c. eject
The following compile time options have been used to create the
binaries:
REAL_PROG='"/usr/sbin/eject.real"'
MAXARGLEN=32
SYSLOG
More information on these options can be found in the
overflow_wrapper.c source code.
The pre-compiled binaries for the wrapper program can be
retrieved from
ftp://ftp.auscert.org.au/pub/auscert/tools/AA-97.21-eject_wrapper.tar.Z
MD5 (AA-97.21-eject_wrapper.tar.Z) = 276bf0f51c89e54d4c584a9e8dd9265d
AA-97.21-eject_wrapper.tar.Z contains a README file with
installation instructions, as well as a pre-compiled binary.
d. login/scheme
The following compile time options have been used to create the
binaries:
REAL_PROG='"/usr/lib/iaf/scheme.real"'
MAXARGLEN=32
SYSLOG
More information on these options can be found in the
overflow_wrapper.c source code.
The pre-compiled binaries for the wrapper program can be
retrieved from
ftp://ftp.auscert.org.au/pub/auscert/tools/AA-97.22-scheme_wrapper.tar.Z
MD5 (AA-97.22-scheme_wrapper.tar.Z) = dc302aa275a4009d1545180bfce8ebf4
AA-97.22-scheme_wrapper.tar.Z contains a README file with
installation instructions, as well as a pre-compiled binary.
e. ordist
The following compile time options have been used to create the
binaries:
REAL_PROG='"/usr/bsd/ordist.real"'
MAXARGLEN=32
SYSLOG
More information on these options can be found in the
overflow_wrapper.c source code.
The pre-compiled binaries for the wrapper program can be
retrieved from
ftp://ftp.auscert.org.au/pub/auscert/tools/AA-97.23-ordist_wrapper.tar.Z
MD5 (AA-97.23-ordist_wrapper.tar.Z) = 0eed9d9a52658181a1ce9b4ce2ed7fd2
AA-97.23-ordist_wrapper.tar.Z contains a README file with
installation instructions, as well as a pre-compiled binary.
f. xlock
The following compile time options have been used to create the
binaries:
REAL_PROG='"/usr/bin/X11/xlock.real"'
MAXARGLEN=32
SYSLOG
More information on these options can be found in the
overflow_wrapper.c source code.
The pre-compiled binaries for the wrapper program can be
retrieved from
ftp://ftp.auscert.org.au/pub/auscert/tools/AA-97.24-xlock_wrapper.tar.Z
MD5 (AA-97.24-xlock_wrapper.tar.Z) = fe12913cd0f7bb78193488dd58cc2f4f
AA-97.24-xlock_wrapper.tar.Z contains a README file with
installation instructions, as well as a pre-compiled binary.
- -----------------------------------------------------------------------------
The CERT Coordination Center staff thanks AUSCERT for permission to republish
the information in six AUSCERT advisories:
AA-97.19.IRIX.df.buffer.overflow.vul
AA-97.20.IRIX.pset.buffer.overflow.vul
AA-97.21.IRIX.eject.buffer.overflow.vul
AA-97.22.IRIX.login.scheme.buffer.overflow.vul
AA-97.23-IRIX.ordist.buffer.overflow.vul
AA-97.24.IRIX.xlock.buffer.overflow.vul
AUSCERT originally thanked Ian Farquhar and the Prentice Center, University of
Queensland for their assistance in the production of AA-97.22.
- -----------------------------------------------------------------------------
If you believe that your system has been compromised, contact the CERT
Coordination Center or your representative in the Forum of Incident Response
and Security Teams (see http://www.first.org/team-info/).
CERT/CC Contact Information
- ----------------------------
Email cert@cert.org
Phone +1 412-268-7090 (24-hour hotline)
CERT personnel answer 8:30-5:00 p.m. EST(GMT-5) / EDT(GMT-4)
and are on call for emergencies during other hours.
Fax +1 412-268-6989
Postal address
CERT Coordination Center
Software Engineering Institute
Carnegie Mellon University
Pittsburgh PA 15213-3890
USA
Using encryption
We strongly urge you to encrypt sensitive information sent by email. We can
support a shared DES key or PGP. Contact the CERT/CC for more information.
Location of CERT PGP key
ftp://info.cert.org/pub/CERT_PGP.key
Getting security information
CERT publications and other security information are available from
http://www.cert.org/
ftp://info.cert.org/pub/
CERT advisories and bulletins are also posted on the USENET newsgroup
comp.security.announce
To be added to our mailing list for advisories and bulletins, send
email to
cert-advisory-request@cert.org
In the subject line, type
SUBSCRIBE your-email-address
- ---------------------------------------------------------------------------
* Registered U.S. Patent and Trademark Office.
Copyright 1997 Carnegie Mellon University
This material may be reproduced and distributed without permission provided
it is used for noncommercial purposes and the copyright statement is
included.
The CERT Coordination Center is part of the Software Engineering Institute
(SEI). The SEI is sponsored by the U.S. Department of Defense.
- ---------------------------------------------------------------------------
This file:
ftp://info.cert.org/pub/cert_advisories/CA-97.21.sgi_buffer_overflow
http://www.cert.org
click on "CERT Advisories"
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
Revision history
-----BEGIN PGP SIGNATURE-----
Version: 2.6.2
iQCVAwUBM8ztSnVP+x0t4w7BAQFQigQAntj8HDSrmqZcJFLRcpfQ4X12BXiclSvl
9pqeP5fXLPbjmNstfqjUvSdBojWyTSO6WAvy8j2SRBOCpOEgJSIjUxx9QfMyn4S1
OAPCsUTP2u5YE7fRHUq4xIsqU3Lr0aDNDwd6UVqwmAnFsMalBCPwSr6+5g/YDyCP
EYvrCWFK7u4=
=urqI
-----END PGP SIGNATURE-----