comp.sys.sgi.bugs: YET another security alert (sigh)

Arthur Hagen (art@KETHER.GLOBAL-ONE.NO)
Mon, 04 Aug 1997 12:15:41 +0300

Date: 1 Aug 1997 04:40:27 GMT
From: art@kether.global-one.no (Arthur Hagen)
Subject: YET another security alert (sigh)
To: security-alert@sgi.com
Cc: support@oslo.sgi.com
Reply-to: art@broomstick.com
Message-id: <5rrpbr$l88$4@bone.global-one.no>
Organization: Global One
MIME-version: 1.0
Content-type: TEXT/PLAIN; CHARSET=US-ASCII
Newsgroups: comp.sys.sgi.bugs,comp.sys.sgi.admin
Lines: 48
NNTP-posting-host: kether.global-one.no
Xref: kronos.fmi.fi comp.sys.sgi.bugs:3905 comp.sys.sgi.admin:49554

I just discovered that I can gain access to any IRIX 6.3 (and probably 6.4)
machine by making a cgi script emulating the .tdf files in /usr/sysadm.
The principle is simple - you make the cgi script use a mime type
similar to an .edf or .tdf file (application/x-sgi-exec or
application/x-sgi-task), and make the file name contain spaces and
look quite similar to SaAddUserTask.tdf (or even SaModifyMyPassword.tdf),
with the only difference being it containing the arguments too.
If writing a cgi script to do this is too awkward, you can do this hack
by simply installing a different web server than Netscape and modifying
the file type. Apache works fine. Basically, you make the server
give one of the application types described above, and instruct it
to execute one of the *legal* commands in /usr/sysadm when someone
connects, with arguments enough to make it lethal. Then make a link
to it (with the spaces in the link - %20 is a space in HTML) from
another page. Then you just wait for someone with an SGI to access that
file. Now, what I ask myself is:
Is that *huge* security hole, which is much like ActiveX, a deliberate
thing from SGI, or didn't the people who made it know that SGI users
could access web pages beyond the local trusted LAN?
Was /usr/sysadm/* made by the same people who made the
(now thankfully obsolete) objectserver?

To everyone with IRIX 6.3+: To feel a BIT safer, open the "General
Preferences" in Netscape, and change the actions for "x-sgi-task" and
"x-sgi-exec" to "Unknown - prompt user".
This means you won't be able to use some of the sysadm pages on the
server at port 2077, but that's no big worry. You can do everything
from root anyhow, and the 2077 server is by default running with access
allowed from the whole world with root access, so it's a security bug
in itself. So do the above mods (preferably to the file
/usr/local/lib/netscape/mailcap as well), then "chkconfig webface off",
and even better, "chkconfig privileges off", and then call SGI and tell
them what you think about their Mickey Mouse attitude towards security.

(It took me almost 40 minutes to hack root with a .tdf file. I'm thick,
so it took me a while to figure out how. I'm sure someone else can do
better. To my knowledge, it does work for ANY 6.3+ client with a
privileged user accessing a remote web page set up for hacking SGIs.)

I *do* hope that SGI takes this seriously, and issues a warning that
people who are accessing the internet (or anything outside the trusted
LAN) should NOT run webface or privileges. Even if it means losing
face for some SGI developers.

Regards,

--
*Art
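As an added defender-side example (not part of Art's post or of any SGI tool), a small POSIX sh audit that checks the two mitigations the post recommends: it flags mailcap entries that still route application/x-sgi-exec or application/x-sgi-task to a handler instead of prompting, and flags webface or privileges still "on" in a saved chkconfig listing. The mailcap and chkconfig contents below are constructed samples, and the handler paths are placeholders, not real IRIX paths.

```shell
#!/bin/sh
# Added example, not from the original post. Assumes mailcap lines in the
# standard "type; command [; flags]" form and a chkconfig listing in the
# "name  on|off" form. Sample inputs are constructed, not real IRIX files.

# Print every mailcap entry that hands the two SGI types to a handler.
# Returns 1 if any such entry exists, 0 if the file is clean.
audit_mailcap() {
    risky=0
    while IFS= read -r line; do
        case "$line" in ''|'#'*) continue ;; esac
        mtype=$(printf '%s' "$line" | cut -d';' -f1 | tr -d ' \t')
        case "$mtype" in
            application/x-sgi-exec|application/x-sgi-task)
                printf 'RISKY mailcap entry: %s\n' "$line"
                risky=1 ;;
        esac
    done < "$1"
    return $risky
}

# Report webface / privileges still switched on in a chkconfig listing.
# Returns 1 if either is "on", 0 if both are off or absent.
audit_chkconfig() {
    bad=0
    for svc in webface privileges; do
        state=$(awk -v s="$svc" '$1 == s { print $2 }' "$1")
        if [ "$state" = "on" ]; then
            printf 'RISKY: %s is on (post recommends: chkconfig %s off)\n' "$svc" "$svc"
            bad=1
        fi
    done
    return $bad
}

# Constructed sample inputs; "/PLACEHOLDER/..." stands in for a real handler.
tmp=${TMPDIR:-/tmp}/sgi-audit.$$
mkdir -p "$tmp"
cat > "$tmp/mailcap" <<'EOF'
# constructed sample: both SGI types still auto-executed
application/x-sgi-exec; /PLACEHOLDER/exec-handler %s
application/x-sgi-task; /PLACEHOLDER/task-handler %s
image/gif; /PLACEHOLDER/viewer %s
EOF
grep -v 'x-sgi-' "$tmp/mailcap" > "$tmp/mailcap.safe"   # the post's fix applied
printf '        webface        on\n        privileges     on\n' > "$tmp/chkconfig.out"

audit_mailcap "$tmp/mailcap" || echo "-> set these types to 'Unknown - prompt user'"
audit_chkconfig "$tmp/chkconfig.out" || echo "-> turn webface and privileges off"
```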