Date: Wed, 19 May 1999 11:25:59 -0400
From: Larry W. Cashdollar
To: BUGTRAQ@netspace.org
Subject: IRIX midikeys root exploit.

Aleph1,

Please forgive me if this has already been on this list. I searched geek-girl with no luck. I have been auditing our IRIX boxes and found what I believe to be a new vulnerability.

On IRIX 6.5 systems (IRIX Release 6.5 IP28):

  # uname -a
  IRIX64 devel 6.5 05190004

The setuid root binary midikeys can be used to read any file on the system using its GUI interface. It can also be used to edit any file on the system. I was able to get from guest account access to root access using the following procedure.

1) Choose an unpassworded account and telnet in. I like guest or lp.

  devel 25% id
  uid=998 gid=998(guest)

2) Execute the midikeys application with display set to your host.

  devel 26% ./midikeys
  devel 27% Xlib: extension "GLX" missing on display "grinch:0.0".
  Xlib: extension "GLX" missing on display "grinch:0.0".

3) Under the midikeys window click sounds and then midi songs. This will open a file manager type interface.

4) You can enter the path and filename of files you wish to read, including root owned with group/world read/write permissions unset.

5) If you select a file like "/usr/share/data/music/README" it will appear in a text editor. Use the text editor to open /etc/passwd and make modifications at will. Save and enjoy.

So I removed the '*' from sysadm...

  $ su sysadm
  # id
  uid=0(root) gid=0(sys)

  devel 28% ls -l /usr/sbin/midikeys
  -rwsr-xr-x    1 root     root      218712 Jan 10 17:19 /usr/sbin/midikeys

I have tested this on 2 IRIX 6.5 hosts with success. A patch exists for startmidi and stopmidi buffer overflows (more info on the previous patch: ftp://sgigate.sgi.com/security/19980301-01-PX). However, I didn't find any for midikeys.

--
Larry W. Cashdollar
UNIX/Security Operations.
Computer Sciences Corporation.
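Added example, not code from the report above or from SGI: a Python audit that does for a whole directory tree what the single ls -l line in the report does for one file. It lists every regular file that is setuid and owned by a given uid, flags the MIDI tools this thread names (midikeys, plus startmidi and stopmidi from the earlier patch), and applies the mode 555 that SGI's Temporary Solution later in this thread prescribes, re-checking the result afterwards. The tool names and the directory list are assumptions to adjust per host; the demo runs on a constructed temporary tree owned by the caller, so it needs no root.

```python
"""Audit setuid binaries and apply the 'strip setuid' mitigation.

Added example for this thread (not the reporter's or SGI's code). It treats the
permission shape shown in the report, -rwsr-xr-x owned by root, as the finding
and mode 555 as the fixed state. Assumptions: the tool names and the directory
list passed in are the caller's choice; adjust them for the host being audited.
"""
import os
import stat
import tempfile

# Tools the thread mentions: midikeys (this issue), startmidi/stopmidi (earlier patch).
MIDI_TOOLS = ("midikeys", "startmidi", "stopmidi")
HARDENED_MODE = 0o555   # what the advisory's "chmod 555" leaves behind


def setuid_binaries(dirs, owner_uid=0):
    """Return sorted (path, mode) for regular files under dirs that carry the
    setuid bit and are owned by owner_uid. Symlinks are skipped (lstat) so a
    link into an audited tree cannot make an unrelated file look like a finding."""
    found = []
    for top in dirs:
        for root, _subdirs, files in os.walk(top):
            for name in files:
                path = os.path.join(root, name)
                try:
                    st = os.lstat(path)
                except OSError:
                    continue          # vanished or unreadable: not a finding
                if (stat.S_ISREG(st.st_mode)
                        and st.st_mode & stat.S_ISUID
                        and st.st_uid == owner_uid):
                    found.append((path, stat.S_IMODE(st.st_mode)))
    return sorted(found)


def midi_tool_findings(dirs, owner_uid=0):
    """Map each MIDI tool name to the paths where it is still setuid."""
    hits = {name: [] for name in MIDI_TOOLS}
    for path, _mode in setuid_binaries(dirs, owner_uid):
        base = os.path.basename(path)
        if base in hits:
            hits[base].append(path)
    return hits


def strip_setuid(path):
    """Apply the advisory's remediation (chmod 555) and re-check, as its
    verification step does. Returns the resulting permission bits."""
    os.chmod(path, HARDENED_MODE)
    mode = stat.S_IMODE(os.lstat(path).st_mode)
    if mode & (stat.S_ISUID | stat.S_ISGID):
        raise RuntimeError(f"{path}: setuid/setgid still set after chmod")
    return mode


def demo():
    """Self-contained run on a constructed tree: a fake 'midikeys' with the
    mode from the report, owned by whoever runs this (so no root is needed).
    Returns (flagged before fix, fixed mode correct, clean after fix)."""
    with tempfile.TemporaryDirectory() as top:
        sbin = os.path.join(top, "usr", "sbin")
        os.makedirs(sbin)
        fake = os.path.join(sbin, "midikeys")
        with open(fake, "w") as fh:
            fh.write("#!/bin/sh\nexit 0\n")
        os.chmod(fake, 0o4755)            # -rwsr-xr-x, as in the report
        me = os.getuid()
        before = midi_tool_findings([top], owner_uid=me)["midikeys"]
        fixed_mode = strip_setuid(fake)
        after = midi_tool_findings([top], owner_uid=me)["midikeys"]
        return (before == [fake], fixed_mode == HARDENED_MODE, after == [])


if __name__ == "__main__":
    print(demo())
```

On a real host the call is setuid_binaries(["/usr/sbin", "/usr/bin", "/usr/lib"]) with the default owner_uid=0; anything it returns that is not on the site's expected list deserves the same question Björn asks below about midikeys: why is this setuid at all?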
---------------------------------------------------------------------------
Date: Thu, 20 May 1999 11:49:11 +0200
From: Erik Mouw
To: BUGTRAQ@netspace.org
Subject: Re: IRIX midikeys root exploit.

Larry W. Cashdollar wrote:
> Please forgive me if this has already been on this list. I searched
> geek-girl with no luck. I have been auditing our IRIX boxes and found what I
> believe to be a new vulnerability.
>
> On IRIX 6.5 systems (IRIX Release 6.5 IP28 )
> # uname -a
> IRIX64 devel 6.5 05190004
>
> The setuid root binary midikeys can be used to read any file on the
> system using its gui interface. It can also be used to edit any file on the
> system. I was able to get from guest account access to root access using the
> following procedure.
>
>
> 1) Choose an unpassworded account and telnet in. I like guest or lp.
>
> devel 25% id
> uid=998 gid=998(guest)

Unpassworded account? That's a known (and documented) feature on IRIX systems. First thing you do when you unpack an IRIX box: set a root password and disable the open accounts (EZsetup, OutOfBox, lp, guest, 4Dgifts, sgiweb). There's even an entry in the "System manager" to do it.

You just need an account to gain root privileges; it's not limited to the unpassworded accounts, any normal user could use this exploit.

> 2) Execute the midikeys application with display set to your host.
>
> devel 26% ./midikeys
> devel 27% Xlib: extension "GLX" missing on display "grinch:0.0".
> Xlib: extension "GLX" missing on display "grinch:0.0".
>
>
> 3) under the midikeys window click sounds and then midi songs. This will
> open a file manager type interface.
>
> 4) You can enter the path and filename of files you wish to read.
> including root owned with group/world read/write permissions unset.
>
> 5) If you select a file like "/usr/share/data/music/README" it will
> appear in a text editor. Use the text editor to open /etc/passwd and
> make modifications at will. Save and enjoy.
>
> So I removed the '*' from sysadm...
>
> $ su sysadm
> # id
> uid=0(root) gid=0(sys)
>
> devel 28% ls -l /usr/sbin/midikeys
> -rwsr-xr-x 1 root root 218712 Jan 10 17:19 /usr/sbin/midikeys
>
>
> I have tested this on 2 IRIX 6.5 hosts with success. A patch exists for
> startmidi and stopmidi buffer overflows.

Verified to work on an O2 running IRIX 6.3:

  uname -aR
  IRIX o2 6.3 O2 R10000 12161207 IP32

And on an Octane running IRIX 6.5.3:

  uname -aR
  IRIX64 octane 6.5 6.5.3m 01221553 IP30

Editor was XEmacs, but that doesn't really matter.

Erik
(strictly speaking for myself)

--
J.A.K. (Erik) Mouw, Information and Communication Theory Group, Department
of Electrical Engineering, Faculty of Information Technology and Systems,
Delft University of Technology, PO BOX 5031, 2600 GA Delft, The Netherlands
Phone: +31-15-2785859  Fax: +31-15-2781843
Email: J.A.K.Mouw@its.tudelft.nl  WWW: http://www-ict.its.tudelft.nl/~erik/

---------------------------------------------------------------------------
Date: Fri, 21 May 1999 10:56:33 -0400
From: Larry W. Cashdollar
To: BUGTRAQ@netspace.org
Subject: IRIX midikeys vulnerability list.

I am attempting to compile a list of vulnerable systems for this exploit. I would like to provide as much information to SGI as possible. Here is what I have found so far.

Erik Mouw                          Email J.A.K.Mouw@its.tudelft.nl
----------------------------------------------
Verified to work on an O2 running IRIX 6.3:
  uname -aR
  IRIX o2 6.3 O2 R10000 12161207 IP32

And on an Octane running IRIX 6.5.3:
  uname -aR
  IRIX64 octane 6.5 6.5.3m 01221553 IP30

Larry W. Cashdollar                lwcashd@biw.com
----------------------------------------------
Verified on an ONYX/2 running IRIX 6.5.
  uname -aR
  IRIX64 onyx 6.5 05190003 IP27

Verified on an Indigo running IRIX 6.5.
  uname -aR
  IRIX64 flier 6.5 05190004 IP28

I was unable to test this on our IRIX 6.2 box. /usr/sbin/midikeys does exist and it is setuid root however.

Anthony C. Zboralski               acz@hert.org
----------------------------------------------
It works on latest 6.5.4 maintenance release:
  IRIX ra 6.5 04151556 IP32 mips

Larry W. Cashdollar
Unix Administrator
Computer Security Operations

---------------------------------------------------------------------------
Date: Thu, 20 May 1999 19:08:44 -0600
From: Philipp Schott
To: BUGTRAQ@netspace.org
Subject: Re: IRIX midikeys root exploit.

On May 20, 11:49am, Erik Mouw wrote:
> Subject: Re: IRIX midikeys root exploit.
>
> Verified to work on an O2 running IRIX 6.3:
> uname -aR
> IRIX o2 6.3 O2 R10000 12161207 IP32
>
> And on an Octane running IRIX 6.5.3:
> uname -aR
> IRIX64 octane 6.5 6.5.3m 01221553 IP30
>
> Erik
> (strictly speaking for myself)
>

What is the package called that includes "midikeys"? On all boxes (5.3, 6.3, 6.4, 6.5.2) I've checked there is no such program, but there is start-/stopmidi.

philipp

--
===============================================================
Philipp M. W. Schott            Institute for Applied Mathematics
Fon: +49 (0)761/203-5626        Hermann-Herder-Str. 10
Fax: +49 (0)761/203-5632        Freiburg University
smtp: pmws@pmws.de              D-79104 Freiburg
http: www.pmws.de
===============================================================

---------------------------------------------------------------------------
Date: Fri, 21 May 1999 08:55:01 +0200
From: Björn Torkelsson
To: BUGTRAQ@netspace.org
Subject: Re: IRIX midikeys root exploit.

Erik Mouw writes:
> > I have tested this on 2 IRIX 6.5 hosts with success. A patch exists for
> > startmidi and stopmidi buffer overflows.
>
> Verified to work on an O2 running IRIX 6.3:
> uname -aR
> IRIX o2 6.3 O2 R10000 12161207 IP32
>
> And on an Octane running IRIX 6.5.3:
> uname -aR
> IRIX64 octane 6.5 6.5.3m 01221553 IP30

Verified to work on an O2 running IRIX 6.5.3.

After a chmod u-s midikeys, midikeys still works, at least after a very quick test. Does anybody know why midikeys is setuid root? Is this reported to SGI?

/torkel

---------------------------------------------------------------------------
Date: Fri, 21 May 1999 09:04:47 -0700
From: Steve Allen
To: BUGTRAQ@netspace.org
Subject: Re: IRIX midikeys root exploit.

On May 20, 7:08pm, Philipp Schott wrote:
> What is the package called that includes "midikeys"?
> On all boxes (5.3, 6.3, 6.4, 6.5.2) I've checked there is no such program,
> but there is start-/stopmidi.

dmedia_eoe.sw.synth

teve

--
Steven R. Allen - steve.allen@boeing.com -- SGI Admin Weenie
http://www.eskimo.com/~wormey/  ICQ# 6709819
Contrary to popular belief, Unix is user friendly.
It just happens to be selective about who it makes friends with.

---------------------------------------------------------------------------
Date: Fri, 21 May 1999 21:26:22 GMT
From: SGI Security Coordinator
Reply-To: agent99@sgi.com
To: BUGTRAQ@netspace.org
Subject: IRIX midikeys Vulnerability

-----BEGIN PGP SIGNED MESSAGE-----

______________________________________________________________________________

                          SGI Security Advisory

        Title:   IRIX midikeys Vulnerability
        Number:  19990501-01-A
        Date:    May 21, 1999
______________________________________________________________________________

SGI provides this information freely to the SGI user community for its consideration, interpretation, implementation and use. SGI recommends that this information be acted upon as soon as possible.

SGI provides the information in this Security Advisory on an "AS-IS" basis only, and disclaims all warranties with respect thereto, express, implied or otherwise, including, without limitation, any warranty of merchantability or fitness for a particular purpose. In no event shall SGI be liable for any loss of profits, loss of business, loss of data or for any indirect, special, exemplary, incidental or consequential damages of any kind arising from your use of, failure to use or improper use of any of the instructions or information in this Security Advisory.
______________________________________________________________________________

SGI acknowledges the publicly reported IRIX midikeys vulnerability and is currently investigating.

For the protection of all our customers, SGI does not disclose, discuss or confirm vulnerabilities until a full investigation has occurred and any necessary patch(es) or release streams are available for all vulnerable and supported Unicos and IRIX operating systems.

Until SGI has more definitive information to provide, customers are encouraged to assume all security vulnerabilities as exploitable and take appropriate steps according to local site security policies and requirements. Steps to remove setuid on the IRIX midikeys program are found in the Temporary Solution section below.

No further information is available at this time. As further information becomes available, additional advisories will be issued via the normal SGI security information distribution methods including the wiretap mailing list.

- ----------------------------
- ----- Temporary Solution ---
- ----------------------------

The steps below can be used to remove setuid from the IRIX midikeys(1) program.

     ================
     **** NOTE ****
     ================

     Removal of the setuid permission disables functionality that is not implemented or utilized at this time.

  1) Verify midikeys(1) is installed on the system. It is installed by default on IRIX 6.2 and higher. Note that the program size may vary depending on IRIX release.

     % ls -la /usr/sbin/midikeys
     -rwsr-xr-x    1 root     sys       218712 Mar  8 14:57 /usr/sbin/midikeys

  2) Become the root user on the system.

     % /bin/su -
     Password:
     #

  3) Change the permissions on the program.

     # /bin/chmod 555 /usr/sbin/midikeys

  4) Verify the new permissions on the program.

     # ls -la /usr/sbin/midikeys
     -r-xr-xr-x    1 root     sys       218712 May 20 13:57 /usr/sbin/midikeys

  5) Return to previous level.

     # exit
     %

- -----------------------------------------
- --- SGI Security Information/Contacts ---
- -----------------------------------------

If there are questions about this document, email can be sent to cse-security-alert@sgi.com.

                      ------oOo------

SGI provides security information and patches for use by the entire SGI community. This information is freely available to any person needing the information and is available via anonymous FTP and the Web.

The primary SGI anonymous FTP site for security information and patches is sgigate.sgi.com (204.94.209.1). Security information and patches are located under the directories ~ftp/security and ~ftp/patches, respectively. The SGI Security Headquarters Web page is accessible at the URL http://www.sgi.com/Support/security/security.html .

For issues with the patches on the FTP sites, email can be sent to cse-security-alert@sgi.com.

For assistance obtaining or working with security patches, please contact your SGI support provider.

                      ------oOo------

SGI provides a free security mailing list service called wiretap and encourages interested parties to self-subscribe to receive (via email) all SGI Security Advisories when they are released. Subscribing to the mailing list can be done via the Web (http://www.sgi.com/Support/security/wiretap.html) or by sending email to SGI as outlined below.

     % mail wiretap-request@sgi.com
     subscribe wiretap
     end
     ^d

In the example above, is the email address that you wish the mailing list information sent to. The word end must be on a separate line to indicate the end of the body of the message. The control-d (^d) is used to indicate to the mail program that you are finished composing the mail message.

                      ------oOo------

SGI provides a comprehensive customer World Wide Web site. This site is located at http://www.sgi.com/Support/security/security.html .

                      ------oOo------

For reporting *NEW* SGI security issues, email can be sent to security-alert@sgi.com or contact your SGI support provider. A support contract is not required for submitting a security report.

______________________________________________________________________________

This information is provided freely to all interested parties and may be redistributed provided that it is not altered in any way, SGI is appropriately credited and the document retains and includes its valid PGP signature.

-----BEGIN PGP SIGNATURE-----
Version: 2.6.2

iQCVAwUBN0XOZ7Q4cFApAP75AQFAXQP/XPq9JyXVm8xiPDjxF327yZ8QAF3u1OF6
27Z+wIW01G6XKo0Hfu1mPVV0DNQnuKA8NQHST6iQ8F3CnwMI8Ue2RxMMDursQ19Q
X9FkoIJCHveDWlJwExwR99Gek/rG/pRT4ZizqvaT87ac4yLqK/4IGzo/WUJXxJT1
zhD9saxG/Z8=
=QQ8H
-----END PGP SIGNATURE-----

---------------------------------------------------------------------------
Date: Fri, 21 May 1999 16:39:18 -0700
From: Aleph One
To: BUGTRAQ@netspace.org
Subject: Re: IRIX midikeys vulnerability list.

This is a summary of some of the responses to this thread. It seems that whether or not you use vi or some other editor makes a difference. Would the people that reported it as not working please repeat their test using a different editor? Thank you.

From Jean-Francois Malouin:

  dmedia_eoe.sw.synth (at least on IRIX 6.5.3m).

  Following the aforementioned recipe, I tried to modify some system files on an Octane IP30 running 6.5.3m but to no avail. Hmmmm, I see that same system as being reported vulnerable...

    # uname -Ra
    # IRIX64 6.5 6.5.3m 01221553 IP30

From Jeremy Hinegardner:

  I have tested the exploit on a couple of Octanes, and it seems to be fixed in the IRIX 6.5.3 feature stream. Our machines using 6.5.3f were not vulnerable. Both the filemanager and the editor ran as the user, not root.

  Verified to work on Octane running IRIX 6.4
    uname -aR
    IRIX64 octane 6.4 S2MP+OCTANE 02121744 IP30

  Verified to NOT work on Octane running IRIX 6.5.3f
    uname -aR
    IRIX64 octane 6.5 6.5.3f 01221643 IP30

  The IRIX 6.5.4 streams are available for download, anyone try them?

From J.A. Gutierrez:

  * verified: IRIX64 IRIX 6.5.3f (editor (jot) runs as root)

    |-+------- 1147467 root midikeys
    | \-+----- 1150492 root dirview /usr/share/data/music
    |   \----- 1152654 root fmserv sgonyx.ita.es:1.0

  * Didn't work at first IRIX 6.2 where midikeys is from dmedia_eoe.sw.synth (editor (vi) runs as user). But if you open an X11 editor (gvim), it will run as root, and you will be able to edit anything, again...

From eLement:

  The vulnerability is verified to work on
    uname -aR
    IRIX eLement 6.3 O2 R10000 12161207 IP32

From Klaus:

  The machine on my desk:
    IRIX grimlock 6.5 6.5.2m 11051733 IP32
  didn't seem to be vulnerable, but I don't have nedit installed; vi didn't preserve my setuid from midikeys.

  However, on a machine -with- nedit,
    IRIX jazz 6.5 6.5.2m 11051733 IP32
  I was able to replicate it. I was also able to replicate the exploit using jot (another window based text editor).

  So the exploit seems to revolve around the use of an editor that doesn't require a terminal device; opening a tty to run the editor (although I'm not 100% on how gvim works in that respect) seems to reset the effective UID.

--
Aleph One / aleph1@underground.org
http://underground.org/
KeyID 1024/948FD6B5
Fingerprint EE C9 E8 AA CB AF 09 61 8C 39 EA 47 A8 6A B8 01

---------------------------------------------------------------------------
Date: Thu, 27 May 1999 14:20:50 -0400
From: Pawel K. Peczak
To: BUGTRAQ@netspace.org
Subject: Re: IRIX midikeys Vulnerability

As a comment on Aleph's recent summary of the responses to the IRIX midikeys vulnerability (http://www.geek-girl.com/bugtraq/1999_2/0518.html) let me add my own observation.

It turns out that one does not need any particular text editor to exploit the vulnerability. That's because of a nice "feature" of the desktop environment variable WINEDITOR that can be set to any system command, e.g., "/bin/chmod 4755 /tmp/bsh" (where /tmp/bsh is just a root-owned copy of Bourne shell).
This can be done on both IRIX 6.2 (e.g., using toolchest -> Desktop -> Customize -> Desktop -> Default Editor: Other...) and on IRIX 6.5 (toolchest -> Desktop -> Customize -> Utilities -> Text Editor: Other...). After setting WINEDITOR (which can be verified by inspecting ~/.desktop-hostname/desktopenv) the exploit follows the well-known path by running midikeys, opening a file manager, etc.

Using this method I was able to gain root access (via a local account) on two systems running IRIX 6.2 and 6.5.3m. I suspect that any system running IRIX 6.2 or higher with a suid midikeys program may be vulnerable.

To remove the vulnerability one should immediately remove suid from the IRIX midikeys program, as suggested in the recent SGI Security Advisory 19990501-01-A.

Pawel Peczak
pkpecza@erenj.com
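Two observations in this thread point at one root cause: Klaus notes that the editor runs as root whenever nothing along the way resets the effective UID, and Pawel shows that the "editor" is whatever the user's WINEDITOR says. Added example, not SGI's midikeys code (whose internals the thread does not show): the sequence a privileged launcher should follow before it consults the user's environment. Privileges are dropped in the order that actually works (supplementary groups, then gid, then uid, via setuid(2) so the saved uid is dropped too), the drop is verified by attempting to regain root, and only then is the user's editor string split into an argv and run. USER_EDITOR_VARS and FALLBACK_EDITOR are assumptions.

```python
"""What a privileged launcher should do before starting a user-chosen editor.

Added example for this thread (not SGI's midikeys code). The thread's finding
is that midikeys stays root while it runs a file manager and an editor, and
that the editor is taken from the user's WINEDITOR setting, so "editor" can be
any command. The safe order is: drop privileges permanently, prove root cannot
be regained, and only then read the editor choice and run it.
Assumption: FALLBACK_EDITOR exists on the host.
"""
import os
import shlex
import subprocess

USER_EDITOR_VARS = ("WINEDITOR", "EDITOR")   # user-controlled; never consulted while root
FALLBACK_EDITOR = "/usr/bin/vi"              # assumed path


def running_as_root():
    return os.geteuid() == 0


def current_ids():
    """Real uid/gid: for a setuid program, the identity of the invoking user."""
    return os.getuid(), os.getgid()


def drop_privileges_permanently(uid, gid):
    """Switch to uid/gid irreversibly. Order matters: supplementary groups and
    the gid can only be changed while still root, so they go first; setuid(2)
    called as root then sets real, effective and saved uid together, which is
    what makes the drop permanent (seteuid() alone would leave saved uid 0)."""
    if os.geteuid() == 0:
        os.setgroups([])
        os.setgid(gid)
    os.setuid(uid)
    return root_cannot_be_regained(uid)


def root_cannot_be_regained(uid):
    """True only if the process is uid and cannot switch back to 0. This is
    the property the 'editor ran as root' reports in the thread lacked."""
    if uid == 0 or os.getuid() != uid or os.geteuid() != uid:
        return False
    try:
        os.seteuid(0)
    except PermissionError:
        return True
    return False            # seteuid(0) worked: saved uid is still root


def editor_argv(env):
    """The user's editor choice as an argv list. Refuses to run while still
    effectively root, because the value may be an arbitrary command line."""
    if os.geteuid() == 0:
        raise PermissionError("editor choice must not be read while root")
    for var in USER_EDITOR_VARS:
        value = env.get(var, "").strip()
        if value:
            return shlex.split(value)
    return [FALLBACK_EDITOR]


def open_file_as_user(path, env=None):
    """Drop to the invoking user, then run the editor on path. The child
    inherits the dropped identity, so it can only touch what that user could
    touch anyway, whatever WINEDITOR contains."""
    env = os.environ if env is None else env
    uid, gid = current_ids()
    if not drop_privileges_permanently(uid, gid):
        raise RuntimeError("privilege drop not verified; editor not started")
    return subprocess.run(editor_argv(env) + [path], env=dict(env)).returncode


if __name__ == "__main__":
    # As an ordinary user this is a verified no-op; as a setuid-root program
    # it is the step midikeys was missing.
    print(drop_privileges_permanently(*current_ids()))
```

subprocess.run also accepts user= and group= arguments (Python 3.9 and later) that perform the same switch inside the child; dropping in the parent first is still preferable because it guarantees the editor string is never even parsed with root privileges.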