MCI Telecommunications
internetMCI Security Group

Report Name:          iMCI MIIGS Security Alert
Report Number:        iMCISE:IMCIAUSCERT:110696:01:P1R1
Report Date:          11/06/96
Report Format:        Formal Report
Classification:       MCI Informational
Report Reference:     http://www.security.mci.net
Report Distribution:  iMCI Security, MCI Internal Internet Gateway Security
                      (MIIGS), MCI Emergency Alert LiSt (MEALS) (names on file)

-------------------------------------------------------------------------------

-----BEGIN PGP SIGNED MESSAGE-----

Content-Type: text/plain; charset=us-ascii

===========================================================================
AA-96.08                        AUSCERT Advisory
                     Vulnerability in SGI systour package
                                5 November 1996

Last Revised: --
- ---------------------------------------------------------------------------

AUSCERT has received information that there is a vulnerability in the SGI
Indigo Magic System Tour package, systour, under IRIX 5.x and 6.x. This
product is used to demonstrate the features and functionality of the Indigo
Magic User Environment.

This vulnerability may allow local users to gain root privileges.

Exploit details involving this vulnerability have been widely distributed.

At this stage, AUSCERT is not aware of any official vendor patches. Until
patches are made available, AUSCERT recommends that sites apply the steps
outlined in Section 3 immediately.

This advisory will be updated when vendor patches are made available.

- ---------------------------------------------------------------------------

1. Description

The SGI Indigo Magic System Tour package, systour, is used to demonstrate the
features and functionality of the Indigo Magic User Environment under IRIX
5.x and 6.x.

As part of the tour, there is an option to remove the tour when the user is
finished. The tour is removed with the auxiliary program:

    /usr/lib/tour/bin/RemoveSystemTour

RemoveSystemTour uses "inst", IRIX's software management tool, to remove the
system tour. As inst requires root privileges to remove the tour,
RemoveSystemTour is setuid root. This allows local users to effectively
execute inst with root privileges when removing the tour.

As inst is a highly configurable program, local users may be able to
manipulate environment variables and local configuration files to force inst,
when called from RemoveSystemTour, to execute arbitrary commands with root
privileges.

All sites are encouraged to check their systems for the systour package and,
if installed, immediately apply the actions recommended in Section 3.

To determine if the vulnerable package is installed, use the command:

    % versions systour

2. Impact

Local users may be able to execute arbitrary commands with root privileges.

3. Workarounds/Solution

AUSCERT recommends that sites prevent exploitation of this vulnerability by
immediately applying the workaround given in Section 3.1. If the systour
package is no longer needed, it is recommended that sites remove it from
their systems (Section 3.2).

At this stage AUSCERT is not aware of any official vendor patches which
address this vulnerability. When vendor patches are made available, AUSCERT
recommends that they be installed.

3.1 Remove setuid permissions

Until official vendor patches are made available, sites should remove the
setuid root permissions from the RemoveSystemTour executable. The following
command should be run as root.

    # chmod u-s /usr/lib/tour/bin/RemoveSystemTour
    # ls -l /usr/lib/tour/bin/RemoveSystemTour
    -rwxr-xr-x  1 root  sys  10024 Nov 22  1994 /usr/lib/tour/bin/RemoveSystemTour

Note that the removal of the setuid bit will prevent non-privileged users
from removing the system tour.

3.2 Remove the package

If the systour package is no longer needed, sites are encouraged to remove it
completely from their systems. This can be done by running, as root, the GUI
software management tool, swmgr, or the command:

    # versions remove systour

Sites can check that the package has been removed with the command:

    # versions systour

- ---------------------------------------------------------------------------

The AUSCERT team have made every effort to ensure that the information
contained in this document is accurate. However, the decision to use the
information described is the responsibility of each user or organisation.
The appropriateness of this document for an organisation or individual
system should be considered before application in conjunction with local
policies and procedures. AUSCERT takes no responsibility for the
consequences of applying the contents of this document.

If you believe that your system has been compromised, contact AUSCERT or
your representative in FIRST (Forum of Incident Response and Security
Teams).

AUSCERT is located at The University of Queensland within the Prentice
Centre. AUSCERT is a full member of the Forum of Incident Response and
Security Teams (FIRST).

AUSCERT maintains an anonymous FTP service which is found on:
ftp://ftp.auscert.org.au/pub/. This archive contains past SERT and AUSCERT
Advisories, and other computer security information.

AUSCERT also maintains a World Wide Web service which is found on:
http://www.auscert.org.au/.

Internet Email: auscert@auscert.org.au
Facsimile:      (07) 3365 4477
Telephone:      (07) 3365 4417 (International: +61 7 3365 4417)
                AUSCERT personnel answer during Queensland business hours
                which are GMT+10:00 (AEST). On call after hours for
                emergencies.

Postal:         Australian Computer Emergency Response Team
                c/- Prentice Centre
                The University of Queensland
                Brisbane  Qld.  4072.
                AUSTRALIA

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
Revision History
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

===============================================================
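An added audit helper for the Section 3.1 workaround, not part of the AUSCERT advisory: it reports whether the RemoveSystemTour binary (or any path passed in) still carries the setuid bit and applies the advisory's chmod u-s, verifying the bit is gone afterwards. It assumes only a POSIX sh with find and chmod, so it can be checked on any host; the IRIX versions command is not required.

```shell
#!/bin/sh
# Added example, not part of the AUSCERT advisory. Audits the setuid state of
# the systour helper from Section 3.1 and applies the advisory's chmod u-s.

TOUR_BIN=/usr/lib/tour/bin/RemoveSystemTour   # path named in the advisory

# is_setuid PATH: exit 0 if PATH is a regular file with the setuid bit (04000)
# set, 1 otherwise. "find -perm -4000" matches when that bit is set whatever
# the other mode bits are; -prune keeps find from descending into anything.
is_setuid() {
    [ -f "$1" ] || return 1
    [ -n "$(find "$1" -prune -perm -4000 2>/dev/null)" ]
}

# strip_setuid PATH: apply the advisory's workaround (chmod u-s) and exit 0
# only if the setuid bit is verified gone afterwards.
strip_setuid() {
    chmod u-s "$1" || return 1
    if is_setuid "$1"; then
        return 1
    fi
    return 0
}

# audit_systour [PATH]: report the helper's state without changing it.
# Exit 2 = binary present and setuid (the condition described in Section 1),
# exit 0 = binary absent or already stripped of the setuid bit.
audit_systour() {
    bin=${1:-$TOUR_BIN}
    if [ ! -f "$bin" ]; then
        echo "systour helper not present: $bin"
        return 0
    fi
    if is_setuid "$bin"; then
        echo "WARNING: $bin is setuid; run as root: chmod u-s $bin"
        return 2
    fi
    echo "OK: $bin present without setuid bit"
    return 0
}

# Stand-alone usage as root on an IRIX host:
#   audit_systour; [ $? -eq 2 ] && strip_setuid "$TOUR_BIN"
```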