MCI Telecommunications internetMCI Security Group Report Title: iMCI MIIGS Security Alert Report Name: Vulnerability in IRIX csetup Report Number: iMCISE:IMCICERT:010996:01:P1R1 Report Date: 01/09/96 Report Format: Formal Report Classification: MCI Informational Report Reference: http://www.security.mci.net Report Distribution: iMCI Security, MCI Internal Internet Gateway Security (MIIGS), MCI Emergency Alert LiSt (MEALS) (names on file) -------------------------------------------------------------------------- -----BEGIN PGP SIGNED MESSAGE----- ============================================================================= CERT(sm) Advisory CA-97.03 Original issue date: January 8, 1997 Last revised: -- Topic: Vulnerability in IRIX csetup - ----------------------------------------------------------------------------- The CERT Coordination Center has received information about a vulnerability in the csetup program under IRIX versions 5.x, 6.0, 6.0.1, 6.1, and 6.2. csetup is not available under IRIX 6.3 and 6.4. By exploiting this vulnerability, local users can create or overwrite arbitrary files on the system. With this leverage, they can ultimately gain root privileges. Exploitation information involving this vulnerability has been made publicly available. We recommend applying a vendor patch when possible. In the meantime, we urge sites to apply the workaround described in Section III. We will update this advisory as we receive additional information. Please check advisory files regularly for updates that relate to your site. Note: Development of this advisory was a joint effort of the CERT Coordination Center and AUSCERT. - ----------------------------------------------------------------------------- I. Description There is a vulnerability in the csetup program under IRIX versions 5.x, 6.0, 6.0.1, 6.1, and 6.2. csetup is not available under IRIX 6.3 and 6.4. csetup is part of the Desktop System Administration subsystem. The program provides a graphical interface allowing privileged users, as flagged in the objectserver (cpeople (1M)), or root to modify system and network configuration parameters. The csetup program is setuid root to allow those who are flagged as privileged users to modify system critical files. It is possible to configure csetup to run in DEBUG mode, creating a logfile in a publicly writable directory. This file is created in an insecure manner; and because csetup is running with root privileges at the time the logfile is created, it is possible for local users to create or overwrite arbitrary files on the system. Exploit information involving this vulnerability has been made publicly available. II. Impact Anyone with access to an account on the system can create or overwrite arbitrary files on the system. With this leverage, they can ultimately gain root privileges. III. Solution Currently there are no vendor patches available that address this vulnerability. We recommend installing official vendor patches when they are made available. If the /usr/Cadmin/bin/csetup file is installed setuid root at your site, the following workaround is recommended until vendor patches are available. Sites can prevent the exploitation of this vulnerability by immediately removing the setuid privileges on csetup. # /bin/chmod 0700 /usr/Cadmin/bin/csetup # /bin/ls -l /usr/Cadmin/bin/csetup -rwx------ 1 root sys 363360 Aug 20 12:10 /usr/Cadmin/bin/csetup Next, the file /var/tmp/csetupLog should be created with permissions 0600. The sticky bit should also be set on /var/tmp/ (this is a good security practice in general). # /bin/chmod 1777 /var/tmp # /bin/touch /var/tmp/csetupLog # /bin/chmod 0600 /var/tmp/csetupLog (Note that the /var/tmp directory is not cleared at boot time.) Before executing the csetup program, the root user should confirm the existence, ownership, and the access permissions of /var/tmp/csetupLog. Ensure that csetupLog is not linked to any other file. The impact of this workaround is that only the root user will be able to use this program for its intended purpose. Privileged users previously established using the /usr/Cadmin/bin/cpeople program will no longer be able to do the system administration tasks they were previously able perform using the csetup program. - ----------------------------------------------------------------------------- This advisory is a collaborative effort between AUSCERT and the CERT Coordination Center. The CERT Coordination Center acknowledges Yuri Volobuev for reporting the original problem, and Silicon Graphics, Inc. for their strong support in the development of the advisory. - ----------------------------------------------------------------------------- If you believe that your system has been compromised, contact the CERT Coordination Center or your representative in the Forum of Incident Response and Security Teams (see ftp://info.cert.org/pub/FIRST/first-contacts). CERT/CC Contact Information - ---------------------------- Email cert@cert.org Phone +1 412-268-7090 (24-hour hotline) CERT personnel answer 8:30-5:00 p.m. EST(GMT-5) / EDT(GMT-4) and are on call for emergencies during other hours. Fax +1 412-268-6989 Postal address CERT Coordination Center Software Engineering Institute Carnegie Mellon University Pittsburgh PA 15213-3890 USA Using encryption We strongly urge you to encrypt sensitive information sent by email. We can support a shared DES key or PGP. Contact the CERT/CC for more information. Location of CERT PGP key ftp://info.cert.org/pub/CERT_PGP.key Getting security information CERT publications and other security information are available from http://www.cert.org/ ftp://info.cert.org/pub/ CERT advisories and bulletins are also posted on the USENET newsgroup comp.security.announce To be added to our mailing list for advisories and bulletins, send your email address to cert-advisory-request@cert.org - --------------------------------------------------------------------------- Copyright 1997 Carnegie Mellon University This material may be reproduced and distributed without permission provided it is used for noncommercial purposes and the copyright statement is included. CERT is a service mark of Carnegie Mellon University. - --------------------------------------------------------------------------- This file: ftp://info.cert.org/pub/cert_advisories/CA-97.03.csetup http://www.cert.org click on "CERT Advisories" ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ Revision history -----BEGIN PGP SIGNATURE----- Version: 2.6.2 iQCVAwUBMtQcQHVP+x0t4w7BAQHfuwQAmOxsr1ByY11KTBnkwcSyBdCBsRLT0ECk 6mWm0HkRKrLcyRq4u2bQvNqwUA1PahceW8KXVsm1KNZHCfTzb0ntrqeYKrLVnWkC T8TWq7Ng2F4HYsPuu4PSSV0D8ash1S/Il2B6umfYbUFj2+YFC5gKzuyBThVwRzXD haxlbqKDYmY= =FWDY -----END PGP SIGNATURE-----