=============================================================================
AA-94.04a
AUSCERT Advisory
12-Aug-1994
SGI IRIX 5.x sgihelp vulnerability
-----------------------------------------------------------------------------

*** This Advisory contains updated information ***

The Australian Computer Emergency Response Team has received information
that a vulnerability exists within the sgihelp subsystem of all SGI IRIX
5.x systems.  The previous version of this Advisory indicated that the
status of earlier versions of IRIX was unknown.

1.  Description

    A vulnerability exists with all Silicon Graphics IRIX 5.x systems that
    allows exploitation of the sgihelp system to gain privileged access.
    The user must either log into an account on the system, or have
    physical access to the console to exploit this vulnerability.

    Information on how to exploit this vulnerability has recently been
    made available to the firewalls list.

    Silicon Graphics have released patches for this vulnerability.  They
    can be obtained from either:

        ftp://ftp.sgi.com/~ftp/security/patch34.tar.Z
        ftp://ftp.sgi.com/~ftp/security/patch65.tar

    or

        ftp://ftp.sert.edu.au/security/sgi/patch/patch34.tar.Z
        ftp://ftp.sert.edu.au/security/sgi/patch/patch65.tar

    **** Australian users are advised to obtain these patches from the
    **** ftp.sert.edu.au site, as these patch files are approximately 17Mb
    **** in size.  These patches will be available shortly.

    Silicon Graphics recently issued a Security Advisory that indicated a
    workaround for this vulnerability by removing the ViewerHelp books.
    This workaround was only partially effective, and should not be used
    as a total solution.  See Section 3 for more details.

    An sgihelp wrapper program was recently sent to the bugtraq list.
    This wrapper only partially addresses the problem.  It will still
    allow one non-privileged user to become another non-privileged user.

    Exploitation of this vulnerability is not easily detected.
    Standard intrusion detection techniques such as Tripwire, Cops, and
    good system administration skills will assist in the detection of any
    intrusion.

2.  Impact

    Non-privileged users may gain privileged access.  Non-logged in users
    may gain privileged access if they have physical access to the
    console.

3.  Solutions

    Two solutions are provided.  The first is an emergency solution that
    resolves the vulnerability, and may be used if there is a reason why
    the patches cannot be installed.  The second solution is only
    available for IRIX 5.2.

3.1 Remove the Help facility.

    By removing the help facility, the vulnerability cannot be exploited.
    This solution is implemented by issuing the following command as root:

        # /bin/mv /usr/sbin/sgihelp /usr/sbin/sgihelp.disabled

    The sgihelp facility can be reenabled by renaming the sgihelp.disabled
    file back to sgihelp after the patches detailed below have been
    applied.

    Another method that is functionally equivalent to renaming the sgihelp
    binary is to remove it by issuing the following commands as root:

        # versions remove sgihelp.sw.eoe

    To reinstall the software after the patches detailed below have been
    applied, the following commands can be used:

        # inst -f /CDROM/dist/sgihelp
        Inst> install sgihelp.sw.eoe
        Inst> go

    The impact of this solution is that the "Help" facilities within the
    IRIX system will not function for any user.  This solution removes the
    vulnerability.

    **** Note: This is the only solution available for versions of IRIX
    **** other than 5.2.  The supplied patches will operate only for
    **** IRIX

3.2 Install the Silicon Graphics supplied patches

    **** Note: This solution will only operate for IRIX version 5.2.
    **** Earlier versions must either use solution 3.1, or upgrade to
    **** IRIX 5.2 and apply either of solutions 3.1 or 3.2.

    If you are running IRIX 5.2, obtain and install patch65 according to
    the instructions provided.  These instructions can be found in the
    "relnotes.patchSG0000065" file in the patch65.tar file (see below).
    To install this patch successfully, you need to have the latest SGI
    "inst" program installed (this is available as patch00 or patch34).
    SGI has provided instructions for determining if the new install
    program is on your system.  We have placed these in an appendix at the
    end of this advisory.

        Filename            patch65.tar
        Standard Unix Sum   63059 1220
        System V Sum        15843 2440
        MD5                 af8c120f86daab9df74998b31927e397

        Filename            patch34.tar.Z
        Standard Unix Sum   11066 15627
        System V Sum        1674 31253
        MD5                 2859d0debff715c5beaccd02b6bebded

    Patches are available on CD.  Contact your nearest SGI service
    provider for distribution.  SGI advise that customers do not require a
    service support agreement to receive the security patches.

----------------------------------------------------------------------------
The AUSCERT team wishes to thank Max Hailperin of Gustavus Adolphus
College, Douglas Ray of Melbourne University, Jeffrey Olds of Silicon
Graphics, and members of the CIAC and CERT teams for their advice and
cooperation in this matter.
----------------------------------------------------------------------------

If you believe that your system has been compromised, contact AUSCERT or
your representative in FIRST (Forum of Incident Response and Security
Teams).

Internet Email:  auscert@auscert.org.au
Facsimile:       (07) 365 4477
AUSCERT Hotline: (07) 365 4417
                 AUSCERT personnel answer during business hours
                 (AEST GMT+10:00).
                 (On call after hours for emergencies).

Australian Computer Emergency Response Team
c/- Prentice Centre
The University of Queensland
Qld.  4072.
Australia.

-------------------------------------8<--------------------------------------
Appendix to AA-94.04

There are three patches related to this Advisory - patch00, patch34, and
patch65.

Patch34 is an update to patch00 which modifies the "inst" program to be
able to handle patch updates.  At least one of patch00 or patch34 is
required to be installed before installing patch65.

To determine if the new inst program is already installed on your system,
the following command can be issued:

    # versions patch\*
    I = Installed, R = Removed

       Name                         Date      Description

    I  patchSG0000034               08/10/94  Patch SG0000034
    I  patchSG0000034.eoe1_sw       08/10/94  IRIX Execution Environment Software
    I  patchSG0000034.eoe1_sw.unix  08/10/94  IRIX Execution Environment

If patchSG0000000 or patchSG0000034 (as seen above) is loaded, then it is
only necessary to download patch65 as described in the advisory.  This is
important since patch34 is rather large (16MB).

Otherwise, download both patch34 and patch65.  Install patch34 first, then
patch65.  To install patch34, uncompress and untar "patch34.tar.Z" and
follow the instructions in the "README.FIRST" file.
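
Added example (not part of the original advisory or of SGI's instructions):
the appendix's download decision written as a shell function that reads
`versions patch\*` output.  The function names are hypothetical, and listing
the installed fix as patchSG0000065 is an assumption taken from the relnotes
filename.

```shell
#!/bin/sh
# Added example, not from the advisory. Reads the output of `versions patch\*`
# on stdin and prints which patch archives still need to be downloaded,
# in install order, following the appendix above.

patches_needed() {
    awk '
        # Only top-level product lines flagged "I" (Installed) count.
        # "R" (Removed) lines and subsystem lines such as
        # patchSG0000034.eoe1_sw do not match the exact names below.
        $1 == "I" && ($2 == "patchSG0000000" || $2 == "patchSG0000034") { inst = 1 }
        # Assumption: the sgihelp fix is listed as patchSG0000065, the name
        # used by the relnotes.patchSG0000065 file in patch65.tar.
        $1 == "I" && $2 == "patchSG0000065" { fixed = 1 }
        END {
            if (fixed)     print "none"
            else if (inst) print "patch65"
            else           print "patch34 patch65"   # patch34 goes in first
        }
    '
}

# Constructed sample input: the listing shown in the appendix.
sample_versions_output() {
    cat <<'EOF'
I = Installed, R = Removed

   Name                         Date      Description

I  patchSG0000034               08/10/94  Patch SG0000034
I  patchSG0000034.eoe1_sw       08/10/94  IRIX Execution Environment Software
I  patchSG0000034.eoe1_sw.unix  08/10/94  IRIX Execution Environment
EOF
}

# On an IRIX host the real listing would be piped in instead:
#   versions patch\* | patches_needed
sample_versions_output | patches_needed
```

A patch34 line flagged "R" is treated as not installed, so the function
asks for both archives in that case.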