From xforce@iss.net Wed May 16 02:32:03 2001 From: X-Force To: bugtraq@securityfocus.com Date: Tue, 15 May 2001 09:13:51 -0400 Subject: ISS Advisory: Remote Buffer Overflow Vulnerability in IRIX Embedded Support Partner Infrastructure -----BEGIN PGP SIGNED MESSAGE----- Internet Security Systems Security Advisory May 9, 2001 Remote Buffer Overflow Vulnerability in IRIX Embedded Support Partner Infrastructure Synopsis: ISS X-Force has discovered a buffer overflow in the ^Órpc.espd^Ô component of the Embedded Support Partner (ESP) subsystem. ESP is installed and enabled by default on all current SGI IRIX installations. Impact: There is a buffer overflow in ^Órpc.espd^Ô that may allow remote attackers to execute arbitrary commands on a vulnerable host. A local account is not required to exploit this vulnerability. Affected Versions: IRIX 6.5.5 ^Ö 6.5.8 Description: ESP was developed by SGI to address the concerns of many system administrators who needed to manage large-scale SGI environments. ESP allows administrators better access to information regarding the state of all SGI devices on a network. It integrates and correlates system configuration management, event management, resource management, reporting, statistics generation and analysis as well as many other features. ESP was first introduced in IRIX version 6.5.5. The ESP daemon, rpc.espd, contains a buffer overflow condition that may allow remote attackers to execute arbitrary commands with super user privileges on the target server. Recommendations: SGI recommends immediately disabling rpc.espd to prevent exposure before patches can be applied. To disable rpc.espd: 1. Become the root user on the system. % /bin/su - Password: # 2. Change the permissions on the rpc.espd daemon. # /bin/chmod -x /usr/etc/rpc.espd 3. Restart inetd to kill any vulnerable running daemons. # /etc/killall -HUP inetd 4. Return to previous level. # exit % SGI has made security patch 4123 available to address this vulnerability. SGI security patches can be found at: http://www.sgi.com/support/security. ISS X-Force recommends that all unused daemons or services be disabled to prevent exposure to both known and unknown vulnerabilities. ISS^Ò SAFEsuite intrusion detection system, RealSecure, and network security assessment system, Internet Scanner, will have signatures available for this vulnerability in upcoming X-Press Updates. Additional Information: SGI Security Advisory, ^ÓIRIX Embedded Support Partner Buffer Overflow^Ô: http://www.sgi.com/support/security/advisories.html SGI Services and Support website: http://www.sgi.com/support SGI Services and Support, Security homepage: http://www.sgi.com/support/security The Common Vulnerabilities and Exposures (CVE) project has assigned the name CAN-2001-0331 to this issue. This is a candidate for inclusion in the CVE list (http://cve.mitre.org), which standardizes names for security problems. Credits: This vulnerability was discovered and researched by Mark Dowd of ISS X-Force. Internet Security Systems would like to thank SGI for their response and handling of this vulnerability. ______ About Internet Security Systems (ISS) Internet Security Systems (ISS) is a leading global provider of security management solutions for the Internet. By providing industry-leading SAFEsuite security software, remote managed security services, and strategic consulting and education offerings, ISS is a trusted security provider to its customers, protecting digital assets and ensuring safe and uninterrupted e-business. ISS' security management solutions protect more than 5,500 customers worldwide including 21 of the 25 largest U.S. commercial banks, 10 of the largest telecommunications companies and over 35 government agencies. Founded in 1994, ISS is headquartered in Atlanta, GA, with additional offices throughout North America and international operations in Asia, Australia, Europe, Latin America and the Middle East. For more information, visit the Internet Security Systems web site at www.iss.net or call 888-901-7477. Copyright (c) 2001 Internet Security Systems, Inc. Permission is hereby granted for the redistribution of this Alert electronically. It is not to be edited in any way without express consent of the X-Force. If you wish to reprint the whole or any part of this Alert in any other medium excluding electronic medium, please e-mail xforce@iss.net for permission. Disclaimer The information within this paper may change without notice. Use of this information constitutes acceptance for use in an AS IS condition. There are NO warranties with regard to this information. In no event shall the author be liable for any damages whatsoever arising out of or in connection with the use or spread of this information. Any use of this information is at the user's own risk. X-Force PGP Key available at: http://xforce.iss.net/sensitive.php as well as on MIT's PGP key server and PGP.com's key server. Please send suggestions, updates, and comments to: X-Force xforce@iss.net of Internet Security Systems, Inc. -----BEGIN PGP SIGNATURE----- Version: 2.6.3a Charset: noconv iQCVAwUBOwErXTRfJiV99eG9AQHdSwP/Xir9QRH69YGZnZJuWJLXWg1vXGgA+z41 clDzwo0B8FJgRo+VVz0MWCoMZgCQGDFf3o0JG1l+FFpiLNBnyo6c3KZLEEYTXsT+ sZp7wju1JbJvKkmp5aemREIrgjAIaG/laUNHnPyRak2URaWYDWsLbimLoaCTVxh+ 3ildktReFF8= =/dxQ -----END PGP SIGNATURE-----