From agent99@boytoy.csd.sgi.com Wed Nov 6 18:04:19 1996 Date: Wed, 6 Nov 1996 14:37:33 -0800 From: SGI Security Coordinator To: agent99@sgi.com Subject: SGI Security Advisory 19961101 - Vulnerabilities in systour and OutOfBox DISTRIBUTION RESTRICTIONS: NONE - FOR PUBLIC RELEASE -----BEGIN PGP SIGNED MESSAGE----- ______________________________________________________________________________ Silicon Graphics Inc. Security Advisory Title: Possible Vulnerabilities in systour and OutOfBox Title: Subsystems for IRIX 5.x, 6.0.x, 6.1, 6.2 and 6.3 Number: 19961101-01-I Date: November 6, 1996 ______________________________________________________________________________ Silicon Graphics provides this information freely to the SGI user community for its consideration, interpretation, implementation and use. Silicon Graphics recommends that this information be acted upon as soon as possible. Silicon Graphics will not be liable for any indirect, special, or consequential damages arising from the use of, failure to use or improper use of any of the instructions or information in this Security Advisory. ______________________________________________________________________________ Recently, potential security vulnerabilities in the OutOfBox and systour subsystems have been advertised in several public forums. Additionally, the Australian Computer Emergency Response Team (AUSCERT) released an advisory (AA-96.08) on this issue. Silicon Graphics Inc. has investigated the issues and recommends the following steps for neutralizing exposure. It is HIGHLY RECOMMENDED that these measures be implemented on ALL SGI systems running IRIX versions 5.0.x, 5.1.x, 5.2, 5.3, 6.0.x, 6.1, 6.2 and 6.3. This issue will be corrected in future releases of IRIX. - -------------- - --- Impact --- - -------------- The Silicon Graphics Indigo Magic System Tour and OutOfBox Experience packages are factory installed on all Silicon Graphics Indy systems. The Indigo Magic System Tour and OutOfBox Experience packages are not factory installed with any Silicon Graphics Indigo2 systems however, CDs with these packages are provided with the systems. The OutOfBox Experience subsystem is factory installed on all Silicon Graphics O2 systems. The System Tour subsystem is not part of the software provided for the O2 system. Note that either or both the Indigo Magic System Tour and OutOfBox Experience subsystems maybe be installed from CD on any Silicon Graphics system. The purpose of these two packages, systour and OutOfBox, are to demonstrate and highlight the features and capabilities of the user environment and system. Due to the disk space requirements of these subsystems, most sites will remove these subsystems for disk space reclamation as part of initial system setup. Those sites which have done this will not be vulnerable. On those systems that the subsystems are still installed on, both subsystems provide background setuid root programs to perform a subsystem removal when a user decides to remove the software. This removal is done using the standard IRIX /usr/sbin/inst program that manages IRIX software. Provided with the right environment, the inst program could be manipulated to execute arbitrary commands with root privileges. An account on the vulnerable system is required for exploit. With an account, these vulnerabilities are exploitable by both local and remote access. - ---------------- - --- Solution --- - ---------------- There are no patches for these issues. However, using the information below steps can be taken to eliminate the exposure. To determine if the OutOfBox and systour subsystems are installed on a particular system, the following command can be used: % versions OutOfBox.sw systour.sw I = Installed, R = Removed Name Date Description I OutOfBox 11/05/96 OutOfBox Experience, 1.1 I OutOfBox.sw 11/05/96 OutOfBox Experience Software, 1.1 I OutOfBox.sw.complete 11/05/96 Complete OutOfBox Experience I OutOfBox.sw.intro 11/05/96 OutOfBox Intro Movies I systour 02/12/96 Indigo Magic System Tour, 5.2 I systour.sw 02/12/96 System Tour Execution Environment I systour.sw.eoe 02/12/96 System Tour Execution Environment In the above case, the subsystems of concern are installed and the steps below should be performed. If no output is returned by the command, the subsystems are not installed and no further action is required. **** IRIX 4.x **** The 4.x version of IRIX is not vulnerable as the System Tour and OutOfBox Experience subsystems are not part of available software for this IRIX version. No action is required. **** IRIX 5.x, 6.0, 6.0.1, 6.1, 6.2 **** There are no patches for this issue. The steps below can be used to remove the vulnerability by either changing the program permissions (use step 2a) or by removing the subsystems (use step 2b). 1) Become the root user on the system. % /bin/su - Password: # 2) Choose either step 2a or 2b depending on which has the desired result. 2a) Change the setuid root permissions on the programs of concern. # /bin/chmod u-s /usr/lib/tour/bin/RemoveSystemTour # /bin/chmod u-s /usr/people/tour/oob/bin/oobversions ************ *** NOTE *** ************ Removing the setuid root permissions from these tools will prevent non-root users from removing the subsystems. Removal of the subsystems will only be possible if the systour or OutOfBox user is a root user or if the inst IRIX software manager is used by root for removal. 2b) Remove the vulnerable subsystems. # /usr/sbin/versions -v remove systour OutOfBox 4) Return to previous level. # exit $ **** IRIX 6.3 **** The IRIX operating system version 6.3 does not have the System Tour subsystem but does have the OutOfBox Experience subsystem. There are no patches for this issue. The steps below can be used to remove the vulnerability by either changing the program permissions (use step 2a) or by removing the subsystems (use step 2b). 1) Become the root user on the system. % /bin/su - Password: # 2) Choose either step 2a or 2b depending on which has the desired result. 2a) Change the setuid root permissions on the program of concern. # /bin/chmod u-s /usr/people/tour/oob/bin/oobversions ************ *** NOTE *** ************ Removing the setuid root permissions from this program will prevent non-root users from removing the subsystem. Removal of the subsystem will only be possible if the OutOfBox user is a root user or if the inst IRIX software manager is used by root for removal. 2b) Remove the vulnerable subsystem. # /usr/sbin/versions -v remove OutOfBox 4) Return to previous level. # exit $ - ------------------------ - --- Acknowledgments --- - ------------------------ Silicon Graphics wishes to thank AUSCERT and FIRST members worldwide for their assistance in this matter. - ----------------------------------------- - --- SGI Security Information/Contacts --- - ----------------------------------------- If there are questions about this document, email can be sent to cse-security-alert@csd.sgi.com. ------oOo------ Silicon Graphics provides security information and patches for use by the entire SGI community. This information is freely available to any person needing the information and is available via anonymous FTP and the Web. The primary SGI anonymous FTP site for security information and patches is sgigate.sgi.com (204.94.209.1). Security information and patches are located under the directories ~ftp/security and ~ftp/patches, respectively. The Silicon Graphics Security Headquarters Web page is accessible at the URL http://www.sgi.com/Support/Secur/security.html. For issues with the patches on the FTP sites, email can be sent to cse-security-alert@csd.sgi.com. For assistance obtaining or working with security patches, please contact your SGI support provider. ------oOo------ Silicon Graphics provides a free security mailing list service called wiretap and encourages interested parties to self-subscribe to receive (via email) all SGI Security Advisories when they are released. Subscribing to the mailing list can be done via the Web (http://www.sgi.com/Support/Secur/wiretap.html) or by sending email to SGI as outlined below. % mail wiretap-request@sgi.com subscribe wiretap end ^d In the example above, is the email address that you wish the mailing list information sent to. The word end must be on a separate line to indicate the end of the body of the message. The control-d (^d) is used to indicate to the mail program that you are finished composing the mail message. ------oOo------ Silicon Graphics provides a comprehensive customer World Wide Web site. This site is located at http://www.sgi.com/Support/Secur/security.html. ------oOo------ For reporting *NEW* SGI security issues, email can be sent to security-alert@sgi.com or contact your SGI support provider. A support contract is not required for submitting a security report. -----BEGIN PGP SIGNATURE----- Version: 2.6.2 iQCVAwUBMoESXrQ4cFApAP75AQH6OAQAwqAMKeBjs2VB1jH7RjKHY9f2eh+aqAsh EGo0YpJw0U57UxQhEQeB6tfrgHzc6e+0n7HQaQ4uPLm+LuElNNiNHd9fAGrV3bCW W6b59Zdti8PMXLG0Pl2z43Yi+5ABZGGLnYNdvbS7W2wK4oa61vu5QqhFX8ItZ/jp RW92YXFTH5I= =kMje -----END PGP SIGNATURE-----