Title: Vulnerability in IRIX csetup
Released by: CERT
Date: 8th January 1997
=============================================================================
CERT(sm) Advisory CA-97.03
Original issue date: January 8, 1997

Last Revised: December 15, 1997 - Added vendor information for Data
              General to UPDATES.

              A complete revision history is at the end of this file.

Topic: Vulnerability in IRIX csetup
-----------------------------------------------------------------------------

The CERT Coordination Center has received information about a vulnerability in
the csetup program under IRIX versions 5.x, 6.0, 6.0.1, 6.1, and 6.2. csetup is
not available under IRIX 6.3 and 6.4.

By exploiting this vulnerability, local users can create or overwrite
arbitrary files on the system. With this leverage, they can ultimately gain
root privileges.

Exploitation information involving this vulnerability has been made publicly
available.

We recommend applying a vendor patch when possible. In the meantime, we urge
sites to apply the workaround described in Section III.

We will update this advisory as we receive additional information.
Please check advisory files regularly for updates that relate to your site.

Note: Development of this advisory was a joint effort of the CERT Coordination
      Center and AUSCERT.
-----------------------------------------------------------------------------

I.   Description

        There is a vulnerability in the csetup program under IRIX versions
        5.x, 6.0, 6.0.1, 6.1, and 6.2. csetup is not available under IRIX 6.3
        and 6.4.

        csetup is part of the Desktop System Administration subsystem. The
        program provides a graphical interface allowing privileged users,
        as flagged in the objectserver (cpeople (1M)), or root to modify
        system and network configuration parameters. The csetup program is
        setuid root to allow those who are flagged as privileged users to
        modify system critical files.

        It is possible to configure csetup to run in DEBUG mode, creating a
        logfile in a publicly writable directory. This file is created in an
        insecure manner; and because csetup is running with root privileges at
        the time the logfile is created, it is possible for local users to
        create or overwrite arbitrary files on the system.

        Exploit information involving this vulnerability has been made
        publicly available.
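
Added example, not part of the CERT advisory and not csetup's or SGI's code: a C sketch of the pattern to avoid when a setuid program writes a debug log into a publicly writable directory, beside a hardened opener. The advisory does not state how the file creation is insecure; the sketch assumes the common case of a path that already exists as a link, and the function names and the temp-directory scenario are constructed for illustration.

```c
#define _POSIX_C_SOURCE 200809L
#include <fcntl.h>
#include <stdio.h>
#include <stdlib.h>
#include <sys/stat.h>
#include <unistd.h>

/* The pattern to avoid: open() follows a link already present at `path` and
 * truncates whatever it resolves to, with the effective (root) privileges. */
int open_log_unsafe(const char *path) {
    return open(path, O_WRONLY | O_CREAT | O_TRUNC, 0644);
}

/* Hardened form: act as the invoking user, create a brand-new file only, never
 * follow a link, and verify what was actually opened. Returns fd or -1. */
int open_log_safe(const char *path) {
    struct stat st;
    uid_t saved = geteuid();
    if (seteuid(getuid()) != 0) return -1;      /* drop setuid privilege */
    int fd = open(path, O_WRONLY | O_CREAT | O_EXCL | O_NOFOLLOW, 0600);
    if (fd >= 0 && (fstat(fd, &st) != 0 || !S_ISREG(st.st_mode) ||
                    st.st_nlink != 1 || st.st_uid != geteuid())) {
        close(fd);
        fd = -1;
    }
    if (seteuid(saved) != 0) abort();           /* cannot continue safely */
    return fd;
}

/* Constructed scenario in a private temp dir: "debug.log" already exists as a
 * link to "target". Returns target's size after the chosen opener ran, or -1. */
long target_size_after(int use_safe) {
    char dir[] = "/tmp/logdemoXXXXXX", target[64], logp[64];
    struct stat st;
    if (!mkdtemp(dir)) return -1;
    snprintf(target, sizeof target, "%s/target", dir);
    snprintf(logp, sizeof logp, "%s/debug.log", dir);
    FILE *f = fopen(target, "w");
    if (!f) return -1;
    fputs("critical", f);                       /* 8 bytes of sample content */
    fclose(f);
    if (symlink(target, logp) != 0) return -1;
    int fd = use_safe ? open_log_safe(logp) : open_log_unsafe(logp);
    if (fd >= 0) close(fd);
    long size = stat(target, &st) == 0 ? (long)st.st_size : -1;
    unlink(logp); unlink(target); rmdir(dir);
    return size;
}
```

With the unsafe opener the target file ends up empty; with the hardened opener the open fails and the target keeps its contents.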



II.  Impact

        Anyone with access to an account on the system can create or overwrite
        arbitrary files on the system. With this leverage, they can ultimately
        gain root privileges.

III. Solution

        Patch information for this vulnerability is available
        in SGI's Security Advisory 19970101-02-PX, available at

             http://www.sgi.com/Support/Secur/security.html/

-----------------------------------------------------------------------------
This advisory is a collaborative effort between AUSCERT and the CERT
Coordination Center.

The CERT Coordination Center acknowledges Yuri Volobuev for reporting the
original problem, and Silicon Graphics, Inc. for their strong support in the
development of the advisory.
-----------------------------------------------------------------------------

If you believe that your system has been compromised, contact the CERT
Coordination Center or your representative in the Forum of Incident Response
and Security Teams (see http://info.cert.org/pub/FIRST/first-contacts).

CERT/CC Contact Information
----------------------------
Email    cert@cert.org

Phone    +1 412-268-7090 (24-hour hotline)
                CERT personnel answer 8:30-5:00 p.m. EST(GMT-5) / EDT(GMT-4)
                and are on call for emergencies during other hours.

Fax      +1 412-268-6989

Postal address
         CERT Coordination Center
         Software Engineering Institute
         Carnegie Mellon University
         Pittsburgh PA 15213-3890
         USA

Using encryption
   We strongly urge you to encrypt sensitive information sent by email. We can
   support a shared DES key or PGP. Contact the CERT/CC for more information.
   Location of CERT PGP key
         http://info.cert.org/pub/CERT_PGP.key

Getting security information
   CERT publications and other security information are available from
        http://www.cert.org/
        http://info.cert.org/pub/

   CERT advisories and bulletins are also posted on the USENET newsgroup
        comp.security.announce

   To be added to our mailing list for advisories and bulletins, send your
   email address to
        cert-advisory-request@cert.org

------------------------------------------------------------------------------

Copyright 1997 Carnegie Mellon University. Conditions for use, disclaimers,
and sponsorship information can be found in
http://www.cert.org/legal_stuff.html and http://ftp.cert.org/pub/legal_stuff .
If you do not have FTP or web access, send mail to cert@cert.org with
"copyright" in the subject line.

CERT is registered in the U.S. Patent and Trademark Office.

---------------------------------------------------------------------------

This file: http://info.cert.org/pub/cert_advisories/CA-97.03.csetup
           http://www.cert.org
               click on "CERT Advisories"

========================================================================
UPDATES

Vendor Information

Below is information we have received from vendors. If you do not see your
vendor's name below, contact the vendor directly for information.

Data General
------------

  DG/UX does not support csetup and therefore is not vulnerable.

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
Revision history

Dec. 15, 1997 Added vendor information for Data General to UPDATES.
Sep. 26, 1997 Updated copyright statement
May 8, 1997   Updated the Solution section to include URL for SGI patch
                 information.