Title: Possible Vulnerabilities in systour and OutOfBox
Released by: SGI
Date: 6th November 1996

                Silicon Graphics Inc. Security Advisory

     Title:   Possible Vulnerabilities in systour and OutOfBox
              Subsystems for IRIX 5.x, 6.0.x, 6.1, 6.2 and 6.3
     Number:  19961101-01-I
     Date:    November 6, 1996

______________________________________________________________________________

Silicon Graphics provides this information freely to the SGI user community
for its consideration, interpretation, implementation and use.  Silicon
Graphics recommends that this information be acted upon as soon as possible.

Silicon Graphics will not be liable for any indirect, special, or
consequential damages arising from the use of, failure to use or improper
use of any of the instructions or information in this Security Advisory.

______________________________________________________________________________


Recently, potential security vulnerabilities in the OutOfBox and systour
subsystems have been advertised in several public forums.  Additionally,
the Australian Computer Emergency Response Team (AUSCERT) released an
advisory (AA-96.08) on this issue.

Silicon Graphics Inc. has investigated the issues and recommends the
following steps for neutralizing exposure.  It is HIGHLY RECOMMENDED
that these measures be implemented on ALL SGI systems running IRIX versions
5.0.x, 5.1.x, 5.2, 5.3, 6.0.x, 6.1, 6.2 and 6.3.  This issue will be
corrected in future releases of IRIX.


--------------
--- Impact ---
--------------

The Silicon Graphics Indigo Magic System Tour and OutOfBox Experience
packages are factory installed on all Silicon Graphics Indy systems.

The Indigo Magic System Tour and OutOfBox Experience packages are not
factory installed on any Silicon Graphics Indigo2 systems; however, CDs
with these packages are provided with the systems.

The OutOfBox Experience subsystem is factory installed on all Silicon
Graphics O2 systems.  The System Tour subsystem is not part of the
software provided for the O2 system.

Note that either or both of the Indigo Magic System Tour and OutOfBox
Experience subsystems may be installed from CD on any Silicon Graphics
system.

The purpose of these two packages, systour and OutOfBox, is to demonstrate
and highlight the features and capabilities of the user environment and
system.

Due to the disk space requirements of these subsystems, most sites will
remove them to reclaim disk space as part of initial system setup.  Sites
which have done this are not vulnerable.

On systems where the subsystems are still installed, both subsystems
provide background setuid root programs to perform a subsystem removal
when a user decides to remove the software.  This removal is done using
the standard IRIX /usr/sbin/inst program that manages IRIX software.

Provided with the right environment, the inst program could be manipulated
to execute arbitrary commands with root privileges.

An account on the vulnerable system is required for exploit.  With an
account, these vulnerabilities are exploitable by both local and remote
access.


----------------
--- Solution ---
----------------

There are no patches for these issues.  However, using the information
below, steps can be taken to eliminate the exposure.

To determine if the OutOfBox and systour subsystems are installed on a
particular system, the following command can be used:

         % versions OutOfBox.sw systour.sw
         I = Installed, R = Removed

           Name                 Date      Description

        I  OutOfBox             11/05/96  OutOfBox Experience, 1.1
        I  OutOfBox.sw          11/05/96  OutOfBox Experience Software, 1.1
        I  OutOfBox.sw.complete 11/05/96  Complete OutOfBox Experience
        I  OutOfBox.sw.intro    11/05/96  OutOfBox Intro Movies

        I  systour              02/12/96  Indigo Magic System Tour, 5.2
        I  systour.sw           02/12/96  System Tour Execution Environment
        I  systour.sw.eoe       02/12/96  System Tour Execution Environment

In the above case, the subsystems of concern are installed and the steps
below should be performed.  If no output is returned by the command, the
subsystems are not installed and no further action is required.


**** IRIX 4.x ****

The 4.x version of IRIX is not vulnerable as the System Tour and
OutOfBox Experience subsystems are not part of available software
for this IRIX version.  No action is required.


**** IRIX 5.x, 6.0, 6.0.1, 6.1, 6.2 ****

There are no patches for this issue.

The steps below can be used to remove the vulnerability by either
changing the program permissions (use step 2a) or by removing the
subsystems (use step 2b).

     1) Become the root user on the system.

                % /bin/su -
                Password:
                #

     2) Choose either step 2a or 2b depending on which
        has the desired result.

     2a) Change the setuid root permissions on the programs
         of concern.

                # /bin/chmod u-s /usr/lib/tour/bin/RemoveSystemTour
                # /bin/chmod u-s /usr/people/tour/oob/bin/oobversions

                           ************
                           *** NOTE ***
                           ************

               Removing the setuid root permissions from these tools
               will prevent non-root users from removing the subsystems.
               Removal of the subsystems will only be possible if the
               systour or OutOfBox user is a root user or if the inst
               IRIX software manager is used by root for removal.

     2b) Remove the vulnerable subsystems.

                # /usr/sbin/versions -v remove systour OutOfBox

     3) Return to previous level.

                # exit
                $


**** IRIX 6.3 ****

The IRIX operating system version 6.3 does not have the System
Tour subsystem but does have the OutOfBox Experience subsystem.

There are no patches for this issue.

The steps below can be used to remove the vulnerability by either
changing the program permissions (use step 2a) or by removing the
subsystem (use step 2b).

     1) Become the root user on the system.

                % /bin/su -
                Password:
                #

     2) Choose either step 2a or 2b depending on which
        has the desired result.

     2a) Change the setuid root permissions on the program
         of concern.

                # /bin/chmod u-s /usr/people/tour/oob/bin/oobversions

                           ************
                           *** NOTE ***
                           ************

               Removing the setuid root permissions from this program
               will prevent non-root users from removing the subsystem.
               Removal of the subsystem will only be possible if the
               OutOfBox user is a root user or if the inst IRIX software
               manager is used by root for removal.

     2b) Remove the vulnerable subsystem.

                # /usr/sbin/versions -v remove OutOfBox

     3) Return to previous level.

                # exit
                $
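
As an added defender-side helper (not SGI code and not part of this advisory), the POSIX sh script below audits the two setuid root programs named in step 2a of both the IRIX 5.x/6.x and IRIX 6.3 procedures and can apply the same chmod u-s change. The PREFIX argument is an assumption added so the checks can be exercised against a constructed directory tree; on a live system it is passed as an empty string.

```shell
#!/bin/sh
# Added audit/remediation helper for the two setuid root programs named in
# step 2a of this advisory.  Not SGI code.  PREFIX is an assumed argument
# that lets the checks run against a constructed directory tree instead of
# a live IRIX root; pass "" on a real system.

SYSTOUR_BIN=/usr/lib/tour/bin/RemoveSystemTour
OOB_BIN=/usr/people/tour/oob/bin/oobversions

# check_setuid PATH PREFIX -> prints one of: missing | setuid | clear
check_setuid() {
    f="$2$1"
    if [ ! -e "$f" ]; then
        echo missing          # subsystem not installed: nothing to do
    elif [ -u "$f" ]; then
        echo setuid           # still setuid root: exposure present
    else
        echo clear            # setuid bit already removed (step 2a done)
    fi
}

# audit_report PREFIX -> one "path: state" line per program of concern
audit_report() {
    for p in "$SYSTOUR_BIN" "$OOB_BIN"; do
        echo "$p: $(check_setuid "$p" "$1")"
    done
}

# remediate PREFIX -> applies chmod u-s (the advisory's step 2a) to every
# program that is present and still setuid; prints how many were changed.
remediate() {
    changed=0
    for p in "$SYSTOUR_BIN" "$OOB_BIN"; do
        if [ "$(check_setuid "$p" "$1")" = setuid ]; then
            chmod u-s "$1$p"
            changed=`expr $changed + 1`
        fi
    done
    echo "$changed"
}

# Usage on a live system (as root):   audit_report "" ; remediate ""
```

Running remediate a second time reports 0 changes, which is the post-check that step 2a has taken effect.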

------------------------
--- Acknowledgments ---
------------------------

Silicon Graphics wishes to thank AUSCERT and FIRST members worldwide for
their assistance in this matter.


-----------------------------------------
--- SGI Security Information/Contacts ---
-----------------------------------------

If there are questions about this document, email can be sent to
cse-security-alert@csd.sgi.com.

                      ------oOo------

Silicon Graphics provides security information and patches for
use by the entire SGI community.  This information is freely
available to any person needing the information and is available
via anonymous FTP and the Web.

The primary SGI anonymous FTP site for security information and patches
is sgigate.sgi.com (204.94.209.1).  Security information and patches
are located under the directories ~ftp/security and ~ftp/patches,
respectively.  The Silicon Graphics Security Headquarters Web page is
accessible at the URL http://www.sgi.com/Support/Secur/security.html.

For issues with the patches on the FTP sites, email can be sent to
cse-security-alert@csd.sgi.com.

For assistance obtaining or working with security patches, please
contact your SGI support provider.

                      ------oOo------

Silicon Graphics provides a free security mailing list service
called wiretap and encourages interested parties to self-subscribe
to receive (via email) all SGI Security Advisories when they are
released.  Subscribing to the mailing list can be done via the Web
(http://www.sgi.com/Support/Secur/wiretap.html) or by sending email
to SGI as outlined below.

% mail wiretap-request@sgi.com
subscribe wiretap <YourEmailAddress>
end
^d

In the example above, <YourEmailAddress> is the email address that you
wish the mailing list information sent to.  The word end must be on a
separate line to indicate the end of the body of the message.  The
control-d (^d) is used to indicate to the mail program that you are
finished composing the mail message.

                      ------oOo------

Silicon Graphics provides a comprehensive customer World Wide Web site.
This site is located at http://www.sgi.com/Support/Secur/security.html.

                      ------oOo------

For reporting *NEW* SGI security issues, email can be sent to
security-alert@sgi.com or contact your SGI support provider.  A
support contract is not required for submitting a security report.