Copy Link
Add to Bookmark
Report
CERT Advisory 085
-----BEGIN PGP SIGNED MESSAGE-----
============================================================================
CERT(sm) Advisory CA-94:13
Original issue date: August 11, 1994
Last revised: August 30, 1996
Information previously in the README was inserted
into the advisory.
A complete revision history is at the end of this file.
Topic: SGI IRIX Help Vulnerability
- -----------------------------------------------------------------------------
The CERT Coordination Center has received information about a vulnerability in
the Silicon Graphics, Inc. IRIX operating system, versions 5.1.x and 5.2.
This vulnerability enables users to gain unauthorized root access. To
exploit the vulnerability, a person must log into an account on the system
or have physical access to the system console.
SGI has developed a patch for the vulnerability. Because the vulnerability has
been widely discussed in public forums on the Internet, we recommend that you
install the patch as soon as possible. Section III below contains
instructions for obtaining the patch, along with a workaround you can use
until you install it.
We will update this advisory as we receive additional information.
Please check advisory files regularly for updates that relate to your site.
- -----------------------------------------------------------------------------
I. Description
A vulnerability exists in the SGI help system and print manager, enabling
users to get unauthorized root access if they can log into an account on the
system or get physical access to the system console. The vulnerability is
present in the SGI IRIX operating system, versions 5.1.x and 5.2. SGI reports
that the problem will be permanently corrected in a future release of IRIX.
In public discussions, the vulnerability has been referred to by various
names, including clogin, printer manager, and SGI Help.
II. Impact
Individuals with accounts on the system or physical access to the system
console can obtain root access.
III. Solutions
A. For IRIX 5.2
If you are running IRIX 5.2, obtain and install patch65 according
to the instructions provided. These instructions can be found in the
"relnotes.patchSG0000065" file in the patch65.tar file (see below).
To install this patch successfully, you need to have the latest SGI
"inst" program installed (this is available as patch00 or patch34).
SGI has provided instructions for determining if the new install
program is on your system. We have placed these in an appendix
at the end of this advisory.
These patches are available by anonymous FTP from ftp.sgi.com and
from sgigate.sgi.com in the "/security" directory.
Filename patch65.tar
Standard Unix Sum 63059 1220
System V Sum 15843 2440
MD5 af8c120f86daab9df74998b31927e397
Filename patch34.tar.Z
Standard Unix Sum 11066 15627
System V Sum 1674 31253
MD5 2859d0debff715c5beaccd02b6bebded
Patches are available on CD. Contact your nearest SGI service
provider for distribution.
B. For IRIX 5.1.x
If you are running versions 5.1.x, SGI recommends that you upgrade to
version 5.2, if possible, and then follow the instructions in Section
III.A. above. If you cannot upgrade to 5.2, see the workaround
instructions in III.C.
C. Workaround
If you cannot install the patches or are delayed in obtaining them,
SGI recommends removing the help subsystem using the following
command (as root):
# versions remove sgihelp.sw.eoe
PLEASE NOTE: Removal of this subsystem will affect other
installed software that use the SGI Help system. After
the removal, certain help functions from within applications
will return non-fatal error messages about the missing subsystem.
At a later date, when the patch can be installed on the system,
you will need to re-install the previously removed SGI Help software
prior to installing patch65. This can be found on your original
software distribution (CD labeled as IRIX 5.2). As root, use the
command:
# inst -f /CDROM/dist/sgihelp
Inst> install sgihelp.sw.eoe
Inst> go
The installation documentation provides further information.
.............................................................................
Appendix
There are three patches related to this issue - patch00, patch34, and patch65.
Patch34 is an update to patch00 which modifies the "inst" program to
be able to handle patch updates. At least one of patch00 or patch34
is required to be installed before installing patch65. To determine
if the new inst program is already installed on your system,
the following command can be issued:
# versions patch\*
I = Installed, R = Removed
Name Date Description
I patchSG0000034 08/10/94 Patch SG0000034
I patchSG0000034.eoe1_sw 08/10/94 IRIX Execution Environment Software
I patchSG0000034.eoe1_sw.unix 08/10/94 IRIX Execution Environment
If patchSG0000000 or patchSG0000034 (as seen above) is loaded,
then it is only necessary to download patch65 as described in the advisory.
This is important since patch34 is rather large (16MB).
Otherwise, download both patch34 and patch65. Install patch34 first,
then patch65. To install patch34, uncompress and untar "patch34.tar.Z"
and follow the instructions in the "README.FIRST" file.
These patches are available by anonymous FTP from ftp.sgi.com
in the "security" directory:
Standard System V MD5
Unix Unix Digital Signature
patch34.tar.Z: 11066 15627 1674 31253 2859d0debff715c5beaccd02b6bebded
patch65.tar: 63059 1220 15843 2440 af8c120f86daab9df74998b31927e397
- ---------------------------------------------------------------------------
The CERT Coordination Center wishes to thank Silicon Graphics, Inc., for their
cooperation in responding to this problem and members of the AUSCERT and CIAC
response teams for their contributions to this advisory.
- ---------------------------------------------------------------------------
If you believe that your system has been compromised, contact the CERT
Coordination Center or your representative in Forum of Incident
Response and Security Teams (FIRST).
If you wish to send sensitive incident or vulnerability information to
CERT via electronic mail, CERT strongly advises that the e-mail be
encrypted. CERT can support a shared DES key, PGP (public key
available via anonymous FTP on info.cert.org), or PEM (contact CERT
for details).
Internet E-mail: cert@cert.org
Telephone: 412-268-7090 (24-hour hotline)
CERT personnel answer 8:30 a.m.-5:00 p.m. EST(GMT-5)/EDT(GMT-4),
and are on call for emergencies during other hours.
CERT Coordination Center
Software Engineering Institute
Carnegie Mellon University
Pittsburgh, PA 15213-3890
USA
Past advisories, information about FIRST representatives, and other
information related to computer security are available for
anonymous FTP from info.cert.org.
Copyright 1994, 1996 Carnegie Mellon University
This material may be reproduced and distributed without permission provided
it is used for noncommercial purposes and the copyright statement is
included.
CERT is a service mark of Carnegie Mellon University.
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
Revision history
Aug. 30, 1996 Information previously in the README was inserted
into the advisory.
-----BEGIN PGP SIGNATURE-----
Version: 2.6.2
iQCVAwUBMiSpz3VP+x0t4w7BAQHo6wQAiiaiarjPGRyVfbLFvr+t8rqtqacnGeZy
1YeZVcwJliMZAXthgpYWAxx5F56/lW7VL11oSm/crBMv/fWrvbPyl+uR90bKirO2
Mw1CFaOETxps51l92rPUFYakmiki6P5yhsp00vnxGeOhr6KWQ+ALieeRnSH3yWn0
Z6jnDQiBErY=
=CrFP
-----END PGP SIGNATURE-----