[25690] in bugtraq
Re: IRIX rpc.passwd vulnerability
daemon@ATHENA.MIT.EDU (Frank Bures)
Fri Jun 7 17:53:42 2002
Message-Id: <200206071758.g57HwFh20970@alchemy.chem.utoronto.ca>
From: "Frank Bures" <lisfrank@chem.toronto.edu>
To: "bugtraq@securityfocus.com" <bugtraq@securityfocus.com>
Date: Fri, 07 Jun 2002 13:58:14 -0400 (EDT)
Reply-To: "Frank Bures" <lisfrank@chem.toronto.edu>
In-Reply-To: <10206041547.ZM3458@einstein.csd.sgi.com>
MIME-Version: 1.0
Content-Type: text/plain; charset="us-ascii"
Content-Transfer-Encoding: 7bit
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1
FYI:

Installation of this patch leads to arbitrarily changed permissions of the
/tmp directory.

On my various IRIX boxes, some permissions remained correct (1777), some were
changed to 777, some even to 755.

On Tue, 4 Jun 2002 15:47:28 -0700 (PDT), SGI Security Coordinator wrote:
>_____________________________________________________________________________
>
> SGI Security Advisory
>
> Title: rpc.passwd vulnerability
> Number: 20020601-01-P
> Date: June 4, 2002
> Reference: CAN-2002-0357
>_____________________________________________________________________________
>
>-----------------------
>--- Issue Specifics ---
>-----------------------
>
>It's been reported that /usr/etc/rpc.passwd has a vulnerability which
>could allow a user to compromise root.
>
>SGI has investigated the issue and recommends the following steps for
>neutralizing the exposure. It is HIGHLY RECOMMENDED that these measures be
>implemented on ALL vulnerable SGI systems.
>
>These issues have been corrected with patches and in future releases of
>IRIX.
>
>
>--------------
>--- Impact ---
>--------------
>
>The rpc.passwd binary is not installed by default on IRIX 6.5 systems. It is
>part of the optional subsystem "nfs.sw.nis".
>
>To see if rpc.passwd is installed, execute the following command:
>
>  # versions nfs.sw.nis
>  I = Installed, R = Removed
>
>     Name                 Date        Description
>
>  I  nfs                  03/26/2002  Network File System, 6.5.16m
>  I  nfs.sw               03/26/2002  NFS Software
>  I  nfs.sw.nis           03/26/2002  NIS (formerly Yellow Pages) Support
>
>If the line containing "nfs.sw.nis" is returned, then it is installed and
>the system is potentially vulnerable. This vulnerability applies only to
>systems that are configured as YP masters ("chkconfig yp" shows "on", and
>"ps -ef | grep rpc.passwd" shows that rpc.passwd is running).
>
>To determine the version of IRIX you are running, execute the following
>command:
>
> # uname -R
>
>That will return a result similar to the following:
>
> # 6.5 6.5.15f
>
>The first number ("6.5") is the release name, the second ("6.5.15f" in this
>case) is the extended release name. The extended release name is the
>"version" we refer to throughout this document.
>
>This vulnerability was assigned the following CVE:
>http://cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2002-0357
>
>
>----------------------------
>--- Temporary Workaround ---
>----------------------------
>
>SGI understands that there are times when upgrading the operating system or
>installing patches are inconvenient or not possible. In those instances, we
>recommend the following workaround, although it may have a negative impact
>on the functionality of the system:
>
> Disable the rpc.passwd binary by issuing the following command:
>
> # chmod 444 /usr/etc/rpc.passwd
> # killall rpc.passwd
>
> After doing this, it will be necessary to run the "passwd" program on the
> NIS master in order to cause NIS password changes.
>
>Instead of using this workaround, SGI recommends either upgrading to IRIX
>6.5.16 when released, or installing the appropriate patch from the listing
>below. We recommend this course of action because IRIX 6.5.16 and the patch
>also fix other non security-related issues with rpc.passwd.
>
>
>----------------
>--- Solution ---
>----------------
>
>SGI has provided a series of patches for these vulnerabilities. Our
>recommendation is to upgrade to IRIX 6.5.16 when available, or install the
>appropriate patch.
>
>   OS Version     Vulnerable?     Patch #      Other Actions
>   ----------     -----------     -------      -------------
>   IRIX 3.x        unknown                     Note 1
>   IRIX 4.x        unknown                     Note 1
>   IRIX 5.x        unknown                     Note 1
>   IRIX 6.0.x      unknown                     Note 1
>   IRIX 6.1        unknown                     Note 1
>   IRIX 6.2        unknown                     Note 1
>   IRIX 6.3        unknown                     Note 1
>   IRIX 6.4        unknown                     Note 1
>   IRIX 6.5          yes                       Notes 2 & 3
>   IRIX 6.5.1        yes                       Notes 2 & 3
>   IRIX 6.5.2        yes                       Notes 2 & 3
>   IRIX 6.5.3        yes                       Notes 2 & 3
>   IRIX 6.5.4        yes                       Notes 2 & 3
>   IRIX 6.5.5        yes                       Notes 2 & 3
>   IRIX 6.5.6        yes                       Notes 2 & 3
>   IRIX 6.5.7        yes                       Notes 2 & 3
>   IRIX 6.5.8        yes                       Notes 2 & 3
>   IRIX 6.5.9        yes                       Notes 2 & 3
>   IRIX 6.5.10       yes                       Notes 2 & 3
>   IRIX 6.5.11       yes                       Notes 2 & 3
>   IRIX 6.5.12       yes           4588        Note 4
>   IRIX 6.5.13       yes           4588        Note 4
>   IRIX 6.5.14       yes           4589        Note 4
>   IRIX 6.5.15       yes           4589        Note 4
>   IRIX 6.5.16       no                        Note 4
>
> NOTES
>
> 1) This version of the IRIX operating system has been retired. Upgrade to an
> actively supported IRIX operating system. See
> http://support.sgi.com/irix/news/index.html#policy for more
> information.
>
> 2) If you have not received an IRIX 6.5.X CD for IRIX 6.5, contact your
> SGI Support Provider or URL: http://support.sgi.com/irix/swupdates/
>
> 3) Upgrade to IRIX 6.5.16m or 6.5.16f.
>
> 4) Note that these patches (and IRIX 6.5.16) address other rpc.passwd
> issues not related to the specific security issue being reported in
> this bulletin. See the release notes for details.
>
> ##### Patch File Checksums ####
Frank Bures, Dept. of Chemistry, University of Toronto, M5S 3H6
fbures@chem.toronto.edu
http://www.chem.utoronto.ca/general/itelec.html
PGP public key: http://wwwkeys.pgp.net:11371/pks/lookup?op=index&search=Frank+Bures
-----BEGIN PGP SIGNATURE-----
Version: PGPfreeware 5.0 OS/2 for non-commercial use
Comment: PGP 5.0 for OS/2
Charset: cp850
wj8DBQE9AOYmih0Xdz1+w+wRApnwAKCrQlAxnTRYueeKQFMsbxz2EaM7ewCg/lyb
cMqg9wCrLSqj0YwHaVz++RU=
=ihq9
-----END PGP SIGNATURE-----
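
A post-patch check for the /tmp permission change reported in this message, as an added example that is not part of the original post or of SGI's advisory. It classifies a directory's mode string from `ls -ld` (no stat command is assumed) against the expected 1777; the function names and status labels are illustrative.

```sh
#!/bin/sh
# Added example: verify that a shared temp directory still has mode 1777
# (drwxrwxrwt) after a patch install. Function names are hypothetical.

# Print the 10-character mode string of a path, e.g. "drwxrwxrwt".
# cut drops any trailing ACL/SELinux marker some ls versions append.
dir_mode() {
    ls -ld "$1" 2>/dev/null | cut -c1-10
}

# Classify a mode string. Character 9 is the "other write" bit and
# character 10 carries the sticky bit (t) in place of "other execute".
classify_tmp_mode() {
    case "$1" in
        drwxrwxrwt)     echo "ok" ;;                  # 1777
        d???????w[x-])  echo "sticky-missing" ;;      # e.g. 777: any user can
                                                      # remove others' files
        d???????[!w]?)  echo "not-world-writable" ;;  # e.g. 755: unprivileged
                                                      # programs cannot create
                                                      # temp files
        d*)             echo "unexpected" ;;          # some other combination
        *)              echo "not-a-directory" ;;     # missing or not a dir
    esac
}

# Report one directory; return 0 only when the mode is exactly 1777.
audit_tmp() {
    mode=$(dir_mode "$1")
    status=$(classify_tmp_mode "$mode")
    echo "$1 ${mode:-missing} $status"
    [ "$status" = "ok" ] && return 0
    echo "  expected drwxrwxrwt; restore with: chmod 1777 $1"
    return 1
}

# Audit the directories given as arguments, defaulting to /tmp.
[ $# -gt 0 ] || set -- /tmp
rc=0
for d in "$@"; do
    audit_tmp "$d" || rc=1
done
echo "audit result: $rc (0 = all directories at 1777)"
```

Running it before and after installing a patch shows whether the install altered the mode.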