[25694] in bugtraq
Re: IRIX rpc.passwd vulnerability
daemon@ATHENA.MIT.EDU (David Foster)
Fri Jun 7 19:21:58 2002
Message-Id: <200206072200.g57M0gw04249@dim.ucsd.edu>
Date: Fri, 7 Jun 2002 15:00:42 -0700 (PDT)
From: David Foster <foster@dim.ucsd.edu>
Reply-To: David Foster <foster@dim.ucsd.edu>
To: bugtraq@securityfocus.com
Cc: lisfrank@chem.toronto.edu
Strange, I patched 11 systems, all at IRIX 6.5.14, and
didn't see this behavior, all /tmp stayed at 1777.
Dave Foster
> From: "Frank Bures" <lisfrank@chem.toronto.edu>
> To: "bugtraq@securityfocus.com" <bugtraq@securityfocus.com>
> Date: Fri, 07 Jun 2002 13:58:14 -0400 (EDT)
> Subject: Re: IRIX rpc.passwd vulnerability
>
> FYI:
>
> Installation of this patch leads to arbitrarily changed permissions of the
> /tmp directory.
>
> On my various IRIX boxes, some permissions remained correct (1777), some were
> changed to 777, some even to 755.
>
>
> On Tue, 4 Jun 2002 15:47:28 -0700 (PDT), SGI Security Coordinator wrote:
>
> >_____________________________________________________________________________
> >
> > SGI Security Advisory
> >
> > Title: rpc.passwd vulnerability
> > Number: 20020601-01-P
> > Date: June 4, 2002
> > Reference: CAN-2002-0357
> >_____________________________________________________________________________
> >
> >-----------------------
> >--- Issue Specifics ---
> >-----------------------
> >
> >It's been reported that /usr/etc/rpc.passwd has a vulnerability which
> >could allow a user to compromise root.
> >
> >SGI has investigated the issue and recommends the following steps for
> >neutralizing the exposure. It is HIGHLY RECOMMENDED that these measures be
> >implemented on ALL vulnerable SGI systems.
> >
> >These issues have been corrected with patches and in future releases of
> >IRIX.
> >
> >
> >--------------
> >--- Impact ---
> >--------------
> >
> >The rpc.passwd binary is not installed by default on IRIX 6.5 systems. It is
> >part of the optional subsystem "nfs.sw.nis".
> >
> >To see if rpc.passwd is installed, execute the following command:
> >
> >   # versions nfs.sw.nis
> >   I = Installed, R = Removed
> >
> >      Name         Date        Description
> >
> >   I  nfs          03/26/2002  Network File System, 6.5.16m
> >   I  nfs.sw       03/26/2002  NFS Software
> >   I  nfs.sw.nis   03/26/2002  NIS (formerly Yellow Pages) Support
> >
> >If the line containing "nfs.sw.nis" is returned, then it is installed and
> >the system is potentially vulnerable. This vulnerability applies only to
> >systems that are configured as YP masters ("chkconfig yp" shows "on", and
> >"ps -ef | grep rpc.passwd" shows that rpc.passwd is running).
> >
> >To determine the version of IRIX you are running, execute the following
> >command:
> >
> > # uname -R
> >
> >That will return a result similar to the following:
> >
> > # 6.5 6.5.15f
> >
> >The first number ("6.5") is the release name, the second ("6.5.15f" in this
> >case) is the extended release name. The extended release name is the
> >"version" we refer to throughout this document.
> >
> >This vulnerability was assigned the following CVE:
> >http://cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2002-0357
> >
> >
> >----------------------------
> >--- Temporary Workaround ---
> >----------------------------
> >
> >SGI understands that there are times when upgrading the operating system or
> >installing patches is inconvenient or not possible. In those instances, we
> >recommend the following workaround, although it may have a negative impact
> >on the functionality of the system:
> >
> > Disable the rpc.passwd binary by issuing the following command:
> >
> > # chmod 444 /usr/etc/rpc.passwd
> > # killall rpc.passwd
> >
> > After doing this, it will be necessary to run the "passwd" program on the
> > NIS master in order to cause NIS password changes.
> >
> >Instead of using this workaround, SGI recommends either upgrading to IRIX
> >6.5.16 when released, or installing the appropriate patch from the listing
> >below. We recommend this course of action because IRIX 6.5.16 and the patch
> >also fix other non security-related issues with rpc.passwd.
> >
> >
> >----------------
> >--- Solution ---
> >----------------
> >
> >SGI has provided a series of patches for these vulnerabilities. Our
> >recommendation is to upgrade to IRIX 6.5.16 when available, or install the
> >appropriate patch.
> >
> >   OS Version     Vulnerable?     Patch #      Other Actions
> >   ----------     -----------     -------      -------------
> >   IRIX 3.x       unknown                      Note 1
> >   IRIX 4.x       unknown                      Note 1
> >   IRIX 5.x       unknown                      Note 1
> >   IRIX 6.0.x     unknown                      Note 1
> >   IRIX 6.1       unknown                      Note 1
> >   IRIX 6.2       unknown                      Note 1
> >   IRIX 6.3       unknown                      Note 1
> >   IRIX 6.4       unknown                      Note 1
> >   IRIX 6.5       yes                          Notes 2 & 3
> >   IRIX 6.5.1     yes                          Notes 2 & 3
> >   IRIX 6.5.2     yes                          Notes 2 & 3
> >   IRIX 6.5.3     yes                          Notes 2 & 3
> >   IRIX 6.5.4     yes                          Notes 2 & 3
> >   IRIX 6.5.5     yes                          Notes 2 & 3
> >   IRIX 6.5.6     yes                          Notes 2 & 3
> >   IRIX 6.5.7     yes                          Notes 2 & 3
> >   IRIX 6.5.8     yes                          Notes 2 & 3
> >   IRIX 6.5.9     yes                          Notes 2 & 3
> >   IRIX 6.5.10    yes                          Notes 2 & 3
> >   IRIX 6.5.11    yes                          Notes 2 & 3
> >   IRIX 6.5.12    yes             4588         Note 4
> >   IRIX 6.5.13    yes             4588         Note 4
> >   IRIX 6.5.14    yes             4589         Note 4
> >   IRIX 6.5.15    yes             4589         Note 4
> >   IRIX 6.5.16    no                           Note 4
> >
> > NOTES
> >
> > 1) This version of the IRIX operating system has been retired. Upgrade to an
> > actively supported IRIX operating system. See
> > http://support.sgi.com/irix/news/index.html#policy for more
> > information.
> >
> > 2) If you have not received an IRIX 6.5.X CD for IRIX 6.5, contact your
> > SGI Support Provider or URL: http://support.sgi.com/irix/swupdates/
> >
> > 3) Upgrade to IRIX 6.5.16m or 6.5.16f.
> >
> > 4) Note that these patches (and IRIX 6.5.16) address other rpc.passwd
> > issues not related to the specific security issue being reported in
> > this bulletin. See the release notes for details.
> >
> > ##### Patch File Checksums ####
>
> Frank Bures, Dept. of Chemistry, University of Toronto, M5S 3H6
> fbures@chem.toronto.edu
> http://www.chem.utoronto.ca/general/itelec.html
> PGP public key: http://wwwkeys.pgp.net:11371/pks/lookup?op=index&search=Frank+Bures
>
<< All opinions expressed are mine, not the University's >>
=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=
David Foster National Center for Microscopy and Imaging Research
Programmer/Analyst University of California, San Diego
dfoster@ucsd.edu Department of Neuroscience, Mail 0608
(858) 534-7968 http://ncmir.ucsd.edu/
=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=
"The reasonable man adapts himself to the world; the unreasonable one
persists in trying to adapt the world to himself. Therefore, all progress
depends on the unreasonable." -- George Bernard Shaw
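
An added example, not part of the original messages or of SGI's advisory: two shell helpers that turn the advisory's version table into a lookup on `uname -R` output and check a directory for the 1777 mode both posters treat as correct for /tmp. The function names are hypothetical, and the mode check assumes the usual `ls -ld` mode string in the first ten columns.

```shell
#!/bin/sh
# Added example; function names are hypothetical, not SGI tooling.

# Map `uname -R` output (e.g. "6.5 6.5.15f") to the advisory table's action.
advisory_action() {
    ext=${1##* }                    # extended release name, e.g. 6.5.15f
    case "$ext" in
        6.5|6.5.*) ;;
        *) echo "not a 6.5 release: status unknown (Note 1)"; return 0 ;;
    esac
    minor=${ext#6.5}                # ".15f", or "" for plain 6.5
    minor=${minor#.}
    minor=${minor%%[!0-9]*}         # drop the m/f suffix -> "15"
    : "${minor:=0}"
    if   [ "$minor" -le 11 ]; then echo "upgrade to 6.5.16 (Notes 2 & 3)"
    elif [ "$minor" -le 13 ]; then echo "patch 4588"
    elif [ "$minor" -le 15 ]; then echo "patch 4589"
    elif [ "$minor" -eq 16 ]; then echo "not vulnerable"
    else echo "not listed in advisory"
    fi
}

# Classify a directory's mode after patch installation.
# 1777 (drwxrwxrwt): world-writable with the sticky bit, so users can only
#   remove or rename their own files.
# 777  (drwxrwxrwx): sticky bit gone, any user can delete or replace
#   another user's temporary files.
# 755  (drwxr-xr-x): unprivileged users can no longer create files there.
tmp_mode_verdict() {
    mode=$(ls -ld "$1" 2>/dev/null | cut -c1-10)
    case "$mode" in
        drwxrwxrwt) echo "ok" ;;
        drwxrwxrwx) echo "sticky bit missing" ;;
        d*)         echo "unexpected mode $mode" ;;
        *)          echo "not a directory" ;;
    esac
}

# Usage on an IRIX host, before and after installing the patch:
#   advisory_action "$(uname -R)"
#   tmp_mode_verdict /tmp      # restore with: chmod 1777 /tmp
```
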