[2523] in bugtraq
Repost: Security bug in SGI VideoFramer [SDN-2-sgi-videoframer]
daemon@ATHENA.MIT.EDU (Hui-Hui Hu)
Wed May 15 01:43:08 1996
Date: Tue, 14 May 1996 23:24:10 -0400
Reply-To: Bugtraq List <BUGTRAQ@netspace.org>
From: Hui-Hui Hu <hhui@stardot.net>
To: Multiple recipients of list BUGTRAQ <BUGTRAQ@netspace.org>
This is a repost from a few months ago. It apparently got lost in the
shuffle.
===
Stardot Networks / Security vulnerability [SDN-2-sgi-videoframer]
The VideoFramer development package on Silicon Graphics systems is subject
to several security holes. This package is installed as vfr.sw.vfr.
Though most SGIs I found did not have the installation, nevertheless the
package was available for exploitation from a NFS mounted partition that
contained the complete IRIX distribution.
A VideoFramer/VLAN board is not required for program exploitation. The
specific problem which I describe below involves the program sb_encode,
which allows off-line frame encoding in VideoFramer format. The result of
poor IRIX security checking is that any user can overwrite-to-destroy an
arbitrary file. It appears that many files in the installation were
improperly permissioned as setuid.
PROGRAM. sb_encode (from vfr.sw.vfr)
AFFECTS. at least SGI IRIX 5.x
REQUIRED. Account on server
RISK. denial of service
AUTHOR. Tung-Hui Hu <hhui@stardot.net>
---
PROBLEM. sb_encode is installed setuid in /usr/video/vfr/bin and does not
check for permissions/ownership. sb_encode takes an IRIS RGB-format image
file and spits out a VideoFramer format file (.vfr).
REPEAT BY: /usr/video/vfr/bin/sb_encode -o [file-to-overwrite] [iris-image]
---
PROBLEM. Many setuid scripts exist in /usr/video/vfr/bin. Though setuid
scripts are turned off by default, they may pose a potential security
risk.
---
TEMPORARY FIX.
# chmod -s /usr/video/vfr/*
---
DISCUSSION. I assume it is practically impossible to "meaningfully
exploit" a VideoFramer-encoded format. The videoframer setup utility also
exploded when I tried to create a peculiarly-named device (e.g. ;id). Then
again, setup exploded while doing most things ;) Can the preferences
.vfr_setup be exploited somehow? I haven't done more than a cursory check.
===
Tung-Hui Hu Comparative literature, princeton university
hhui@stardot.net http://www.stardot.net/~hhui
