Recent Irix break-ins
daemon@ATHENA.MIT.EDU (Bob Mahoney)
Thu Feb 24 23:33:56 2000
Mime-Version: 1.0
Message-Id: <v04220804b4d8b06227f5@[18.177.0.98]>
Date: Thu, 24 Feb 2000 23:33:22 -0500
To: security-fyi@mit.edu
From: Bob Mahoney <net-security@MIT.EDU>
Cc: Security Team <security-internal@mit.edu>
-----BEGIN PGP SIGNED MESSAGE-----
MIT has recently seen a number of attacks which exploit a previously
unknown problem with the Irix objectserver. This exploit is known to
work on Irix 5.2, 5.3, 6.0.1, 6.1 and 6.2, but any systems that are
running the objectserver should be considered potentially vulnerable.
The vulnerability allows a remote attacker to create an account on
the local system.
We will be conducting scans of the network for this vulnerability
over the next few days. You may see evidence of this in your system
logs. The scans will be conducted from these machines:
IS-SECURITY-SCAN-1.MIT.EDU
IS-SECURITY-SCAN-2.MIT.EDU
IS-SECURITY-SCAN-3.MIT.EDU
In most cases, the scan will not show up in your logs. For the
machines that respond positively to the test for the objectserver, we
will also be issuing a finger request for the account "rox" which is
an indication that the machine was actually compromised. Owners with
machines that are vulnerable and that have been compromised will then
be notified.
There is currently no patch available from SGI that addresses this
problem. To remove the vulnerability, you must turn off the
objectserver. This can be done by running the following as root:
/etc/init.d/cadmin stop
Then use chkconfig to turn off the objectserver as follows:
/etc/chkconfig objectserver off
If you are also running the directory server or other cadmin
services, turn cadmin back on by typing:
/etc/init.d/cadmin start
The objectserver is required for use of some of the graphical system
maintenance tasks, such as adding a user. The workaround is to start
the objectserver by hand before using any of these graphical tools.
As root type:
/usr/Cadmin/bin/objectserver
and give it a few minutes to start up. Once you are done, either kill
the processes, or use cadmin to shut it down cleanly:
/etc/init.d/cadmin stop
/etc/init.d/cadmin start
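The advisory gives two things a host owner can check locally instead of waiting for the scan results: whether the objectserver is still enabled at boot, and whether the "rox" account that the finger request looks for exists. The script below is an added example written for this page, not part of the original advisory or of any SGI tool. It assumes that Irix chkconfig records a service's boot state in /etc/config/<service> as the single word "on" or "off" (the file path is passed in as a parameter so the checks can run against constructed sample files), and it uses a constructed passwd file rather than the live /etc/passwd.

```shell
#!/bin/sh
# Added example, not from the MIT advisory. Offline versions of the two
# indicators the advisory describes: objectserver enabled at boot, and an
# unexpected account named "rox" in the passwd file.
# Assumption: Irix chkconfig keeps its state in /etc/config/<service>
# containing the word "on" or "off". The paths are parameters so the
# functions can be run against sample files.

# Returns 0 if the flag file says "on" (objectserver starts at boot),
# 1 if it says "off" or the file is absent.
objectserver_enabled() {
    cfg="$1"
    [ -f "$cfg" ] || return 1
    read -r state < "$cfg"
    [ "$state" = "on" ]
}

# Returns 0 if a passwd-format file contains an account named "rox",
# the local equivalent of the remote finger test in the advisory.
has_rox_account() {
    awk -F: '$1 == "rox" { found = 1 } END { exit found ? 0 : 1 }' "$1"
}

# Prints a one-line assessment of a host from its flag file and passwd file.
assess_host() {
    cfg="$1"; passwd="$2"
    if objectserver_enabled "$cfg"; then
        status="objectserver ENABLED (vulnerable until turned off)"
    else
        status="objectserver disabled"
    fi
    if has_rox_account "$passwd"; then
        status="$status; account 'rox' present (likely COMPROMISED)"
    fi
    printf '%s\n' "$status"
}

# Constructed sample data so the script runs stand-alone; on a real host
# you would pass /etc/config/objectserver and /etc/passwd instead.
tmp=$(mktemp -d)
printf 'on\n' > "$tmp/objectserver"
cat > "$tmp/passwd" <<'EOF'
root:x:0:0:Super-User:/:/bin/sh
guest:x:998:998:Guest Account:/usr/people/guest:/bin/csh
rox:x:0:0::/:/bin/sh
EOF
assess_host "$tmp/objectserver" "$tmp/passwd"
rm -rf "$tmp"
```

A UID-0 entry under an unfamiliar name, as in the constructed sample, is the kind of line the "rox" check is meant to surface; the objectserver flag is only a boot-time setting, so after running the chkconfig step above, also confirm no objectserver process is still running from before the change.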
Please send mail to security@mit.edu with any questions.
- -Bob Mahoney, for the Network Security Team
-----BEGIN PGP SIGNATURE-----
Version: PGPfreeware 6.5.2 for non-commercial use <http://www.pgp.com>
iQCVAwUBOLYGJCbWm6ZidLmFAQFfdAP/WsPOEeO7Ha3cpz/qIyc2BWnFzeiElugv
0NJh13om/b27D6egPAB2iKYCDYFvXXOR+0JhZ9wmkB85iM/Hq2HSQh5ZWYxyaMoh
s0+9XBnDTuo6FYFEdIK5WKK7gUv/4X6QvT0OL9b3jnI6X3RJXIfje5LU2NdZJ/1G
u4t1SexD2i8=
=hxnW
-----END PGP SIGNATURE-----