Archive of CERT general posting, CERT Advisory CA-97.03 - Vulnerability in IRIX csetup

09/01/97, CERT Advisory CA-97.03 - Vulnerability in IRIX csetup
From: CERT Advisory <cert-advisory@cert.org>

Generated by MHonArc

CSIM Logo WelcomeCourses
Faculty, Student, Staff
Projects and reports
Conferences, workshop and seminars
Laboratories and reasearch facilities
Information related to CSIM
Information non-related to CSIM
Address, map, phone, etc.
Search

[Date Prev] [Date Next] [Thread Prev] [Thread Next] [Date Index] [Thread Index]


To: cert-advisory@cert.org
Subject: CERT Advisory CA-97.03 - Vulnerability in IRIX csetup
From: CERT Advisory <cert-advisory@cert.org>
Date: Wed, 8 Jan 1997 17:34:44 -0500
Organization: CERT(sm) Coordination Center - +1 412-268-7090
Reply-To: cert-advisory-request@cert.org

-----BEGIN PGP SIGNED MESSAGE-----

=============================================================================
CERT(sm) Advisory CA-97.03
Original issue date: January 8, 1997
Last revised: --

Topic: Vulnerability in IRIX csetup
- -----------------------------------------------------------------------------

The CERT Coordination Center has received information about a vulnerability in
the csetup program under IRIX versions 5.x, 6.0, 6.0.1, 6.1, and 6.2. csetup is
not available under IRIX 6.3 and 6.4.

By exploiting this vulnerability, local users can create or overwrite
arbitrary files on the system. With this leverage, they can ultimately gain
root privileges.

Exploitation information involving this vulnerability has been made publicly
available.

We recommend applying a vendor patch when possible. In the meantime, we urge
sites to apply the workaround described in Section III.

We will update this advisory as we receive additional information.
Please check advisory files regularly for updates that relate to your site.

Note: Development of this advisory was a joint effort of the CERT Coordination
      Center and AUSCERT.
- -----------------------------------------------------------------------------

I.   Description

        There is a vulnerability in the csetup program under IRIX versions
        5.x, 6.0, 6.0.1, 6.1, and 6.2. csetup is not available under IRIX 6.3
        and 6.4.

        csetup is part of the Desktop System Administration subsystem. The
        program provides a graphical interface allowing privileged users,
        as flagged in the objectserver (cpeople (1M)), or root to modify
        system and network configuration parameters. The csetup program is
        setuid root to allow those who are flagged as privileged users to
        modify system critical files.

        It is possible to configure csetup to run in DEBUG mode, creating a
        logfile in a publicly writable directory. This file is created in an
        insecure manner; and because csetup is running with root privileges at
        the time the logfile is created, it is possible for local users to
        create or overwrite arbitrary files on the system.

        Exploit information involving this vulnerability has been made
        publicly available.

II.  Impact

        Anyone with access to an account on the system can create or overwrite
        arbitrary files on the system. With this leverage, they can ultimately
        gain root privileges.

III. Solution

        Currently there are no vendor patches available that address this
        vulnerability. We recommend installing official vendor patches
        when they are made available.

        If the /usr/Cadmin/bin/csetup file is installed setuid root at your
        site, the following workaround is recommended until vendor patches
        are available.

        Sites can prevent the exploitation of this vulnerability by
        immediately removing the setuid privileges on csetup.

        # /bin/chmod 0700 /usr/Cadmin/bin/csetup
        # /bin/ls -l /usr/Cadmin/bin/csetup
        -rwx------    1 root  sys 363360 Aug 20 12:10 /usr/Cadmin/bin/csetup

        Next, the file /var/tmp/csetupLog should be created with permissions
        0600. The sticky bit should also be set on /var/tmp/ (this is a good
        security practice in general).

        # /bin/chmod 1777 /var/tmp
        # /bin/touch /var/tmp/csetupLog
        # /bin/chmod 0600 /var/tmp/csetupLog

        (Note that the /var/tmp directory is not cleared at boot time.)

        Before executing the csetup program, the root user should confirm
        the existence, ownership, and the access permissions of
        /var/tmp/csetupLog. Ensure that csetupLog is not linked to any
        other file.

        The impact of this workaround is that only the root user will be
        able to use this program for its intended purpose. Privileged users
        previously established using the /usr/Cadmin/bin/cpeople program
        will no longer be able to do the system administration tasks
        they were previously able perform using the csetup program.

- -----------------------------------------------------------------------------
This advisory is a collaborative effort between AUSCERT and the CERT
Coordination Center.

The CERT Coordination Center acknowledges Yuri Volobuev for reporting the
original problem, and Silicon Graphics, Inc. for their strong support in the
development of the advisory.
- -----------------------------------------------------------------------------

If you believe that your system has been compromised, contact the CERT
Coordination Center or your representative in the Forum of Incident Response
and Security Teams (see ftp://info.cert.org/pub/FIRST/first-contacts).


CERT/CC Contact Information
- ----------------------------
Email    cert@cert.org

Phone    +1 412-268-7090 (24-hour hotline)
                CERT personnel answer 8:30-5:00 p.m. EST(GMT-5) / EDT(GMT-4)
                and are on call for emergencies during other hours.

Fax      +1 412-268-6989

Postal address
         CERT Coordination Center
         Software Engineering Institute
         Carnegie Mellon University
         Pittsburgh PA 15213-3890
         USA

Using encryption
   We strongly urge you to encrypt sensitive information sent by email. We can
   support a shared DES key or PGP. Contact the CERT/CC for more information.
   Location of CERT PGP key
         ftp://info.cert.org/pub/CERT_PGP.key

Getting security information
   CERT publications and other security information are available from
        http://www.cert.org/
        ftp://info.cert.org/pub/

   CERT advisories and bulletins are also posted on the USENET newsgroup
        comp.security.announce

   To be added to our mailing list for advisories and bulletins, send your
   email address to
        cert-advisory-request@cert.org

- ---------------------------------------------------------------------------
Copyright 1997 Carnegie Mellon University
This material may be reproduced and distributed without permission provided
it is used for noncommercial purposes and the copyright statement is
included.

CERT is a service mark of Carnegie Mellon University.
- ---------------------------------------------------------------------------

This file: ftp://info.cert.org/pub/cert_advisories/CA-97.03.csetup
           http://www.cert.org
               click on "CERT Advisories"


~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
Revision history


-----BEGIN PGP SIGNATURE-----
Version: 2.6.2

iQCVAwUBMtQcQHVP+x0t4w7BAQHfuwQAmOxsr1ByY11KTBnkwcSyBdCBsRLT0ECk
6mWm0HkRKrLcyRq4u2bQvNqwUA1PahceW8KXVsm1KNZHCfTzb0ntrqeYKrLVnWkC
T8TWq7Ng2F4HYsPuu4PSSV0D8ash1S/Il2B6umfYbUFj2+YFC5gKzuyBThVwRzXD
haxlbqKDYmY=
=FWDY
-----END PGP SIGNATURE-----



Previous message sorted by date: CERT Advisory CA-97.02 - HP-UX newgrp Buffer Overrun Vulnerability
Next message sorted by date: CERT Advisory CA-97.04 - talkd Vulnerability
Previous message sorted by thread: CERT Advisory CA-97.02 - HP-UX newgrp Buffer Overrun Vulnerability
Next message by thread: CERT Advisory CA-97.04 - talkd Vulnerability
Main Index
Thread Index

CSIM home pageWMailAccount managementCSIM LibraryNetwork test toolsSearch CSIM directories
Contact us: Olivier Nicole CSIM    SET    AIT Last update: Feb 2000