OSEC

Neohapsis is currently accepting applications for employment. For more information, please visit our website www.neohapsis.com or email hr@neohapsis.com
 
From: David Foster (fosterdim.ucsd.edu)
Date: Fri Jun 07 2002 - 17:00:42 CDT

  • Messages sorted by: [ date ] [ thread ] [ subject ] [ author ]

    Strange, I patched 11 systems, all at IRIX 6.5.14, and
    didn't see this behavior, all /tmp stayed at 1777.

    Dave Foster

    > From: "Frank Bures" <lisfrankchem.toronto.edu>
    > To: "bugtraqsecurityfocus.com" <bugtraqsecurityfocus.com>
    > Date: Fri, 07 Jun 2002 13:58:14 -0400 (EDT)
    > Subject: Re: IRIX rpc.passwd vulnerability
    >
    > FYI:
    >
    > Installation of this patch leads to arbitrarily changed permissions of the
    > /tmp directory.
    >
    > On my various IRIX boxes, some permissions remained correct (1777), some were
    > changed to 777, some even to 755.
    >
    >
    > On Tue, 4 Jun 2002 15:47:28 -0700 (PDT), SGI Security Coordinator wrote:
    >
    > >_____________________________________________________________________________
    > >
    > > SGI Security Advisory
    > >
    > > Title: rpc.passwd vulnerability
    > > Number: 20020601-01-P
    > > Date: June 4, 2002
    > > Reference: CAN-2002-0357
    > >_____________________________________________________________________________
    > >
    > >-----------------------
    > >--- Issue Specifics ---
    > >-----------------------
    > >
    > >It's been reported that /usr/etc/rpc.passwd has a vulnerability which
    > >could allow a user to compromise root.
    > >
    > >SGI has investigated the issue and recommends the following steps for
    > >neutralizing the exposure. It is HIGHLY RECOMMENDED that these measures be
    > >implemented on ALL vulnerable SGI systems.
    > >
    > >These issues have been corrected with patches and in future releases of
    > >IRIX.
    > >
    > >
    > >--------------
    > >--- Impact ---
    > >--------------
    > >
    > >The rpc.passwd binary is not installed by default on IRIX 6.5 systems. It is
    > >part of the optional subsystem "nfs.sw.nis".
    > >
    > >To see if rpc.passwd is installed, execute the following command:
    > >
    > > # versions nfs.sw.nis
    > > I = Installed, R = Removed
    > >
    > > Name Date Description
    > >
    > > I nfs 03/26/2002 Network File System, 6.5.16m
    > > I nfs.sw 03/26/2002 NFS Software
    > > I nfs.sw.nis 03/26/2002 NIS (formerly Yellow Pages) Support
    > >
    > >If the line containing "nfs.sw.nis" is returned, then it is installed and
    > >the system is potentially vulnerable. This vulnerability applies only to
    > >systems that are configured as YP masters ("chkconfig yp" shows "on", and
    > >"ps -ef | grep rpc.passwd" shows that rpc.passwd is running).
    > >
    > >To determine the version of IRIX you are running, execute the following
    > >command:
    > >
    > > # uname -R
    > >
    > >That will return a result similar to the following:
    > >
    > > # 6.5 6.5.15f
    > >
    > >The first number ("6.5") is the release name, the second ("6.5.15f" in this
    > >case) is the extended release name. The extended release name is the
    > >"version" we refer to throughout this document.
    > >
    > >This vulnerability was assigned the following CVE:
    > >http://cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2002-0357
    > >
    > >
    > >----------------------------
    > >--- Temporary Workaround ---
    > >----------------------------
    > >
    > >SGI understands that there are times when upgrading the operating system or
    > >installing patches are inconvenient or not possible. In those instances, we
    > >recommend the following workaround, although it may have a negative impact
    > >on the functionality of the system:
    > >
    > > Disable the rpc.passwd binary by issuing the following command:
    > >
    > > # chmod 444 /usr/etc/rpc.passwd
    > > # killall rpc.passwd
    > >
    > > After doing this, it will be necessary to run the "passwd" program on the
    > > NIS master in order to cause NIS password changes.
    > >
    > >Instead of using this workaround, SGI recommends either upgrading to IRIX
    > >6.5.16 when released, or installing the appropriate patch from the listing
    > >below. We recommend this course of action because IRIX 6.5.16 and the patch
    > >also fix other non security-related issues with rpc.passwd.
    > >
    > >
    > >----------------
    > >--- Solution ---
    > >----------------
    > >
    > >SGI has provided a series of patches for these vulnerabilities. Our
    > >recommendation is to upgrade to IRIX 6.5.16 when available, or install the
    > >appropriate patch.
    > >
    > > OS Version Vulnerable? Patch # Other Actions
    > > ---------- ----------- ------- -------------
    > > IRIX 3.x unknown Note 1
    > > IRIX 4.x unknown Note 1
    > > IRIX 5.x unknown Note 1
    > > IRIX 6.0.x unknown Note 1
    > > IRIX 6.1 unknown Note 1
    > > IRIX 6.2 unknown Note 1
    > > IRIX 6.3 unknown Note 1
    > > IRIX 6.4 unknown Note 1
    > > IRIX 6.5 yes Notes 2 & 3
    > > IRIX 6.5.1 yes Notes 2 & 3
    > > IRIX 6.5.2 yes Notes 2 & 3
    > > IRIX 6.5.3 yes Notes 2 & 3
    > > IRIX 6.5.4 yes Notes 2 & 3
    > > IRIX 6.5.5 yes Notes 2 & 3
    > > IRIX 6.5.6 yes Notes 2 & 3
    > > IRIX 6.5.7 yes Notes 2 & 3
    > > IRIX 6.5.8 yes Notes 2 & 3
    > > IRIX 6.5.9 yes Notes 2 & 3
    > > IRIX 6.5.10 yes Notes 2 & 3
    > > IRIX 6.5.11 yes Notes 2 & 3
    > > IRIX 6.5.12 yes 4588 Note 4
    > > IRIX 6.5.13 yes 4588 Note 4
    > > IRIX 6.5.14 yes 4589 Note 4
    > > IRIX 6.5.15 yes 4589 Note 4
    > > IRIX 6.5.16 no Note 4
    > >
    > > NOTES
    > >
    > > 1) This version of the IRIX operating has been retired. Upgrade to an
    > > actively supported IRIX operating system. See
    > > http://support.sgi.com/irix/news/index.html#policy for more
    > > information.
    > >
    > > 2) If you have not received an IRIX 6.5.X CD for IRIX 6.5, contact your
    > > SGI Support Provider or URL: http://support.sgi.com/irix/swupdates/
    > >
    > > 3) Upgrade to IRIX 6.5.16m or 6.5.16f.
    > >
    > > 4) Note that these patches (and IRIX 6.5.16) address other rpc.passwd
    > > issues not related to the specific security issue being reported in
    > > this bulletin. See the release notes for details.
    > >
    > > ##### Patch File Checksums ####
    >
    > Frank Bures, Dept. of Chemistry, University of Toronto, M5S 3H6
    > fbureschem.toronto.edu
    > http://www.chem.utoronto.ca/general/itelec.html
    > PGP public key:
    http://wwwkeys.pgp.net:11371/pks/lookup?op=index&search=Frank+Bures
    > -----BEGIN PGP SIGNATURE-----
    > Version: PGPfreeware 5.0 OS/2 for non-commercial use
    > Comment: PGP 5.0 for OS/2
    > Charset: cp850
    >
    > wj8DBQE9AOYmih0Xdz1+w+wRApnwAKCrQlAxnTRYueeKQFMsbxz2EaM7ewCg/lyb
    > cMqg9wCrLSqj0YwHaVz++RU=
    > =ihq9
    > -----END PGP SIGNATURE-----
    >

       << All opinions expressed are mine, not the University's >>

      =-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=
       David Foster National Center for Microscopy and Imaging Research
        Programmer/Analyst University of California, San Diego
        dfosterucsd.edu Department of Neuroscience, Mail 0608
        (858) 534-7968 http://ncmir.ucsd.edu/
      =-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=

       "The reasonable man adapts himself to the world; the unreasonable one
       persists in trying to adapt the world to himself. Therefore, all progress
       depends on the unreasonable." -- George Bernard Shaw