S.C.Sprong *nix forums beginner
Joined: 21 May 2005
Posts: 36
|
Posted: Tue Apr 12, 2005 11:56 am Post subject:
Re: If you admin IRIX 6.5.21 to 6.5.27...
|
|
|
josehill@canada.com <josehill@canada.com> wrote:
| Quote: | ...be sure to remove the setuid bit from gr_osview [...]
Seriously. Stop what you are doing, and get this one done.
|
I know what the setuid bit in a Unix 98 system does, so please
explain or provide a pointer to an explanation why it should be
unset in this case?
scs |
|
Atro Tossavainen *nix forums Guru Wannabe
Joined: 22 Feb 2005
Posts: 131
|
Posted: Tue Apr 12, 2005 2:44 pm Post subject:
Re: If you admin IRIX 6.5.21 to 6.5.27...
|
|
|
"S.C.Sprong" <scsprong@gmail.com> writes:
| Quote: | I know what the setuid bit in a Unix 98 system does, so please
explain or provide a pointer to an explanation why it should be
unset in this case?
|
There is a programming error in gr_osview. The fact that the application
is installed setuid by default means that if it is possible to exploit
the programming error, and apparently it is, it becomes possible to gain
root access if you're able to run gr_osview in the target system as a
normal user.
--
Atro Tossavainen (Mr.) / The Institute of Biotechnology at
Systems Analyst, Techno-Amish & / the University of Helsinki, Finland,
+358-9-19158939 UNIX Dinosaur / employs me, but my opinions are my own.
<URL:http://www.helsinki.fi/%7Eatossava/> NO FILE ATTACHMENTS |
|
S.C.Sprong *nix forums beginner
Joined: 21 May 2005
Posts: 36
|
Posted: Tue Apr 12, 2005 3:15 pm Post subject:
Re: If you admin IRIX 6.5.21 to 6.5.27...
|
|
|
Atro Tossavainen <Atro.Tossavainen+news@helsinki.finland.invalid> wrote:
| Quote: | "S.C.Sprong" <scsprong@gmail.com> writes:
[ removing setuid bit from /usr/sbin/gr_osview ] |
| Quote: | There is a programming error in gr_osview. The fact that the application
is installed setuid by default means that if it is possible to exploit
the programming error, and apparently it is
|
Ah, a standard security risk, then. Thanks.
scs |
|
josehill@canada.com *nix forums beginner
Joined: 22 May 2005
Posts: 19
|
Posted: Sun Apr 17, 2005 5:31 pm Post subject:
Re: If you admin IRIX 6.5.21 to 6.5.27...
|
|
|
It's actually a little worse than a "standard security risk" because
this particular glitch with gr_osview is unusually simple to exploit
(not even script kiddie knowledge is required), and the easiest way
(trivial, actually) to exploit the flaw can result in immediate,
possibly catastrophic loss of data.
It's the simplicity of the hack coupled with the potentially severe
consequences which grabbed my attention (I've been admin'ing IRIX
systems for a decade, and I'll admit I was stunned at how easily I was
able to trash a test system when I tried to verify the flaw).
I didn't post the details of the exploit here because I am pretty sure
that if I did, a lot of systems would get hosed within a few minutes of
my post (especially in the academic world).
If you admin a vulnerable system, you should go to an appropriate,
legitimate source of security advisories immediately, find the correct
advisory, and decide for yourself whether or not it is worth applying
this fix. If you admin a system that is mission critical or that is
subject to regulatory validation requirements, I think that I can
predict which path of action you will choose. |
|
Toni Grass *nix forums addict
Joined: 03 May 2005
Posts: 82
|
Posted: Sun Apr 17, 2005 5:58 pm Post subject:
Re: If you admin IRIX 6.5.21 to 6.5.27...
|
|
|
josehill@canada.com wrote:
| Quote: | It's actually a little worse than a "standard security risk" because
this particular glitch with gr_osview is unusually simple to exploit
(not even script kiddie knowledge is required), and the easiest way
(trivial, actually) to exploit the flaw can result in immediate,
possibly catastrophic loss of data.
[....] |
Isn't there a fix (patchSG0005869) already?
Toni
--
I am root. If you see me laughing you better have a backup. |
|
S.C.Sprong *nix forums beginner
Joined: 21 May 2005
Posts: 36
|
Posted: Sun Apr 17, 2005 6:25 pm Post subject:
Re: If you admin IRIX 6.5.21 to 6.5.27...
|
|
|
josehill@canada.com <josehill@canada.com> wrote:
| Quote: | It's actually a little worse than a "standard security risk" because
this particular glitch with gr_osview is unusually simple to exploit
|
I was overly terse; I meant 'standard' as in exclaiming 'Not again!',
while rolling one's eyes and banging one's head against a brick wall.
And your commendable cautiousness triggered mine, as I don't know much
yet about the inner workings of the Irix system, but do know more than
enough about Unixoids to know that setuid programs can have their place.
| Quote: | If you admin a vulnerable system, you should go to an appropriate,
legitimate source of security advisories immediately, find the correct
advisory, and decide for yourself whether or not it is worth applying
this fix. If you admin a system that is mission critical or that is
subject to regulatory validation requirements, I think that I can
predict which path of action you will choose.
|
I fully agree.
scs |
|
R. Lynn Rardin *nix forums beginner
Joined: 17 Jun 2005
Posts: 9
|
Posted: Sun Apr 17, 2005 7:52 pm Post subject:
Re: If you admin IRIX 6.5.21 to 6.5.27...
|
|
|
In article <3cftesF6o826nU1@individual.net>,
Toni Grass <toni@fotoni.at> wrote:
| Quote: | josehill@canada.com wrote:
It's actually a little worse than a "standard security risk"
because this particular glitch with gr_osview is unusually
simple to exploit...
Isn't there a fix (patchSG0005869) already?
|
Yes, but not for Irix 6.5.22. It only applies to machines running
6.5.23 through 6.5.27. So people who administer old machines that
aren't supported by versions of Irix later than 6.5.22 are stuck
with coming up with their own solution.
--
R. Lynn Rardin |
|
josehill@canada.com *nix forums beginner
Joined: 22 May 2005
Posts: 19
|
Posted: Sun Apr 17, 2005 9:18 pm Post subject:
Re: If you admin IRIX 6.5.21 to 6.5.27...
|
|
|
For 6.5.21 and 6.5.22, the solution is to execute the following
(assuming you have super-user privileges):
chmod u-s /usr/sbin/gr_osview
As an aside, this command-line method also solves the problem on
6.5.23-27, but patchSG0005869 is the preferred approach for those
systems, as the patch will survive OS upgrades, whereas the manual
chmod'ing might be overwritten during a system upgrade. |
|
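Added example (not part of the original thread and not SGI tooling): the post above notes that a manual chmod may be overwritten during a system upgrade, so this sketch re-checks the setuid bit and strips it again if it has returned. It assumes a POSIX shell; the function names are hypothetical.

```shell
#!/bin/sh
# Added example: keep the "chmod u-s" mitigation in place across upgrades.
# Function names are hypothetical; the path is passed in by the caller.

# check_setuid FILE -> prints clean | setuid | missing
#   returns 0 (no setuid bit), 1 (setuid bit set), 2 (absent/not a plain file)
check_setuid() {
    f=$1
    # Refuse symlinks so a later chmod cannot land on an unexpected target.
    if [ -L "$f" ] || [ ! -f "$f" ]; then
        echo missing; return 2
    fi
    if [ -u "$f" ]; then
        echo setuid; return 1
    fi
    echo clean; return 0
}

# enforce_no_setuid FILE -> strips the bit if it has come back, then re-checks
#   returns 0 (bit absent on exit), 2 (file missing), 3 (could not remove bit)
enforce_no_setuid() {
    f=$1
    state=$(check_setuid "$f") || true   # status is carried in $state
    case $state in
        clean)
            return 0 ;;
        missing)
            echo "WARN: $f not found or not a regular file" >&2
            return 2 ;;
        setuid)
            echo "NOTICE: $f is setuid, removing the bit" >&2
            chmod u-s "$f" || return 3
            [ "$(check_setuid "$f")" = clean ] || return 3
            return 0 ;;
        *)
            return 3 ;;
    esac
}

# Run against a path only when one is given on the command line.
if [ "$#" -gt 0 ]; then
    enforce_no_setuid "$1"
fi
```

Run it as root with /usr/sbin/gr_osview as the argument after each OS upgrade, or from a periodic job; the NOTICE line on stderr is the signal that an upgrade restored the bit.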
R. Lynn Rardin *nix forums beginner
Joined: 17 Jun 2005
Posts: 9
|
Posted: Mon Apr 18, 2005 12:02 am Post subject:
Re: If you admin IRIX 6.5.21 to 6.5.27...
|
|
|
In article <1113779936.505704.271520@f14g2000cwb.googlegroups.com>,
"josehill@canada.com" <josehill@canada.com> wrote:
| Quote: | For 6.5.21 and 6.5.22, the solution is to execute the following
(assuming you have super-user privileges):
chmod u-s /usr/sbin/gr_osview
As an aside, this command-line method also solves the problem on
6.5.23-27, but patchSG0005869 is the preferred approach for those
systems, as the patch will survive OS upgrades, whereas the manual
chmod'ing might be overwritten during a system upgrade.
|
Is removing the suid root bit the only impact of applying
patchSG0005869? That seems to be what you're implying. If
that's the case, why didn't SGI see fit to release the patch
for 6.5.22?
--
R. Lynn Rardin |
|
josehill@canada.com *nix forums beginner
Joined: 22 May 2005
Posts: 19
|
Posted: Mon Apr 18, 2005 4:25 am Post subject:
Re: If you admin IRIX 6.5.21 to 6.5.27...
|
|
|
R. Lynn Rardin wrote:
| Quote: | Is removing the suid root bit the only impact of applying
patchSG0005869? That seems to be what you're implying. If
that's the case, why didn't SGI see fit to release the patch
for 6.5.22?
|
I implied nothing, but you seem to have inferred something. ;-)
To answer your question, however:
At any given moment, SGI only develops and tests patches against the
current IRIX release and the three prior quarterly releases. Any
release more than one year old is considered to be in "Retired" mode,
or, in other words, is "out of warranty."
You can consult the SGI Software Support Policy at
http://support.sgi.com/ for more details. |
|
R. Lynn Rardin *nix forums beginner
Joined: 17 Jun 2005
Posts: 9
|
Posted: Mon Apr 18, 2005 8:54 am Post subject:
Re: If you admin IRIX 6.5.21 to 6.5.27...
|
|
|
In article <1113805548.197373.227070@l41g2000cwc.googlegroups.com>,
"josehill@canada.com" <josehill@canada.com> wrote:
| Quote: | R. Lynn Rardin wrote:
Is removing the suid root bit the only impact of applying
patchSG0005869? That seems to be what you're implying. If
that's the case, why didn't SGI see fit to release the patch
for 6.5.22?
I implied nothing, but you seem to have inferred something. ;-)
To answer your question, however:
At any given moment, SGI only develops and tests patches against
the current IRIX release and the three prior quarterly releases.
Any release more than one year old is considered to be in
"Retired" mode, or, in other words, is "out of warranty."
|
For what it's worth, "retired" is not how 6.5.22 (or any 6.5.x
version of Irix) was flagged in the message distributed by SGI
regarding this matter. I understand their policies regarding
support of older versions of the OS, but sometimes exceptions
are made to rules. All I'm saying is that if the action of the
patch is as simple as you're suggesting (or I'm inferring), how
much testing would've been necessary to make it available for
6.5.22, the terminal version of Irix for several classes of
hardware? The need to drop support for older versions of an OS
is understandable from a cost perspective, but this vulnerability
is serious enough that it might have been worth SGI's seemingly
small amount of effort to extend the patch to 6.5.22.
--
R. Lynn Rardin |
|
josehill@canada.com *nix forums beginner
Joined: 22 May 2005
Posts: 19
|
Posted: Mon Apr 18, 2005 12:16 pm Post subject:
Re: If you admin IRIX 6.5.21 to 6.5.27...
|
|
|
|
No disagreement here. |
|
R. Lynn Rardin *nix forums beginner
Joined: 17 Jun 2005
Posts: 9
|
Posted: Tue Apr 26, 2005 10:58 am Post subject:
Re: If you admin IRIX 6.5.21 to 6.5.27...
|
|
|
In article <d4lcuo$e5h$1@appleseed.escomposlinux.org>,
"J.A. Gutierrez" <spd@daphne.cps.unizar.es> wrote:
| Quote: | R. Lynn Rardin <rardin@orion.rose.brandeis.edu> wrote:
...Anyway, patchSG0005869 includes only a
/usr/sbin/gr_osview executable, which still is setuid
root, but which gives "Permission denied" if you try
the known exploit.
: that's the case, why didn't SGI see fit to release the
: patch for 6.5.22?
Get the patch, extract the file, and replace the old one.
It works (at least on 6.5.22f running on IP22).
|
Thanks for the info. I may give it a shot.
--
R. Lynn Rardin |
|
R. Lynn Rardin *nix forums beginner
Joined: 17 Jun 2005
Posts: 9
|
Posted: Tue Apr 26, 2005 11:04 am Post subject:
Re: If you admin IRIX 6.5.21 to 6.5.27...
|
|
|
In article <d4lcuo$e5h$1@appleseed.escomposlinux.org>,
"J.A. Gutierrez" <spd@daphne.cps.unizar.es> wrote:
| Quote: | ...Anyway, patchSG0005869 includes only a
/usr/sbin/gr_osview executable, which still is
setuid root, but which gives "Permission denied" if
you try the known exploit.
: that's the case, why didn't SGI see fit to release
: the patch for 6.5.22?
Get the patch, extract the file, and replace the old
one. It works (at least on 6.5.22f running on IP22).
|
The more I think about this, the less sense it makes to me.
SGI still releases patches every now and then for Irix 6.5.22.
There must be some reason they chose not to release this
specific patch for 6.5.22. Could it be that the patched
gr_osview opens up a new vulnerability under 6.5.22, but
not under 6.5.23+?
--
R. Lynn Rardin |
|
J.A. Gutierrez *nix forums beginner
Joined: 25 Mar 2003
Posts: 25
|
Posted: Tue Apr 26, 2005 12:42 pm Post subject:
Re: If you admin IRIX 6.5.21 to 6.5.27...
|
|
|
R. Lynn Rardin <rardin@orion.rose.brandeis.edu> wrote:
: Is removing the suid root bit the only impact of applying
: patchSG0005869? That seems to be what you're implying. If
It seems it is not.
In that case, I guess you will lose the remote monitoring
feature (since it uses rsh protocol).
Anyway, patchSG0005869 includes only a /usr/sbin/gr_osview
executable, which still is setuid root, but which gives
"Permission denied" if you try the known exploit.
: that's the case, why didn't SGI see fit to release the patch
: for 6.5.22?
Get the patch, extract the file, and replace the old one.
It works (at least on 6.5.22f running on IP22).
--
PGP and other useless info at \
http://webdiis.unizar.es/~spd/ \
finger://daphne.cps.unizar.es/spd \ Timeo Danaos et dona ferentes
ftp://ivo.cps.unizar.es/pub/ \ (Virgilio) |
|