From: SecuriTeam <support@securiteam.com.>
To: [email protected]
Date: 16 Jan 2005 10:53:15 +0200
Subject: [UNIX] SGI IRIX inpview Design Error Vulnerability
Content-Type: text/plain; charset=us-ascii
Content-Transfer-Encoding: 7bit
Message-Id: <20050116095925.E158257D7@mail.tyumen.ru.>
X-Virus-Scanned: antivirus-gw at tyumen.ru
The following security advisory is sent to the securiteam mailing list, and can be found at the SecuriTeam web site: http://www.securiteam.com
- - promotion
The SecuriTeam alerts list - Free, Accurate, Independent.
Get your security news from a reliable source.
http://www.securiteam.com/mailinglist.html
- - - - - - - - -
SGI IRIX inpview Design Error Vulnerability
------------------------------------------------------------------------
SUMMARY
The inpview program is "a setuid root application that is included in the
InPerson networked multimedia conferencing tool. InPerson networked
multimedia conferencing tool is included in SGI IRIX".
Local exploitation of a design error vulnerability in the inpview command
included in multiple versions of Silicon Graphics Inc.'s IRIX could allow
for arbitrary code execution as the root user.
DETAILS
Vulnerable Systems:
* SGI IRIX version 6.5.9 (feature) and version 6.5.22 (maintenance)
The vulnerability specifically exists due to the fact that inpview trusts
the user environment and does not drop privileges. When the environment
variable SUN_TTSESSION_CMD is something such as "cp /bin/jsh
/tmp/jsh;chmod 6755 /tmp/jsh;killall -9 inpview," the chain of commands
will be executed with root permissions, thus allowing a regular user to
drop a setuid and setgid shell to /tmp.
Analysis:
All that is required to exploit this vulnerability is a local account and
an open X display, which could be the attacker's home machine or another
compromised system. Exploitation does not require any knowledge of
application internals, making privilege escalation trivial, even for
unskilled attackers.
Workaround:
Only allow trusted users local access to security critical systems.
Alternately, remove the setuid bit from inpview:
chmod u-s /usr/lib/InPerson/inpview
Vendor response:
Support for the InPerson product did not extend beyond 02/2002 as noted in
the following publication:
<http://techpubs.sgi.com/library/manuals/4000/007-4526-001/pdf/007-4526-001.pdf>; http://techpubs.sgi.com/library/manuals/4000/007-4526-001/pdf/007-4526-001.pdf
As a result, no patch will be issued for this vulnerability.
Disclosure Timeline:
01/06/2005 - Initial vendor notification
01/07/2005 - Initial vendor response
01/13/2005 - Public disclosure
ADDITIONAL INFORMATION
The information has been provided by
<mailto:idlabs-advisories@idefense.com.> iDEFENSE.
The original article can be found at:
<http://www.idefense.com/application/poi/display?id=182&type=vulnerabilities>; http://www.idefense.com/application/poi/display?id=182&type=vulnerabilities
This bulletin is sent to members of the SecuriTeam mailing list.
To unsubscribe from the list, send mail with an empty subject line and body to: [email protected]
In order to subscribe to the mailing list, simply forward this email to: [email protected]
DISCLAIMER:
The information in this bulletin is provided "AS IS" without warranty of any kind.
In no event shall we be liable for any damages whatsoever including direct, indirect, incidental, consequential, loss of business profits or special damages.
