[UNIX] SGI IRIX gr_osview Multiple Vulnerabilities
From: SecuriTeam <support@securiteam.com.>
To: [email protected]
Date: 10 Apr 2005 17:58:55 +0200
Subject: [UNIX] SGI IRIX gr_osview Multiple Vulnerabilities
Content-Type: text/plain; charset=us-ascii
Content-Transfer-Encoding: 7bit
Message-Id: <20050410154738.0C5E857C6@mail.tyumen.ru.>
X-Virus-Scanned: antivirus-gw at tyumen.ru

The following security advisory is sent to the securiteam mailing list, and can be found at the SecuriTeam web site: http://www.securiteam.com




  SGI IRIX gr_osview Multiple Vulnerabilities
------------------------------------------------------------------------


SUMMARY

The gr_osview application is a setuid root application that provides a 
graphical display of usage of certain types of operating system resources. 
Local exploitation of a file overwrite vulnerability in the gr_osview 
command included in multiple versions of Silicon Graphics Inc.'s IRIX 
operating system could allow for the overwriting of arbitrary files, 
regardless of permissions. gr_osview is also vulnerable to sensitive 
information disclosure.

DETAILS

Vulnerable Systems:
 * iDEFENSE has confirmed the existence of this vulnerability in SGI IRIX 
version 6.5.22 (maintenance). It is suspected that previous and later 
versions of both the feature and maintenance revisions of IRIX 6.5 are 
also vulnerable. gr_osview is installed by default under multiple 
versions of IRIX 6.

Arbitrary File Overwrite Vulnerability:
The vulnerability specifically exists in the way that gr_osview opens user 
specified files without dropping privileges. When a file is specified 
using the "-s" option, it will be opened regardless of permissions, and 
operating system usage information will be written into it.

CVE Information:
The Common Vulnerabilities and Exposures (CVE) project has assigned the 
names CAN-2005-0465 
(http://www.cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2005-0465) and 
CAN-2005-0464 
(http://www.cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2005-0464) to these 
issues. These are candidates for inclusion in the CVE list 
(http://cve.mitre.org), which standardizes names for security problems.

Example:
user@irix$ gr_osview -s /etc/shadow 
After execution of that command, the system shadow file will be 
overwritten with system usage information. With a damaged shadow file, 
users will no longer be able to log on remotely or locally.

This vulnerability has been addressed in SGI BUG 930890.

Information Disclosure Vulnerability:
The vulnerability specifically exists in the way that gr_osview opens 
user-specified description files without dropping privileges. When this is 
combined with the debug option, it is possible to dump a line from an 
arbitrary file, regardless of its protection. An example is as follows:

user@irix$ gr_osview -d -D /etc/shadow
sgets: waiting for string
*SR> read <root:PASSWDHASHHERE:2051::::::>
gr_osview: description file format error on line 1   

To elevate privileges, the attacker would then have to crack the root 
password using the acquired hash.

This vulnerability has been addressed in SGI BUG 930892.
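Both issues share one root cause: a setuid-root program opens a user-supplied path (the "-s" output file, the "-D" description file) while its effective uid is still root, so the kernel never checks the invoking user's permissions. The following C fragment is added here as an illustration and is not code from IRIX or gr_osview; it contrasts that flawed pattern with one that temporarily assumes the caller's real uid/gid around the open(), refuses symlinks and non-regular files, and then restores privileges. The function names are hypothetical.

```c
#define _POSIX_C_SOURCE 200809L
#include <fcntl.h>
#include <sys/stat.h>
#include <unistd.h>

/* Flawed pattern (the bug described above): the path is opened while the
 * effective uid is still root, so the caller's access rights on the target
 * are never enforced. Applies equally to the "-s" and "-D" cases. */
int open_as_root(const char *path, int flags)
{
    return open(path, flags, 0644);
}

/* Hardened pattern: switch the effective ids to the invoking user's real ids
 * for the duration of the open(), so the kernel enforces that user's
 * permissions; refuse a symlink at the final component; then restore the
 * saved ids and sanity-check what was opened. */
int open_as_invoking_user(const char *path, int flags)
{
    uid_t ruid = getuid(), euid = geteuid();
    gid_t rgid = getgid(), egid = getegid();
    struct stat st;
    int fd;

    /* Drop the group first, then the user; do not proceed if either fails. */
    if (setegid(rgid) != 0 || seteuid(ruid) != 0)
        return -1;
    fd = open(path, flags | O_NOFOLLOW, 0644);
    /* Restore privileges; never continue in a half-privileged state. */
    if (seteuid(euid) != 0 || setegid(egid) != 0) {
        if (fd >= 0)
            close(fd);
        return -1;
    }
    if (fd < 0)
        return -1;
    /* Accept only regular files: no devices, FIFOs or other special files. */
    if (fstat(fd, &st) != 0 || !S_ISREG(st.st_mode)) {
        close(fd);
        return -1;
    }
    return fd;
}
```

When the program is not setuid (real and effective ids already equal), the seteuid/setegid calls are no-ops and the hardened variant behaves like a plain permission-checked open().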

All that is required to exploit these vulnerabilities is a local account 
and an open X display, which could be the attacker's home machine or 
another compromised computer. Exploitation does not require any knowledge 
of application internals, making exploitation trivial, even for unskilled 
attackers.

Workaround:
Only allow trusted users local access to security-critical systems. 
Alternately, remove the setuid bit from gr_osview using:
chmod u-s /usr/sbin/gr_osview

Vendor Status:
Related security advisories are available at:
http://www.sgi.com/support/security/advisories.html

Related patches are available at:
http://www.sgi.com/support/security/patches.html
ftp://patches.sgi.com/support/free/security/patches/

Disclosure Timeline:
02/18/2005 - Initial vendor notification
02/23/2005 - Initial vendor response
04/07/2005 - Coordinated public disclosure


ADDITIONAL INFORMATION

The information has been provided by iDEFENSE 
(mailto:idlabs-advisories@idefense.com).
The original articles can be found at:
http://www.idefense.com/application/poi/display?id=225&type=vulnerabilities
http://www.idefense.com/application/poi/display?id=226&type=vulnerabilities




