| Title: | SGI IRIX login/scheme Buffer Overrun Vulnerability |
| Date Issued: | May 28, 1997 |
| Last Modified: | September 16, 1997 |
| Code: | AA-97.22 |
| Source: | AusCERT |
-----BEGIN PGP SIGNED MESSAGE-----
===========================================================================
AA-97.22 AUSCERT Advisory
SGI IRIX login/scheme Buffer Overrun Vulnerability
28 May 1997
Last Revised: 16 September 1997
Added vendor patch and bulletin information to Section 3.
A complete revision history is at the end of this file.
- ---------------------------------------------------------------------------
AUSCERT has received information that a vulnerability exists in login(1),
distributed under IRIX 6.2. Other versions (including IRIX 5.x) may also
be vulnerable.
This vulnerability may allow local users to gain root privileges.
Exploit information involving this vulnerability has been made publicly
available.
Vendor patches have been released addressing this vulnerability.
AUSCERT recommends that sites take the steps outlined in section 3 as soon
as possible.
This advisory will be updated as more information becomes available.
- ---------------------------------------------------------------------------
1. Description
login(1) is a program used at the beginning of each terminal session
that allows users to identify themselves to the session. Under current
versions of IRIX this functionality is supplied by the program
/usr/lib/iaf/scheme. The login program is a symbolic link to
/usr/lib/iaf/scheme.
Due to insufficient bounds checking on arguments which are supplied
by users, it is possible to overwrite the internal stack space of the
scheme program while it is executing. By supplying a carefully designed
argument to the scheme program, intruders may be able to force scheme to
execute arbitrary commands. As scheme is setuid root, this may allow
intruders to run arbitrary commands with root privileges.
The login program is installed in /usr/bin/login. Under default
configurations this is a symbolic link to /usr/lib/iaf/scheme.
% ls -l /usr/bin/login
lrwxr-xr-x 1 root sys 17 Nov 22 1994 /usr/bin/login ->
../lib/iaf/scheme
% ls -l /usr/lib/iaf/scheme
-rwsr-xr-x 1 root sys 65832 Nov 22 1994 /usr/lib/iaf/scheme
Exploit information involving this vulnerability has been made publicly
available.
Although AUSCERT has only verified this vulnerability under IRIX 6.2,
this vulnerability is believed to affect other versions of IRIX,
including IRIX 5.x.
2. Impact
This vulnerability may allow local users to gain root privileges.
3. Workarounds/Solution
Official vendor patches have been released by Silicon Graphics which
address this vulnerability (Section 3.3).
If the patches recommended by Silicon Graphics cannot be applied,
AUSCERT recommends that sites prevent the exploitation of this
vulnerability by immediately applying the workaround given in Section
3.1. To maintain the functionality of login/scheme, AUSCERT recommends
applying the workaround given in Section 3.2.
3.1 Remove setuid and non-root execute permissions
To prevent the exploitation of the vulnerability described in this
advisory, AUSCERT recommends that the setuid permissions be removed
from the scheme program immediately.
# ls -l /usr/lib/iaf/scheme
-rwsr-xr-x 1 root sys 58324 Nov 28 1996 /usr/lib/iaf/scheme
# chmod 500 /usr/lib/iaf/scheme
# ls -l /usr/lib/iaf/scheme
-r-x------ 1 root sys 58324 Nov 28 1996 /usr/lib/iaf/scheme
3.2 Install scheme wrapper
AUSCERT has developed a wrapper to help prevent programs from being
exploited using the vulnerability described in this advisory. Sites
which have a C compiler can obtain the source, compile and install
the wrapper. Please contact AUSCERT directly if pre-compiled wrapper
binaries are required.
The source for the wrapper, including installation instructions, can
be found at:
ftp://ftp.auscert.org.au/pub/auscert/tools/overflow_wrapper/
overflow_wrapper.c
This wrapper replaces the scheme program and checks the length of the
command line arguments which are passed to it. If an argument exceeds
a certain predefined value (MAXARGLEN), the wrapper exits without
executing the scheme command. The wrapper program can also be configured
to syslog any failed attempts to execute scheme with arguments exceeding
MAXARGLEN. For further instructions on using this wrapper, please
read the comments at the top of overflow_wrapper.c.
When compiling overflow_wrapper.c for use with scheme, AUSCERT recommends
defining MAXARGLEN to be 32.
The MD5 checksum for the current version of overflow_wrapper.c can be
retrieved from:
ftp://ftp.auscert.org.au/pub/auscert/tools/overflow_wrapper/CHECKSUM
The CHECKSUM file has been digitally signed using the AUSCERT PGP key.
3.3 Install vendor patches
Silicon Graphics has released security bulletin 19970508-02-PX "IRIX
LOCKOUT and login/scheme Buffer Overrun" which addresses the
vulnerability described in this advisory, including patch information.
AUSCERT recommends that sites apply these patches as soon as possible.
This SGI security advisory is available from:
ftp://sgigate.sgi.com/security/19970508-02-PX
- ---------------------------------------------------------------------------
AUSCERT thanks Ian Farquhar for his assistance in the production of
this advisory. Thanks also to the Prentice Centre, University of
Queensland, for providing test equipment.
- ---------------------------------------------------------------------------
The AUSCERT team have made every effort to ensure that the information
contained in this document is accurate. However, the decision to use the
information described is the responsibility of each user or organisation.
The appropriateness of this document for an organisation or individual
system should be considered before application in conjunction with local
policies and procedures. AUSCERT takes no responsibility for the
consequences of applying the contents of this document.
If you believe that your system has been compromised, contact AUSCERT or
your representative in FIRST (Forum of Incident Response and Security
Teams).
AUSCERT is located at The University of Queensland within the Prentice
Centre. AUSCERT is a full member of the Forum of Incident Response and
Security Teams (FIRST).
AUSCERT maintains an anonymous FTP service which is found on:
ftp://ftp.auscert.org.au/pub/. This archive contains past SERT and AUSCERT
Advisories, and other computer security information.
AUSCERT also maintains a World Wide Web service which is found on:
http://www.auscert.org.au/.
Internet Email: auscert@auscert.org.au
Facsimile: (07) 3365 4477
Telephone: (07) 3365 4417 (International: +61 7 3365 4417)
AUSCERT personnel answer during Queensland business hours
which are GMT+10:00 (AEST).
On call after hours for emergencies.
Postal:
Australian Computer Emergency Response Team
Prentice Centre
Brisbane
Qld. 4072.
AUSTRALIA
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
Revision History
16 Sep 1997 Silicon Graphics has released a security bulletin,
addressing the vulnerability described in this advisory.
Section 3 has been modified to include this information.
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
-----BEGIN PGP SIGNATURE-----
Version: 2.6.3i
Charset: noconv
Comment: ftp://ftp.auscert.org.au/pub/auscert/AUSCERT_PGP.key
iQCVAwUBNB6kSih9+71yA2DNAQF3gwP/W7jn4a6V/f4T5crR49/TSL7278bc02oR
buXAhkLQhtagOn1cvOoOA4JRrEl/8gOJ58tFw6DvxnJzx4oLL53H2UJV3T6NlGcU
Qdd2ir/WrNPww1Ok6QK7+72DwgBcQpDeW6fyPhwcRyGu/j+whQ3cDg5X46J/eZQh
pk4Z7HxYFMU=
=Tm2C
-----END PGP SIGNATURE-----