From: SecuriTeam <support@securiteam.com>
To: list@securiteam.com
Date: 10 Apr 2005 17:58:55 +0200
Subject: [UNIX] SGI IRIX gr_osview Multiple Vulnerabilities
Content-Type: text/plain; charset=us-ascii
Content-Transfer-Encoding: 7bit
Message-Id: <20050410154738.0C5E857C6@mail.tyumen.ru>
X-Virus-Scanned: antivirus-gw at tyumen.ru

The following security advisory is sent to the securiteam mailing list, and can be found at the SecuriTeam web site: http://www.securiteam.com

SGI IRIX gr_osview Multiple Vulnerabilities
------------------------------------------------------------------------

SUMMARY

The gr_osview application is a setuid root application that provides a graphical display of the usage of certain operating system resources. Local exploitation of a file overwrite vulnerability in the gr_osview command included in multiple versions of Silicon Graphics Inc.'s IRIX operating system could allow arbitrary files to be overwritten, regardless of their permissions. gr_osview is also vulnerable to sensitive information disclosure.

DETAILS

Vulnerable Systems:
 * iDEFENSE has confirmed the existence of this vulnerability in SGI IRIX version 6.5.22 (maintenance). It is suspected that previous and later versions of both the feature and maintenance revisions of IRIX 6.5 are also vulnerable. gr_osview is installed by default under multiple versions of IRIX 6.

Arbitrary File Overwrite Vulnerability:
The vulnerability specifically exists in the way that gr_osview opens user-specified files without dropping privileges. When a file is specified using the "-s" option, it is opened regardless of its permissions, and operating system usage information is written into it.

CVE Information:
The Common Vulnerabilities and Exposures (CVE) project has assigned the names CAN-2005-0465 (http://www.cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2005-0465) and CAN-2005-0464 (http://www.cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2005-0464) to these issues. These are candidates for inclusion in the CVE list (http://cve.mitre.org), which standardizes names for security problems.

Example:
 user@irix$ gr_osview -s /etc/shadow

After execution of that command, the system shadow file will be overwritten with system usage information. With a damaged shadow file, users will no longer be able to log on remotely or locally. This vulnerability has been addressed in SGI BUG 930890.

Information Disclosure Vulnerability:
The vulnerability specifically exists in the way that gr_osview opens user-specified description files without dropping privileges. When this is combined with the debug option, it is possible to dump a line from an arbitrary file, regardless of its protection. An example is as follows:

 user@irix$ gr_osview -d -D /etc/shadow
 sgets: waiting for string
 *SR> read <root:PASSWDHASHHERE:2051::::::>
 gr_osview: description file format error on line 1

To elevate privileges, the attacker would then have to crack the root password using the acquired hash. This vulnerability has been addressed in SGI BUG 930892.

All that is required to exploit these vulnerabilities is a local account and an open X display, which could be the attacker's home machine or another compromised computer. Exploitation does not require any knowledge of application internals, making exploitation trivial, even for unskilled attackers.

Workaround:
Only allow trusted users local access to security-critical systems. Alternately, remove the setuid bit from gr_osview using:

 chmod u-s /usr/sbin/gr_osview

Vendor Status:
Related security advisories are available at:
 http://www.sgi.com/support/security/advisories.html
Related patches are available at:
 http://www.sgi.com/support/security/patches.html
 ftp://patches.sgi.com/support/free/security/patches/

Disclosure Timeline:
 02/18/2005 - Initial vendor notification
 02/23/2005 - Initial vendor response
 04/07/2005 - Coordinated public disclosure

ADDITIONAL INFORMATION

The information has been provided by iDEFENSE (idlabs-advisories@idefense.com).
The original articles can be found at:
 http://www.idefense.com/application/poi/display?id=225&type=vulnerabilities
and:
 http://www.idefense.com/application/poi/display?id=226&type=vulnerabilities
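Both issues in this advisory have the same root cause: a setuid-root program opens a path chosen by the invoking user while its effective uid is still root, so the kernel never applies the caller's own permissions. The following is an added example, not code from the advisory, SGI or iDEFENSE, showing the privilege-handling pattern that closes both the "-s" overwrite and the "-D" disclosure: adopt the caller's real uid/gid around the open, then restore. The function names, the report text and the /tmp path are constructed for illustration; the hardened open is shown beside the vulnerable shape it replaces.

```c
/* Added example (not gr_osview's code): open a user-chosen path with the
 * caller's privileges inside a setuid-root tool. All names and sample data
 * here are constructed for illustration. */
#define _GNU_SOURCE
#include <errno.h>
#include <fcntl.h>
#include <stdio.h>
#include <string.h>
#include <sys/stat.h>
#include <sys/types.h>
#include <unistd.h>

/* Vulnerable shape: the path is opened with whatever privilege the process
 * holds, which is root under setuid. Nothing stops "-s /etc/shadow". */
int open_privileged(const char *path, int flags, mode_t mode)
{
    return open(path, flags, mode);
}

/* Hardened shape: switch the effective ids to the real (caller's) ids, open,
 * then switch back. The kernel now enforces the caller's permissions on the
 * path. Returns the fd, or -1 with errno from open(). A failure to regain
 * privilege is also reported as failure, since continuing in an unknown
 * privilege state is unsafe. */
int open_as_caller(const char *path, int flags, mode_t mode)
{
    uid_t saved_euid = geteuid();
    gid_t saved_egid = getegid();
    int fd, saved_errno;

    /* Drop the group first, while the effective uid still permits it. */
    if (setegid(getgid()) != 0 || seteuid(getuid()) != 0)
        return -1;

    fd = open(path, flags, mode);
    saved_errno = errno;

    /* Regain privilege in the reverse order. */
    if (seteuid(saved_euid) != 0 || setegid(saved_egid) != 0) {
        if (fd >= 0)
            close(fd);
        return -1;
    }
    errno = saved_errno;
    return fd;
}

/* Constructed stand-in for the usage line the tool would write. */
static const char REPORT_LINE[] = "cpu 12% mem 40% swap 3%\n";

/* The "-s" case: write the report into a user-chosen file as the caller.
 * Returns 0 on success, -1 on failure. */
int write_report_as_caller(const char *path)
{
    int fd = open_as_caller(path, O_WRONLY | O_CREAT | O_TRUNC, 0600);
    ssize_t n;
    if (fd < 0)
        return -1;
    n = write(fd, REPORT_LINE, sizeof REPORT_LINE - 1);
    close(fd);
    return n == (ssize_t)(sizeof REPORT_LINE - 1) ? 0 : -1;
}

/* The "-D" case: read the first line of a user-chosen description file as
 * the caller. On a format error a tool should report only the line number;
 * echoing the line's contents is how the hash in the advisory leaked.
 * Returns the line length without the trailing newline, or -1. */
int read_first_line_as_caller(const char *path, char *buf, size_t buflen)
{
    int fd = open_as_caller(path, O_RDONLY, 0);
    FILE *fp;
    size_t len;
    if (fd < 0)
        return -1;
    fp = fdopen(fd, "r");
    if (fp == NULL || fgets(buf, (int)buflen, fp) == NULL) {
        if (fp)
            fclose(fp);
        else
            close(fd);
        return -1;
    }
    fclose(fp);
    len = strlen(buf);
    if (len > 0 && buf[len - 1] == '\n')
        buf[--len] = '\0';
    return (int)len;
}

int main(int argc, char **argv)
{
    const char *path = argc > 1 ? argv[1] : "/tmp/gr_osview_example_report.txt";
    char line[256];
    if (write_report_as_caller(path) != 0) {
        fprintf(stderr, "cannot write %s: %s\n", path, strerror(errno));
        return 1;
    }
    if (read_first_line_as_caller(path, line, sizeof line) < 0)
        return 1;
    printf("first line: %s\n", line);
    return 0;
}
```

Run unprivileged, the effective and real ids are already equal and the calls are no-ops; installed setuid root, the two opens run with the user's ids and an attempt such as "-s /etc/shadow" fails with EACCES instead of truncating the file. Removing the setuid bit, as the advisory's workaround does, reaches the same end by never granting root's ids in the first place.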
This bulletin is sent to members of the SecuriTeam mailing list. To unsubscribe from the list, send mail with an empty subject line and body to: list-unsubscribe@securiteam.com In order to subscribe to the mailing list, simply forward this email to: list-subscribe@securiteam.com
DISCLAIMER: The information in this bulletin is provided "AS IS" without warranty of any kind. In no event shall we be liable for any damages whatsoever including direct, indirect, incidental, consequential, loss of business profits or special damages.