'SGI Security Advisory 19960802-01 - Vulnerability in expreserve'

[prev in list] [next in list] [prev in thread] [next in thread] 

List:       bugtraq
Subject:    SGI Security Advisory 19960802-01 - Vulnerability in expreserve
From:       SGI Security Coordinator <agent99 () boytoy ! csd ! sgi ! com>
Date:       1996-08-26 10:39:01
[Download RAW message or body]

RELEASE RESTRICTIONS - NONE - FOR PUBLIC RELEASE



-----BEGIN PGP SIGNED MESSAGE-----

______________________________________________________________________________
                Silicon Graphics Inc. Security Advisory

        Title:   Vulnerability in expreserve
        Title:   CERT(sm) Advisory CA-96.19
        Number:  19960802-01-I
        Date:    October 23, 1996
______________________________________________________________________________

Silicon Graphics provides this information freely to the SGI user community
for its consideration, interpretation, implementation and use.   Silicon
Graphics recommends that this information be acted upon as soon as possible.

Silicon Graphics  will  not  be  liable  for any  indirect, special, or
consequential damages arising from the use of, failure to use or improper
use of any of the instructions or information in this Security Advisory.
______________________________________________________________________________


- -------------------
- --- Description ---
- -------------------

In CERT(sm) Advisory CA-96.19, titled "Vulnerability in expreserve",
a security vulnerability in the expreserve program is discussed.
According to the CERT(sm) advisory, the expreserve program has
setuid root privileges which creates a vulnerability that allows
users to overwrite any file on the system.


- --------------
- --- Impact ---
- --------------

As reported by the CERT(sm) Advisory, when exploited, this vulnerability
could allow users with access to an account on the system to gain root
privileges.

Impact for Silicon Graphics IRIX systems is different and very limited,
see "Solution" section.


- ----------------
- --- Solution ---
- ----------------

SGI has investigated the expreserve issue and provides the following
information.

The Silicon Graphics implementation of expreserv is setgid sys and
not setuid root as reported in the CERT(sm) advisory.   As such this
redefines the exposure to a setgid sys issue.  Exploit would have to
occur on group sys writable files, however, on a default configured
IRIX system there are no system critical files that are group sys
writable and therefore exposure and exploit does not exist.

Silicon Graphics will not be releasing a patch for this issue,
however, the issue will be corrected in future releases of IRIX.

If desired, the setgid permission of the expreserv could be removed
however, this will disable the recovery functions of the vi(1) and
ex(1) editors.   This functionality could be fixed by manually
creating directories for each user in /var/preserve directory.


- ------------------------
- --- Acknowledgments ---
- ------------------------

Silicon Graphics wishes to thank the CERT Coordination Center and
the FIRST organization for their assistance in this matter.



- -----------------------------------------
- --- SGI Security Information/Contacts ---
- -----------------------------------------

Past SGI Advisories and security patches can be obtained via
anonymous FTP from sgigate.sgi.com or its mirror, ftp.sgi.com.
These security patches and advisories are provided freely to
all interested parties.   For issues with the patches on the
FTP sites, email can be sent to cse-security-alert@csd.sgi.com.

For assistance obtaining or working with security patches, please
contact your SGI support provider.

If there are questions about this document, email can be sent to
cse-security-alert@csd.sgi.com.

Silicon Graphics provides a free security mailing list service. The
wiretap service allows interested parties to self-subscribe to receive
(via email) all SGI Security Advisories when released.

     mail wiretap-request@sgi.com

     [BODY of
             "subscribe wiretap YourEmailAddress"
             "end"
     ]

For reporting *NEW* SGI security issues, email can be sent to
security-alert@sgi.com or contact your SGI support provider.  A
support contract is not required for submitting a security report.




-----BEGIN PGP SIGNATURE-----
Version: 2.6.2

iQCVAwUBMiHfdrQ4cFApAP75AQEXlQP9H+b8uaTwecnP3qCHM5CNDNOLg+blWKX4
CEnE1lmzT2liOZ04BOoTY4DxoQjcbBXSwT/PZCQ51/lu0n5/y2g0pKzJhFQqvgl0
N6rncqK4RAoQfcJAGVKEPrMXSaTFTRwqNy+uYWR6BpHSwcTq6VEYzS2ZUzP9p05Y
xLME1oTb1j4=
=LYR3
-----END PGP SIGNATURE-----

[prev in list] [next in list] [prev in thread] [next in thread]
Configure | About | News | Add a list | Sponsored by KoreLogic