If you admin IRIX 6.5.21 to 6.5.27...


Post by josehil » Sun, 10 Apr 2005 08:46:06


...be sure to remove the setuid bit from gr_osview (for example, chmod
u-s /usr/sbin/gr_osview ) if you run 6.5.21 or 6.5.22...

or, install SGI IRIX Patch # 5869 if you run 6.5.23 through 6.5.27.

Seriously. Stop what you are doing, and get this one done.
 
 
 


Post by S.C.Spron » Wed, 13 Apr 2005 22:56:18


I know what the setuid bit in a Unix 98 system does, so please
explain or provide a pointer to an explanation why it should be
unset in this case?

scs

 
 
 


Post by Atro Tossa » Thu, 14 Apr 2005 01:44:57

"S.C.Sprong" < XXXX@XXXXX.COM > writes:


There is a programming error in gr_osview. The fact that the application
is installed setuid by default means that if it is possible to exploit
the programming error, and apparently it is, it becomes possible to gain
root access if you're able to run gr_osview in the target system as a
normal user.

--
Atro Tossavainen (Mr.) / The Institute of Biotechnology at
Systems Analyst, Techno-Amish & / the University of Helsinki, Finland,
+358-9-19158939 UNIX Dinosaur / employs me, but my opinions are my own.
<URL:http://www.helsinki.fi/%7Eatossava/> NO FILE ATTACHMENTS
 
 
 


Post by S.C.Spron » Thu, 14 Apr 2005 02:15:45


[ removing setuid bit from /usr/sbin/gr_osview ]


Ah, a standard security risk, then. Thanks.

scs
 
 
 


Post by josehil » Tue, 19 Apr 2005 04:31:28

It's actually a little worse than a "standard security risk" because
this particular glitch with gr_osview is unusually simple to exploit
(not even script kiddie knowledge is required), and the easiest way
(trivial, actually) to exploit the flaw can result in immediate,
possibly catastrophic loss of data.

It's the simplicity of the hack coupled with the potentially severe
consequences which grabbed my attention (I've been admin'ing IRIX
systems for a decade, and I'll admit I was stunned at how easily I was
able to trash a test system when I tried to verify the flaw).

I didn't post the details of the exploit here because I am pretty sure
that if I did, a lot of systems would get hosed within a few minutes of
my post (especially in the academic world).

If you admin a vulnerable system, you should go to an appropriate,
legitimate source of security advisories immediately, find the correct
advisory, and decide for yourself whether or not it is worth applying
this fix. If you admin a system that is mission critical or that is
subject to regulatory validation requirements, I think that I can
predict which path of action you will choose.
 
 
 


Post by Toni Gras » Tue, 19 Apr 2005 04:58:20


[....]

Isn't there a fix (patchSG0005869) already?

Toni
--
I am root. If you see me laughing you better have a backup.
 
 
 


Post by S.C.Spron » Tue, 19 Apr 2005 05:25:11


I was overly terse; I meant 'standard' as in exclaiming 'Not again!',
while rolling one's eyes and banging one's head against a brick wall.

And your commendable cautiousness triggered mine, as I don't know much
yet about the inner workings of the Irix system, but do know more than
enough about Unixoids to know that setuid programs can have their place.


I fully agree.

scs
 
 
 


Post by R. Lynn Ra » Tue, 19 Apr 2005 06:52:51

In article < XXXX@XXXXX.COM >,




Yes, but not for Irix 6.5.22. It only applies to machines running
6.5.23 through 6.5.27. So people who administer old machines that
aren't supported by versions of Irix later than 6.5.22 are stuck
with coming up with their own solution.

--

R. Lynn Rardin
 
 
 


Post by josehil » Tue, 19 Apr 2005 08:18:56

For 6.5.21 and 6.5.22, the solution is to execute the following
(assuming you have super-user privileges):

chmod u-s /usr/sbin/gr_osview

As an aside, this command-line method also solves the problem on
6.5.23-27, but patchSG0005869 is the preferred approach for those
systems, as the patch will survive OS upgrades, whereas the manual
chmod'ing might be overwritten during a system upgrade.
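
An added example, not part of the original posts: a POSIX shell check for the chmod workaround that can be re-run after an OS upgrade to see whether the setuid bit has come back on the path named above, and to strip it again on request. The function names, status words and the `run` argument are this example's own assumptions.

```shell
#!/bin/sh
# Added example. TARGET is the path given in the thread.
TARGET=/usr/sbin/gr_osview

# is_setuid FILE: succeeds if FILE is a regular file with the setuid bit set.
is_setuid() {
    [ -f "$1" ] && [ -u "$1" ]
}

# enforce_no_setuid FILE [fix]
# Prints one status word and returns:
#   missing / clean -> 0, setuid (report only) -> 1,
#   fixed -> 0, failed (chmod did not take effect) -> 2
enforce_no_setuid() {
    file=$1
    mode=${2:-report}
    if [ ! -e "$file" ]; then echo missing; return 0; fi
    if ! is_setuid "$file"; then echo clean; return 0; fi
    if [ "$mode" != fix ]; then echo setuid; return 1; fi
    # Same command as in the post; needs super-user privileges on a real system.
    if chmod u-s "$file" && ! is_setuid "$file"; then
        echo fixed; return 0
    fi
    echo failed; return 2
}

# Only act when invoked as: sh script run [fix]
if [ "${1:-}" = run ]; then
    enforce_no_setuid "$TARGET" "${2:-report}"
fi
```

Without `fix` the script only reports, so a non-zero exit status can be used to raise an alert after an upgrade.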
 
 
 


Post by R. Lynn Ra » Tue, 19 Apr 2005 11:02:44

In article < XXXX@XXXXX.COM >,



Is removing the suid root bit the only impact of applying
patchSG0005869? That seems to be what you're implying. If
that's the case, why didn't SGI see fit to release the patch
for 6.5.22?

--

R. Lynn Rardin
 
 
 


Post by josehil » Tue, 19 Apr 2005 15:25:48


I implied nothing, but you seem to have inferred something. ;-)

To answer your question, however:

At any given moment, SGI only develops and tests patches against the
current IRIX release and the three prior quarterly releases. Any
release more than one year old is considered to be in "Retired" mode,
or, in other words, is "out of warranty."

You can consult the SGI Software Support Policy at
http://www.yqcomputer.com/
 
 
 


Post by R. Lynn Ra » Tue, 19 Apr 2005 19:54:47

In article < XXXX@XXXXX.COM >,




For what it's worth, "retired" is not how 6.5.22 (or any 6.5.x
version of Irix) was flagged in the message distributed by SGI
regarding this matter. I understand their policies regarding
support of older versions of the OS, but sometimes exceptions
are made to rules. All I'm saying is that if the action of the
patch is as simple as you're suggesting (or I'm inferring), how
much testing would've been necessary to make it available for
6.5.22, the terminal version of Irix for several classes of
hardware? The need to drop support for older versions of an OS
is understandable from a cost perspective, but this vulnerability
is serious enough that it might have been worth SGI's seemingly
small amount of effort to extend the patch to 6.5.22.

--

R. Lynn Rardin
 
 
 


Post by josehil » Tue, 19 Apr 2005 23:16:55

No disagreement here.
 
 
 


Post by J.A. Gutie » Wed, 27 Apr 2005 21:42:00


: Is removing the suid root bit the only impact of applying
: patchSG0005869? That seems to be what you're implying. If

It seems it is not.
In that case, I guess you will lose the remote monitoring
feature (since it uses the rsh protocol).

Anyway, patchSG0005869 includes only a /usr/sbin/gr_osview
executable, which still is setuid root, but which gives
"Permission denied" if you try the known exploit.

: that's the case, why didn't SGI see fit to release the patch
: for 6.5.22?

Get the patch, extract the file, and replace the old one.
It works (at least on 6.5.22f running on IP22).


--
PGP and other useless info at \
http://www.yqcomputer.com/ ~spd/ \
finger://daphne.cps.unizar.es/spd \ Timeo Danaos et dona ferentes
ftp://ivo.cps.unizar.es/pub/ \ (Virgilio)
 
 
 


Post by R. Lynn Ra » Wed, 27 Apr 2005 21:58:06

In article <d4lcuo$e5h$ XXXX@XXXXX.COM >,




Thanks for the info. I may give it a shot.

--

R. Lynn Rardin