Bugtraq mailing list archives
SGI Security Advisory 19960802-01 - Vulnerability in expreserve
From: agent99 () boytoy csd sgi com (SGI Security Coordinator)
Date: Mon, 26 Aug 1996 10:39:01 -0700
RELEASE RESTRICTIONS - NONE - FOR PUBLIC RELEASE

-----BEGIN PGP SIGNED MESSAGE-----

______________________________________________________________________________
                Silicon Graphics Inc. Security Advisory

        Title:   Vulnerability in expreserve
        Title:   CERT(sm) Advisory CA-96.19
        Number:  19960802-01-I
        Date:    October 23, 1996
______________________________________________________________________________

Silicon Graphics provides this information freely to the SGI user community
for its consideration, interpretation, implementation and use. Silicon
Graphics recommends that this information be acted upon as soon as possible.

Silicon Graphics will not be liable for any indirect, special, or
consequential damages arising from the use of, failure to use or improper
use of any of the instructions or information in this Security Advisory.
______________________________________________________________________________

- -------------------
- --- Description ---
- -------------------

In CERT(sm) Advisory CA-96.19, titled "Vulnerability in expreserve", a
security vulnerability in the expreserve program is discussed.

According to the CERT(sm) advisory, the expreserve program has setuid root
privileges which creates a vulnerability that allows users to overwrite any
file on the system.

- --------------
- --- Impact ---
- --------------

As reported by the CERT(sm) Advisory, when exploited, this vulnerability
could allow users with access to an account on the system to gain root
privileges.

Impact for Silicon Graphics IRIX systems is different and very limited, see
"Solution" section.

- ----------------
- --- Solution ---
- ----------------

SGI has investigated the expreserve issue and provides the following
information.

The Silicon Graphics implementation of expreserv is setgid sys and not
setuid root as reported in the CERT(sm) advisory. As such this redefines
the exposure to a setgid sys issue.

Exploit would have to occur on group sys writable files, however, on a
default configured IRIX system there are no system critical files that are
group sys writable and therefore exposure and exploit does not exist.

Silicon Graphics will not be releasing a patch for this issue, however,
the issue will be corrected in future releases of IRIX.

If desired, the setgid permission of the expreserv could be removed
however, this will disable the recovery functions of the vi(1) and ex(1)
editors. This functionality could be fixed by manually creating
directories for each user in /var/preserve directory.

- ------------------------
- --- Acknowledgments ---
- ------------------------

Silicon Graphics wishes to thank the CERT Coordination Center and the FIRST
organization for their assistance in this matter.

- -----------------------------------------
- --- SGI Security Information/Contacts ---
- -----------------------------------------

Past SGI Advisories and security patches can be obtained via anonymous FTP
from sgigate.sgi.com or its mirror, ftp.sgi.com. These security patches and
advisories are provided freely to all interested parties. For issues with
the patches on the FTP sites, email can be sent to
cse-security-alert () csd sgi com.

For assistance obtaining or working with security patches, please contact
your SGI support provider.

If there are questions about this document, email can be sent to
cse-security-alert () csd sgi com.

Silicon Graphics provides a free security mailing list service. The wiretap
service allows interested parties to self-subscribe to receive (via email)
all SGI Security Advisories when released.

        mail wiretap-request () sgi com
        [BODY of "subscribe wiretap YourEmailAddress"
                 "end" ]

For reporting *NEW* SGI security issues, email can be sent to
security-alert () sgi com or contact your SGI support provider. A support
contract is not required for submitting a security report.
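The checks implied by the advisory's "Solution" section can be scripted. The following is an added example, not part of the SGI advisory: it lists group-writable files owned by a given group, tests whether a binary still carries the setgid bit, and reports users with no directory under the preserve area. The function names are hypothetical, and the group, binary path, passwd file and preserve directory are passed in as parameters rather than assumed.

```shell
#!/bin/sh
# Added example (not from the advisory). All names below are illustrative.

# Print regular files under ROOT that belong to GROUP and are group-writable.
# These are the files a flaw in a setgid-GROUP program could reach.
group_writable_files() {
    find "$1" -xdev -type f -group "$2" -perm -020 -print 2>/dev/null
}

# Succeed only if FILE is a regular file with the setgid bit set.
is_setgid() {
    [ -f "$1" ] && [ -g "$1" ]
}

# Print each user named in a passwd-format file who has no directory
# under PRESERVE. The advisory says per-user directories are needed for
# vi/ex recovery once the setgid bit has been removed.
missing_preserve_dirs() {
    cut -d: -f1 "$1" | while read -r user; do
        [ -n "$user" ] || continue
        [ -d "$2/$user" ] || printf '%s\n' "$user"
    done
}

# Optional report: audit.sh ROOT GROUP BINARY PASSWD PRESERVE
# (for the advisory's case GROUP is sys and PRESERVE is /var/preserve;
#  the binary's location is an assumption the caller must supply).
if [ "$#" -eq 5 ]; then
    echo "Group-writable files owned by group $2 under $1:"
    group_writable_files "$1" "$2"
    if is_setgid "$3"; then
        echo "$3 is setgid"
    else
        echo "$3 is not setgid"
    fi
    echo "Users without a directory in $5:"
    missing_preserve_dirs "$4" "$5"
fi
```

An empty first list on a given host matches the advisory's statement about default configurations; any file it does print deserves a look at why it is group-writable.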