Bugtraq mailing list archives
Performance Copilot for IRIX 6.5
From: mgnsclb () ROCKVAX ROCKEFELLER EDU (Marcelo Magnasco)
Date: Wed, 12 Apr 2000 19:16:24 -0400
Hi All,

I found a vulnerability in the Performance Copilot for IRIX 6.5.

* Summary:

/usr/etc/pmcd has a fail-open security model, allowing anyone to perform queries by default. This exposes potentially sensitive information (ps -efl, df, etc.) to anyone on the net. pmcd will accept garbage connections and grow large heaps that are not released upon tearing down the connection, thus permitting a DoS.

I sent this information to SGI on March 17. I hear SGI is actively working on the issue and will probably release a proper patch. A workaround is provided below.

* Background:

Our current installation of IRIX 6.5.6 (varsity program) installed by default a product called "Performance Copilot" (PCP), a large and complex piece of software to collect performance metrics systemwide and find nice ways to analyze them. The product is installed and self-configured by default. On comes /usr/etc/pmcd, a daemon that sits and listens on tcp port 4321 waiting for requests to tell the users of the PCP about stuff going on. We never configured the product, and in fact were not aware that it was being installed or what it was for: it was included in the default Varsity 6.5.6 installation. I discovered it by portscanning my own machines for open ports.

    pcp_eoe   Performance Co-Pilot Execution Only Environment, 2.1
    Software Product:             Performance Co-Pilot Version 2.1
    Product Codes:                SC4-PCP-2.1 and SC4-IRIX6.5
    System Software Requirements: IRIX 6.2, 6.3, 6.4 or 6.5.5

* The Problem.

/var/adm/pcplog/pmcd.log contains in our systems the following rather scary message:

    Host access list empty: access control turned off

Thus the access control is fail-open: if you fail to configure it, it will allow anyone to connect. Our configuration files had no ACLs. So presumably this is the case for everyone else. I've tried various machines on campus: all 6.5 machines have pmcd running and have enabled me to list their processes, disk mount points, etc. [Note: this has been fixed by now, so don't bother with us!]

What does /usr/etc/pmcd expose to the world???

    % pminfo -f -h sgi.victim.com filesys.mountdir

lists all disks and their mount points, for instance.

    % pmem -h sgi.victim.com

will return something looking much like a ps -efl: all processes with their owners and long argument lists.

    % perl -e 'print " a" x 92834244,"\n";' | telnet sgi.victim.com 4321

makes an excellent DoS. The pmcd process grew to 600 megabytes in my system and STAYED that size after the connection was ctrl-c'ed. Notice that

    pminfo -f -h sgi.victim.com swap

will tell you all about swap, so you can calculate how much to request...

Finally, trying the perl bit AGAIN results in a broken pipe, and an ominous message in the logs:

    unix: ALERT: pmcd [744] - out of logical swap space during brk/sbrk - see swap(1M)

In fact, after the first garbage connection, any further connection transmitting more than 4095 bytes will cause this message to appear in the syslog, suggesting that there is a 4096 somewhere in there. Left as an exercise for the reader.

* Workaround.

To close the process to outside access, append the following to /etc/pmcd.conf:

    [access]
    allow localhost: all ;
    disallow * : all;

or, better yet, chkconfig pmcd off and shut it off entirely unless you specifically need it.
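As an added example (not part of Magnasco's post and not SGI's code), the POSIX sh helpers below audit a pmcd.conf and a pmcd.log for the fail-open condition described above: no [access] section, or one without a "disallow * : all" rule, means any host may query pmcd. The function names are my own, and the sample config and log text are constructed.

```shell
# Hypothetical audit helpers for the fail-open condition in pmcd:
# pmcd turns access control off when the [access] section of pmcd.conf
# is missing or contains no rules. Example code, not SGI's.

# pmcd_access_rules < pmcd.conf
# Prints the number of access statements (each ends with ';') after the
# [access] header, ignoring '#' comments. 0 means pmcd runs fail-open.
pmcd_access_rules() {
    awk '
        { sub(/#.*/, "") }                        # drop comments
        /^[ \t]*\[access\]/ { insec = 1; next }   # rules follow this header
        insec { n += gsub(/;/, ";") }             # one ";" per statement
        END { print n + 0 }
    '
}

# pmcd_default_deny < pmcd.conf
# Exit 0 when a "disallow * : all" rule is present, i.e. every host that
# is not explicitly allowed is refused; exit 1 otherwise.
pmcd_default_deny() {
    awk '
        { sub(/#.*/, "") }
        /^[ \t]*\[access\]/ { insec = 1; next }
        insec && /disallow[ \t]+\*[ \t]*:[ \t]*all/ { found = 1 }
        END { exit found ? 0 : 1 }
    '
}

# pmcd_log_fail_open < pmcd.log
# Exit 0 when pmcd itself reported that access control is turned off.
pmcd_log_fail_open() {
    grep -q 'Host access list empty: access control turned off'
}

# Constructed samples (not taken from a real system).
OPEN_CONF='# agent lines omitted; no [access] section at all
'
FIXED_CONF='# agent lines omitted
[access]
allow localhost: all ;
disallow * : all;
'
OPEN_LOG='Host access list empty: access control turned off
'

printf '%s' "$OPEN_CONF"  | pmcd_access_rules   # 0: anyone may query
printf '%s' "$FIXED_CONF" | pmcd_access_rules   # 2
printf '%s' "$FIXED_CONF" | pmcd_default_deny && echo "default deny present"
printf '%s' "$OPEN_LOG"   | pmcd_log_fail_open && echo "log confirms fail-open"
```

On a live host, run the same functions as `pmcd_access_rules < /etc/pmcd.conf` and `pmcd_log_fail_open < /var/adm/pcplog/pmcd.log`.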