Bugtraq mailing list archives
Re: IRIX rpc.passwd vulnerability
From: "Frank Bures" <lisfrank () chem toronto edu>
Date: Fri, 07 Jun 2002 13:58:14 -0400 (EDT)
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

FYI:

Installation of this patch leads to arbitrarily changed permissions of the
/tmp directory. On my various IRIX boxes, some permissions remained correct
(1777), some were changed to 777, some even to 755.

On Tue, 4 Jun 2002 15:47:28 -0700 (PDT), SGI Security Coordinator wrote:

_____________________________________________________________________________
                          SGI Security Advisory

        Title:      rpc.passwd vulnerability
        Number:     20020601-01-P
        Date:       June 4, 2002
        Reference:  CAN-2002-0357
_____________________________________________________________________________

-----------------------
--- Issue Specifics ---
-----------------------

It's been reported that /usr/etc/rpc.passwd has a vulnerability which could
allow a user to compromise root.

SGI has investigated the issue and recommends the following steps for
neutralizing the exposure. It is HIGHLY RECOMMENDED that these measures be
implemented on ALL vulnerable SGI systems.

These issues have been corrected with patches and in future releases of IRIX.

--------------
--- Impact ---
--------------

The rpc.passwd binary is not installed by default on IRIX 6.5 systems. It is
part of the optional subsystem "nfs.sw.nis".

To see if rpc.passwd is installed, execute the following command:

    # versions nfs.sw.nis
    I = Installed, R = Removed

       Name                 Date        Description

       I  nfs               03/26/2002  Network File System, 6.5.16m
       I  nfs.sw            03/26/2002  NFS Software
       I  nfs.sw.nis        03/26/2002  NIS (formerly Yellow Pages) Support

If the line containing "nfs.sw.nis" is returned, then it is installed and the
system is potentially vulnerable.

This vulnerability applies only to systems that are configured as YP masters
("chkconfig yp" shows "on", and "ps -ef | grep rpc.passwd" shows that
rpc.passwd is running).

To determine the version of IRIX you are running, execute the following
command:

    # uname -R

That will return a result similar to the following:

    # 6.5 6.5.15f

The first number ("6.5") is the release name, the second ("6.5.15f" in this
case) is the extended release name. The extended release name is the
"version" we refer to throughout this document.

This vulnerability was assigned the following CVE:
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2002-0357

----------------------------
--- Temporary Workaround ---
----------------------------

SGI understands that there are times when upgrading the operating system or
installing patches are inconvenient or not possible. In those instances, we
recommend the following workaround, although it may have a negative impact on
the functionality of the system:

Disable the rpc.passwd binary by issuing the following command:

    # chmod 444 /usr/etc/rpc.passwd
    # killall rpc.passwd

After doing this, it will be necessary to run the "passwd" program on the NIS
master in order to cause NIS password changes.

Instead of using this workaround, SGI recommends either upgrading to IRIX
6.5.16 when released, or installing the appropriate patch from the listing
below. We recommend this course of action because IRIX 6.5.16 and the patch
also fix other non security-related issues with rpc.passwd.

----------------
--- Solution ---
----------------

SGI has provided a series of patches for these vulnerabilities. Our
recommendation is to upgrade to IRIX 6.5.16 when available, or install the
appropriate patch.

    OS Version     Vulnerable?     Patch #      Other Actions
    ----------     -----------     -------      -------------
    IRIX 3.x        unknown                     Note 1
    IRIX 4.x        unknown                     Note 1
    IRIX 5.x        unknown                     Note 1
    IRIX 6.0.x      unknown                     Note 1
    IRIX 6.1        unknown                     Note 1
    IRIX 6.2        unknown                     Note 1
    IRIX 6.3        unknown                     Note 1
    IRIX 6.4        unknown                     Note 1
    IRIX 6.5          yes                       Notes 2 & 3
    IRIX 6.5.1        yes                       Notes 2 & 3
    IRIX 6.5.2        yes                       Notes 2 & 3
    IRIX 6.5.3        yes                       Notes 2 & 3
    IRIX 6.5.4        yes                       Notes 2 & 3
    IRIX 6.5.5        yes                       Notes 2 & 3
    IRIX 6.5.6        yes                       Notes 2 & 3
    IRIX 6.5.7        yes                       Notes 2 & 3
    IRIX 6.5.8        yes                       Notes 2 & 3
    IRIX 6.5.9        yes                       Notes 2 & 3
    IRIX 6.5.10       yes                       Notes 2 & 3
    IRIX 6.5.11       yes                       Notes 2 & 3
    IRIX 6.5.12       yes           4588        Note 4
    IRIX 6.5.13       yes           4588        Note 4
    IRIX 6.5.14       yes           4589        Note 4
    IRIX 6.5.15       yes           4589        Note 4
    IRIX 6.5.16       no                        Note 4

NOTES

  1) This version of the IRIX operating system has been retired. Upgrade to
     an actively supported IRIX operating system. See
     http://support.sgi.com/irix/news/index.html#policy for more information.

  2) If you have not received an IRIX 6.5.X CD for IRIX 6.5, contact your SGI
     Support Provider or URL: http://support.sgi.com/irix/swupdates/

  3) Upgrade to IRIX 6.5.16m or 6.5.16f.

  4) Note that these patches (and IRIX 6.5.16) address other rpc.passwd
     issues not related to the specific security issue being reported in
     this bulletin. See the release notes for details.

##### Patch File Checksums ####

Frank Bures, Dept. of Chemistry, University of Toronto, M5S 3H6
fbures () chem toronto edu
http://www.chem.utoronto.ca/general/itelec.html
PGP public key: http://wwwkeys.pgp.net:11371/pks/lookup?op=index&search=Frank+Bures

-----BEGIN PGP SIGNATURE-----
Version: PGPfreeware 5.0 OS/2 for non-commercial use
Comment: PGP 5.0 for OS/2
Charset: cp850

wj8DBQE9AOYmih0Xdz1+w+wRApnwAKCrQlAxnTRYueeKQFMsbxz2EaM7ewCg/lyb
cMqg9wCrLSqj0YwHaVz++RU=
=ihq9
-----END PGP SIGNATURE-----
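
Added example, not part of the original message or of the SGI advisory: a POSIX shell helper that maps the `uname -R` extended release name to the action in the advisory's table, checks `versions` output for nfs.sw.nis, and verifies that /tmp is still mode 1777 after the patch is installed. The function names are hypothetical and the release used in the demo is a sample value.

```shell
#!/bin/sh
# Added example (hypothetical helper names); inputs are passed as strings so
# the logic can be exercised on any POSIX system, not only on IRIX.

# Map the extended release name (second field of `uname -R`, e.g. "6.5.15f")
# to the action given in the advisory's table.
advisory_action() {
    rel=$(printf '%s' "$1" | sed 's/[a-z]*$//')   # drop the m/f stream letter
    case "$rel" in
        6.5.12|6.5.13) echo "patch 4588" ;;
        6.5.14|6.5.15) echo "patch 4589" ;;
        6.5.16)        echo "not vulnerable" ;;
        6.5|6.5.[1-9]|6.5.10|6.5.11) echo "upgrade to 6.5.16" ;;
        3.*|4.*|5.*|6.0*|6.1|6.2|6.3|6.4) echo "retired release" ;;
        *)             echo "not listed in advisory" ;;
    esac
}

# Read `versions nfs.sw.nis` output on stdin; succeed if the subsystem is installed.
nis_installed() {
    awk '$1 == "I" && $2 == "nfs.sw.nis" { found = 1 } END { exit !found }'
}

# Succeed only when the directory is mode 1777 (drwxrwxrwt), judged from `ls -ld`.
sticky_world_writable() {
    perms=$(ls -ld "$1" | awk '{ print substr($1, 1, 10) }')
    [ "$perms" = "drwxrwxrwt" ]
}

# Demo: the `versions` line is the one quoted in the advisory; the release is a sample.
sample='I  nfs.sw.nis  03/26/2002  NIS (formerly Yellow Pages) Support'
if printf '%s\n' "$sample" | nis_installed; then
    echo "nfs.sw.nis installed, action for 6.5.15f: $(advisory_action 6.5.15f)"
fi
# Run this after installing the patch; 777 or 755 means the mode was altered.
if ! sticky_world_writable /tmp; then
    echo "/tmp is not 1777; restore with: chmod 1777 /tmp"
fi
```

On an IRIX host the functions would be fed live data, for example `versions nfs.sw.nis | nis_installed` and `advisory_action "$(uname -R | awk '{print $2}')"`.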
Current thread:
- IRIX rpc.passwd vulnerability SGI Security Coordinator (Jun 04)
- Re: IRIX rpc.passwd vulnerability Frank Bures (Jun 07)
- <Possible follow-ups>
- Re: IRIX rpc.passwd vulnerability David Foster (Jun 07)