Bugtraq mailing list archives
Re: IRIX rpc.passwd vulnerability
From: "Frank Bures" <lisfrank () chem toronto edu>
Date: Fri, 07 Jun 2002 13:58:14 -0400 (EDT)
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

FYI:
Installation of this patch leads to arbitrarily changed permissions of the /tmp directory. On my various IRIX boxes, some permissions remained correct (1777), some were changed to 777, some even to 755.

On Tue, 4 Jun 2002 15:47:28 -0700 (PDT), SGI Security Coordinator wrote:
_____________________________________________________________________________
SGI Security Advisory
Title: rpc.passwd vulnerability
Number: 20020601-01-P
Date: June 4, 2002
Reference: CAN-2002-0357
_____________________________________________________________________________
-----------------------
--- Issue Specifics ---
-----------------------
It's been reported that /usr/etc/rpc.passwd has a vulnerability which
could allow a user to compromise root.
SGI has investigated the issue and recommends the following steps for
neutralizing the exposure. It is HIGHLY RECOMMENDED that these measures be
implemented on ALL vulnerable SGI systems.
These issues have been corrected with patches and in future releases of
IRIX.
--------------
--- Impact ---
--------------
The rpc.passwd binary is not installed by default on IRIX 6.5 systems. It is
part of the optional subsystem "nfs.sw.nis".
To see if rpc.passwd is installed, execute the following command:
  # versions nfs.sw.nis
  I = Installed, R = Removed

     Name                 Date        Description
  I  nfs                  03/26/2002  Network File System, 6.5.16m
  I  nfs.sw               03/26/2002  NFS Software
  I  nfs.sw.nis           03/26/2002  NIS (formerly Yellow Pages) Support
If the line containing "nfs.sw.nis" is returned, then it is installed and
the system is potentially vulnerable. This vulnerability applies only to
systems that are configured as YP masters ("chkconfig yp" shows "on", and
"ps -ef | grep rpc.passwd" shows that rpc.passwd is running).
To determine the version of IRIX you are running, execute the following
command:
# uname -R
That will return a result similar to the following:
# 6.5 6.5.15f
The first number ("6.5") is the release name, the second ("6.5.15f" in this
case) is the extended release name. The extended release name is the
"version" we refer to throughout this document.
This vulnerability was assigned the following CVE:
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2002-0357
----------------------------
--- Temporary Workaround ---
----------------------------
SGI understands that there are times when upgrading the operating system or
installing patches are inconvenient or not possible. In those instances, we
recommend the following workaround, although it may have a negative impact
on the functionality of the system:
Disable the rpc.passwd binary by issuing the following command:
# chmod 444 /usr/etc/rpc.passwd
# killall rpc.passwd
After doing this, it will be necessary to run the "passwd" program on the
NIS master in order to cause NIS password changes.
Instead of using this workaround, SGI recommends either upgrading to IRIX
6.5.16 when released, or installing the appropriate patch from the listing
below. We recommend this course of action because IRIX 6.5.16 and the patch
also fix other non security-related issues with rpc.passwd.
----------------
--- Solution ---
----------------
SGI has provided a series of patches for these vulnerabilities. Our
recommendation is to upgrade to IRIX 6.5.16 when available, or install the
appropriate patch.
  OS Version     Vulnerable?     Patch #      Other Actions
  ----------     -----------     -------      -------------
  IRIX 3.x        unknown                     Note 1
  IRIX 4.x        unknown                     Note 1
  IRIX 5.x        unknown                     Note 1
  IRIX 6.0.x      unknown                     Note 1
  IRIX 6.1        unknown                     Note 1
  IRIX 6.2        unknown                     Note 1
  IRIX 6.3        unknown                     Note 1
  IRIX 6.4        unknown                     Note 1
  IRIX 6.5          yes                       Notes 2 & 3
  IRIX 6.5.1        yes                       Notes 2 & 3
  IRIX 6.5.2        yes                       Notes 2 & 3
  IRIX 6.5.3        yes                       Notes 2 & 3
  IRIX 6.5.4        yes                       Notes 2 & 3
  IRIX 6.5.5        yes                       Notes 2 & 3
  IRIX 6.5.6        yes                       Notes 2 & 3
  IRIX 6.5.7        yes                       Notes 2 & 3
  IRIX 6.5.8        yes                       Notes 2 & 3
  IRIX 6.5.9        yes                       Notes 2 & 3
  IRIX 6.5.10       yes                       Notes 2 & 3
  IRIX 6.5.11       yes                       Notes 2 & 3
  IRIX 6.5.12       yes           4588        Note 4
  IRIX 6.5.13       yes           4588        Note 4
  IRIX 6.5.14       yes           4589        Note 4
  IRIX 6.5.15       yes           4589        Note 4
  IRIX 6.5.16       no                        Note 4
NOTES
1) This version of the IRIX operating system has been retired. Upgrade to an
actively supported IRIX operating system. See
http://support.sgi.com/irix/news/index.html#policy for more
information.
2) If you have not received an IRIX 6.5.X CD for IRIX 6.5, contact your
SGI Support Provider or URL: http://support.sgi.com/irix/swupdates/
3) Upgrade to IRIX 6.5.16m or 6.5.16f.
4) Note that these patches (and IRIX 6.5.16) address other rpc.passwd
issues not related to the specific security issue being reported in
this bulletin. See the release notes for details.
##### Patch File Checksums ####
Frank Bures, Dept. of Chemistry, University of Toronto, M5S 3H6
fbures () chem toronto edu
http://www.chem.utoronto.ca/general/itelec.html
PGP public key: http://wwwkeys.pgp.net:11371/pks/lookup?op=index&search=Frank+Bures

-----BEGIN PGP SIGNATURE-----
Version: PGPfreeware 5.0 OS/2 for non-commercial use
Comment: PGP 5.0 for OS/2
Charset: cp850

wj8DBQE9AOYmih0Xdz1+w+wRApnwAKCrQlAxnTRYueeKQFMsbxz2EaM7ewCg/lyb
cMqg9wCrLSqj0YwHaVz++RU=
=ihq9
-----END PGP SIGNATURE-----
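
Added example (not part of the original message or of SGI's advisory): a POSIX shell helper that maps `uname -R` output to the action in the advisory's table and classifies the mode field of `ls -ld /tmp`, the post-install check that the report above calls for. The function names and sample inputs are constructed for illustration; releases later than 6.5.16 are assumed to be fixed.

```shell
#!/bin/sh
# Added example: triage helper for advisory 20020601-01-P plus a /tmp mode check.
# Function names and sample inputs are constructed, not taken from the advisory.

# Map `uname -R` output (e.g. "6.5 6.5.15f") to the action in the advisory table.
irix_action() {
    set -- $1                    # word-split: release name, extended release name
    ext=${2:-$1}
    case "$ext" in
        6.5|6.5.*) ;;
        *) echo "retired release: upgrade to a supported IRIX (Note 1)"; return 0 ;;
    esac
    rest=${ext#6.5}; rest=${rest#.}
    minor=${rest%%[!0-9]*}       # "15f" -> "15"; empty for the base 6.5 release
    minor=${minor:-0}
    if   [ "$minor" -le 11 ]; then
        echo "vulnerable: upgrade to 6.5.16m or 6.5.16f (Notes 2 & 3)"
    elif [ "$minor" -le 13 ]; then
        echo "vulnerable: install patch 4588"
    elif [ "$minor" -le 15 ]; then
        echo "vulnerable: install patch 4589"
    else
        echo "not vulnerable"    # 6.5.16 per the table; later releases assumed fixed
    fi
}

# Classify the mode field of `ls -ld /tmp`. Expected is drwxrwxrwt (1777);
# the reply reports 777 and 755 appearing after the patch was installed.
tmp_mode_status() {
    mode=$(printf '%s\n' "$1" | cut -c1-10)
    case "$mode" in
        drwxrwxrwt) echo "ok" ;;
        drwxrwxrwx) echo "bad: 777, sticky bit missing" ;;
        *)          echo "bad: $mode, expected drwxrwxrwt (1777)" ;;
    esac
}

# Constructed samples; on a real host pass "$(uname -R)" and "$(ls -ld /tmp)".
for r in "6.5 6.5.11m" "6.5 6.5.13f" "6.5 6.5.15f" "6.5 6.5.16m"; do
    printf '%-14s %s\n' "$r" "$(irix_action "$r")"
done
for l in "drwxrwxrwt 9 sys sys 4096 Jun  7 13:58 /tmp" \
         "drwxr-xr-x 9 sys sys 4096 Jun  7 13:58 /tmp"; do
    printf '%s -> %s\n' "$l" "$(tmp_mode_status "$l")"
done
```

Record the `/tmp` mode before installing patch 4588 or 4589 and compare it afterwards, since the reply reports that the result differed from host to host.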
