Bugtraq mailing list archives
comp.sys.sgi.bugs: YET another security alert (sigh)
From: art () KETHER GLOBAL-ONE NO (Arthur Hagen)
Date: Mon, 4 Aug 1997 12:15:41 +0300
From: art () kether global-one no (Arthur Hagen)
Subject: YET another security alert (sigh)
Newsgroups: comp.sys.sgi.bugs,comp.sys.sgi.admin
To: security-alert () sgi com
Cc: support () oslo sgi com
Date: 1 Aug 1997 04:40:27 GMT
Organization: Global One
Reply-To: art () broomstick com
Path: kronos.fmi.fi!news.funet.fi!news.cs.hut.fi!news.clinet.fi!uunet!in2.uu.net!198.82.160.249!solaris.cc.vt.edu!newsgate.duke.edu!nntprelay.mathworks.com!howland.erols.net!newsfeed.nacamar.de!news-feed.inet.tele.dk!uninett.no!news.global-one.no!kether!art
Lines: 48
Message-ID: <5rrpbr$l88$4 () bone global-one no>
NNTP-Posting-Host: kether.global-one.no
Xref: kronos.fmi.fi comp.sys.sgi.bugs:3905 comp.sys.sgi.admin:49554

I just discovered that I can gain access to any IRIX 6.3 (and probably 6.4) machine by making a cgi script emulating the .tdf files in /usr/sysadm.

The principle is simple - you make the cgi script use a mime type similar to an .edf or .tdf file (application/x-sgi-exec or application/x-sgi-task), and make the file name contain spaces and look quite similar to SaAddUserTask.tdf (or even SaModifyMyPassword.tdf), with the only difference being that it contains the arguments too.

If writing a cgi script to do this is too awkward, you can do this hack by simply installing a different web server than Netscape and modifying the file type. Apache works fine. Basically, you make the server give one of the application types described above, and instruct it to execute one of the *legal* commands in /usr/sysadm when someone connects, with arguments enough to make it lethal. Then make a link to it (with the spaces in the link - %20 is a space in HTML) from another page. Then you just wait for someone with an SGI to access that file.

Now, what I ask myself is: Is that *huge* security hole, which is much like ActiveX, a deliberate thing from SGI, or didn't the people who made it know that SGI users could access web pages beyond the local trusted LAN? Was /usr/sysadm/* made by the same people who made the (now thankfully obsolete) objectserver?

To everyone with IRIX 6.3+: To feel a BIT safer, open the "General Preferences" in Netscape, and change the actions for "x-sgi-task" and "x-sgi-exec" to "Unknown - prompt user". This means you won't be able to use some of the sysadm pages on the server at port 2077, but that's no big worry. You can do everything from root anyhow, and the 2077 server is by default running with access allowed from the whole world with root access, so it's a security bug in itself.

So do the above mods (preferably to the file /usr/local/lib/netscape/mailcap as well), then "chkconfig webface off", and even better, "chkconfig privileges off", and then call SGI and tell them what you think about their Mickey Mouse attitude towards security.

(It took me almost 40 minutes to hack root with a .tdf file. I'm thick, so it took me a while to figure out how. I'm sure someone else can do better. To my knowledge, it does work for ANY 6.3+ client with a privileged user accessing a remote web page set up for hacking SGIs.)

I *do* hope that SGI takes this seriously, and issues a warning that people who are accessing the internet (or anything outside the trusted LAN) should NOT run webface or privileges. Even if it means losing face for some SGI developers.

Regards,
-- *Art
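An added example, not part of Arthur Hagen's post: a Python audit of a Netscape mailcap file for the two MIME types he names (application/x-sgi-task and application/x-sgi-exec), which also emits a hardened copy with those handlers commented out so the browser has to prompt instead of auto-running the file. The sample mailcap and its /usr/sysadm/bin/* handler paths are constructed stand-ins, not copied from a real IRIX install.

```python
import re
# MIME types named in the post; any mailcap entry for them hands a downloaded
# file straight to a local /usr/sysadm handler without asking the user.
SGI_EXEC_TYPES = {"application/x-sgi-task", "application/x-sgi-exec"}

# Constructed sample mailcap; the /usr/sysadm/bin/* handler paths are
# hypothetical stand-ins, not copied from a real IRIX install.
SAMPLE_MAILCAP = """\
# netscape mailcap (constructed sample)
application/x-sgi-task; /usr/sysadm/bin/runtask %s; \\
    description="SGI sysadm task"
application/x-sgi-exec; /usr/sysadm/bin/runexec %s
application/postscript; /usr/bin/X11/xpsview %s; needsterminal
image/gif; xv %s
"""

def logical_lines(text):
    """Join RFC 1524 backslash-newline continuations into single lines."""
    return re.sub(r"\\\n", "", text).splitlines()

def parse_entry(line):
    """Return (mimetype, command, flags) for one mailcap line, else None."""
    line = line.strip()
    if not line or line.startswith("#"):
        return None
    # Field separator is ';' unless escaped as '\;' inside the command.
    fields = [f.strip() for f in re.split(r"(?<!\\);", line)]
    if len(fields) < 2 or "/" not in fields[0]:
        return None
    flags = {}
    for field in fields[2:]:
        key, _, value = field.partition("=")
        flags[key.strip().lower()] = value.strip()
    return fields[0].lower(), fields[1].replace("\\;", ";"), flags

def find_sgi_handlers(text):
    """List (mimetype, command) pairs that would auto-run SGI task files."""
    entries = (parse_entry(l) for l in logical_lines(text))
    return [(e[0], e[1]) for e in entries if e and e[0] in SGI_EXEC_TYPES]

def harden_mailcap(text):
    """Comment out the SGI handlers so Netscape falls back to prompting."""
    out = []
    for line in logical_lines(text):
        entry = parse_entry(line)
        if entry and entry[0] in SGI_EXEC_TYPES:
            line = "# disabled, browser must prompt: " + line.strip()
        out.append(line)
    return "\n".join(out) + "\n"
```

Run find_sgi_handlers on /usr/local/lib/netscape/mailcap (or a user's ~/.mailcap) to see which handlers would fire; harden_mailcap gives the text to write back.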