[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

[irix-security] IRIX fsr_xfs vulnerability

To: irix-security@sfu.ca
Subject: [irix-security] IRIX fsr_xfs vulnerability
From: Martin Siegert <siegert@sfu.ca>
Date: Wed, 5 Jun 2002 20:14:30 -0700
User-Agent: Mutt/1.2.5.1i

Topic
=====
bugs in XFS filesystem reorganizer fsr_xfs can lead to root compromise

Problem Description
====================
The fsr_xfs (XFS filesystem reorganizer) program can, under certain
circumstances, be manipulated by someone with malicious intent into causing
critical system files to be overwritten.  This could potentially lead to a
root exploit.
These vulnerabilities may not be exploited by a remote user, a local account
is required.


Affected Systems
================
The fsr_xfs binary is installed by default on IRIX 6.5 systems as part of
eoe.sw.base.

This vulnerability has been fixed in IRIX 6.5.11 and later versions of IRIX.

To determine the version of IRIX you are running, execute the following
command:

  # uname -R

That will return a result similar to the following:

    # 6.5 6.5.15f

The first number ("6.5") is the release name, the second ("6.5.15f" in this
case) is the extended release name.  The extended release name is the
"version" we refer to throughout this document.

Workaround
==========
Change root's crontab to run fsr_xfs with the -f option and point at a
directory that normal users can't write to, such as /var/adm.

To set up this workaround, follow these steps:

1) Become the superuser

   $ su -

2) Use vi or your favorite text editor to edit the file
/var/spool/cron/crontabs/root

   # vi /var/spool/cron/crontabs/root

3) Look for a line that looks like this:

   0       3       *       *       0       if test -x /usr/etc/fsr; then (cd
/usr/tmp; /usr/etc/fsr) fi

4) Change it to this:

   0       3       *       *       0       if test -x /usr/etc/fsr; then (cd
/usr/tmp; /usr/etc/fsr -f /var/adm/.fsrlast) fi

5) Save the file and exit from the editor.  crond will automatically detect
the changes to the file, so it is not necessary to stop and restart crond.

Solution
========
SGI has not provided patches for this vulnerability. Our
recommendation is to upgrade to IRIX 6.5.11 or a later version of IRIX.

   OS Version     Vulnerable?
   ----------     -----------
   IRIX 6.5          yes
   IRIX 6.5.1        yes
   IRIX 6.5.2        yes
   IRIX 6.5.3        yes
   IRIX 6.5.4        yes
   IRIX 6.5.5        yes
   IRIX 6.5.6        yes
   IRIX 6.5.7        yes
   IRIX 6.5.8        yes
   IRIX 6.5.9        yes
   IRIX 6.5.10       yes
   IRIX 6.5.11       no
   IRIX 6.5.12       no
   IRIX 6.5.13       no
   IRIX 6.5.14       no
   IRIX 6.5.15       no

Prev by Date: [irix-security] IRIX Xlib vulnerability
Next by Date: [irix-security] IRIX rpc.passwd vulnerability
Prev by thread: [irix-security] IRIX rpc.passwd vulnerability
Next by thread: [irix-security] IRIX Xlib vulnerability
Index(es):
- Date
- Thread