[irix-security] IRIX rpc.passwd vulnerability
- To: irix-security@sfu.ca
- Subject: [irix-security] IRIX rpc.passwd vulnerability
- From: Martin Siegert <siegert@sfu.ca>
- Date: Wed, 5 Jun 2002 20:20:58 -0700
- User-Agent: Mutt/1.2.5.1i
Topic
=====
rpc.passwd vulnerability allows root compromise
Problem Description
===================
It's been reported that /usr/etc/rpc.passwd has a vulnerability which
could allow a user to compromise root.
Affected Systems
================
The rpc.passwd binary is not installed by default on IRIX 6.5 systems. It is
part of the optional subsystem "nfs.sw.nis".
To see if rpc.passwd is installed, execute the following command:
# versions nfs.sw.nis
I = Installed, R = Removed

   Name                 Date        Description

I  nfs                  03/26/2002  Network File System, 6.5.16m
I  nfs.sw               03/26/2002  NFS Software
I  nfs.sw.nis           03/26/2002  NIS (formerly Yellow Pages) Support
If the line containing "nfs.sw.nis" is returned, then it is installed and
the system is potentially vulnerable. This vulnerability applies only to
systems that are configured as YP masters ("chkconfig yp" shows "on", and
"ps -ef | grep rpc.passwd" shows that rpc.passwd is running).
To determine the version of IRIX you are running, execute the following
command:
# uname -R
That will return a result similar to the following:
# 6.5 6.5.15f
The first number ("6.5") is the release name, the second ("6.5.15f" in this
case) is the extended release name. The extended release name is the
"version" we refer to throughout this document.
Workaround
==========
Disable the rpc.passwd binary by issuing the following command:
# chmod 444 /usr/etc/rpc.passwd
# killall rpc.passwd
After doing this, it will be necessary to run the "passwd" program on the
NIS master in order to make NIS password changes.
Solution
========
SGI has provided a series of patches for these vulnerabilities.
Upgrade to IRIX 6.5.16 when available, or install the appropriate patch.
OS Version     Vulnerable?     Patch #
----------     -----------     -------
IRIX 6.5          yes
IRIX 6.5.1        yes
IRIX 6.5.2        yes
IRIX 6.5.3        yes
IRIX 6.5.4        yes
IRIX 6.5.5        yes
IRIX 6.5.6        yes
IRIX 6.5.7        yes
IRIX 6.5.8        yes
IRIX 6.5.9        yes
IRIX 6.5.10       yes
IRIX 6.5.11       yes
IRIX 6.5.12       yes           4588
IRIX 6.5.13       yes           4588
IRIX 6.5.14       yes           4589
IRIX 6.5.15       yes           4589
IRIX 6.5.16       no
Remarks
=======
Patches 4588 and 4589 can be found at
http://www.sfu.ca/acs/security/irix/irix-patches.html
or at SGI's patch site at
ftp://patches.sgi.com/support/free/security/patches/
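
The checks under "Affected Systems" and the patch table under "Solution" can be
combined into one triage script. The following is an added example, not part of
the advisory or of SGI's tooling; the function names, verdict strings and the
sample ps line are constructed for illustration.

```shell
#!/bin/sh
# Added example, not from the advisory. Functions take captured command output
# as arguments so the decision logic can be checked away from the IRIX host.

# Map an extended release name (last field of `uname -R`) to the advisory's table.
patch_for_version() {
    v=`echo "$1" | sed 's/[a-z]*$//'`     # drop the trailing m/f letter: 6.5.15f -> 6.5.15
    case "$v" in
        6.5.12|6.5.13) echo "4588" ;;
        6.5.14|6.5.15) echo "4589" ;;
        6.5|6.5.[1-9]|6.5.10|6.5.11) echo "no-patch-listed" ;;  # vulnerable, no patch in table
        6.5.16) echo "not-vulnerable" ;;
        *) echo "not-in-table" ;;         # release the advisory does not cover
    esac
}

# assess VERSIONS_OUT CHKCONFIG_YP_OUT PS_EF_OUT UNAME_R_OUT
assess() {
    echo "$1" | grep 'nfs\.sw\.nis' >/dev/null || { echo "not-installed"; return 0; }
    rel=`echo "$4" | awk '{print $NF}'`
    patch=`patch_for_version "$rel"`
    if [ "$patch" = "not-vulnerable" ]; then
        echo "not-vulnerable"; return 0
    fi
    yp=no; running=no
    case "$2" in *on*) yp=yes ;; esac
    # "ps -ef | grep rpc.passwd" also lists the grep itself; filter that line
    # out so an idle host is not reported as running the daemon.
    echo "$3" | grep 'rpc\.passwd' | grep -v 'grep' >/dev/null && running=yes
    if [ "$yp" = yes ] && [ "$running" = yes ]; then
        echo "exposed patch=$patch"
    else
        echo "installed-not-serving patch=$patch"
    fi
}

# Constructed sample input; the versions line follows the advisory's example.
SAMPLE_VERSIONS='I  nfs.sw.nis  03/26/2002  NIS (formerly Yellow Pages) Support'
SAMPLE_PS='root   312     1  0 Jun04 ?      0:00 /usr/etc/rpc.passwd
root   990   800  0 20:20 pts/1  0:00 grep rpc.passwd'

assess "$SAMPLE_VERSIONS" "yp on" "$SAMPLE_PS" "6.5 6.5.15f"
```

On a live host, pass the output of the four commands the advisory names
("versions nfs.sw.nis", "chkconfig yp", "ps -ef", "uname -R") in that order.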