[irix-security] CDE vulnerabilities
- To: irix-security@sfu.ca
- Subject: [irix-security] CDE vulnerabilities
- From: Martin Siegert <siegert@sfu.ca>
- Date: Thu, 17 Jan 2002 19:22:36 -0800
- User-Agent: Mutt/1.2.5.1i
Topic
=====
remote root exploit possible due to buffer overflows in CDE utilities
Problem Description
===================
Several suid root CDE utilities have buffer overruns which can lead to
security compromises. These utilities are
"dtaction", "dtprintinfo", "dtterm", "dtsession", and "dtspcd".
There is a related issue with the CDE ToolTalk "ttsession" messaging
server's usage of a weak RPC authentication mechanism. Because of this, the
ttsession process can be manipulated to execute unauthorized arbitrary
programs with the privileges of the running ttsession.
CDE is an optional product and is not installed by default.
The dtspcd and ttsession vulnerabilities can be exploited by a remote user.
The other vulnerabilities would require a local user account on the host
system in order to exploit them.
The exploitation of these vulnerabilities can lead to a root compromise.
Workaround
==========
Remove the suid bit from the relevant binaries:
% su - root
# cd /usr/dt/bin
# chmod 755 dtaction
# chmod 755 dtprintinfo
# chmod 755 dtsession
# chmod 755 dtterm
# chmod 755 rpc.ttdbserverd
Furthermore, comment out the ToolTalk Database Server line in /etc/inetd.conf,
i.e., change
ttdbserverd/1 stream rpc/tcp wait root ?/usr/etc/rpc.ttdbserverd rpc.ttdbserverd
to
#ttdbserverd/1 stream rpc/tcp wait root ?/usr/etc/rpc.ttdbserverd rpc.ttdbserverd
and then force inetd to reread its configuration file:
# kill -HUP <pid of inetd>
where <pid of inetd> is the PID of the inetd process as listed by the
# ps -ef | grep inetd
command.
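An audit check for the workaround above (added example, not part of the advisory or SGI's tooling): it reports which of the listed binaries still carry the setuid bit and whether an active ttdbserverd entry remains in inetd.conf. The paths default to the advisory's /usr/dt/bin and /etc/inetd.conf but are taken as arguments so the check can be run against a staged copy.

```shell
#!/bin/sh
# Audit the CDE workaround: are the named binaries still setuid, and is the
# ToolTalk Database Server still enabled in inetd.conf? (Added example; the
# binary list and the inetd.conf entry name come from the advisory.)

CDE_SUID_BINARIES="dtaction dtprintinfo dtsession dtterm rpc.ttdbserverd"

# Print every binary in $1 (default /usr/dt/bin) that still has the setuid
# bit set. Returns 1 if any such binary was found, 0 if all are cleared.
check_suid_binaries() {
    dir=${1:-/usr/dt/bin}
    found=0
    for name in $CDE_SUID_BINARIES; do
        # POSIX test -u: true when the file exists and its setuid bit is set
        if [ -u "$dir/$name" ]; then
            echo "still setuid: $dir/$name"
            found=1
        fi
    done
    return $found
}

# Return 0 when $1 (default /etc/inetd.conf) has no uncommented ttdbserverd
# line, 1 when the service is still enabled. Leading whitespace is allowed
# before the service name; a leading '#' marks the line as disabled.
check_inetd_conf() {
    conf=${1:-/etc/inetd.conf}
    if grep -q '^[[:space:]]*ttdbserverd' "$conf" 2>/dev/null; then
        echo "ttdbserverd still enabled in $conf:"
        grep '^[[:space:]]*ttdbserverd' "$conf"
        return 1
    fi
    return 0
}

# Combined check: exit status 0 only when both halves of the workaround
# (setuid bits removed and inetd entry commented out) are in place.
check_cde_workaround() {
    status=0
    check_suid_binaries "$1" || status=1
    check_inetd_conf "$2" || status=1
    return $status
}
```

Run as `check_cde_workaround` with no arguments on the host itself, or pass a copied bin directory and inetd.conf to audit an image offline.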
Solution
========
SGI has provided a patch for CDE 5.1 which can be applied to an IRIX
6.5.x system with CDE installed.
CDE Version   Vulnerable?   Patch #   Other Actions
-----------   -----------   -------   -------------
CDE 5.0       unknown                 Note 1
CDE 5.1       yes           4416      Note 2
SGI Security Patches can be found at:
http://www.sgi.com/support/security/ and
ftp://patches.sgi.com/support/free/security/patches/
The actual patch will be a tar file, patch4416.tar.
Untar that file in an appropriate directory (I am using /usr/local/src/dist),
start swmgr and enter that directory name in the "Available Software" box.