[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]
[irix-security] IRIX O2 video security flaws
- To: irix-security@sfu.ca
- Subject: [irix-security] IRIX O2 video security flaws
- From: Martin Siegert <siegert@sfu.ca>
- Date: Mon, 28 Jan 2002 14:48:08 -0800
- User-Agent: Mutt/1.2.5.1i
Topic
=====
Video setting on SGI O2 systems allow remote users to watch everything
that is displayed on the screen. Immediate action is highly recommended.
Problem Descritption
====================
There exists a severe security problem specific to video i/o on SGI O2
systems. When the vcp Default Input is set to "Output Video", a remote user
can log into the system, launch videoout and then videoin and can then see
what is happening on the screen of the remote system (reading mail, etc...).
This can be done regardless of xhosts or xauth settings on the remote
system.
SGI has investigated the issues and recommends the following steps for
neutralizing the exposure. It is HIGHLY RECOMMENDED that these measures be
implemented on ALL vulnerable SGI systems.
Workaround
==========
There is as yet no patch that addresses this issue. You can work around
the problem by adding the following to /var/X11/xdm/Xstartup:
#
# Set the permissions of /dev/mvp so only the console user has access
#
if [ -r /dev/mvp ]; then
chown $USER /dev/mvp
chmod 600 /dev/mvp
fi
Add the following to /var/X11/xdm/Xreset:
#
# Reset the permissions on /dev/mvp
#
if [ -r /dev/mvp ]; then
chown root /dev/mvp
chmod 666 /dev/mvp
fi
These modifications change the ownership of the mvp device when a user logs
in and back out. When the device is owned by the user with 600 permissions,
nobody else is able to execute vcp, videoin, or videoout. Thus nobody can
see what's on the console of the system.
The /dev/mvp device only exists on O2s, so this problem does not impact
other IRIX platforms (Octane, Onyx, etc.)
After these modifications have been made, it is also not possible to login
remotely and access other video signals.