
[irix-security] IRIX nsd symlink vulnerability



Topic
=====
IRIX nsd symlink vulnerability

Problem Description
===================
IRIX's nsd does not check the permissions and ownership
of its dump file "/var/tmp/nsd.dump" prior to writing to it.

If a user were to first create a symlink from another file pointing to
/var/tmp/nsd.dump and then an already-privileged user sent a USR1 signal to
the nsd process, the file could be damaged or modified. If successfully
exploited, this could lead to a root compromise.
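
The kind of check the description says is missing, as an added example (not
SGI's code and not the actual IRIX 6.5.11 fix). It assumes a POSIX.1-2008
system that provides O_NOFOLLOW; open_dump_file and the demo path are
hypothetical names.

```c
#define _XOPEN_SOURCE 700
#include <errno.h>
#include <fcntl.h>
#include <stdio.h>
#include <stdlib.h>
#include <sys/stat.h>
#include <unistd.h>

/* Hypothetical helper: open a dump file in a world-writable directory
 * without following a planted symlink. Returns an fd, or -1 on refusal. */
int open_dump_file(const char *path)
{
    struct stat st;
    /* O_NOFOLLOW fails if the last path component is a symlink; O_NONBLOCK
     * avoids hanging on a FIFO. No O_TRUNC: nothing changes before checks. */
    int fd = open(path, O_WRONLY | O_CREAT | O_NOFOLLOW | O_NONBLOCK, 0600);
    if (fd < 0)
        return -1;

    /* fstat() the descriptor, not the path, so the ownership and permission
     * checks apply to the object that was actually opened. */
    if (fstat(fd, &st) != 0 ||
        !S_ISREG(st.st_mode) ||              /* regular file only */
        st.st_uid != geteuid() ||            /* owned by the daemon's user */
        st.st_nlink != 1 ||                  /* no hard link under another name */
        (st.st_mode & (S_IWGRP | S_IWOTH))) {/* not writable by anyone else */
        close(fd);
        errno = EPERM;
        return -1;
    }
    if (ftruncate(fd, 0) != 0) {             /* truncate only after checks pass */
        close(fd);
        return -1;
    }
    return fd;
}

int main(void)
{
    /* Constructed demo path; the advisory's file is /var/tmp/nsd.dump. */
    int fd = open_dump_file("/tmp/nsd-example.dump");
    if (fd < 0) {
        perror("refusing to write dump file");
        return EXIT_FAILURE;
    }
    if (write(fd, "state dump\n", 11) != 11)
        perror("write");
    close(fd);
    return EXIT_SUCCESS;
}
```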

Affected Systems
================
The nsd daemon is installed by default on IRIX 6.5 systems as part of
eoe.sw.base.
This vulnerability cannot be exploited by a remote user; a local account
is required.
This vulnerability has been fixed in IRIX 6.5.11.

Solution
========
SGI has not provided patches for this vulnerability. Our recommendation is
to upgrade to IRIX 6.5.11 or later.

   OS Version     Vulnerable?
   ----------     -----------
   IRIX 6.5          yes
   IRIX 6.5.1        yes
   IRIX 6.5.2        yes
   IRIX 6.5.3        yes
   IRIX 6.5.4        yes
   IRIX 6.5.5        yes
   IRIX 6.5.6        yes
   IRIX 6.5.7        yes
   IRIX 6.5.8        yes
   IRIX 6.5.9        yes
   IRIX 6.5.10       yes
   IRIX 6.5.11       no
   IRIX 6.5.12       no
   IRIX 6.5.13       no
   IRIX 6.5.14       no
   IRIX 6.5.15       no
   IRIX 6.5.16       no