SGI IRIX cvconnect File Overwrite Vulnerability
BID:1379
Info
SGI IRIX cvconnect File Overwrite Vulnerability
| Bugtraq ID: | 1379 |
| Class: | Origin Validation Error |
| CVE: | |
| Remote: | No |
| Local: | Yes |
| Published: | Jun 20 2000 12:00AM |
| Updated: | Jun 20 2000 12:00AM |
| Credit: | First made public in SGI Security Advisory 20000601-01-P on June 20, 2000. |
| Vulnerable: |
SGI Workshop Debugger and Performance Tools 2.6 .* |
| Not Vulnerable: | |
Discussion
SGI IRIX cvconnect File Overwrite Vulnerability
SGI's WorkShop Debugger and Performance tools is a optional package for IRIX that provides tools for debugging programs. It ships with a binary that other parts of the package invoke (it is not meant to be executed by regular users) called cvconnect. cvconnect is setuid root and has a vulnerability that allows users to overwrite any files on the filesystem. This can be exploited by an attacker to gain root priviliges locally.
SGI's WorkShop Debugger and Performance tools is a optional package for IRIX that provides tools for debugging programs. It ships with a binary that other parts of the package invoke (it is not meant to be executed by regular users) called cvconnect. cvconnect is setuid root and has a vulnerability that allows users to overwrite any files on the filesystem. This can be exploited by an attacker to gain root priviliges locally.
Exploit / POC
SGI IRIX cvconnect File Overwrite Vulnerability
Currently the SecurityFocus staff are not aware of any exploits for this issue. If you feel we are in error or are aware of more recent information, please mail us at: [email protected].
Currently the SecurityFocus staff are not aware of any exploits for this issue. If you feel we are in error or are aware of more recent information, please mail us at: [email protected].
Solution / Fix
SGI IRIX cvconnect File Overwrite Vulnerability
Solution:
SGI suggests, as a temporary solution, to do the following (taken directly from SGI Security Advisory 20000601-01-P):
1) Become the root user on the system.
% /bin/su -
Password:
#
2) Verify a vulnerable WorkShop suite is installed.
Versions 2.6.* and lower of WorkShop are vulnerable.
# versions -b WorkShop\*
I = Installed, R = Removed
Name Date Description
I WorkShop 07/03/96 Developer Magic: WorkShop 2.6
3) Change the permissions on the vulnerable cvconnect(1M) program.
# /bin/chmod 500 /usr/lib/WorkShop/cvconnect
************
*** NOTE ***
************
Removing the permissions from the vulnerable program will
prevent non-root users from accessing cvconnect(1M).
4) Verify the new permissions on the program.
Note that the program size may be different depending on release.
# ls -l /usr/lib/WorkShop/cvconnect
-r-x------ 1 root sys 428664 Sep 11 1997 cvconnect
5) Return to previous user level.
# exit
$
Solution:
SGI suggests, as a temporary solution, to do the following (taken directly from SGI Security Advisory 20000601-01-P):
1) Become the root user on the system.
% /bin/su -
Password:
#
2) Verify a vulnerable WorkShop suite is installed.
Versions 2.6.* and lower of WorkShop are vulnerable.
# versions -b WorkShop\*
I = Installed, R = Removed
Name Date Description
I WorkShop 07/03/96 Developer Magic: WorkShop 2.6
3) Change the permissions on the vulnerable cvconnect(1M) program.
# /bin/chmod 500 /usr/lib/WorkShop/cvconnect
************
*** NOTE ***
************
Removing the permissions from the vulnerable program will
prevent non-root users from accessing cvconnect(1M).
4) Verify the new permissions on the program.
Note that the program size may be different depending on release.
# ls -l /usr/lib/WorkShop/cvconnect
-r-x------ 1 root sys 428664 Sep 11 1997 cvconnect
5) Return to previous user level.
# exit
$