COMMAND

    autofsd (automountd)

SYSTEMS AFFECTED

    IRIX 6.2, 6.3, 6.4, 6.5, 6.5.1, AIX 4.3

PROBLEM

    The following information is based on an RSI Alert Advisory.  The
    issue was discovered by Mark Zielinski.  Autofsd is an RPC server
    which answers file system mount and umount requests from the autofs
    file system.  It uses local files or name service maps to locate
    file systems to be mounted.  Local users on the system can send
    requests to the autofsd daemon and execute arbitrary commands as
    the superuser.  Note that this vulnerability may also be reproduced
    as a remote exploit.

    Upon  receiving  a  map  argument  from  a client, the server will
    attempt  to  verify  if  it  is  executable  or  not.   If autofsd
    determines the map has an executable flag, the server will  append
    the client's key and attempt to execute it.  By sending a map name
    that  is  executable  on  the  server,  and a key beginning with a
    semicolon or a newline  followed by a command,  unprivileged users
    can  execute  arbitrary  commands  as  the superuser.  The problem
    occurs when the server appends the key to the map and attempts  to
    execute it  by calling  popen.   Since popen  executes the map and
    key you specify by  invoking a shell, it  is possible to force  it
    into executing commands that were not meant to be executed.
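
    The following C code is an added example, not taken from the
    advisory or from the autofsd source.  It shows the usual remedy for
    the popen problem described above: validate the key against an
    allow-list and run the map with execv so the key is a single
    argument that no shell ever parses.  The names key_is_safe and
    run_map and the key policy are assumptions.

```c
#include <string.h>
#include <unistd.h>
#include <sys/types.h>
#include <sys/wait.h>

/* Sketch of the pattern the advisory describes (not the daemon's source):
 *   snprintf(cmd, sizeof cmd, "%s %s", map, key); fp = popen(cmd, "r");
 * popen hands cmd to a shell, so ';' or a newline in key starts a new command. */

/* Assumed key policy: letters, digits and . _ - only, no leading '-'. */
int key_is_safe(const char *key)
{
    static const char ok[] = "abcdefghijklmnopqrstuvwxyz"
                             "ABCDEFGHIJKLMNOPQRSTUVWXYZ0123456789._-";
    size_t n = strlen(key);
    return n > 0 && n < 256 && key[0] != '-' && strspn(key, ok) == n;
}

/* Run an executable map with the key as one argv entry; no shell is involved.
 * Returns the number of bytes of map output stored in out, or -1 on error. */
int run_map(const char *map, const char *key, char *out, size_t outlen)
{
    int fd[2], status;
    ssize_t n, total = 0;
    pid_t pid;
    if (outlen == 0 || pipe(fd) < 0)
        return -1;
    if ((pid = fork()) < 0) {
        close(fd[0]); close(fd[1]);
        return -1;
    }
    if (pid == 0) {                        /* child: stdout goes to the pipe */
        char *argv[3];
        argv[0] = (char *)map; argv[1] = (char *)key; argv[2] = NULL;
        dup2(fd[1], STDOUT_FILENO);
        close(fd[0]); close(fd[1]);
        execv(map, argv);                  /* key stays literal data */
        _exit(127);                        /* reached only if exec failed */
    }
    close(fd[1]);
    while ((size_t)total < outlen - 1 &&
           (n = read(fd[0], out + total, outlen - 1 - (size_t)total)) > 0)
        total += n;
    out[total] = '\0';
    close(fd[0]);
    if (waitpid(pid, &status, 0) < 0 || !WIFEXITED(status) || WEXITSTATUS(status) != 0)
        return -1;
    return (int)total;
}
```

    A server would call key_is_safe first and reject the request on
    failure; run_map is the second layer, so a key that slips through
    is still passed to the map as plain text.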

    To  determine  if  the  daemon  is  active on your system, run the
    following command on AIX:

        $ lssrc -s automountd

    To disable the daemon until the fix can be applied (run as root):

        # stopsrc -s automountd

SOLUTION

    If you can't apply the patch, disable the autofs(1M) daemon by issuing:

        chkconfig autofs off

    and reboot.  Apply the following patches:

        OS Version     Vulnerable?     Patch #      Other Actions
        ----------     -----------     -------      -------------
        IRIX 6.2          yes           3392        Note 1
        IRIX 6.3          yes           3391        Note 1
        IRIX 6.4          yes           3250        Note 1
        IRIX 6.5          yes           6.5.2       Note 2
        IRIX 6.5.1        yes           6.5.2       Note 2
        IRIX 6.5.2        no                        Note 3

    NOTES
    1) This  version of  the IRIX  operating system  is in maintenance
       mode and patches  will no longer  be produced when  it retires.
       Use workaround.
    2) IRIX 6.5.2 needs to be installed to remove this vulnerability.
    3) If you have not received an IRIX 6.5.2 CD for IRIX 6.5, contact
       your  SGI  Support   Provider  or  download   the  IRIX   6.5.2
       Maintenance Release Stream from http://support.sgi.com/ or

        ftp://patches.sgi.com/support/relstream/

    Information about installing IRIX 6.5.2 can be found at:

        http://support.sgi.com/6.5/installing.html

    IBM is  working on  the following  fixes which  will be  available
    soon:

        AIX 4.3.x:  IX83752