COMMAND

    Performance Copilot

SYSTEMS AFFECTED

    IRIX

PROBLEM

    Marcelo Magnasco found the following. He found a vulnerability in
    the Performance Copilot for IRIX 6.5. /usr/etc/pmcd has a fail-open
    security model, allowing anyone to perform queries by default. This
    exposes potentially sensitive information (ps -efl, df, etc.) to
    anyone on the net. pmcd will also accept garbage connections and
    grow a large heap that is not released when the connection is torn
    down, thus permitting a DoS.

    Marcelo's current installation of IRIX 6.5.6 (Varsity program)
    installed by default a product called "Performance Copilot" (PCP),
    a large and complex piece of software that collects performance
    metrics system-wide and offers nice ways to analyze them. The
    product is installed and self-configured by default. Up comes
    /usr/etc/pmcd, a daemon that sits and listens on TCP port 4321,
    waiting for requests to tell the users of PCP about what is going
    on. He never configured the product, and in fact was not aware
    that it was being installed or what it was for: it was included in
    the default Varsity 6.5.6 installation. He discovered it by
    portscanning his own machines for open ports.

        pcp_eoe Performance Co-Pilot Execution Only Environment, 2.1
        Software Product               Performance Co-Pilot
        Version                        2.1
        Product Codes                  SC4-PCP-2.1 and SC4-IRIX6.5
        System Software Requirements   IRIX 6.2, 6.3, 6.4 or 6.5.5

    /var/adm/pcplog/pmcd.log on his systems contains the following
    rather scary message:

         Host access list empty: access control turned off

    Thus the access control is fail-open: if you fail to configure it,
    it will allow anyone to connect. His configuration files had no
    ACLs, so presumably this is the case for everyone else. Marcelo
    tried various machines on campus: all 6.5 machines have pmcd
    running and allowed him to list their processes, disk mount points,
    etc. What does /usr/etc/pmcd expose to the world?

        % pminfo -f -h sgi.victim.com filesys.mountdir

    lists all disks and their mount points, for instance.

        % pmem -h sgi.victim.com

    will return something looking much  like a ps -efl: all  processes
    with their owners and long argument lists.

        % perl -e 'print " a" x 92834244,"\n";' | telnet sgi.victim.com 4321

    makes an excellent DoS. The pmcd process grew to 600 megabytes on
    his system and STAYED that size after the connection was ctrl-c'ed.
    Notice that pminfo -f -h sgi.victim.com swap will tell you all
    about swap, so you can calculate how much to request...

    Finally, trying the perl bit  AGAIN results in a broken  pipe, and
    an ominous message in the logs:

        unix: ALERT: pmcd [744] - out of logical swap space during brk/sbrk - see swap(1M)

    In  fact,  after  the   first  garbage  connection,  any   further
    connection  transmitting  more  than  4095  bytes  will cause this
    message to appear in the  syslog, suggesting that there is  a 4096
    somewhere in there. Left as an exercise for the reader.

SOLUTION

    Marcelo sent this information to SGI on March 17. SGI is actively
    working on the issue and will probably release a proper patch. To
    close the process to outside access, append the following to
    /etc/pmcd.conf:

        [access]
        allow localhost: all ;
        disallow * : all;

    or, better yet, chkconfig pmcd off and shut it off entirely unless
    you specifically need it.
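    As an added example (not part of the advisory or of PCP itself), a small
    Python checker for the fail-open condition described above: it parses the
    [access] section of a pmcd.conf using the allow/disallow statement syntax
    shown in the fix, treats an empty rule list as fail-open (the condition
    behind the "Host access list empty" log line), and reports whether the
    advisory's closing rule is present. The sample configs are constructed,
    and any ACL semantics beyond "empty list means access control off" are an
    assumption, not something the advisory states.

```python
import re

# The pmcd.log line the advisory shows when no [access] rules are loaded.
TELLTALE = "Host access list empty: access control turned off"

# Constructed sample configs (not real IRIX files). The first has no [access]
# section, like the default 6.5 install; the second has the advisory's fix appended.
DEFAULT_CONF = """# Name  Id  IPC  IPC Params  File/Cmd
irix    1   dso  irix_init   libirixpmda.so
"""
FIXED_CONF = DEFAULT_CONF + """[access]
allow localhost: all ;
disallow * : all;
"""

def parse_access_rules(conf_text):
    """Return (verb, host, ops) tuples from the [access] section.
    Statements are 'allow|disallow host : ops ;' as in the advisory's fix and may
    span lines; '#' starts a comment. Sections other than [access] are ignored."""
    in_access, body = False, []
    for line in conf_text.splitlines():
        stripped = line.split("#", 1)[0].strip()
        if not stripped:
            continue
        if stripped.startswith("["):
            in_access = stripped.lower() == "[access]"
            continue
        if in_access:
            body.append(stripped)
    rules = []
    for stmt in " ".join(body).split(";"):
        m = re.match(r"\s*(allow|disallow)\s+(.+?)\s*:\s*(.+?)\s*$", stmt, re.I)
        if m:
            rules.append((m.group(1).lower(), m.group(2).strip(), m.group(3).strip()))
    return rules

def is_fail_open(conf_text):
    """True when pmcd would load an empty access list and turn access control off."""
    return not parse_access_rules(conf_text)

def has_deny_all(rules):
    """True when the advisory's closing rule (disallow * : all) is present."""
    return any(v == "disallow" and h == "*" and o == "all" for v, h, o in rules)

def log_shows_acl_off(log_text):
    """True when pmcd.log contains the advisory's telltale line."""
    return TELLTALE in log_text
```

    Run it against /etc/pmcd.conf and /var/adm/pcplog/pmcd.log on each host;
    a conf that is fail-open or a log with the telltale line means the fix
    above has not been applied.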