COMMAND
fam service
SYSTEMS AFFECTED
All SGI IRIX systems running the fam server are vulnerable.
PROBLEM
The following information is based on a Secure Networks Inc.
security advisory.
IRIX workstations commonly run a service known as "fam" (file
alteration monitor). This service allows any user to obtain a
complete listing of files and directories on vulnerable systems.
The fam service, RPC program 391002, is used by other programs to
keep track of file modifications. When a program initially
connects to the fam server, it passes the fam server the name of
a file or directory to watch. If the fam server is passed a
directory, it immediately gives the client a complete list of
files and subdirectories in that directory. By passing the fam
server a request to monitor the root directory, and following
subdirectories from there, an attacker can remotely obtain a
complete list of files on the system. The fam server should
restrict access to legitimate NFS clients, and enforce access
control to prevent local users from listing each other's files.
Attackers can remotely obtain a complete list of files and
directories on a Silicon Graphics IRIX system running a fam
server. To determine whether your workstation is running this
service, type:

    % /usr/etc/rpcinfo -p | grep 391002

If you are vulnerable, you will see a line as follows:

    391002 1 tcp 1051 sgi_fam

If no output is generated, then you are not running a fam server.
Any other type of output, such as an error message, probably
indicates either that you are specifying the wrong directory for
the rpcinfo program or that there are no RPC services running at
all.
SOLUTION
If you do not use any programs, such as the IRIX file manager,
fm(1G), or mailbox(1), which require fam, you can disable the fam
service by commenting out the entry for it in /etc/inetd.conf,
and rebooting. The fam daemon is installed by default on all
versions of IRIX 5.X and IRIX 6.X. The fam vulnerability is
scheduled to be fixed in IRIX 6.5.8.
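
Added example (not part of the original advisory): a shell script that
combines the rpcinfo check above with the inetd.conf change, so a host
where the entry is commented out but program 391002 is still registered
shows up as not yet fixed. The inetd.conf sample lines, the assumed entry
format (first field "sgi_fam" or "sgi_fam/<versions>"), the daemon path
and the status names are constructed for illustration.

```shell
#!/bin/sh
# Added example (not from the advisory): classify a host's fam exposure from
# saved `rpcinfo -p` output and a copy of inetd.conf.
FAM_PROG=391002    # RPC program number given in the advisory
FAM_NAME=sgi_fam   # service name shown in the advisory's rpcinfo line

# Succeeds if the rpcinfo listing in file $1 registers program 391002.
# Compares the program column exactly instead of grepping the whole line.
fam_registered() {
    awk -v p="$FAM_PROG" '$1 == p { f = 1 } END { exit !f }' "$1"
}

# Succeeds if file $1 has an active (uncommented) inetd entry for fam.
# Assumption: the entry's first field is "sgi_fam" or "sgi_fam/<versions>".
fam_in_inetd() {
    awk -v n="$FAM_NAME" '$1 == n || index($1, n "/") == 1 { f = 1 }
                          END { exit !f }' "$1"
}

# Prints one status word for the pair (rpcinfo file, inetd.conf file).
fam_status() {
    if fam_registered "$1"; then
        if fam_in_inetd "$2"; then echo EXPOSED
        else echo DISABLED_NOT_YET_EFFECTIVE   # entry commented, reboot pending
        fi
    elif fam_in_inetd "$2"; then echo ENABLED_NOT_REGISTERED
    else echo DISABLED
    fi
}

# Constructed sample inputs; the fam rpcinfo line is the one in the advisory.
demo() {
    d=$(mktemp -d) || return 1
    printf '%s\n' '   program vers proto   port  service' \
                  '    100000    2   tcp    111  portmapper' \
                  '    391002    1   tcp   1051  sgi_fam' > "$d/rpc"
    printf '%s\n' 'ftp stream tcp nowait root /usr/etc/ftpd ftpd' \
                  'sgi_fam/1 stream rpc/tcp wait root /usr/etc/fam fam' > "$d/on"
    sed 's/^sgi_fam/#&/' "$d/on" > "$d/off"   # same file, fam entry commented
    fam_status "$d/rpc" "$d/on"     # EXPOSED
    fam_status "$d/rpc" "$d/off"    # DISABLED_NOT_YET_EFFECTIVE
    rm -rf "$d"
}
demo
```

On a live host, save the output of /usr/etc/rpcinfo -p to a file and pass
it to fam_status together with /etc/inetd.conf.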