COMMAND
.edf & .tdf (mailcap problem)
SYSTEMS AFFECTED
IRIX 6.3, 6.4
PROBLEM
Arthur Hagen found that you can gain access to any IRIX 6.3 (and
probably 6.4) machine by making a cgi script emulating the .tdf
files in /usr/sysadm. The principle is simple: you make the cgi
script use a MIME type similar to an .edf or .tdf file
(application/x-sgi-exec or application/x-sgi-task), and make the
file name contain spaces and look quite similar to
SaAddUserTask.tdf (or even SaModifyMyPassword.tdf), the only
difference being that it contains the arguments too. If writing a
cgi script to do this is too awkward, you can do the same by
simply installing a web server other than Netscape and modifying
the file type. Apache works fine. Basically, you make the
server serve one of the application types described above, and
instruct it to execute one of the *legal* commands in /usr/sysadm
when someone connects, with enough arguments to make it lethal.
Then make a link to it (with the spaces in the link; %20 is a
space in HTML) from another page. Then you just wait for someone
with an SGI to access that file. This works for ANY 6.3+ client
with a privileged user accessing a remote web page set up for
hacking SGIs.
SGI's advisory expanded on this information. The System Manager sysmgr(1M)
provides a web-browser-like GUI interface to tasks that help you
administer an SGI workstation. sysmgr(1M) uses multiple tools to
manage its GUI interface, two of them being runtask(1M) and
runexec(1M). By mimicking the descriptor files of runtask(1M) or
runexec(1M), an SGI user browsing web pages or reading email can
inadvertently download a "trojan horse" runtask(1M) or runexec(1M)
descriptor file. The "trojan horse" descriptor file will execute a
local System Manager Task with the privileges of the user web
browsing and can lead to a local root compromise.
All IRIX 6.3/6.4 users that have Mailcap entries for x-sgi-task
and x-sgi-exec have this vulnerability. On IRIX 6.3/6.4, these
vulnerable Mailcap entries are installed by default in
/usr/local/lib/netscape/mailcap. Users can add their own Mailcap
entries in their home directories ($HOME/.mailcap) and these need
to be inspected for the vulnerable x-sgi-task and x-sgi-exec
entries.
SOLUTION
To everyone with IRIX 6.3+: To feel a BIT safer, open the
"General Preferences" in Netscape, and change the actions for
"x-sgi-task" and "x-sgi-exec" to "Unknown - prompt user". This
means you won't be able to use some of the sysadm pages on the
server at port 2077, but that's no big worry. You can do
everything from root anyhow, and the 2077 server is by default
running with access allowed from the whole world with root
access, so it's a security bug in itself. So do the above
mods (preferably to the file /usr/local/lib/netscape/mailcap as
well), then "chkconfig webface off", and even better, "chkconfig
privileges off".
By default, the vulnerability SGI describes requires an IRIX 6.3/6.4
user to use Netscape Navigator to web browse or read email from a
malicious site and download a "trojan horse" System Manager Task
which will execute locally with the privileges of the user web
browsing. If the user is a privileged or root user, the "trojan
horse" System Manager Task will execute with root privileges and
can lead to a root compromise. Workaround:
Edit the default Mailcap file.
# vi /usr/local/lib/netscape/mailcap
Remove the following vulnerable mailcap entries:
application/x-sgi-task; /usr/sysadm/bin/runtask %s; \
description="System Administration Task"
application/x-sgi-exec; /usr/sysadm/bin/runexec %s; \
description="System Administration Executable"
Find any additional mailcap files and remove any vulnerable
entries.
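The workaround above is a manual edit; the following shell script is an added example (not part of the SGI advisory or of IRIX) that audits a mailcap file for the two entries quoted above and writes a cleaned copy, handling the backslash-continued lines those entries use. It assumes only POSIX sh and awk; the sample mailcap it builds is constructed for the demonstration.

```sh
# Audit a mailcap file for the handlers this advisory names (x-sgi-task ->
# runtask, x-sgi-exec -> runexec). Entries may continue over lines with a
# trailing backslash, as the quoted ones do, so entries are joined first.

# Print every logical entry of mailcap file $1 with a vulnerable type.
list_sgi_mailcap_entries() {
    awk '
        /\\$/ { part = $0; sub(/\\$/, "", part); joined = joined part; next }
        { joined = joined $0 }
        joined ~ /^[ \t]*application\/x-sgi-(task|exec)[ \t]*;/ { print joined }
        { joined = "" }
    ' "$1"
}

# Number of vulnerable entries in $1 (prints 0 when there are none).
count_sgi_mailcap_entries() {
    list_sgi_mailcap_entries "$1" | awk 'END { print NR }'
}

# Copy $1 to $2 with the vulnerable entries (all of their lines) dropped;
# comments and every other handler are kept byte for byte.
strip_sgi_mailcap_entries() {
    awk '
        { raw = raw $0 "\n" }
        /\\$/ { part = $0; sub(/\\$/, "", part); joined = joined part; next }
        { joined = joined $0 }
        joined !~ /^[ \t]*application\/x-sgi-(task|exec)[ \t]*;/ { printf "%s", raw }
        { raw = ""; joined = "" }
    ' "$1" > "$2"
}

# Constructed sample (not a real system file): the advisory's two entries
# among harmless handlers, written to $1.
write_sample_mailcap() {
    printf '%s\n' \
        '# constructed sample mailcap' \
        'application/x-sgi-task; /usr/sysadm/bin/runtask %s; \' \
        '    description="System Administration Task"' \
        'image/gif; xv %s' \
        'application/x-sgi-exec; /usr/sysadm/bin/runexec %s; \' \
        '    description="System Administration Executable"' \
        'text/html; netscape %s' > "$1"
}

# Report on the two locations the advisory names, when they exist.
for f in /usr/local/lib/netscape/mailcap "$HOME/.mailcap"; do
    if [ -f "$f" ]; then
        echo "$f: $(count_sgi_mailcap_entries "$f") vulnerable entries"
    fi
done
```

Run `strip_sgi_mailcap_entries` on each file that reports a non-zero count and review the cleaned copy before moving it into place; every user's $HOME/.mailcap needs the same check.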
Patches are:
OS Version   Patch #
----------   -------
IRIX 6.3     3068
IRIX 6.4     2339