COMMAND

    /usr/sysadm/bin/runpriv

SYSTEMS AFFECTED

    IRIX 6.3, 6.4

PROBLEM

    The /usr/sysadm/bin/runpriv program is used by the System Desktop
    to allow unprivileged users to run selected privileged commands.

    Silicon Graphics  Inc. has  investigated the  issue and recommends
    the following steps for neutralizing  the exposure.  It is  HIGHLY
    RECOMMENDED that these measures be implemented on ALL SGI  systems
    running IRIX versions 6.3 and  6.4.  This issue will  be corrected
    in future releases of IRIX.

    The /usr/sysadm/bin/runpriv  program is  part of  the Indigo Magic
    System Administration subsystem  of IRIX 6.3  and 6.4.    Although
    other   IRIX   versions   will   have   similar   Desktop   System
    Administration subsystems,  only the  IRIX 6.3  and 6.4 subsystems
    have the runpriv program.   On IRIX 6.3 and 6.4, the Indigo  Magic
    System Administration subsystem is installed by default.

    A local account is required in order to exploit this vulnerability
    both locally and remotely.

    Credit for  this goes  to Joe  Bester and  Quay Ly  of Harvey Mudd
    College.

SOLUTION

    Although patches are available for this issue, it is realized that
    there may be situations  where installing the patches  immediately
    many  not  be  possible  so  it  is  rrecommanded  to  remove  the
    vulnerability by turning off the privileges capability.

    Patches:

        IRIX 6.3 .... patch number 2077
        IRIX 6.4 .... patch number 2078

    This patches can be obtained from the SGI anonymous FTP site
    which is:

        sgigate.sgi.com (204.94.209.1)
        ftp.sgi.com.