COMMAND
/usr/sbin/startmidi
SYSTEMS AFFECTED
All SGI systems running IRIX 5.2, 5.3, 6.0, 6.0.1, and 6.1 with
an IRIS Digital Media Execution Environment.
PROBLEM
During the execution of startmidi, files are created in an
insecure manner with insecure permissions. As this program
executes with root privileges, it is possible for local users to
create or truncate arbitrary files on the system. It is also
possible to alter the contents of these temporary files, which
may allow users to perform a denial of service attack.
Local users may be able to create or truncate arbitrary files on
the system, which may be leveraged to gain root access. They may
also be able to change the contents of temporary files, allowing a
denial of service attack.
/usr/sbin/startmidi creates various files in /tmp. You guessed
it, it respects umask and follows symlinks. Like so:
% umask 0
% ln -s /blardyblar /tmp/.midipid
% startmidi -d /dev/ttyd1
% ls -l /blardyblar
-rw-rw-rw- 1 root pgrad 0 Feb 9 17:46 /blardyblar
% stopmidi -d /dev/ttyd1
%
Any existing files are truncated to zero length. New files are
created root-owned, mode 0666. You don't need much imagination to
get root from this. 'stopmidi' removes the files created by
'startmidi', so you may have to run that first if /tmp/.midipid
already exists. Credit for this goes to David Hedley
<hedley@CS.BRIS.AC.UK>.
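The two defects shown above (respecting umask, following a planted symlink) are what a privileged pid-file writer has to refuse. The following is an added example, not code from the advisory or from SGI, showing how /tmp/.midipid should be created: O_CREAT|O_EXCL so an existing symlink makes open() fail, O_NOFOLLOW as a second refusal, and an explicit 0600 mode instead of trusting umask. It assumes a POSIX system with O_NOFOLLOW and mkdtemp(); the demo directory, file names and umask 0 scenario are constructed to mirror the session above.

```c
#define _GNU_SOURCE          /* O_NOFOLLOW and mkdtemp on glibc */
#include <errno.h>
#include <fcntl.h>
#include <stdio.h>
#include <stdlib.h>
#include <sys/stat.h>
#include <unistd.h>

/* Create `path` as a brand-new regular file, mode 0600, for a privileged
 * writer. O_CREAT|O_EXCL fails if anything already exists there (including
 * a symlink another user planted), O_NOFOLLOW is a second refusal of
 * symlinks, and the mode is set explicitly instead of trusting umask.
 * Returns an open descriptor or -1 with errno set. */
int create_pidfile_safely(const char *path)
{
    int fd = open(path, O_WRONLY | O_CREAT | O_EXCL | O_NOFOLLOW, 0600);
    if (fd < 0)
        return -1;
    struct stat st;
    if (fstat(fd, &st) < 0 || !S_ISREG(st.st_mode) || fchmod(fd, 0600) < 0) {
        close(fd);
        return -1;
    }
    return fd;
}

/* Constructed scenario mirroring the advisory: umask 0 and a symlink
 * planted where the pid file will go. Returns 0 when both defences hold,
 * otherwise a bit mask naming the failed check (4: symlink accepted,
 * 8: wrong mode on the fresh file). */
int run_demo(void)
{
    char dir[] = "/tmp/midi-demo-XXXXXX";       /* scratch dir, constructed */
    char pidfile[64], victim[64];
    struct stat st;
    if (!mkdtemp(dir)) return 1;
    snprintf(pidfile, sizeof pidfile, "%s/.midipid", dir);
    snprintf(victim, sizeof victim, "%s/victim", dir);
    umask(0);                                   /* the advisory's "umask 0" */
    int rc = 0;
    if (symlink(victim, pidfile) < 0) return 2;  /* plant the link */
    int bad = create_pidfile_safely(pidfile);   /* must be refused */
    if (bad != -1 || errno != EEXIST) { rc |= 4; if (bad >= 0) close(bad); }
    unlink(pidfile);                            /* remove the planted link */
    int fd = create_pidfile_safely(pidfile);    /* now a real file, 0600 */
    if (fd < 0 || fstat(fd, &st) < 0 || (st.st_mode & 07777) != 0600) rc |= 8;
    if (fd >= 0) close(fd);
    unlink(pidfile); rmdir(dir);
    return rc;
}
```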
SOLUTION
You should remove setuid and execute permissions until applying
patches:
# /bin/chmod 400 /usr/sbin/startmidi
# /bin/ls -l /usr/sbin/startmidi
-r-------- 1 root sys 18608 Nov 22 1994 /usr/sbin/startmidi
or remove the MIDI Execution Environment:
# /usr/sbin/versions remove dmedia_eoe.sw.midi
Patches are:
OS Version   Vulnerable?   Patch #
----------   -----------   ---------
IRIX 3.x     no
IRIX 4.x     no
IRIX 5.0.x   yes           not avail
IRIX 5.1.x   yes           not avail
IRIX 5.2     yes           not avail
IRIX 5.3     yes           2563
IRIX 6.0.x   yes           not avail
IRIX 6.1     yes           not avail
IRIX 6.2     yes           2564
IRIX 6.3     yes           2565
IRIX 6.4     yes           2291