Published:
15 October 1998
Protect yourself against future threats.
-----BEGIN PGP SIGNED MESSAGE-----
===========================================================================
AUSCERT External Security Bulletin Redistribution
ESB-98.160 -- SGI Security Advisory 19981003-01-PX
IRIX Xaw library exploitable buffer overflow
16 October 1998
===========================================================================
Silicon Graphics Inc. has released the following advisory concerning a
buffer overflow vulnerability in the Xaw library installed by default on
IRIX. This vulnerability may allow local users to gain root access.
- ---------------------------BEGIN INCLUDED TEXT--------------------
- -----BEGIN PGP SIGNED MESSAGE-----
______________________________________________________________________________
Silicon Graphics Inc. Security Advisory
Title: Xaw library exploitable buffer overflow
Title: CERT VB-98.04
Number: 19981003-01-PX
Date: October 15, 1998
______________________________________________________________________________
Silicon Graphics provides this information freely to the SGI user community
for its consideration, interpretation, implementation and use. Silicon
Graphics recommends that this information be acted upon as soon as possible.
Silicon Graphics provides the information in this Security Advisory on
an "AS-IS" basis only, and disclaims all warranties with respect thereto,
express, implied or otherwise, including, without limitation, any warranty
of merchantability or fitness for a particular purpose. In no event shall
Silicon Graphics be liable for any loss of profits, loss of business, loss
of data or for any indirect, special, exemplary, incidental or consequential
damages of any kind arising from your use of, failure to use or improper
use of any of the instructions or information in this Security Advisory.
______________________________________________________________________________
- - -----------------------
- - --- Issue Specifics ---
- - -----------------------
The Open Group (http://www.opengroup.org/) has reported via CERT that
an exploitable buffer overflow has been discovered in Xaw library which can
lead to a root compromise.
Silicon Graphics Inc. has investigated the issue and recommends the
following steps for neutralizing the exposure. It is HIGHLY RECOMMENDED
that these measures be implemented on ALL vulnerable SGI systems.
This issue will be corrected in future releases of IRIX.
- - --------------
- - --- Impact ---
- - --------------
The Xaw library is installed by default on IRIX.
The Xaw Text widget must be used in a setuid root program in order to be
vulnerable.
A local user account on the vulnerable system is required in order to exploit
the Xaw library.
The exploitable buffer overflow vulnerability can lead to a root compromise.
This Xaw library buffer overflow vulnerability was reported by CERT VB-98.04:
http://www.cert.org/ftp/cert_bulletins/VB-98.04.xterm.Xaw
This Xaw vulnerability has been publicly discussed in Usenet newsgroups
and mailing lists.
- - --------------------------
- - --- Temporary Solution ---
- - --------------------------
Although patches are available for this issue, it is realized that
there may be situations where installing the patches immediately may
not be possible.
Only setuid root programs that use the Xaw Text widget are vulnerable
to this exploit. There is no easy detection method for determining
if a program uses the Xaw Text widget.
If you are aware of a setuid root program that uses Xaw Text widget,
the steps below can be used to remove the vulnerability by removing
the setuid permissions of that program.
1) Become the root user on the system.
% /bin/su -
Password:
#
2) Remove the setuid-root bit from the binary.
# chmod 0755 <setuid-root program that uses Xaw Text widget>
3) Return to previous level.
# exit
%
- - ----------------
- - --- Solution ---
- - ----------------
OS Version Vulnerable? Patch # Other Actions
---------- ----------- ------- -------------
IRIX 3.x no
IRIX 4.x no
IRIX 5.0.x yes Note 1 & 2
IRIX 5.1.x yes Note 1 & 2
IRIX 5.2 yes Note 1 & 2
IRIX 5.3 yes 3162
IRIX 6.0.x yes Note 1 & 2
IRIX 6.1 yes Note 1 & 2
IRIX 6.2 yes 3163
IRIX 6.3 yes 3164
IRIX 6.4 yes 3165
IRIX 6.5 yes 6.5.1 Note 3
IRIX 6.5.1 no
NOTES
1) Upgrade to currently supported IRIX operating system.
2) See "Temporary Solution" section.
3) If you have not received an IRIX 6.5.1m CD for IRIX 6.5, contact your
SGI Support Provider or download the IRIX 6.5.1 Maintenance Release
Stream from http://support.sgi.com/
Patches are available via anonymous FTP and your service/support provider.
The primary SGI anonymous FTP site for security information and patches
is sgigate.sgi.com (204.94.209.1). Security information and patches can be
found in the ~ftp/security and ~ftp/patches directories, respectively.
For security and patch management reasons, ftp.sgi.com (mirror of sgigate) lags
behind and does not do a real-time update of ~ftp/security and ~ftp/patches
##### Patch File Checksums ####
The actual patch will be a tar file containing the following files:
Filename: README.patch.3162
Algorithm #1 (sum -r): 62760 15 README.patch.3162
Algorithm #2 (sum): 52641 15 README.patch.3162
MD5 checksum: B8F950CFFA015AEE80BDDF7D71941997
Filename: patchSG0003162
Algorithm #1 (sum -r): 29527 3 patchSG0003162
Algorithm #2 (sum): 16855 3 patchSG0003162
MD5 checksum: 483B3714A2DBCF085FB4430E60AFADB5
Filename: patchSG0003162.idb
Algorithm #1 (sum -r): 63388 4 patchSG0003162.idb
Algorithm #2 (sum): 4333 4 patchSG0003162.idb
MD5 checksum: 4E6E083D81345A44ECF9B81DF37936D0
Filename: patchSG0003162.x_dev_sw
Algorithm #1 (sum -r): 10817 1841 patchSG0003162.x_dev_sw
Algorithm #2 (sum): 53139 1841 patchSG0003162.x_dev_sw
MD5 checksum: 9496B25ECC3E96A8D61E2F61AB7CC444
Filename: patchSG0003162.x_eoe_sw
Algorithm #1 (sum -r): 39327 3232 patchSG0003162.x_eoe_sw
Algorithm #2 (sum): 13525 3232 patchSG0003162.x_eoe_sw
MD5 checksum: D42A84EF3F076A58D33F19F52A819673
Filename: README.patch.3163
Algorithm #1 (sum -r): 23654 18 README.patch.3163
Algorithm #2 (sum): 25734 18 README.patch.3163
MD5 checksum: 756076D4B042CD3B821051B3146C2451
Filename: patchSG0003163
Algorithm #1 (sum -r): 32763 18 patchSG0003163
Algorithm #2 (sum): 46144 18 patchSG0003163
MD5 checksum: 9D8CF5AF49F89003D333E84E6D3300C6
Filename: patchSG0003163.idb
Algorithm #1 (sum -r): 16114 13 patchSG0003163.idb
Algorithm #2 (sum): 38740 13 patchSG0003163.idb
MD5 checksum: 757BF2A5882658173ECFF63F892C46A8
Filename: patchSG0003163.x_dev_sw
Algorithm #1 (sum -r): 26703 1871 patchSG0003163.x_dev_sw
Algorithm #2 (sum): 4990 1871 patchSG0003163.x_dev_sw
MD5 checksum: 4E89925EA5679B21BF8FC765CB79A8BB
Filename: patchSG0003163.x_dev_sw32
Algorithm #1 (sum -r): 28764 2195 patchSG0003163.x_dev_sw32
Algorithm #2 (sum): 46025 2195 patchSG0003163.x_dev_sw32
MD5 checksum: DF71C67366E29B0F9CEF5B10A0EE3BD0
Filename: patchSG0003163.x_dev_sw64
Algorithm #1 (sum -r): 10893 2353 patchSG0003163.x_dev_sw64
Algorithm #2 (sum): 47599 2353 patchSG0003163.x_dev_sw64
MD5 checksum: A307C6DB70BD37A31D1F9D4D858C4004
Filename: patchSG0003163.x_eoe_sw
Algorithm #1 (sum -r): 26523 4258 patchSG0003163.x_eoe_sw
Algorithm #2 (sum): 2943 4258 patchSG0003163.x_eoe_sw
MD5 checksum: 0CD66C2493A3667D1C68D2E2EE3DB187
Filename: patchSG0003163.x_eoe_sw32
Algorithm #1 (sum -r): 44792 3969 patchSG0003163.x_eoe_sw32
Algorithm #2 (sum): 30141 3969 patchSG0003163.x_eoe_sw32
MD5 checksum: 91B0F609DCF4B10814C7623669A1193D
Filename: patchSG0003163.x_eoe_sw64
Algorithm #1 (sum -r): 36394 4235 patchSG0003163.x_eoe_sw64
Algorithm #2 (sum): 15018 4235 patchSG0003163.x_eoe_sw64
MD5 checksum: A751597CA40C154D855F1BA4CE111AE6
Filename: README.patch.3164
Algorithm #1 (sum -r): 04525 12 README.patch.3164
Algorithm #2 (sum): 63555 12 README.patch.3164
MD5 checksum: F949A9F818F578F9209DD453A713EDE9
Filename: patchSG0003164
Algorithm #1 (sum -r): 45150 7 patchSG0003164
Algorithm #2 (sum): 23540 7 patchSG0003164
MD5 checksum: 5EB26E7B577ADD63AD2A7E31E8E818FB
Filename: patchSG0003164.idb
Algorithm #1 (sum -r): 62231 11 patchSG0003164.idb
Algorithm #2 (sum): 39482 11 patchSG0003164.idb
MD5 checksum: 608679BE467AD0FF7B0044F08CFBA5F7
Filename: patchSG0003164.x_dev_sw
Algorithm #1 (sum -r): 00282 1861 patchSG0003164.x_dev_sw
Algorithm #2 (sum): 51321 1861 patchSG0003164.x_dev_sw
MD5 checksum: AA403DA6F7934786C8B1138B6419EDF9
Filename: patchSG0003164.x_dev_sw32
Algorithm #1 (sum -r): 40105 2188 patchSG0003164.x_dev_sw32
Algorithm #2 (sum): 43711 2188 patchSG0003164.x_dev_sw32
MD5 checksum: 20D889F2721D867301F1F49C7F0F9FDE
Filename: patchSG0003164.x_dev_sw64
Algorithm #1 (sum -r): 05154 2341 patchSG0003164.x_dev_sw64
Algorithm #2 (sum): 35806 2341 patchSG0003164.x_dev_sw64
MD5 checksum: 975B64D7781501F1428382C38EF8E33E
Filename: patchSG0003164.x_eoe_sw
Algorithm #1 (sum -r): 40472 3285 patchSG0003164.x_eoe_sw
Algorithm #2 (sum): 19365 3285 patchSG0003164.x_eoe_sw
MD5 checksum: 7130465ECBEA6961DE898BC6B03BC6EC
Filename: patchSG0003164.x_eoe_sw32
Algorithm #1 (sum -r): 24036 3552 patchSG0003164.x_eoe_sw32
Algorithm #2 (sum): 62299 3552 patchSG0003164.x_eoe_sw32
MD5 checksum: CF227E33123A6B4C83B957BE7481E594
Filename: patchSG0003164.x_eoe_sw64
Algorithm #1 (sum -r): 01544 3763 patchSG0003164.x_eoe_sw64
Algorithm #2 (sum): 32019 3763 patchSG0003164.x_eoe_sw64
MD5 checksum: 33DAD3890A6EE445BABAA9299C6DE485
Filename: README.patch.3165
Algorithm #1 (sum -r): 05925 12 README.patch.3165
Algorithm #2 (sum): 9430 12 README.patch.3165
MD5 checksum: F8F8C76CF0D6401153F34E606E000703
Filename: patchSG0003165
Algorithm #1 (sum -r): 40739 10 patchSG0003165
Algorithm #2 (sum): 64635 10 patchSG0003165
MD5 checksum: E9F01F8B784EFB2360F96E1C111BC868
Filename: patchSG0003165.eoe_sw
Algorithm #1 (sum -r): 44998 7 patchSG0003165.eoe_sw
Algorithm #2 (sum): 42468 7 patchSG0003165.eoe_sw
MD5 checksum: 948C51F29D9B18C71211551F2A9E2786
Filename: patchSG0003165.idb
Algorithm #1 (sum -r): 08151 12 patchSG0003165.idb
Algorithm #2 (sum): 9229 12 patchSG0003165.idb
MD5 checksum: C377B369F49EC7BE07B43C4B1A3AE7C8
Filename: patchSG0003165.x_dev_sw
Algorithm #1 (sum -r): 20931 5115 patchSG0003165.x_dev_sw
Algorithm #2 (sum): 57869 5115 patchSG0003165.x_dev_sw
MD5 checksum: 201472A518AD6573742D18E1B94EFD7B
Filename: patchSG0003165.x_dev_sw64
Algorithm #1 (sum -r): 15326 2378 patchSG0003165.x_dev_sw64
Algorithm #2 (sum): 5558 2378 patchSG0003165.x_dev_sw64
MD5 checksum: 885049D822B3B277576E2C4AB54B91C4
Filename: patchSG0003165.x_eoe_sw
Algorithm #1 (sum -r): 63988 7594 patchSG0003165.x_eoe_sw
Algorithm #2 (sum): 15222 7594 patchSG0003165.x_eoe_sw
MD5 checksum: 129346F08874CF9A56B6497BF4AA3B32
Filename: patchSG0003165.x_eoe_sw64
Algorithm #1 (sum -r): 25380 4118 patchSG0003165.x_eoe_sw64
Algorithm #2 (sum): 24205 4118 patchSG0003165.x_eoe_sw64
MD5 checksum: 34980EFCE4E39EBFEC55FA279E7F1957
- - ------------------------
- - --- Acknowledgments ---
- - ------------------------
Silicon Graphics wishes to thank the CERT Coordination Center and the users
of the Internet Community at large for their assistance in this matter.
- - -----------------------------------------------------------
- - --- Silicon Graphics Inc. Security Information/Contacts ---
- - -----------------------------------------------------------
If there are questions about this document, email can be sent to
cse-security-alert@sgi.com.
------oOo------
Silicon Graphics provides security information and patches for
use by the entire SGI community. This information is freely
available to any person needing the information and is available
via anonymous FTP and the Web.
The primary SGI anonymous FTP site for security information and patches
is sgigate.sgi.com (204.94.209.1). Security information and patches
are located under the directories ~ftp/security and ~ftp/patches,
respectively. The Silicon Graphics Security Headquarters Web page is
accessible at the URL http://www.sgi.com/Support/security/security.html.
For issues with the patches on the FTP sites, email can be sent to
cse-security-alert@sgi.com.
For assistance obtaining or working with security patches, please
contact your SGI support provider.
------oOo------
Silicon Graphics provides a free security mailing list service
called wiretap and encourages interested parties to self-subscribe
to receive (via email) all SGI Security Advisories when they are
released. Subscribing to the mailing list can be done via the Web
(http://www.sgi.com/Support/security/wiretap.html) or by sending email
to SGI as outlined below.
% mail wiretap-request@sgi.com
subscribe wiretap <YourEmailAddress>
end
^d
In the example above, <YourEmailAddress> is the email address that you
wish the mailing list information sent to. The word end must be on a
separate line to indicate the end of the body of the message. The
control-d (^d) is used to indicate to the mail program that you are
finished composing the mail message.
------oOo------
Silicon Graphics provides a comprehensive customer World Wide Web site.
This site is located at http://www.sgi.com/Support/security/security.html.
------oOo------
For reporting *NEW* SGI security issues, email can be sent to
security-alert@sgi.com or contact your SGI support provider. A
support contract is not required for submitting a security report.
______________________________________________________________________________
This information is provided freely to all interested parties and may
be redistributed provided that it is not altered in any way, Silicon
Graphics is appropriately credited and the document retains and
includes its valid PGP signature.
- -----BEGIN PGP SIGNATURE-----
Version: 2.6.2
iQCVAwUBNiZgZbQ4cFApAP75AQFNawP9EhlJX0vTsSxr/rngAmU1wr46efbxzd5P
Mz1Nvqvqk01CWpW7PcDwlxhBheT/hHnGEfCuj0NeuE0+D4ISDF0piChEopm/ubYT
uKl1/Tp3jKnX7qrrXNRsNirFHsG7JSKp1JULmcjOa0b+RzE9OH8wWXRN0A/cRZt5
TqDo2OygiOY=
=ItwP
- -----END PGP SIGNATURE-----
- ---------------------------END INCLUDED TEXT--------------------
This security bulletin is provided as a service to AusCERT's members. As
AusCERT did not write the document quoted above, AusCERT has had no control
over its content. The decision to use any or all of this information is
the responsibility of each user or organisation, and should be done so in
accordance with site policies and procedures.
NOTE: This is only the original release of the security bulletin. It will
not be updated when updates to the original are made. If downloading at
a later date, it is recommended that the bulletin is retrieved directly
from the original authors to ensure that the information is still current.
Contact information for the authors of the original document is included
in the Security Bulletin above. If you have any questions or need further
information, please contact them directly.
Previous advisories and external security bulletins can be retrieved from:
http://www.auscert.org.au/Information/advisories.html
If you believe that your system has been compromised, contact AusCERT or
your representative in FIRST (Forum of Incident Response and Security
Teams).
Internet Email: auscert@auscert.org.au
Facsimile: (07) 3365 7031
Telephone: (07) 3365 4417 (International: +61 7 3365 4417)
AusCERT personnel answer during Queensland business hours
which are GMT+10:00 (AEST).
On call after hours for emergencies.
-----BEGIN PGP SIGNATURE-----
Version: 2.6.3i
Charset: noconv
Comment: ftp://ftp.auscert.org.au/pub/auscert/AUSCERT_PGP.key
iQCVAwUBNisZ+Ch9+71yA2DNAQFk1gP+N+wcPNomDns9YKwFJEHvWB2unjIJo+1W
eM+y+NvVlxjQlGE3GwQSligoceUlKlFbx3rELxkvp347Yd+FW0rnSSpYBFVbWz+N
UV8/wpMVipxtcnKyOZbtu9AutXtwKnivM/kbsbqGJqhMgSEuA3KhR8cwGEEYl64m
uoIborgXo5I=
=TQlF
-----END PGP SIGNATURE-----