Another stupid SGI hole

Summary

Description:	By default SGIs (IRIX 6.3, probably 6.4) will take files of type application/x-sgi-exec or application/x-sgi-task and allow them to run /sr/sysadm commands. Thus you can put a malicous file on your web page and hack root on SGI boxes that connect to it.
Author:	Arthur Hagen <art@kether.global-one.no>
Compromise:	Trojan a webpage to gain access to the accounts of SGI users who visit it.
Vulnerable Systems:	SGI IRIX 6.3, probably 6.4
Date:	1 August 1997

Details

Date: Mon, 4 Aug 1997 12:15:41 +0300
From: "Arthur Hagen (Forwarded by Kari Hurtta)" <art@KETHER.GLOBAL-ONE.NO>
To: BUGTRAQ@NETSPACE.ORG
Subject: comp.sys.sgi.bugs: YET another security alert (sigh)

  [ Part 1: "Included Message" ]

Date: 1 Aug 1997 04:40:27 GMT
From: Arthur Hagen <art@kether.global-one.no>
To: security-alert@sgi.com
Cc: support@oslo.sgi.com
Newsgroups: comp.sys.sgi.bugs, comp.sys.sgi.admin
Subject: YET another security alert (sigh)

I just discovered that I can gain access to any IRIX 6.3 (and probably 6.4)
machine by making a cgi script emulating the .tdf files in /usr/sysadm.
The principle is simple - you make the cgi script use a mime type
similar to an .edf or .tdf file (application/x-sgi-exec or
application/x-sgi-task), and make the file name contain spaces and
look quite similar to SaAddUserTask.tdf (or even SaModifyMyPassword.tdf),
with the only difference being it containing the arguments too.
If writing a cgi script to do this is too awkward, you can do this hack
by simply installing a different web server than Netscape and modify
the file type.  Apache works fine.  Basically, you make the server
give one of the application types described above, and instruct it
to execute one of the *legal* commands in /usr/sysadm when someone
connects, with arguments enough to make it lethal.  Then make a link
to it (with the spaces in the link - %20 is a space in HTML) from
another page.  Then you just wait for someone with an SGI to access that
file.  Now, what I ask myself is:
Is that *huge* security hole, which is much like ActiveX a deliberate
thing from SGI, or didn't the people who made it know that SGI users
could access web pages beyond the local trusted LAN?
Was /usr/sysadm/* made by the same people who made the
(now thankfully obsolete) objectserver?

To everyone with IRIX 6.3+:  To feel a BIT safer, open the "General
Preferences" in Netscape, and change the actions for "x-sgi-task" and
"x-sgi-exec" to "Unknown - prompt user".
This means you won't be able to use some of the sysadm pages on the
server at port 2077, but that's no big worry.  You can do everything
from root anyhow, and the 2077 server is by default running with access
allowed from the whole world with root access, so it's a security bug
in itself.  So call do the above mods (preferably to the file
/usr/local/lib/netscape/mailcap as well), then "chkconfig webface off",
and even better, "chkconfig privileges off", and then call SGI and tell
them what you think about their Mickey Mouse attitude towards security.

(It took me almost 40 minutes to hack root with a .tdf file.  I'm thick,
so it took me a while to figure out how.  I'm sure someone else can do
better.  To my knowledge, it does work for ANY 6.3+ client with a
privileged user accessing a remote web page set up for hacking SGI's.)

I *do* hope that SGI takes this seriously, and issues a warning that
people who are accessing the internet (or anything outside the trusted
LAN) should NOT run webface or privileges.  Even if it means losing
face for some SGI developers.

Regards,
--
*Art

More Exploits!

The master index of all exploits is available here (Very large file)
Or you can pick your favorite operating system:

All OS's	Linux	Solaris/SunOS	Micro$oft
*BSD	Macintosh	AIX	IRIX
ULTRIX/Digital UNIX	HP/UX	SCO	Remote exploits

This page is part of Fyodor's exploit world. For a free program to automate scanning your network for vulnerable hosts and services, check out my network mapping tool, nmap. Or try these Insecure.Org resources: