
irix.midikeys.txt

Date: 17 Aug 1999 00:00:00 | Reported by: Packet Storm | Type: packetstorm | Source: packetstormsecurity.com

The setuid-root IRIX midikeys program opens its file browser and text editor as root, so any local account (the unpassworded guest account included) can read and modify any file on the system, /etc/passwd among them.

Date: Wed, 19 May 1999 11:25:59 -0400  
From: Larry W. Cashdollar <[email protected]>  
To: [email protected]  
Subject: IRIX midikeys root exploit.  
  
Aleph1,  
Please forgive me if this has already been on this list. I searched  
geek-girl with no luck. I have been auditing our IRIX boxes and found what I  
believe to be a new vulnerability.  
  
On IRIX 6.5 systems (IRIX Release 6.5 IP28 )  
# uname -a  
IRIX64 devel 6.5 05190004  
  
The setuid root binary midikeys can be used to read any file on the  
system using its gui interface. It can also be used to edit any file on the  
system. I was able to get from guest account access to root access using the  
following procedure.  
  
  
1) Choose an unpassworded account and telnet in. I like guest or lp.  
  
devel 25% id  
uid=998 gid=998(guest)  
  
  
2) Execute the midikeys application with display set to your host.  
  
devel 26% ./midikeys  
devel 27% Xlib: extension "GLX" missing on display "grinch:0.0".  
Xlib: extension "GLX" missing on display "grinch:0.0".  
  
  
3) under the midikeys window click sounds and then midi songs. This will   
open a file manager type interface.  
  
4) You can enter the path and filename of files you wish to read,  
including root-owned ones with group/world read/write permissions unset.  
  
5) If you select a file like "/usr/share/data/music/README" it will  
appear in a text editor. Use the text editor to open /etc/passwd and  
make modifications at will. Save and enjoy.  
  
So I removed the '*' from sysadm...  
  
$ su sysadm  
# id  
uid=0(root) gid=0(sys)  
  
devel 28% ls -l /usr/sbin/midikeys  
-rwsr-xr-x 1 root root 218712 Jan 10 17:19 /usr/sbin/midikeys  
  
  
I have tested this on 2 IRIX 6.5 hosts with success. A patch exists for  
startmidi and stopmidi buffer overflows.  
  
More info on previous patch:  
ftp://sgigate.sgi.com/security/19980301-01-PX).  
  
However, I didn't find any for midikeys.  
  
  
-- Larry W. Cashdollar  
UNIX/Security Operations.  
Computer Sciences Corporation.  
  
---------------------------------------------------------------------------------  
  
Date: Thu, 20 May 1999 11:49:11 +0200  
From: Erik Mouw <[email protected]>  
To: [email protected]  
Subject: Re: IRIX midikeys root exploit.  
  
Larry W. Cashdollar wrote:  
> Please forgive me if this has already been on this list. I searched  
> geek-girl with no luck. I have been auditing our IRIX boxes and found what I  
> believe to be a new vulnerability.  
>  
> On IRIX 6.5 systems (IRIX Release 6.5 IP28 )  
> # uname -a  
> IRIX64 devel 6.5 05190004  
>  
> The setuid root binary midikeys can be used to read any file on the  
> system using its gui interface. It can also be used to edit anyfile on the  
> system. I was able to get from guest account access to root access using the  
> following procedure.  
>  
>  
> 1) Choose an unpassworded account and telnet in. I like guest or lp.  
>  
> devel 25% id  
> uid=998 gid=998(guest)  
  
Unpassworded account? That's a known (and documented) feature on IRIX  
systems. First thing you do when you unpack an IRIX box: set a root  
password and disable the open accounts (EZsetup, OutOfBox, lp, guest,  
4Dgifts, sgiweb). There's even an entry in the "System manager" to do it.  
  
You just need an account to gain root privileges; it's not limited to the  
unpassworded accounts, any normal user could use this exploit.  
  
> 2) Execute the midikeys application with display set to your host.  
>  
> devel 26% ./midikeys  
> devel 27% Xlib: extension "GLX" missing on display "grinch:0.0".  
> Xlib: extension "GLX" missing on display "grinch:0.0".  
>  
>  
> 3) under the midikeys window click sounds and then midi songs. This will  
> open a file manager type interface.  
>  
> 4) You can enter the path and filename of files you which to read.  
> including root owned with group/world read/write permissions unset.  
>  
> 5) If you select a file like "/usr/share/data/music/README" it will  
> appear in a text editor. Use the text editor to open /etc/passwd and  
> make modifications at will. Save and enjoy.  
>  
> So I removed the '*' from sysadm...  
>  
> $ su sysadm  
> # id  
> uid=0(root) gid=0(sys)  
>  
> devel 28% ls -l /usr/sbin/midikeys  
> -rwsr-xr-x 1 root root 218712 Jan 10 17:19 /usr/sbin/midikeys  
>  
>  
> I have tested this on 2 IRIX 6.5 hosts with success. A patch exists for  
> startmidi and stopmidi buffer overflows.  
  
Verified to work on an O2 running IRIX 6.3:  
uname -aR  
IRIX o2 6.3 O2 R10000 12161207 IP32  
  
And on an Octane running IRIX 6.5.3:  
uname -aR  
IRIX64 octane 6.5 6.5.3m 01221553 IP30  
  
Editor was XEmacs, but that doesn't really matter.  
  
  
Erik  
(strictly speaking for myself)  
  
--  
J.A.K. (Erik) Mouw, Information and Communication Theory Group, Department  
of Electrical Engineering, Faculty of Information Technology and Systems,  
Delft University of Technology, PO BOX 5031, 2600 GA Delft, The Netherlands  
Phone: +31-15-2785859 Fax: +31-15-2781843 Email [email protected]  
WWW: http://www-ict.its.tudelft.nl/~erik/  
  
---------------------------------------------------------------------------  
  
Date: Fri, 21 May 1999 10:56:33 -0400  
From: Larry W. Cashdollar <[email protected]>  
To: [email protected]  
Subject: IRIX midikeys vulnerability list.  
  
I am attempting to compile a list of vulnerable systems for this exploit. I would like  
to provide as much information to SGI as possible. Here is what I have found so  
far.  
  
Erik Mouw Email [email protected] |  
---------------------------------------------|  
Verified to work on an O2 running IRIX 6.3: |  
uname -aR  
IRIX o2 6.3 O2 R10000 12161207 IP32  
  
And on an Octane running IRIX 6.5.3:  
uname -aR  
IRIX64 octane 6.5 6.5.3m 01221553 IP30  
  
Larry W. Cashdollar [email protected] |   
----------------------------------------------|  
Verified on an ONYX/2 running IRIX 6.5.  
uname -aR  
IRIX64 onyx 6.5 05190003 IP27  
  
Verified on an Indigo running IRIX 6.5.   
uname -aR  
IRIX64 flier 6.5 05190004 IP28  
  
I was unable to test this on our IRIX 6.2 box.  
/usr/sbin/midikeys does exist and it is setuid  
root however.  
  
Anthony C . Zboralski [email protected] |  
----------------------------------------------|   
It works on latest 6.5.4 maintenance release: |  
IRIX ra 6.5 04151556 IP32 mips  
  
  
  
Larry W. Cashdollar  
  
Unix Administrator  
Computer Security Operations  
  
---------------------------------------------------------------------------  
  
Date: Thu, 20 May 1999 19:08:44 -0600  
From: Philipp Schott <[email protected]>  
To: [email protected]  
Subject: Re: IRIX midikeys root exploit.  
  
On May 20, 11:49am, Erik Mouw wrote:  
> Subject: Re: IRIX midikeys root exploit.  
>  
> Verified to work on an O2 running IRIX 6.3:  
> uname -aR  
> IRIX o2 6.3 O2 R10000 12161207 IP32  
>  
> And on an Octane running IRIX 6.5.3:  
> uname -aR  
> IRIX64 octane 6.5 6.5.3m 01221553 IP30  
>  
> Erik  
> (strictly speaking for myself)  
>  
  
how's the package called, that includes "midikeys"??  
on all boxes (5.3, 6.3, 6.4, 6.5.2) i've checked there is no such program.  
but there is start-/stopmidi.  
  
philipp  
  
--  
===============================================================  
Philipp M. W. Schott  
Institute for Applied Mathematics Fon: +49 (0)761/203-5626  
Hermann-Herder-Str. 10 Fax: +49 (0)761/203-5632  
Freiburg University smtp: [email protected]  
D-79104 Freiburg http: www.pmws.de  
===============================================================  
  
---------------------------------------------------------------------------  
  
Date: Fri, 21 May 1999 08:55:01 +0200  
From: Björn Torkelsson <[email protected]>  
To: [email protected]  
Subject: Re: IRIX midikeys root exploit.  
  
Erik Mouw <[email protected]> writes:  
  
> > I have tested this on 2 IRIX 6.5 hosts with success. A patch exists for  
> > startmidi and stopmidi buffer overflows.  
>  
> Verified to work on an O2 running IRIX 6.3:  
> uname -aR  
> IRIX o2 6.3 O2 R10000 12161207 IP32  
>  
> And on an Octane running IRIX 6.5.3:  
> uname -aR  
> IRIX64 octane 6.5 6.5.3m 01221553 IP30  
  
Verified to work on an O2 running IRIX 6.5.3.  
  
After a chmod u-s midikeys, midikeys still works, at least after a very  
quick test. Does anybody know why midikeys is setuid root?  
  
Is this reported to SGI?  
  
/torkel  
  
---------------------------------------------------------------------------  
  
Date: Fri, 21 May 1999 09:04:47 -0700  
From: Steve Allen <[email protected]>  
To: [email protected]  
Subject: Re: IRIX midikeys root exploit.  
  
On May 20, 7:08pm, Philipp Schott wrote:  
>how's the package called, that includes "midikeys"??  
>on all boxes (5.3, 6.3, 6.4, 6.5.2) i've checked there is no such program.  
>but there is start-/stopmidi.  
  
  
dmedia_eoe.sw.synth  
  
  
Steve  
  
  
--  
Steven R. Allen - [email protected] -- SGI Admin Weenie  
http://www.eskimo.com/~wormey/ ICQ# 6709819  
Contrary to popular belief, Unix is user friendly.  
It just happens to be selective about who it makes friends with.  
  
---------------------------------------------------------------------------  
  
Date: Fri, 21 May 1999 21:26:22 GMT  
From: SGI Security Coordinator <[email protected]>  
Reply-To: [email protected]  
To: [email protected]  
Subject: IRIX midikeys Vulnerability  
  
-----BEGIN PGP SIGNED MESSAGE-----  
  
______________________________________________________________________________  
SGI Security Advisory  
  
Title: IRIX midikeys Vulnerability  
Number: 19990501-01-A  
Date: May 21, 1999  
______________________________________________________________________________  
  
SGI provides this information freely to the SGI user community for its  
consideration, interpretation, implementation and use. SGI recommends  
that this information be acted upon as soon as possible.  
  
SGI provides the information in this Security Advisory on an "AS-IS" basis  
only, and disclaims all warranties with respect thereto, express, implied  
or otherwise, including, without limitation, any warranty of merchantability  
or fitness for a particular purpose. In no event shall SGI be liable for  
any loss of profits, loss of business, loss of data or for any indirect,  
special, exemplary, incidental or consequential damages of any kind arising  
from your use of, failure to use or improper use of any of the instructions  
or information in this Security Advisory.  
______________________________________________________________________________  
  
  
SGI acknowledges the publicly reported IRIX midikeys vulnerability and is  
currently investigating.  
  
For the protection of all our customers, SGI does not disclose, discuss  
or confirm vulnerabilities until a full investigation has occurred and  
any necessary patch(es) or release streams are available for all vulnerable  
and supported Unicos and IRIX operating systems.  
  
Until SGI has more definitive information to provide, customers  
are encouraged to assume all security vulnerabilities as exploitable and take  
appropriate steps according to local site security policies and requirements.  
  
Steps to remove setuid on the IRIX midikeys program are found in the  
Temporary Solution section below. No further information is available at  
this time.  
  
As further information becomes available, additional advisories will be  
issued via the normal SGI security information distribution methods  
including the wiretap mailing list.  
  
  
- ----------------------------  
- ----- Temporary Solution ---  
- ----------------------------  
  
The steps below can be used to remove setuid from the IRIX midikeys(1)  
program.  
  
================  
**** NOTE ****  
================  
  
Removal of the setuid permission disables functionality that  
is not implemented or utilized at this time.  
  
1) Verify midikeys(1) is installed on the system.  
It is installed by default on IRIX 6.2 and higher.  
Note that the program size may vary depending on IRIX release.  
  
% ls -la /usr/sbin/midikeys  
-rwsr-xr-x 1 root sys 218712 Mar 8 14:57 /usr/sbin/midikeys  
  
2) Become the root user on the system.  
  
% /bin/su -  
Password:  
#  
  
3) Change the permissions on the program.  
  
# /bin/chmod 555 /usr/sbin/midikeys  
  
4) Verify the new permissions on the program.  
  
# ls -la /usr/sbin/midikeys  
-r-xr-xr-x 1 root sys 218712 May 20 13:57 /usr/sbin/midikeys  
  
5) Return to previous level.  
  
# exit  
%  
  
  
- -----------------------------------------  
- --- SGI Security Information/Contacts ---  
- -----------------------------------------  
  
If there are questions about this document, email can be sent to  
[email protected].  
  
------oOo------  
  
SGI provides security information and patches for use by the entire  
SGI community. This information is freely available to any person  
needing the information and is available via anonymous FTP and the Web.  
  
The primary SGI anonymous FTP site for security information and patches  
is sgigate.sgi.com (204.94.209.1). Security information and patches  
are located under the directories ~ftp/security and ~ftp/patches,  
respectively. The SGI Security Headquarters Web page is accessible at  
the URL http://www.sgi.com/Support/security/security.html .  
  
For issues with the patches on the FTP sites, email can be sent to  
[email protected].  
  
For assistance obtaining or working with security patches, please  
contact your SGI support provider.  
  
------oOo------  
  
SGI provides a free security mailing list service called wiretap and  
encourages interested parties to self-subscribe to receive (via email) all  
SGI Security Advisories when they are released. Subscribing to the mailing  
list can be done via the Web (http://www.sgi.com/Support/security/wiretap.html)  
or by sending email to SGI as outlined below.  
  
% mail [email protected]  
subscribe wiretap <YourEmailAddress>  
end  
^d  
  
In the example above, <YourEmailAddress> is the email address that you  
wish the mailing list information sent to. The word end must be on a  
separate line to indicate the end of the body of the message. The  
control-d (^d) is used to indicate to the mail program that you are  
finished composing the mail message.  
  
  
------oOo------  
  
SGI provides a comprehensive customer World Wide Web site. This site is  
located at http://www.sgi.com/Support/security/security.html .  
  
------oOo------  
  
For reporting *NEW* SGI security issues, email can be sent to  
[email protected] or contact your SGI support provider. A  
support contract is not required for submitting a security report.  
  
______________________________________________________________________________  
This information is provided freely to all interested parties and  
may be redistributed provided that it is not altered in any way,  
SGI is appropriately credited and the document retains and includes  
its valid PGP signature.  
  
-----BEGIN PGP SIGNATURE-----  
Version: 2.6.2  
  
iQCVAwUBN0XOZ7Q4cFApAP75AQFAXQP/XPq9JyXVm8xiPDjxF327yZ8QAF3u1OF6  
27Z+wIW01G6XKo0Hfu1mPVV0DNQnuKA8NQHST6iQ8F3CnwMI8Ue2RxMMDursQ19Q  
X9FkoIJCHveDWlJwExwR99Gek/rG/pRT4ZizqvaT87ac4yLqK/4IGzo/WUJXxJT1  
zhD9saxG/Z8=  
=QQ8H  
-----END PGP SIGNATURE-----  
  
---------------------------------------------------------------------------  
  
Date: Fri, 21 May 1999 16:39:18 -0700  
From: Aleph One <[email protected]>  
To: [email protected]  
Subject: Re: IRIX midikeys vulnerability list.  
  
This is a summary of some of the responses to this thread. It seems  
that whether or not you use a vi or some other editor makes a difference.  
Would the people that reported it as not working please repeat their  
test using a different editor? Thank you.  
  
  
From Jean-Francois Malouin <[email protected]>:  
  
dmedia_eoe.sw.synth ( at least on IRIX 6.5.3m).  
  
Following the aforementioned recipe, I tried to modify some system files  
on an Octane IP30 running 6.5.3m but to no avail. hmmmm, I see that same  
system as being reported vulnerable...  
  
# uname -Ra  
# IRIX64 6.5 6.5.3m 01221553 IP30  
  
From Jeremy Hinegardner <[email protected]>:  
  
I have tested the exploit on a couple of Octanes, and  
it seems to be fixed in the IRIX 6.5.3 feature stream.  
  
Our machines using 6.5.3f were not vulnerable.  
Both the filemanager and the editor ran as the user  
no root.  
  
Verified to work on Octane running IRIX 6.4  
uname -aR  
IRIX64 octane 6.4 S2MP+OCTANE 02121744 IP30  
  
Verified to NOT work on Octane running IRIX 6.5.3f  
uname -aR  
IRIX64 octane 6.5 6.5.3f 01221643 IP30  
  
The IRIX 6.5.4 streams are available for download,  
anyone try them?  
  
From J.A. Gutierrez <[email protected]>:  
  
* verified:  
  
IRIX64 IRIX 6.5.3f  
(editor (jot) runs as root)  
|-+------- 1147467 root midikeys  
| \-+----- 1150492 root dirview /usr/share/data/music  
| \----- 1152654 root fmserv sgonyx.ita.es:1.0  
  
  
* Didn't work at first  
  
IRIX 6.2 where midikeys is from dmedia_eoe.sw.synth  
(editor (vi) runs as user)  
  
But if you open an X11 editor (gvim), it will run as root,  
and you will be able to edit anything, again...  
  
From eLement <[email protected]>:  
  
The vulnerability is verified to work on  
  
uname -aR  
IRIX eLement 6.3 O2 R10000 12161207 IP32  
  
>From Klaus <[email protected]>  
  
The machine on my desk:  
  
IRIX grimlock 6.5 6.5.2m 11051733 IP32  
  
didn't seem to be vulnerable, but I don't have nedit installed; vi didn't  
preserve my setuid from midikeys.  
  
However, on a machine -with- nedit,  
  
IRIX jazz 6.5 6.5.2m 11051733 IP32  
  
I was able to replicate it. I was also able to replicate the exploit using  
jot (another window based text editor).  
  
So the exploit seems to revolve around the use of an editor that doesn't  
require a terminal device; opening a tty to run the editor (although I'm  
not 100% on how gvim works in that respect) seems to reset the effective  
UID.  
  
  
--  
Aleph One / [email protected]  
http://underground.org/  
KeyID 1024/948FD6B5  
Fingerprint EE C9 E8 AA CB AF 09 61 8C 39 EA 47 A8 6A B8 01  
  
---------------------------------------------------------------------------  
  
Date: Thu, 27 May 1999 14:20:50 -0400  
From: Pawel K. Peczak <[email protected]>  
To: [email protected]  
Subject: Re: IRIX midikeys Vulnerability  
  
As a comment on Aleph's recent summary of the responses to the IRIX  
midikeys vulnerability (http://www.geek-girl.com/bugtraq/1999_2/0518.html)  
let me add my own observation.  
  
It turns out that one does not need any particular text editor  
to exploit the vulnerability. That's because of a nice "feature" of  
the desktop environment variable WINEDITOR that can be set to any system  
command, e.g., "/bin/chmod 4755 /tmp/bsh" (where /tmp/bsh is just  
a root-owned copy of Bourne shell).  
  
This can be done on both irix 6.2 (e.g., using toolchest -> Desktop  
-> Customize ->Desktop ->Default Editor: Other...) and on  
irix 6.5 (toolchest -> Desktop -> Customize -> Utilities -> Text Editor:  
Other...). After setting WINEDITOR (which can be verified by inspecting  
~/.desktop-hostname/desktopenv) the exploit follows the well-known path  
by running midikeys, opening a file manager, etc.  
  
Using this method I was able to gain root access (via a local account)  
on two systems running irix 6.2 and 6.5.3m. I suspect that any system  
running irix 6.2 or higher with suid midikeys program may be vulnerable.  
  
To remove the vulnerability one should immediately remove suid from  
the IRIX midikeys program, as suggested in the recent SGI Security  
Advisory 19990501-01-A.  
  
  
Pawel Peczak [email protected]  
  
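The defect the thread circles around, from Larry's original recipe through the ps listing showing dirview and fmserv running as root, Klaus's note that only editors without a tty kept the privilege, and Pawel's WINEDITOR trick, is the same one: a setuid-root program hands its effective uid 0 to whatever child it launches, and lets the user pick that child. The following is an added example, not midikeys source or any SGI code: a privileged launcher written the vulnerable way beside a hardened one that allowlists the editor, drops to the invoking user's ids in the child and verifies the drop before exec. The editor paths in the allowlist and the WINEDITOR handling are assumptions modelled on the thread, not IRIX internals.

```c
/* Added example: privileged editor launcher, vulnerable and hardened forms.
 * Not midikeys code; paths and WINEDITOR handling are assumptions. */
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <unistd.h>
#include <sys/types.h>
#include <sys/wait.h>

/* Editors a setuid program may hand a file to. Absolute paths only, so the
 * request is never resolved through a caller-controlled PATH. The two
 * entries are assumed for this example, not taken from an IRIX install. */
static const char *const allowed_editors[] = { "/usr/bin/vi", "/usr/sbin/jot", NULL };

/* VULNERABLE pattern, modelled on the thread: whatever the desktop put in
 * WINEDITOR goes to a shell while the effective uid is still 0, so a value
 * such as "/bin/chmod 4755 /tmp/bsh" runs as root. Shown only for contrast. */
int launch_editor_unsafe(const char *file)
{
    const char *ed = getenv("WINEDITOR");
    char cmd[512];

    if (ed == NULL)
        ed = "vi";
    snprintf(cmd, sizeof cmd, "%s %s", ed, file);
    return system(cmd);                 /* shell + inherited euid 0 */
}

/* Map a requested editor onto the allowlist. Returns the canonical path or
 * NULL when the request is relative, carries shell metacharacters or is not
 * on the list. A refused request is the correct outcome for Pawel's payload. */
const char *select_editor(const char *requested)
{
    size_t i;

    if (requested == NULL || requested[0] != '/')
        return NULL;
    if (strpbrk(requested, " \t\n;&|`$<>()") != NULL)
        return NULL;
    for (i = 0; allowed_editors[i] != NULL; i++)
        if (strcmp(requested, allowed_editors[i]) == 0)
            return allowed_editors[i];
    return NULL;
}

/* Give up setuid privilege for good: real, effective and saved ids all become
 * the invoking user's. The drop is checked, because a setuid()/setgid() that
 * fails silently would leave the child running as root anyway.
 * Returns 0 on success, -1 on failure. */
int drop_privileges(void)
{
    uid_t uid = getuid();
    gid_t gid = getgid();

    if (setgid(gid) != 0)               /* group first, while still root */
        return -1;
    if (setuid(uid) != 0)
        return -1;
    if (geteuid() != uid || getegid() != gid)
        return -1;
    if (uid != 0 && setuid(0) == 0)     /* regaining root must now fail */
        return -1;
    return 0;
}

/* HARDENED pattern: allowlisted editor, privileges dropped in the child before
 * exec, no shell and no PATH search. Returns the editor's exit status, or -1
 * when the request is refused or the child could not be run. */
int launch_editor_safe(const char *requested_editor, const char *file)
{
    const char *ed = select_editor(requested_editor);
    pid_t pid;
    int status;

    if (ed == NULL)
        return -1;
    pid = fork();
    if (pid < 0)
        return -1;
    if (pid == 0) {
        if (drop_privileges() != 0)
            _exit(126);                 /* never exec with a failed drop */
        execl(ed, ed, file, (char *)NULL);
        _exit(127);
    }
    if (waitpid(pid, &status, 0) < 0)
        return -1;
    return WIFEXITED(status) ? WEXITSTATUS(status) : -1;
}

int main(int argc, char **argv)
{
    const char *requested = getenv("WINEDITOR");
    const char *file = argc > 1 ? argv[1] : "/usr/share/data/music/README";

    if (select_editor(requested) == NULL) {
        fprintf(stderr, "refusing editor request: %s\n", requested ? requested : "(unset)");
        return 1;
    }
    return launch_editor_safe(requested, file) == 0 ? 0 : 1;
}
```

Two points worth noting: the privilege drop happens in the child rather than the parent, because a program like midikeys presumably still needs root for whatever it was made setuid for, while none of its helpers (file browser, editor, file-manager server) do; and the drop is verified rather than assumed, since on a setuid-root binary a silently failed setuid() is exactly the case an attacker wants. Removing the setuid bit, as SGI's advisory recommends, remains the right fix for a binary whose privileged functionality is unused.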
