(ISS Issues Advisory) Re: SGI's IRIX Allows Remote Users to Execute Arbitrary Code on the Server with Root-Level Privileges Using the Embedded Support Partner (ESP) Application (Installed By Default on IRIX Systems)
SecurityTracker Alert ID: 1001547|
SecurityTracker URL: http://securitytracker.com/id/1001547
(Links to External Site)
Date: May 15 2001
Execution of arbitrary code via network, Root access via network|
Fix Available: Yes Vendor Confirmed: Yes |
Version(s): 6.5.5 6.5.8|
Internet Security Systems released an advisory for SGI's IRIX Embedded Support Partner application, warning that it contains a buffer overflow and can allow remote users to execute arbitrary code with root level privileges on the server.|
A buffer overflow is reported in the rpc.espd component of the Embedded Support Partner (ESP) subsystem. ESP is apparently installed and enabled by default on all current SGI IRIX installations.
ESP is an application used for managing multiple SGI devices on a network.
A remote user can execute arbitrary code with root level privileges on the server, thereby gaining root level access to the server.|
SGI recommends immediately disabling rpc.espd to prevent exposure before patches can be applied. SGI has made security patch 4123 available to address this vulnerability. See the Vendor URL for information on the patch.|
Vendor URL: www.sgi.com/support/security/ (Links to External Site)
|Underlying OS: UNIX (SGI/IRIX)|
This archive entry is a follow-up to the message listed below.|
Source Message Contents
Subject: ISS Advisory: Remote Buffer Overflow Vulnerability in IRIX Embedded Support Partner Infrastructure|
-----BEGIN PGP SIGNED MESSAGE-----
Internet Security Systems Security Advisory
May 9, 2001
Remote Buffer Overflow Vulnerability in IRIX Embedded Support Partner
of the Embedded Support Partner (ESP) subsystem. ESP is installed and
enabled by default on all current SGI IRIX installations.
to execute arbitrary commands on a vulnerable host. A local account is
not required to exploit this vulnerability.
ESP was developed by SGI to address the concerns of many system
administrators who needed to manage large-scale SGI environments. ESP
allows administrators better access to information regarding the state
of all SGI devices on a network. It integrates and correlates system
configuration management, event management, resource management,
reporting, statistics generation and analysis as well as many other
ESP was first introduced in IRIX version 6.5.5. The ESP daemon,
rpc.espd, contains a buffer overflow condition that may allow remote
attackers to execute arbitrary commands with super user privileges on
the target server.
SGI recommends immediately disabling rpc.espd to prevent exposure before
patches can be applied. To disable rpc.espd:
1. Become the root user on the system.
% /bin/su -
2. Change the permissions on the rpc.espd daemon.
# /bin/chmod -x /usr/etc/rpc.espd
3. Restart inetd to kill any vulnerable running daemons.
# /etc/killall -HUP inetd
4. Return to previous level.
SGI has made security patch 4123 available to address this
vulnerability. SGI security patches can be found at:
ISS X-Force recommends that all unused daemons or services be disabled
to prevent exposure to both known and unknown vulnerabilities.
security assessment system, Internet Scanner, will have signatures
available for this vulnerability in upcoming X-Press Updates.
SGI Services and Support website:
SGI Services and Support, Security homepage:
The Common Vulnerabilities and Exposures (CVE) project has assigned the
name CAN-2001-0331 to this issue. This is a candidate for inclusion in
the CVE list (http://cve.mitre.org), which standardizes names for
This vulnerability was discovered and researched by Mark Dowd of ISS
X-Force. Internet Security Systems would like to thank SGI for their
response and handling of this vulnerability.
About Internet Security Systems (ISS)
Internet Security Systems (ISS) is a leading global provider of security
management solutions for the Internet. By providing industry-leading
SAFEsuite security software, remote managed security services, and
strategic consulting and education offerings, ISS is a trusted security
provider to its customers, protecting digital assets and ensuring safe
and uninterrupted e-business. ISS' security management solutions protect
more than 5,500 customers worldwide including 21 of the 25 largest U.S.
commercial banks, 10 of the largest telecommunications companies and
over 35 government agencies. Founded in 1994, ISS is headquartered in
Atlanta, GA, with additional offices throughout North America and
international operations in Asia, Australia, Europe, Latin America and
the Middle East. For more information, visit the Internet Security
Systems web site at www.iss.net or call 888-901-7477.
Copyright (c) 2001 Internet Security Systems, Inc.
Permission is hereby granted for the redistribution of this Alert
electronically. It is not to be edited in any way without express
consent of the X-Force. If you wish to reprint the whole or any part of
this Alert in any other medium excluding electronic medium, please
e-mail firstname.lastname@example.org for permission.
The information within this paper may change without notice. Use of this
information constitutes acceptance for use in an AS IS condition. There
are NO warranties with regard to this information. In no event shall the
author be liable for any damages whatsoever arising out of or in
connection with the use or spread of this information. Any use of this
information is at the user's own risk.
X-Force PGP Key available at: http://xforce.iss.net/sensitive.php
as well as on MIT's PGP key server and PGP.com's key server.
Please send suggestions, updates, and comments to: X-Force
email@example.com of Internet Security Systems, Inc.
-----BEGIN PGP SIGNATURE-----
-----END PGP SIGNATURE-----