SecurityTracker.com

SecurityTracker
Archives


 


Category:   Application (Generic)  >   Performance Co-Pilot (PCP)
Vendors:   SGI (Silicon Graphics)
(Information on Vulnerable SuSE Versions is Provided) Re: SGI's Performance Co-Pilot (PCP) Suite Lets Local Users Obtain Root Level Privileges on the Server
SecurityTracker Alert ID:  1001786
SecurityTracker URL:  http://securitytracker.com/id/1001786
CVE Reference:   GENERIC-MAP-NOMATCH
Date:  Jun 20 2001
Impact:   Execution of arbitrary code via local system
Vendor Confirmed:  Yes  

Description:   A vulnerability has been reported in SGI's Performance Co-Pilot (PCP) system management framework that allows local users to get root level privileges.

The SuSE vendor notes that the pmpost binary is contained in the package "pcp", as shipped with the distributions SuSE-7.0, 7.1 and 7.2.

The vendor also reports that in the distribution 7.0, /usr/share/pcp/bin/pmpost is not installed setuid root. In 7.1 and 7.2, pmpost _is_ setuid root and therefore exploitable.

For details of the vulnerability, see the Message History.

Impact:   A local user can obtain root level privileges on the host.
Solution:   No solution was available at the time of this entry; however, SuSE is working on a fix for SuSE distributions. A workaround is described in the Source Message.
Vendor URL:  oss.sgi.com/projects/pcp/
Cause:   Access control error
Underlying OS:  Linux (SuSE)
Underlying OS Comments:  tested on SuSE 7.1

Message History:   This archive entry is a follow-up to the message listed below.
Jun 19 2001 SGI's Performance Co-Pilot (PCP) Suite Lets Local Users Obtain Root Level Privileges on the Server



 Source Message Contents

Subject:  Re: pmpost - another nice symlink follower


Hi Paul,

> From: Paul Starzetz <paul@starzetz.de>
> To: "bugtraq@securityfocus.com" <bugtraq@securityfocus.com>
> Date: Mon, 18 Jun 2001 19:11:20 +0200
> Subject: pmpost - another nice symlink follower
>
> Hi,
>
> there is a symlink handling problem in the pcp suite from SGI. The
> binary pmpost will follow symlinks, if setuid root this leads to instant
> root compromise, as found on SuSE 7.1 (I doubt that this is a default SuSE
> package, though).
>
> Attached a simple C source to demonstrate this (gcc pm.c -o pm  then
> ./pm)

If you like, you can send me your phone number and I will call you during
the day to privately discuss things like vendor notification. Key for
encryption is appended.


The pmpost binary is contained in the package "pcp", as shipped with the
distributions SuSE-7.0, 7.1 and 7.2.

In the distribution 7.0, /usr/share/pcp/bin/pmpost is not installed setuid
root. In 7.1 and 7.2, pmpost _is_ setuid root and therefore exploitable.

The pcp package is not installed by default in any of the distributions.

As a temporary and permanent workaround, remove the setuid bits from the
two programs /usr/share/pcp/bin/pmpost and /usr/share/pcp/bin/pmkstat by
using the following command (as root):
  chmod a-s /usr/share/pcp/bin/*
A change to /etc/permissions* is not necessary because the two binaries
are not listed there. Users of the package might want to change ownerships
to make the functionality of the pmpost program available again.
Alternatively, users may want to delete the package if it is not used:
  rpm --nodeps -e pcp
There will be update packages on the ftp server shortly that have exactly
this "fix" applied.

Further details:

The source in src/libpcp/src/config.c reads
            if ((p = getenv(var)) != NULL)
                val = p;
for configuration items from /etc/pcp.conf and therefore trusts user
input/environment. The same applies for the environment variable PCP_CONF
that specifies the configuration file. This attitude towards treating user
input does not qualify for privileged execution. The actual open(2) call
in src/pmpost/pmpost.c (near "umask(022); /* is this just paranoid? */")
can't be fixed without completely ignoring the user-supplied environment
since open(2) can't guarantee that a path segment leading to the file is
not a symlink.

Thanks,
SuSE Security.
-- 
 -                                                                      -
  SuSE GmbH - Security           Phone: //       not enable user to fly."
 -                                                                      -


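The two points in the "Further details" part of the message, as an added C example that is not PCP code and not part of the original message: a setuid program should ignore environment overrides, and O_NOFOLLOW protects only the final path component, so the directory has to be fixed and trusted. The function names `running_privileged`, `conf_value` and `open_log_nofollow` are hypothetical.

```c
#define _GNU_SOURCE
#include <errno.h>
#include <fcntl.h>
#include <stdlib.h>
#include <string.h>
#include <sys/stat.h>
#include <unistd.h>

/* Setuid/setgid run: real and effective IDs differ. */
int running_privileged(void)
{
    return getuid() != geteuid() || getgid() != getegid();
}

/* The environment may override the config-file value only when the
 * process is unprivileged (hypothetical helper, not the PCP function). */
const char *conf_value(const char *var, const char *file_val, int privileged)
{
    const char *p = privileged ? NULL : getenv(var);
    return p != NULL ? p : file_val;
}

/* Append-open `name` inside a fixed directory. O_NOFOLLOW covers only the
 * final component, so `trusted_dir` must not be attacker-influenced and
 * `name` must be a bare file name. Returns an fd, or -1 with errno set. */
int open_log_nofollow(const char *trusted_dir, const char *name)
{
    struct stat st;
    int dfd, fd, saved;

    if (strchr(name, '/') != NULL) { errno = EINVAL; return -1; }
    dfd = open(trusted_dir, O_RDONLY | O_DIRECTORY | O_CLOEXEC);
    if (dfd < 0)
        return -1;
    fd = openat(dfd, name,
                O_WRONLY | O_APPEND | O_CREAT | O_NOFOLLOW | O_NONBLOCK, 0644);
    saved = errno;
    close(dfd);
    errno = saved;
    if (fd < 0)
        return -1;                  /* ELOOP when `name` is a symlink */
    /* Refuse anything that is not a singly linked regular file. */
    if (fstat(fd, &st) != 0 || !S_ISREG(st.st_mode) || st.st_nlink != 1) {
        close(fd);
        errno = EPERM;
        return -1;
    }
    return fd;
}
```

The check is only as strong as the directory: if an unprivileged user can write to `trusted_dir` or to any of its parents, the final-component protection can still be bypassed, which is the limitation the message describes.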



 
 



Copyright 2020, SecurityGlobal.net LLC