


Category:   Application (Generic)  >   Performance Co-Pilot (PCP)
Vendors:   SGI (Silicon Graphics)
(CIAC Issues Advisory L-099) Re: SGI's Performance Co-Pilot (PCP) Suite Lets Local Users Obtain Root Level Privileges on the Server
SecurityTracker Alert ID:  1001841
SecurityTracker URL:
CVE Reference:   GENERIC-MAP-NOMATCH
Date:  Jun 27 2001
Impact:   Execution of arbitrary code via local system
Fix Available:  Yes  Vendor Confirmed:  Yes  

Description:   A vulnerability has been reported in SGI's Performance Co-Pilot (PCP) system management framework that allows local users to get root level privileges.

The vulnerability is reportedly a symlink handling problem in the pmpost utility, designed to manage text messages. The pmpost utility will reportedly follow symlinks. If the linked file is configured with setuid root privileges, this will allow a local user to obtain root level privileges.

A demonstration exploit script is provided in the Source Message.

Impact:   A local user can obtain root level privileges on the host.
Solution:   The vendor has released a fix. See the Source Message for the CIAC advisory (which requires you to visit the CIAC web site for the bulletin contents).
Vendor URL: (Links to External Site)
Cause:   Access control error
Underlying OS:  Linux (Any), UNIX (Any)
Underlying OS Comments:  tested on SuSE 7.1

Message History:   This archive entry is a follow-up to the message listed below.
Jun 19 2001 SGI's Performance Co-Pilot (PCP) Suite Lets Local Users Obtain Root Level Privileges on the Server

 Source Message Contents

Subject:  CIAC Bulletin L-099: SGI PCP Pmpost Symlink Vulnerability

[For Public Release]


                       The U.S. Department of Energy
                     Computer Incident Advisory Center
                           ___  __ __    _     ___
                          /       |     /_\   /
                          \___  __|__  /   \  \___

                             INFORMATION BULLETIN

                      SGI PCP Pmpost Symlink Vulnerability

                     [SGI Security Advisory 20010601-01-A]

June 25, 2001 21:00 GMT                                           Number L-099
PROBLEM:       The pmpost command of the Performance Co-Pilot (PCP) suite has 
               a symlink handling vulnerability. If this runs in root context 
               (i.e., setuid root), this could result in root compromise. 
PLATFORM:      IRIX, Linux: PCP suite versions 2.1.11-5 and before. 
DAMAGE:        Depending on configuration, this could result in root 
SOLUTION:      Apply the described workaround. Pmpost appends the text message 
               to the end of the PCP notice board file (IRIX: 
               /var/adm/pcplog/NOTICES, Linux: /var/adm/pcp/NOTICES), so 
               changing the permissions as described in the workaround will 
               prevent non-root processes from appending to this file. 
VULNERABILITY  MEDIUM to HIGH, depending on configuration. This can be a 
ASSESSMENT:    remotely exploitable root compromise, if pmpost runs in root 

[******  Start SGI Advisory ******]

[******  End SGI Advisory ******]


CIAC wishes to acknowledge the contributions of SGI for the
information contained in this bulletin.

CIAC, the Computer Incident Advisory Center, is the computer
security incident response team for the U.S. Department of Energy
(DOE) and the emergency backup response team for the National
Institutes of Health (NIH). CIAC is located at the Lawrence Livermore
National Laboratory in Livermore, California. CIAC is also a founding
member of FIRST, the Forum of Incident Response and Security Teams, a
global organization established to foster cooperation and coordination
among computer security teams worldwide.

CIAC services are available to DOE, DOE contractors, and the NIH. CIAC
can be contacted at:
    Voice:    +1 925-422-8193 (7x24)
    FAX:      +1 925-423-8002
    STU-III:  +1 925-423-2604

Previous CIAC notices, anti-virus software, and other information are
available from the CIAC Computer Security Archive.

   World Wide Web:
   Anonymous FTP:

PLEASE NOTE: Many users outside of the DOE, ESnet, and NIH computing
communities receive CIAC bulletins.  If you are not part of these
communities, please contact your agency's response team to report
incidents. Your agency's team will coordinate with CIAC. The Forum of
Incident Response and Security Teams (FIRST) is a world-wide
organization. A list of FIRST member organizations and their
constituencies can be obtained via WWW at

This document was prepared as an account of work sponsored by an
agency of the United States Government. Neither the United States
Government nor the University of California nor any of their
employees, makes any warranty, express or implied, or assumes any
legal liability or responsibility for the accuracy, completeness, or
usefulness of any information, apparatus, product, or process
disclosed, or represents that its use would not infringe privately
owned rights. Reference herein to any specific commercial products,
process, or service by trade name, trademark, manufacturer, or
otherwise, does not necessarily constitute or imply its endorsement,
recommendation or favoring by the United States Government or the
University of California. The views and opinions of authors expressed
herein do not necessarily state or reflect those of the United States
Government or the University of California, and shall not be used for
advertising or product endorsement purposes.

LAST 10 CIAC BULLETINS ISSUED (Previous bulletins available from CIAC)

L-089: Windows Unchecked Buffer in Media Player .ASX Processor
L-090: Cisco 11000 Series Switch, Web Management Vulnerability
L-091: Microsoft Exchange Server Outlook Web Access Flaw
L-092: Microsoft Predictable Name Pipes In Telnet
L-093: HP-UX kmmodreg Vulnerability
L-094: BIND Inadvertent Local Exposure of HMAC-MD5 (TSIG) Keys
L-095: Microsoft SQL Query Method Vulnerability
L-096: Red Hat LPRng Vulnerability
L-097: Cisco 6400 NRP2 telnet Vulnerability
L-098: Microsoft Index Server ISAPI Extension Buffer Overflow
