[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

IRIX :fam vulnerability



-----BEGIN PGP SIGNED MESSAGE-----

                     ######    ##   ##    ######
                     ##        ###  ##      ##
                     ######    ## # ##      ##
                         ##    ##  ###      ##
                     ###### .  ##   ## .  ######.

                         Secure Networks Inc.

                          Security Advisory

                            July 14, 1997

                  Silicon Graphics IRIX fam service


This advisory describes a vulnerability present in the IRIX operating
system which allows non-local users to obtain directory listings
on remote filesystems.


Problem Description
~~~~~~~~~~~~~~~~~~~

IRIX workstations commonly run a service known as "fam" (file alteration
monitor).  This service allows any user to obtain a complete listing of
files and directories on vulnerable systems.


Technical Details
~~~~~~~~~~~~~~~~~

The fam service, RPC program 391002, is used by other programs to keep
track of file modifications.  When a program initially connects to the
fam server, it passes the fam server the name of a file or directory to
watch.  If the fam server is passed a directory, it immediately gives
the client a complete list of files and subdirectories in that directory.
By passing the fam server a request to monitor the root directory, and
following subdirectories from there, an attacker can remotely obtain a
complete list of files on the system.

The fam server should restrict access to legitimate NFS clients, and
enforce access control to prevent local users from listing each others
files.


Impact
~~~~~~

Attackers can remotely obtain a complete list of files and directories on
a Silicon Graphics IRIX system running a fam server.


Vulnerable Systems
~~~~~~~~~~~~~~~~~~

All Silicon Graphics IRIX systems running the fam server are vulnerable.
To determine whether your workstation is running this service, type:

% /usr/etc/rpcinfo -p | grep 391002

If you are vulnerable, you will see a line as follows:

    391002    1   tcp   1051  sgi_fam

If no output is generated, then you are not running a fam server.  Any
other type of output, such as an error message, probably indicates that
you are either specifying the wrong directory for the rpcinfo program,
or that there are no rpc services running at all.


Fix information
~~~~~~~~~~~~~~~

If you do not use any programs, such as the IRIX file manager, fm(1G),
or mailbox(1), which require fam, you can disable the fam service by
commenting out the entry for it in /etc/inetd.conf, and rebooting.

Silicon Graphics has been notified of this problem and recommends
that sites concerned about security disable the fam service.


Additional Information
~~~~~~~~~~~~~~~~~~~~~~

Information about Silicon Graphics and IRIX can be found at
http://www.sgi.com.

Vulnerability information was determined using IRIX 6.2.

For more information about Secure Networks, and for past advisories,
please see http://www.secnet.com

If you have any questions, feel free to mail sni@secnet.com.
Our pgp public key is:

-----BEGIN PGP PUBLIC KEY BLOCK-----
Version: 2.6.3ia

mQCNAzLaFzIAAAEEAKsVzPR7Y6oFN5VPE/Rp6Sm82oE0y6Mkuof8QzERV6taihn5
uySb31UeNJ4l6Ud9alOPT/0YdeOO9on6eD1iU8qumFxzO3TLm8nTAdZehQSAQfoa
rWmpwj7KpXN/3n+VyBWvhpBdKxe08SQN4ZjvV5HXy4YIrE5bTbgIhFKeVQANAAUR
tCVTZWN1cmUgTmV0d29ya3MgSW5jLiA8c25pQHNlY25ldC5jb20+iQCVAwUQM1yd
EB/bLKAOe7p9AQFptAQAiYpaZCpSmGgr05E698Z3t5r5BPAKUEtgvF53AvZUQLxz
ZsYsVU5l5De0qKWJOQ/9LiDyWu1lvKhlTphbLy2RatWD4kO3oQL9v3TpSXm2WQhU
uIzyZvj7S5ENodNnKn+gCDIvbou6OMot+7dRbWWgN2oabbru4CSlOxbG++yaTz+J
AJUDBRAzTefbtOXez5VgyLkBAd0bA/43eGEgvPOFK+HHWCPpkSWCwtrtDU/dxOVz
9erHnT/CRxeojCI+50f71Qe+kvx9Q1odz2Jl/fLxhnPQdbPnpWblIbu4F8H+Syrj
HTilDrl1DWa/nUNgK8sb27SMviELczP1a8gwA1eo5SUCG5TWLLTAzjWOgTxod2Ha
OwseUHmqVIkAlQMFEDNOVsr/d6Iw8NVIbQEBxM0D/14XRfgSLwszgJcVbslMHm/B
fF6tHoWYojzQle3opOuMYHNN8GsMZRkc1qQ8QuNA9Aj5+qDqEontGjV5IvhBu1fY
FM77AhagskaFCZxwqV64Qrk328WDO89NGSd+RuovVNruDdn20TxNCEVuPTHjI0UA
8H+E6FW9jexg6RTHhPXYtCVTZWN1cmUgTmV0d29ya3MgPHNlY3VyaXR5QHNlY25l
dC5jb20+iQCVAwUQMtqTKB/bLKAOe7p9AQFw5wQAgUwqJ+ZqfEy/lO1srU3nzxLA
X0uHGHrMptRy/LFo8swD6G1TtWExUc3Yv/6g2/YK09b5WmplEJ+Q09maQIw+RU/s
cIY+EsPauqIq4JTGh/Nm0Z4UDl2Y1x4GNtm0YqezxUPS0P0A3LHVLJ3Uo5og0G8O
gPNrfbVz5ieT14OSCWCJAJUDBRAy2hd2/3eiMPDVSG0BAVNhBACfupfAcNhhnQaq
aI03DOOiZSRjvql1xw4V+pPhM+IksdSK3YNUZVJJtANacgDhBT+jAPRaYbBWI3A5
ZMdcSNM8aTG0LWMLIOiOYEm6Lgd3idRBFN0Js08eyITl8mhZ33mDe4I0KQri9UiV
ZcPYTbb9CWM6Hv2cMbt6S6kLnFziqIkAlQMFEDLaF0+4CIRSnlUADQEBCLoEAJwt
UofDgvyZ4nCDx1KKAPkkXBRaPMWBp46xeTVcxaYiloZfwHfpk1h2mEJAxmAsvizl
OtIppHl4isUxcGi/E2mLCLMvis22/IQP/9obPahPvgNaMLVtZljO1Nv3QFEkNciL
FEUTNJHR1ko7ibCxkBs4cOpirFuvTMDvWnNaXAf8
=DchE
-----END PGP PUBLIC KEY BLOCK-----

You can subscribe to our security advisory mailing list by sending
mail to majordomo@secnet.com, containing the single line
subscribe sni-advisories

You can find Secure Networks papers at ftp://ftp.secnet.com/pub/papers
and advisories at ftp://ftp.secnet.com/advisories


Copyright Notice
~~~~~~~~~~~~~~~~
The contents of this advisory are Copyright (C) 1997 Secure Networks Inc,
and may be distributed freely provided that no fee is charged for
distribution, and that proper credit is given.


-----BEGIN PGP SIGNATURE-----
Version: 2.6.3ia
Charset: noconv

iQCVAwUBM8pvP7gIhFKeVQANAQFZBAQAkfi/Aj4QT2PyPIdXcRPMZA4MXjE6uIlC
2CLkryCXrcGoIsdnxchbI+RbpTymKDMdaecYJmIi3w3zAS8MZByWqStCD3GRoFjP
C364loopSID/VRh7eKCG/WvXLAOaXjtv8TI9OcgwagVfccymrjU+w4Ki7nhcyjxU
6USpDUWOeDU=
=K+33
-----END PGP SIGNATURE-----