Subject: Performance Copilot for IRIX 6.5
From: Marcelo Magnasco (mgnsclbROCKVAX.ROCKEFELLER.EDU)
Date: Wed Apr 12 2000 - 18:16:24 CDT

Hi All, I found a vulnerability in the Performance Copilot for IRIX 6.5.

* Summary: /usr/etc/pmcd has a fail-open security model, allowing
anyone to perform queries by default. This exposes potentially sensitive
information (ps -efl, df, etc.) to anyone on the net. pmcd will also accept
garbage connections and grow large heaps that are not released when the
connection is torn down, thus permitting a DoS.

I sent this information to SGI on March 17. I hear SGI is actively working
on the issue and will probably release a proper patch. A workaround is
provided below.

* Background: Our current installation of IRIX 6.5.6 (varsity program)
includes by default a product called "Performance Copilot" (PCP), a large
and complex piece of software to collect performance metrics systemwide and
find nice ways to analyze them. The product is installed and self-configured
by default. On comes /usr/etc/pmcd, a daemon that sits and listens on
tcp port 4321 waiting for requests to tell the users of the PCP about
stuff going on. We never configured the product, and in fact were
not aware that it was being installed or what it was for: it was
included in the default Varsity 6.5.6 installation. I discovered
it by portscanning my own machines for open ports.

 pcp_eoe                       Performance Co-Pilot Execution Only Environment, 2.1
 Software Product              Performance Co-Pilot
 Version                       2.1
 Product Codes                 SC4-PCP-2.1 and SC4-IRIX6.5
 System Software Requirements  IRIX 6.2, 6.3, 6.4 or 6.5.5

* The Problem.
On our systems, /var/adm/pcplog/pmcd.log contains the following
rather scary message:

 Host access list empty: access control turned off

Thus the access control is fail open: if you fail to configure it, it
will allow anyone to connect. Our configuration files had no ACLs. So
presumably this is the case for everyone else. I've tried various
machines on campus: all 6.5 machines have pmcd running and have enabled
me to list their processes, disk mount points, etc. [Note: this
has been fixed by now, so don't bother with us!].

What does /usr/etc/pmcd expose to the world???

% pminfo -f -h sgi.victim.com filesys.mountdir
lists all disks and their mount points, for instance.

% pmem -h sgi.victim.com
will return something looking much like a ps -efl: all processes with
their owners and long argument lists.

% perl -e 'print " a" x 92834244,"\n";' | telnet sgi.victim.com 4321

makes an excellent DoS. The pmcd process grew to 600 megabytes on my
system and STAYED that size after the connection was ctrl-c'ed. Notice
that pminfo -f -h sgi.victim.com swap will tell you all about swap,
so you can calculate how much to request...

Finally, trying the perl bit AGAIN results in a broken pipe, and
an ominous message in the logs:

unix: ALERT: pmcd [744] - out of logical swap space during brk/sbrk - see

In fact, after the first garbage connection, any further connection
transmitting more than 4095 bytes will cause this message to appear in
the syslog, suggesting that there is a 4096 somewhere in there. Left as
an exercise for the reader.

* Workaround.
To close the process to outside access, append the following to

allow localhost: all ;
disallow * : all;

or, better yet, chkconfig pmcd off and shut it off entirely unless
you specifically need it.
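
One way to audit a host for the fail-open state described above, as an added example that is not part of the original post. The log message and the two ACL lines are taken from the post; the config file path (not given in the post) is supplied by the caller, and the '#' comment handling and the verdict names are assumptions of this sketch.

```shell
#!/bin/sh
# Audit for the fail-open pmcd state described in the post (added example).
# The log message and the two ACL lines are from the post. The config file
# path is not given there, so the caller supplies it. Treating '#' as a
# comment marker in that file is an assumption.

FAIL_OPEN_MSG='Host access list empty: access control turned off'

# True if the pmcd log ($1) reports that access control is off.
pmcd_log_fail_open() {
    [ -r "$1" ] && grep -F -q "$FAIL_OPEN_MSG" "$1"
}

# True if CONF ($1) contains RULE ($2); whitespace differences are ignored.
pmcd_conf_has_rule() {
    [ -r "$1" ] || return 1
    want=$(printf '%s' "$2" | tr -d ' \t')
    sed 's/#.*//' "$1" | tr -d ' \t' | grep -F -x -q -e "$want"
}

# Print a verdict for LOG ($1) and CONF ($2); exit 0 only for RESTRICTED.
pmcd_audit() {
    acl=missing
    if pmcd_conf_has_rule "$2" 'allow localhost: all;' &&
       pmcd_conf_has_rule "$2" 'disallow *: all;'; then
        acl=present
    fi
    if pmcd_log_fail_open "$1"; then
        if [ "$acl" = present ]; then echo ACL-NOT-ACTIVE; else echo FAIL-OPEN; fi
        return 1
    fi
    if [ "$acl" = present ]; then echo RESTRICTED; return 0; fi
    echo UNKNOWN
    return 1
}

# Constructed sample files, so the example runs without a real pmcd.
demo=$(mktemp -d)
printf '%s\n' 'pmcd: startup' "$FAIL_OPEN_MSG" > "$demo/pmcd.log"
printf '%s\n' '# no access rules' > "$demo/open.conf"
printf '%s\n' 'allow localhost: all ;' 'disallow * : all;' > "$demo/acl.conf"
: > "$demo/quiet.log"
pmcd_audit "$demo/pmcd.log" "$demo/open.conf" || true   # FAIL-OPEN
pmcd_audit "$demo/quiet.log" "$demo/acl.conf" || true   # RESTRICTED
rm -rf "$demo"
```

ACL-NOT-ACTIVE means the rules are in the file but the log still carries the "access control turned off" line, so check that the running pmcd has picked up the new configuration.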