This is a repost from a few months ago. It apparently got lost in the shuffle.

===

Stardot Networks / Security vulnerability [SDN-2-sgi-videoframer]

The VideoFramer development package on Silicon Graphics systems is subject to several security holes. This package is installed as vfr.sw.vfr. Though most SGIs I found did not have the installation, nevertheless the package was available for exploitation from a NFS mounted partition that contained the complete IRIX distribution. A VideoFramer/VLAN board is not required for program exploitation.

The specific problem which I describe below involves the program sb_encode, which allows off-line frame encoding in VideoFramer format. The result of poor IRIX security checking is that any user can overwrite-to-destroy an arbitrary file. It appears that many files in the installation were improperly permissioned as setuid.

PROGRAM.  sb_encode (from vfr.sw.vfr)
AFFECTS.  at least SGI IRIX 5.x
REQUIRED. Account on server
RISK.     denial of service
AUTHOR.   Tung-Hui Hu <hhui@stardot.net>

---

PROBLEM. sb_encode is installed setuid in /usr/video/vfr/bin and does not check for permissions/ownership. sb_encode takes an IRIS RGB-format image file and spits out a VideoFramer format file (.vfr).

REPEAT BY:

    /usr/video/vfr/bin/sb_encode -o [file-to-overwrite] [iris-image]

---

PROBLEM. Many setuid scripts exist in /usr/video/vfr/bin. Though setuid scripts are turned off by default, they may pose a potential security risk.

---

TEMPORARY FIX.

    # chmod -s /usr/video/vfr/*

---

DISCUSSION. I assume it is practically impossible to "meaningfully exploit" a VideoFramer-encoded format.

The videoframer setup utility also exploded when I tried to create a peculiarly-named device (e.g. ;id). Then again, setup exploded while doing most things ;)

Can the preferences .vfr_setup be exploited somehow? I haven't done more than a cursory check.

===

Tung-Hui Hu
Comparative literature, princeton university
hhui@stardot.net
http://www.stardot.net/~hhui
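
An added example, not part of the original advisory: a POSIX sh audit for the TEMPORARY FIX above that walks a package tree recursively, so files under bin/ are covered, reports each setuid file as a script or a binary, and can then clear the bits. The function names list_setuid and strip_setuid are hypothetical, and it assumes a POSIX find plus head -c and od.

```shell
#!/bin/sh
# Added example: audit a package tree for setuid files (helper names are hypothetical).

# list_setuid DIR
# Print "<kind> <path>" for every setuid regular file below DIR, sorted by path.
# kind is "script" when the file starts with "#!", otherwise "binary".
# Paths containing newlines are not supported.
list_setuid() {
    find "$1" -type f -perm -4000 -print | sort | while IFS= read -r f; do
        # Read the first two bytes as hex so NUL bytes in binaries are harmless.
        magic=$(head -c 2 "$f" 2>/dev/null | od -An -tx1 | tr -d ' \n')
        if [ "$magic" = "2321" ]; then      # 0x23 0x21 is "#!"
            echo "script $f"
        else
            echo "binary $f"
        fi
    done
}

# strip_setuid DIR
# Clear the setuid and setgid bits on every setuid regular file below DIR.
strip_setuid() {
    find "$1" -type f -perm -4000 -exec chmod u-s,g-s {} +
}

# Stand-alone use: audit the directory given as the first argument, or the
# path named in the advisory when it exists on this host.
root=${1:-/usr/video/vfr}
if [ -d "$root" ]; then
    list_setuid "$root"
fi
```

Run list_setuid first and review the output before calling strip_setuid, since clearing the bit changes how the listed programs run.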