OSVDB ID: 235

Title: IRIX webdist.cgi distloc Parameter Arbitrary Command Execution

Info

Dates

Disclosure: May 06, 1997
Discovery: Unknown
Exploit: May 06, 1997
Solution: Unknown

Description

IRIX contains a flaw that may allow remote command execution. The issue is triggered when an attacker passes manipulated input in the distloc parameter of the Webdist script (webdist.cgi) of the Out Box Environment Subsystem. The injected commands run with the privileges of the httpd daemon. This flaw may lead to a loss of integrity.

Classification

Location: Remote / Network Access
Attack Type: Input Manipulation
Impact: Loss of Integrity
Exploit: Exploit Public
Disclosure: OSVDB Verified
OSVDB: Web Related

Solution

Upgrade to version 6.5 or higher, as it has been reported to fix this vulnerability. Silicon Graphics, Inc. has also released a patch to address this issue. It is also possible to work around the flaw by running the following commands as root, which remove execute permission from the affected CGI programs so that httpd can no longer run them:

# /bin/chmod 400 /var/www/cgi-bin/webdist.cgi
# /bin/chmod 400 /var/www/cgi-bin/handler
# /bin/chmod 400 /var/www/cgi-bin/wrap

Products

Silicon Graphics, Inc.

IRIX

5.3
6.0.x
6.1
6.2
6.3
6.4

Credit

Unknown or Incomplete



Direct URL: http://osvdb.org/235