Title: SGI Performance Co-Pilot pmpost Symbolic Link Vulnerability
Severity: MODERATE
Description:
Performance Co-Pilot (PCP) is a set of services to support system-level performance monitoring developed by SGI. It has traditionally been an IRIX product, however SGI has made it open source and it is now available for Linux systems.
One of the utilities that ships with PCP is called 'pmpost'. It is often installed setuid root by default.
When 'pmpost' is executed by a user, it logs the command line parameter to a tempfile ('NOTICES') in the log directory. The location of the log directory can be specified via the 'PCP_LOG_DIR' environment variable.
Because environment variables are user supplied, a local user can choose an arbitrary log directory. When writing to the 'NOTICES' file in the log directory, 'pmpost' will follow symbolic links. Since the data written is user-supplied (the command-line arguments), it is possible to gain superuser privileges if 'pmpost' is setuid root.
An attacker may exploit this vulnerability by setting the log directory to one under their control, containing a symbolic link called 'NOTICES' pointing to a critical system file (such as '/etc/passwd'). The attacker could overwrite the contents of this file with arbitrary data.
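The two patterns at issue, as an added illustration that is not PCP's own code: a setuid program that builds its log path from an environment variable and opens it with flags that follow a symbolic link, beside a hardened variant that ignores the variable when privileges are elevated, opens with O_NOFOLLOW, and verifies the result is a regular file. The function names, the compiled-in default directory and the scratch-directory demo are assumptions made for this example.

```c
/* Added example, not pmpost source.  DEFAULT_LOG_DIR and all function
 * names are hypothetical; the scratch directory is constructed on the fly. */
#define _GNU_SOURCE
#include <errno.h>
#include <fcntl.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <sys/stat.h>
#include <unistd.h>

#define NOTICES_NAME    "NOTICES"
#define DEFAULT_LOG_DIR "/var/log/pcp"   /* assumed compiled-in default */

/* Vulnerable pattern: trusts a caller-supplied directory and opens the log
 * with flags that follow a symbolic link at the final path component.  Run
 * setuid root, the write lands wherever the link points. */
int open_notices_vulnerable(const char *log_dir)
{
    char path[4096];
    snprintf(path, sizeof path, "%s/%s", log_dir, NOTICES_NAME);
    return open(path, O_WRONLY | O_CREAT | O_APPEND, 0644);
}

/* Hardened pattern:
 *  1. when privileges are elevated (euid != ruid) ignore the environment
 *     entirely and use the compiled-in directory;
 *  2. refuse to follow a symbolic link at the final component (O_NOFOLLOW);
 *  3. after opening, confirm the descriptor refers to a regular file.
 * Returns -1 with errno set (ELOOP for a symlink) on refusal. */
int open_notices_hardened(const char *env_log_dir)
{
    const char *log_dir = DEFAULT_LOG_DIR;
    if (env_log_dir != NULL && geteuid() == getuid())
        log_dir = env_log_dir;   /* unprivileged: honouring the variable is safe */

    char path[4096];
    snprintf(path, sizeof path, "%s/%s", log_dir, NOTICES_NAME);

    int fd = open(path, O_WRONLY | O_CREAT | O_APPEND | O_NOFOLLOW, 0644);
    if (fd < 0)
        return -1;

    struct stat st;
    if (fstat(fd, &st) != 0 || !S_ISREG(st.st_mode)) {
        close(fd);
        errno = EINVAL;
        return -1;
    }
    return fd;
}

/* Demo on a constructed scratch directory where NOTICES is a symlink to a
 * separate file.  Returns 1 when the vulnerable open writes through the
 * link and the hardened open refuses it with ELOOP, 0 otherwise. */
int demo_symlink_refusal(void)
{
    char dir[] = "/tmp/pcp-demo-XXXXXX";
    if (mkdtemp(dir) == NULL)
        return 0;

    char target[64], linkpath[64];
    snprintf(target, sizeof target, "%s/target.txt", dir);
    snprintf(linkpath, sizeof linkpath, "%s/%s", dir, NOTICES_NAME);

    int result = 0;
    int tfd = open(target, O_WRONLY | O_CREAT, 0644);
    if (tfd >= 0 && symlink(target, linkpath) == 0) {
        int vfd = open_notices_vulnerable(dir);
        if (vfd >= 0) {
            /* The bytes end up in target.txt, not in a file named NOTICES. */
            ssize_t n = write(vfd, "followed\n", 9);
            close(vfd);
            struct stat st;
            if (n == 9 && stat(target, &st) == 0 && st.st_size == 9) {
                int hfd = open_notices_hardened(dir);
                if (hfd < 0 && errno == ELOOP)
                    result = 1;
                else if (hfd >= 0)
                    close(hfd);
            }
        }
    }
    if (tfd >= 0)
        close(tfd);
    unlink(linkpath);
    unlink(target);
    rmdir(dir);
    return result;
}

int main(void)
{
    printf("hardened open refuses the symlink: %s\n",
           demo_symlink_refusal() ? "yes" : "no");
    return 0;
}
```

O_NOFOLLOW only protects the final component; a link in an intermediate directory is still followed, which is why the hardened variant also drops the environment-supplied directory whenever the program runs with elevated privileges rather than relying on the open flag alone.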
Note: This vulnerability affects both binary versions for IRIX and the open source distribution of PCP. S.u.S.E. has made PCP packages available for their Linux distribution. PCP is not installed as part of S.u.S.E. Linux by default. The PCP packages for S.u.S.E. Linux 7.0 do not install 'pmpost' setuid root. Versions 7.1 and 7.2 do, and are vulnerable if PCP is installed.
It has been reported that not all versions of PCP for IRIX are vulnerable. To determine whether you are vulnerable, run this command:
strings /usr/pcp/bin/pmpost | grep PCP_LOG_DIR
If the string 'PCP_LOG_DIR' appears, it is most likely that the version of 'pmpost' installed is vulnerable.
It is not yet known which other Linux vendors may ship with PCP as either an optional package or installed by default.
Affected Products:
- SGI Performance Co-Pilot 2.1.1
- SGI Performance Co-Pilot 2.1.10
- SGI Performance Co-Pilot 2.1.11
- SGI Performance Co-Pilot 2.1.2
- SGI Performance Co-Pilot 2.1.3
- SGI Performance Co-Pilot 2.1.4
- SGI Performance Co-Pilot 2.1.5
- SGI Performance Co-Pilot 2.1.6
- SGI Performance Co-Pilot 2.1.7
- SGI Performance Co-Pilot 2.1.8
- SGI Performance Co-Pilot 2.1.9
- SGI Performance Co-Pilot 2.2.0