Cray Unicos NQSD format string vulnerability



28th Nov 2001 [SBWID-4882]
COMMAND

	Cray Unicos NQSD format string vulnerability

SYSTEMS AFFECTED

	All versions

PROBLEM

	In Mickey Mouse Hacking Squadron Advisory #1 :
	

	The NQS, or  Network  Queueing  System,  is  a  popular  batch  software
	processor which is  used  to  perform  job  control  and  leveraging  in
	supercomputing  environments  which  require   heavy   symmetric   multi
	processing. The controlling daemon, which looks like it appears below
	 

	   37152 ?     0:00 nqsdaemon
	   57415 ?     0:00 nqsdaemon

	

	runs as root in order to properly schedule and timeslice batched
	processes. The Mickey Mouse Hacking Squadron has discovered a format bug
	vulnerability by which any unprivileged user on a system running NQS can
	gain root access. This involves creating a batch with a name that
	contains special formatting characters, which is processed by an unsafe
	function taking a variable argument list. In order to exploit this
	vulnerability, the user must be able to submit the job with qsub in
	such a way that it triggers this vulnerability.
	

	 DESCRIPTION

	

	      The qsub command submits a file that contains a shell script as
	      a batch request to the Network Queuing System (NQS).  For an
	      introduction to the use of NQS, see the Network Queuing System
	      (NQS) User's Guide, publication SG-2105.

	

	This vulnerability has been exploited successfully  by  the  MMHS  in  a
	RISC environment, using ALPHA processors,  in  a  way  similar  to  bugs
	exploited successfully on Digital UNIX by SeungHyun Seo, also posted  to
	the Bugtraq mailing list. The  exploitation  on  vectorized  processors,
	such as  the  Y-MP  series,  has  proved  to  be  much  more  difficult,
	especially due to large 64 bit addressing and a  large  number  of  NULL
	bytes in the process address space.  This  should  also  prove  easy  to
	exploit on PowerPC and SPARC environments.
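
	The flaw described above is a request name reaching a variadic formatting function as the format argument. The following C program is an added example, not code from NQS or from the advisory: it shows the corrected sink (constant format, name passed as data) and an allowlist check at submission. The names log_line, request_name_ok and render_request_line, the 63-byte limit and the sample names are assumptions made for illustration.

```c
#include <ctype.h>
#include <stdarg.h>
#include <stdio.h>
#include <string.h>

/* Hypothetical variadic logger. The format attribute (GCC/Clang) lets
 * -Wformat -Wformat-security flag callers that pass a non-literal format. */
#if defined(__GNUC__)
__attribute__((format(printf, 3, 4)))
#endif
int log_line(char *out, size_t outsz, const char *fmt, ...)
{
    va_list ap;
    va_start(ap, fmt);
    int n = vsnprintf(out, outsz, fmt, ap);
    va_end(ap);
    return n;
}

/* Allowlist at submission: letters, digits, '_', '-', '.'; 1..63 bytes
 * (the limit is an assumption, not an NQS value). */
int request_name_ok(const char *name)
{
    size_t len = strlen(name);
    if (len == 0 || len > 63) return 0;
    for (size_t i = 0; i < len; i++) {
        unsigned char c = (unsigned char)name[i];
        if (!isalnum(c) && c != '_' && c != '-' && c != '.') return 0;
    }
    return 1;
}

/* Vulnerable pattern, shown only as a comment:
 *     log_line(buf, sizeof buf, name);   the name is parsed as a format
 * Hardened form below: the format is a constant and the name is data. */
const char *render_request_line(const char *name)
{
    static char buf[128];
    log_line(buf, sizeof buf, "queued request: %s", name);
    return buf;
}

int main(void)
{
    const char *samples[] = { "nightly_run-01", "job%x%x", "%n" }; /* constructed */
    for (size_t i = 0; i < sizeof samples / sizeof samples[0]; i++)
        printf("%-16s ok=%d  log=\"%s\"\n", samples[i],
               request_name_ok(samples[i]), render_request_line(samples[i]));
    return 0;
}
```

	Either layer alone stops the name from being interpreted; the constant format string at the sink is the one that must not be skipped, because validation rules tend to be relaxed over time.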

SOLUTION

	These products have been retired, and SGI will not be providing a patch
	for these vulnerabilities. SGI's recommendation is to uninstall the
	product.
	

	To determine if the product is installed, run the following command:
	

	   # versions -b | grep NQE

	

	If the output returned by the command looks similar to this:
	

	   I  NQE33015_Client_only 10/28/1999  N Q E 3.3.0.15 Client only
	   I  NQE33015_Components_and_Client  10/28/1999  N Q E 3.3.0.15 Components

	

	...then NQE is installed and the system is vulnerable.
	

	To uninstall the product, run the following command:
	

	   # versions remove NQE*

	

