IRIX 5.3 chost vulnerability

Summary
Description:IRIX 5.3 chost apparently fails to drip privileges sufficiently when an invalid root password is entered
Author:Grant Kaufmann (gkaufman@cs.uct.ac.za)
Compromise: root (local)
Vulnerable Systems:IRIX 5.3 with vulnerable chost.
Date:6 August 1996
Notes:The SGI patch may not always plug the hole!
Details

Exploit:


From: Bill Nickless (nickless@MCS.ANL.GOV)
Date: Wed, 14 Aug 1996 13:08:14 -0500 

I did a little experimentation and found that there's another precondition
for this cadmin exploit to work.  You cannot have a desktopManager process
already running as you when you start the process.

First, verification that we're running the right patch levels and such:

flying% uname -a
IRIX flying 5.3 11091811 IP19 mips
flying% versions -b | cut -c35-199 | grep Patch
Patch SG0000172
Patch SG0000197
Patch SG0000426
Patch SG0000813: Provide icrash on 5.3
Patch SG0000852: SCSI roll up for 5.3 without XFS
Patch SG0000870: 5.3 EFS rollup patch for all 5.3 non-XFS releases
Patch SG0000900: rev 3.17 io4prom patch
Patch SG0000918: RE OpenGL Extensions, Aux Buffers, and Bug Fix Rollup
Patch SG0001020: Security fix for login and telnetd
Patch SG0001092: networking rollup, fixes for hangs on socket data, new mrouted
Patch SG0001096: Objectsystem & Removable Media Software roll up
Patch SG0001102: NFS roll-up
Patch SG0001116: 5.3/5.3XFS combined kernel roll up patch
Patch SG0001128: CERT VU 15781
Patch SG0001146: sendmail security bug in queue management
Patch SG0001157: Change hinv to recognize all IMPACT gfx
Patch SG0001324: Fix for security loophole in the desktop permissions panel
flying% cd /usr/Cadmin/bin
flying% ls -l cimport
-rwsr-xr-x    1 root     sys       161896 Apr  9 00:29 cimport
flying% sum cimport
62654 317 cimport
flying% df | grep nfs
cavesound:/usr/tmp          nfs 3052196 2725027  327169  89%  /mnt

Now for the exploit, run as a regular non-root user:

1. From any shell prompt: killall -9 desktopManager
2. From /usr/Cadmin/bin, run ./cadmin.
3. Click on "New" as if you were going to create a new NFS mount point.
4. A dialog window will appear asking for the root password.  Enter something
   other than the root password into the password field.  Click on "OK".
5. An error dialong window will appear warning that you have entered an
   incorrect password.  Click on "OK".
6. You are then returned to the root password-requesting dialong window.
   Click on "Cancel."
7. Doubleclick on the folder icon of the previously-mounted NFS filesystem.
   This will start a desktopManager process, ostensibly running as you the
   user, but actually running with some root priveleges.
8. In the top of the desktopManager window, replace the pathname of the
   previously-mounted NFS filesystem with /etc
9. Scroll down to passwd, doubleclick, and edit to your heart's content
   in the jot window that gets created.

Once again, the workaround shell script fragment than eliminates this exposure:

#!/bin/sh
# Exploit from http://www.eecs.nwu.edu/~jmeyers/bugtraq/1099.html
# will work even with the patches installed as of 13 August 1996.
# Accordingly, turning off the suid bits on the Cadmin programs.

for p in cexport cformat chaltsys chost chostInfo cimport clogin \
        cmidi configClogin cpeople cports cpuView csetup cswap \
        diskView tapeView videoView
do
        /bin/chmod u-s /usr/Cadmin/bin/$p
done
--
Bill Nickless              nickless@mcs.anl.gov               +1 630 252 7390
PGP 2.6.2 Key fingerprint =  0E 0F 16 80 C5 B1 69 52  E1 44 1A A5 0E 1B 74 F7
                 http://www.mcs.anl.gov/people/nickless



More Exploits!

The master index of all exploits is available here (Very large file)
Or you can pick your favorite operating system:
All OS's Linux Solaris/SunOS Micro$oft
*BSD Macintosh AIX IRIX
ULTRIX/Digital UNIX HP/UX SCO Remote exploits

This page is part of Fyodor's exploit world. For a free program to automate scanning your network for vulnerable hosts and services, check out my network mapping tool, nmap. Or try these Insecure.Org resouces:

[ Nmap | Sec Tools | Mailing Lists | Site News | About/Contact | Advertising | Privacy ]