IRIX's default crontab contains some bad stuff, like find that execs rm. Check the Bugtraq archives for ways to leverage this to delete anything from the filesystem.
Yuri Volobuev <volobuev@T1.CHEM.UMN.EDU>
Delete any files on the (probably root) filesystem. You should be able to leverage root access from this.
IRIX, probably 5.3, 6.2, and 6.3
7 May 1997
Date: Wed, 7 May 1997 05:48:00 -0500
From: Yuri Volobuev <volobuev@T1.CHEM.UMN.EDU>
Subject: Irix: misc
3. root crontab
Though suid programs are the most common source of exploits, there're
places to look. root's crontab on Irix contains various items. For
example, it has several entries that do recursive find+rm. The dangers of
this were discussed on Bugtraq a while back. As far as I remember, it
allows to remove arbitrary files on the system by exploiting race
in find in connection with symlinks. Also, cron runs /usr/etc/fsr weekly
Sun morning. fsr is disk defragmentation tool, it writes positions where
left off to file /usr/tmp/.fsrlast. It's merely a DOS threat because of
contents of the file, I can't see any easy way to get root out of it. Fix
is simple: edit root's crontab and add -f /var/adm/.fsrlast option to fsr.
This problem is not particularly dangerous because /usr/tmp is never
up, so .fsrlast, once written, will stay there forever, effectively
preventing people from replacing it with symlink. But on brand new boxes
may cause bad things. Some interesting results may be obtained by feeding
properly constructed .fsrlast to fsr, but I didn't look closely at it.
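A defender-side check for the two crontab patterns the post describes, as an added example that is not part of the original post or of IRIX: it flags find entries that remove what they find, and fsr entries whose state file is left in a world-writable temporary directory. The function names, finding tags and the sample crontab are constructed for illustration.

```shell
#!/bin/sh
# Added example (not from the original post): audit a crontab for
#   FIND_RM         - a find entry that runs rm on its results (symlink race exposure)
#   FSR_STATE_IN_TMP - fsr run without -f, or with -f pointing into a temp directory,
#                      so the state file can be pre-created by another user
# Output: one line per finding, "LINENO:TAG:crontab entry".

audit_crontab() {
    # Reads the file named in $1, or standard input when no file is given.
    awk '
        /^[ \t]*(#|$)/ { next }    # skip comments and blank lines

        /(^|[ \t\/])find[ \t]/ &&
        (/-exec[ \t]+[^ \t]*rm([ \t]|$)/ || /xargs[ \t].*rm([ \t]|$)/) {
            print NR ":FIND_RM:" $0
        }

        /(^|[ \t\/])fsr([ \t]|$)/ &&
        (!/[ \t]-f[ \t]+\/[^ \t]+/ || /[ \t]-f[ \t]+\/(usr\/tmp|var\/tmp|tmp)\//) {
            print NR ":FSR_STATE_IN_TMP:" $0
        }
    ' "${1:--}"
}

# Constructed sample input; this is NOT the crontab IRIX ships.
sample_crontab() {
    cat <<'EOF'
# constructed sample root crontab
0 5 * * * find /tmp -mtime +7 -type f -exec rm -f {} \;
0 3 * * 0 /usr/etc/fsr
0 3 * * 0 /usr/etc/fsr -f /var/adm/.fsrlast
0 3 * * 0 /usr/etc/fsr -f /usr/tmp/.fsrlast
30 2 * * * /usr/bin/true
EOF
}

# Audit the file given as the first argument, or the constructed sample.
if [ -n "${1:-}" ]; then
    audit_crontab "$1"
else
    sample_crontab | audit_crontab
fi
```

The patterns are heuristics for review, so a flagged line still needs a human to read it; an entry using the `-f /var/adm/.fsrlast` form from the post is not flagged.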
This page is part of Fyodor's exploit