inpview is part of a video conferencing package. Wow, in 1997 we've got a system() without absolute path vulnerability. Haven't seen something that pathetic in a while, except for the M$ OOB problem.
Yuri Volobuev <volobuev@T1.CHEM.UMN.EDU>
IRIX, presumably 5.3, 6.2, and 6.3
7 May 1997
Date: Wed, 7 May 1997 05:48:00 -0500
From: Yuri Volobuev <volobuev@T1.CHEM.UMN.EDU>
Subject: Irix: misc
inpview is part of the InPerson desktop video conferencing package. It's
root-owned/suid and is written in a classic SGI suid-programming style:
in the course of execution, inpview, without dropping euid=0, starts
ttsession using system() and without bothering to use an absolute path. So
it's pretty much like a suid shell sitting around, in case you forget the root
password. It does all kinds of other dangerous stuff as well, e.g.
predictable tmp files.
The obvious fix is to strip the suid bit, which is most likely to break it. I
don't know why it's necessary to be root to establish a non-authenticated
connection between two machines, but I guess SGI guys know better. If you
do need InPerson badly, consider restricting execution privileges to a
trusted group of users, or putting a standard wrapper around it, of the kind
AUSCERT usually supplies with their advisories. Such a wrapper should
critical environment variables (PATH, HOME, LOGNAME, etc.), check the command
line for unwanted characters (shell metacharacters, see the sh(1) manpage),
and check the command line and maybe a few environment variables for length. It
doesn't protect you from all evils, notably nothing can be done about the
tmp files, but it's better than nothing.
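As an added example (not from the post, AUSCERT, or SGI), here is the kind of setuid wrapper the post describes: it discards the inherited environment, rejects arguments containing sh(1) metacharacters or exceeding a length limit, and only then exec's the real binary. The path REAL_PROG, the argument limits and the metacharacter list are assumptions for illustration.

```c
/* Minimal AUSCERT-style wrapper for a setuid program (added example).
 * Assumed layout: the wrapper is installed setuid-root in place of the
 * original, and the original is moved to REAL_PROG in a root-only directory
 * so it cannot be run directly. REAL_PROG is a placeholder path. */
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <unistd.h>

#define REAL_PROG   "/usr/lib/InPerson/inpview.real"  /* placeholder path */
#define MAX_ARG_LEN 255
#define MAX_ARGS    32

/* Characters that let an argument escape a system()-built command line
 * (see sh(1)); whitespace is included because it splits words. */
static const char SHELL_META[] = "|&;()<>`$\\\"'*?[]{}#~=% \t\n";

/* Return 1 if a single argument is safe to pass through, 0 otherwise. */
int safe_arg(const char *arg)
{
    size_t len = strlen(arg);
    if (len == 0 || len > MAX_ARG_LEN)
        return 0;
    return strpbrk(arg, SHELL_META) == NULL;
}

/* Check argv[1..argc-1]; return the index of the first rejected argument,
 * argc if there are too many arguments, or -1 if everything passes. */
int first_bad_arg(int argc, char *const argv[])
{
    if (argc - 1 > MAX_ARGS)
        return argc;
    for (int i = 1; i < argc; i++)
        if (!safe_arg(argv[i]))
            return i;
    return -1;
}

int main(int argc, char *argv[])
{
    /* Fixed, fully trusted environment: PATH, HOME, LOGNAME and IFS from
     * the caller are dropped, so an unqualified system("ttsession") inside
     * the real program resolves only against these directories. */
    char *const env[] = { "PATH=/usr/bin:/bin", "IFS= \t\n", "HOME=/", NULL };
    int bad = first_bad_arg(argc, argv);
    if (bad != -1) {
        fprintf(stderr, "%s: rejected argument %d\n", argv[0], bad);
        return 1;
    }
    execve(REAL_PROG, argv, env);   /* only reached with a clean argv/env */
    perror(REAL_PROG);
    return 1;
}
```

The wrapper does nothing about the predictable tmp files the post mentions; those remain a property of the real binary.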
This page is part of Fyodor's exploit