IRIX inpview hole

Summary
Description:inpview is part of a video conferencing package. Wow, in 1997 we've got a system() without absolute path vulnerability. Haven't seen something that pathetic in a while, except for the M$ OOB problem.
Author:Yuri Volobuev <volobuev@T1.CHEM.UMN.EDU>
Compromise: root (local)
Vulnerable Systems:IRIX, presumably 5.3, 6.2, and 6.3
Date:7 May 1997
Details

te: Wed, 7 May 1997 05:48:00 -0500
From: Yuri Volobuev <volobuev@T1.CHEM.UMN.EDU>
To: BUGTRAQ@NETSPACE.ORG
Subject: Irix: misc

[...]
1. /usr/lib/InPerson/inpview

inpview is part of InPerson desktop video conferencing package.  It's
root-owned/suid and is written in a classic SGI suid-programming style, 
i.e.
in the course of execution inpview, without dropping euid=0, starts 
program
ttsession, using system() and without bothering to use absolute path.  So
it's pretty much like suid shell sitting around, in case you forget root
password.  It does all kinds of other dangerous stuff as well, e.g.
predictable tmp files.

Obvious fix is to strip suid bit, which is most likely to break it.  I 
don't
know why it's necessary to be root to establish non-authentificated
connection between two machines, but I guess SGI guys know better.  If you
do need InPerson badly, consider restricting execution privileges to the
trusted group of users, or putting a standard wrapper around it, kind of 
what
AUSCERT usually supplies with their advisories.  Such a wrapper should 
reset
critical environment variables (PATH, HOME, LOGNAME, etc.), check command
line for unwanted characters (shell metacharacters, see sh(1) manpage),
checks command line and may be few environment variables for length.  It
doesn't protect you from all evils, notably nothing can be done about
tmp files, but it's better than nothing.



More Exploits!

The master index of all exploits is available here (Very large file)
Or you can pick your favorite operating system:
All OS's Linux Solaris/SunOS Micro$oft
*BSD Macintosh AIX IRIX
ULTRIX/Digital UNIX HP/UX SCO Remote exploits

This page is part of Fyodor's exploit world. For a free program to automate scanning your network for vulnerable hosts and services, check out my network mapping tool, nmap. Or try these Insecure.Org resouces:

[ Nmap | Sec Tools | Mailing Lists | Site News | About/Contact | Advertising | Privacy ]
AlienVault