IRIX sadc symlink vulnerability

Summary
Description:the IRIX program /usr/lib/sa/sadc is sgid sys and writes to /tmp/sa.adrfl, even if that is a symlink.
Author:Well known, but Jaechul Choe <poison@COSMOS.KAIST.AC.KR> posted this warning that IRIX is still vulnerable.
Compromise:GID sys
Vulnerable Systems:IRIX 5.3, 6.2
Date:9 May 1997
Details

te: Fri, 9 May 1997 06:33:46 +0900
From: Jaechul Choe <poison@COSMOS.KAIST.AC.KR>
To: BUGTRAQ@NETSPACE.ORG
Subject: Re: Irix: misc

[. . .]

And one more, as addressed in [8lgm]-Advisory-11.UNIX.sadc.07-Jan-1992
and SGI security FAQ, there is a hole in /usr/lib/sa/sadc.
That's both on IRIX 5.3 and 6.2.
The tmp file to link to target is /tmp/sa_adrfl
(
114mS stat(/tmp/sa.adrfl, 0x10042dd8) errno = 2 (No such file or 
directory)
115mS umask(0) = 0
116mS open(/tmp/sa.adrfl, O_RDWR|O_CREAT|O_TRUNC, 0664) = 3
)
sadc is sgid sys in IRIX so the hole may be minor
but won't it be of help to get root in conjunction with another program?
I was surprised to find the hole still existed in IRIX 6.2 then
SGI might be indifferent enough


More Exploits!

The master index of all exploits is available here (Very large file)
Or you can pick your favorite operating system:
All OS's Linux Solaris/SunOS Micro$oft
*BSD Macintosh AIX IRIX
ULTRIX/Digital UNIX HP/UX SCO Remote exploits

This page is part of Fyodor's exploit world. For a free program to automate scanning your network for vulnerable hosts and services, check out my network mapping tool, nmap. Or try these Insecure.Org resouces:

[ Nmap | Sec Tools | Mailing Lists | Site News | About/Contact | Advertising | Privacy ]
AlienVault