Exploit world!

Irix Section

Compiled by Fyodor fyodor@insecure.org
on Thu Jan 13 21:41:31 UTC 2000

[Back] to Fyodor's Playhouse


Xaw and Xterm vulnerabilities
Description:There are a number of vulnerabilities in X11R6 xterm(1) and Xaw(3c) libraries. They are mostly all overflows
Author:Pavel Kankovsky <peak@kerberos.troja.mff.cuni.cz> and the exploit was written by alcuin
Compromise: root (local)
Vulnerable Systems:Those running Xterm or X apps linked to vulnerable Xaw. Virtually all versions of X are vulnerable to the *Keymap hole and the others are mostly X11R6 specific (which virtually everyone uses anyway). Thus it is likely that many Solaris, Linux, HP/UX, and perhaps IRIX and AIX boxes are vulnerable.
Date:4 May 1998
Notes:I have also included an exploit sent to me by "M.C.Mar" <emsi@it.com.pl>. This exploit works against Xaw and neXtaw even WITH Solar Designer's non-executable stack patch applied. Check it out!
Exploit & full info:Available here


Overflow in kppp -c option
Description:Standard overflow
Author:"|[TDP]|" <tdp@psynet.net>
Compromise: root (local)
Vulnerable Systems:Those running kppp version < 1.1.3 suid root. This comes with the KDE system (which is pretty neat -- www.kde.org) and runs on Solaris, Linux, IRIX, and HP/UX
Date:29 April 1998
Notes:The hole was fixed a while prior to this posting so the (then) current version was not vulnerable.
Exploit & full info:Available here


Major holes in IRIX IPX tools
Description:Sigh, IRIX was trivial to root before, but now thanks to their IPX tools it is even easier. We are talking blatant system() calls here! The story in this message is rather pathetic.
Author:Fabrice Planchon <fabrice@MATH.PRINCETON.EDU>
Compromise: root (local)
Vulnerable Systems:IRIX 6.3, perhaps earlier versions.
Date:8 April 1998
Exploit & full info:Available here


Yet another SGI pfdispaly CGI hole
Description:As has been demonstrated many times, SGI CANNOT write secure CGI scripts. Nor can they write secure setuid programs. They fixed the last pfdisplay.cgi hole, but the new version is still quite buggy -- as this post demonstrates.
Author:"J.A. Gutierrez" <spd@GTC1.CPS.UNIZAR.ES>
Compromise:run arbitrary commands remotely as the UID running the webserver
Vulnerable Systems:SGI IRIX 6.2 using the performer_tools CGIs.
Date:7 April 1998
Notes:I honestly believe default SGI security is as bad as default Windows NT security. That is sad.
Exploit & full info:Available here


Majordomo tmpfile bug
Description:Standard tmpfile problem
Author:Karl G - NOC Admin <ovrneith@tqgnet.com>
Compromise:Any user on a system running majordomo can append arbitrary data to any file owned by the majordomo account.
Vulnerable Systems:Those running majordomo. This runs on a ton of systems (Solaris, Linux, IRIX, etc.).
Date:26 March 1998
Exploit & full info:Available here


Irix pfdispaly CGI hole
Description:Standard .. read-any-file CGI exploit.
Author:"J.A. Gutierrez" <spd@GTC1.CPS.UNIZAR.ES>
Compromise:Read any file (remotely) that user nobody (or whatever web server runs as) can read.
Vulnerable Systems:IRIX 6.2 with performer_tools.sw.webtools (Performer API Search Tool 2.2) installed, check for /var/www/cgi-bin/pfdispaly.cgi.
Date:17 March 1998
Exploit & full info:Available here


routed trace file exploit
Description:routed has the ability to have trace mode turned on remotely using any arbitrary filename. Thus you can append stuff to arbitrary files remotely.
Author:Rootshell
Compromise:You should be able to leverage this to root remote access.
Vulnerable Systems:Redhat linux; IRIX 5.2-5.3-6.2 is vulnerable, NetBSD 1.2 is vulnerable.
Date:8 January 1998
Exploit & full info:Available here


ARP and ICMP redirection games
Description:This excellent article/code from Yuri points out a number of (mostly known) problems with the ARP and ICMP protocols/implementations
Author:Yuri Volobuev <volobuev@T1.CHEM.UMN.EDU>
Compromise:spoof as a trusted host, redirect trafic through your host, DoS
Vulnerable Systems:Many versions of Linux, numerous hubs/routers. AFAIK, IRIX, HP-UX, *BSD, and probably Windoze can be spoofed with gratuitous ARP
Date:19 September 1997
Exploit & full info:Available here


Asynchronous I/O signal handling
Description:Two problems in the Asynchronous I/O handling of many *NIX boxes. The most important ones allows SIGIO, SIGURG, and possiby other signals to be sent to arbitrary processes on the system (from unpriviliged code)
Author:"Thomas H. Ptacek" <tqbf@RDIST.ORG> wrote the advisory, Alan Peakall found the original problem
Compromise:In some cases you can kill or disrupt many system processes
Vulnerable Systems:*BSD, IRIX, probably others
Date:15 September 1997
Exploit & full info:Available here


root bug in IRIX game spaceware
Description:Root hole in SpaceWare trackball software
Author:"J.A. Gutierrez" <spd@GTC1.CPS.UNIZAR.ES>
Compromise: root (local)
Vulnerable Systems:Presumably any system running spaceware 7.3 v1.0 (probably earlier). I don't know if it is IRIX specific. From the message it sounds like there are likely other holes in the program.
Date:20 August 1997
Exploit & full info:Available here


SGI NIS Domain Name disclosure
Description:In what seems to be YET ANOTHER stupid SGI bug, the system is apparently "nice" enough to create a "home page" for new users in public_html/index.html or public_html/index.html.N if they already have an index.html. The problem is that this file often discloses the NIS domain name of the host, which obviously has serious repercusions.
Author:Joerg Kuemmerlen <joku@BTGIX8.BGI.UNI-BAYREUTH.DE>
Compromise:Leak of the NIS domain name.
Vulnerable Systems:SGI O2 machines, presumably IRIX 6.3, 6.4
Date:5 August 1997
Exploit & full info:Available here


Another stupid SGI hole
Description:By default SGIs (IRIX 6.3, probably 6.4) will take files of type application/x-sgi-exec or application/x-sgi-task and allow them to run /sr/sysadm commands. Thus you can put a malicous file on your web page and hack root on SGI boxes that connect to it.
Author:Arthur Hagen <art@kether.global-one.no>
Compromise:Trojan a webpage to gain access to the accounts of SGI users who visit it.
Vulnerable Systems:SGI IRIX 6.3, probably 6.4
Date:1 August 1997
Exploit & full info:Available here


IRIX fails to correctly patch /cgi-bin/handler exploit
Description:In an apparent attempt to prevent breakins through the common handler cgi technique, IRIX changed the code. They now check the end of a string for a pipe (trying to make sure perl opens the file as a plain file), but you can still get away with putting tabs after the pipe, to hide it.
Author:Razvan Dragomirescu <drazvan@kappa.ro>
Compromise:remotely run commands through this pathetic CGI
Vulnerable Systems:IRIX 6.3 and 6.4, the older versions are vulnerable to an even easier version of the same problem.
Date:19 June 1997
Exploit & full info:Available here


Seyon calls system(xterm), Krad!
Description:seyon, which is setgid uucp on RedHat 4 at least, calls system(xterm) if it can't find seyon-emu. The exploit is obvious, 'nuff said
Author:Shawn Hillis <shillis@CLCSMAIL.KSC.NASA.GOV>
Compromise:root on some systems, like IRIX. Otherwise join the UUCP group, or whatever seyon is setgid to.
Vulnerable Systems:Redhat Linux 4.0, Irix 6.3, anything else with vulnerable version of seyon installed
Date:17 June 1997
Notes:system(xterm) from a setuid root prog? Is this really 1997???
Exploit & full info:Available here


IRIX handler cgi hole
Description:another prog that uses a perl open() with untrusted filenames, allowing the pipe symbol to be used to create a pipe instead. I think this is a serious problem with perl which should be fixed (perl is supposed to make programming securely EASIER than C does.)
Author:Razvan Dragomirescu <drazvan@kappa.ro>
Compromise:Run arbitrary commands as the owner of the httpd process
Vulnerable Systems:IRIX 6.2, the later versions try to fix this, but without success (see the other handler entry). It also works on 5.3
Date:15 June 1997
Exploit & full info:Available here


IRIX /usr/sbin/printers and /usr/bin/X11/xterm overflows
Description:two more buffer overflows for IRIX, this time in xterm and printers.
Author:David Hedley <hedley@CS.BRIS.AC.UK>
Compromise: root (local)
Vulnerable Systems:IRIX 5.x, 6.x
Date:27 May 1997
Notes:Note that David Hedley thinks the xterm problem is more general. He was able to overflow xlockmore on a FreeBSD machine. The xterm exploit post is right after the printers post below.
Exploit & full info:Available here


Buffer overflow in /usr/sbin/iwsh for Irix 5.3
Description:This overflow of /usr/sbin/iwsh is specifically taylored for IRIX 5.3. It is also possible to write a similar overflow for 6.x.
Author:David Hedley <hedley@CS.BRIS.AC.UK>
Compromise: root (local)
Vulnerable Systems:IRIX 5.3 (6.x would work with another exploit)
Date:27 May 1997
Exploit & full info:Available here


Overflows in IRIX /usr/sbin/X11/xconsole, /usr/sbin/X11/cdplayer, /usr/sbin/xwsh, and /usr/sbin/monpanel.
Description:As he mentions, there must be some bad IRIX library which is causing all of these IRIX progs to overflow. Anyway, this is a standard overflow which works on all of the above.
Author:"Patrick J. Paulus" <pjp@STEPAHEAD.NET> posted the exploit which was a _very_ slighty modified version of David Hedley's code posted earlier.
Compromise: root (local)
Vulnerable Systems:IRIX 5.3, probably 6.x
Date:27 May 1997
Notes:Someone reported to me that he couldn't get these to work. Has anyone used them successfully?
Exploit & full info:Available here


IRIX /bin/login overflow
Description:Overflow in /bin/login on IRIX 5.3-6.4
Author:David Hedley <hedley@CS.BRIS.AC.UK>
Compromise: root (local)
Vulnerable Systems:IRIX 5.3 through 6.4
Date:26 May 1997
Exploit & full info:Available here


Overflow in IRIX /usr/lib/desktop/permissions
Description:standard IRIX overflow, in /usr/lib/desktop/permissions
Author:David Hedley <hedley@CS.BRIS.AC.UK>
Compromise:Gain egid sys
Vulnerable Systems:IRIX 6.2, 5.x is probably vulnerable, but needs a rewritten exploit due to stack position.
Date:26 May 1997
Exploit & full info:Available here


3 More IRIX buffer overflows, courtesy of LsD
Description:Apparently, the "anonymous friend" who sent exploit code to Yuri may have swiped it from the polish group LsD. Anyway, they sent in 3 more exploits which are very similar (actually almost exactly the same) as those Yuri's polish friend sent.
Author:Sent from a hacked account by LsD, Last Stage of Delirium
Compromise: root (local)
Vulnerable Systems:IRIX, presumably up to 6.3
Date:25 May 1997
Exploit & full info:Available here


IRIX stupid xhost + default
Description:For X sessions, IRIX (I think up to 6.3) by default gives global access (ie xhost +). Duh. Of course this fits in very well with their default non-passworded guest account and their security-filled default crontab (see those other exploit entries for more information).
Author:Well known, but Matt Harrigan <matth@CONNECTNET.COM> posted interesting comments on exploiting the hole to someone who mentioned the problem.
Compromise:Take over an X session
Vulnerable Systems:IRIX, up to 6.3 I believe, using default IRIX default X access permissions.
Date:19 May 1997
Exploit & full info:Available here


Assorted IRIX WWW vulnerabilities
Description:IRIX has serious problems with some of their CGI's and other WWW programs like handler. Yuri explores these and exposes a lot of problems.
Author:Yuri Volobuev <volobuev@T1.CHEM.UMN.EDU>
Compromise:Become owner of httpd process, read files that are "protected" by .htaccess.
Vulnerable Systems:Irix 6.2
Date:16 May 1997
Notes:Woo! I'm glad to see Yuri isn't out of the scene like I was afraid he was.
Exploit & full info:Available here


IRIX default guest account
Description:Apparently, all IRIX systems come by default with a unpassworded guest account. Almost as stupid as HP/UX's staticly passworded uid 0 sam_exec accounts.
Author:well known, but Mike Neuman <mcn@RIPOSTE.ENGARDE.COM> mentioned it on bugtraq
Compromise:remotely obtain local user privileges.
Vulnerable Systems:IRIX, apparently all versions up to 6.3
Date:15 May 1997
Exploit & full info:Available here


IRIX sadc symlink vulnerability
Description:the IRIX program /usr/lib/sa/sadc is sgid sys and writes to /tmp/sa.adrfl, even if that is a symlink.
Author:Well known, but Jaechul Choe <poison@COSMOS.KAIST.AC.KR> posted this warning that IRIX is still vulnerable.
Compromise:GID sys
Vulnerable Systems:IRIX 5.3, 6.2
Date:9 May 1997
Exploit & full info:Available here


IRIX addnetpr race condition
Description:IRIX's addnetpr program has a symlink race condition that allows the clobbering of arbitrary files.
Author:Jaechul Choe <poison@COSMOS.KAIST.AC.KR>
Compromise:cause addnetpr to write to arbitrary files. It is unclear whether it appends or overwrites to already existing files. Could probably lead to root access.
Vulnerable Systems:IRIX 5.3, 6.2
Date:9 May 1997
Exploit & full info:Available here


IRIX rmail system() and LOGNAME hole
Description:rmail is setgid mail and apparently does a system() involving the contents of untrusted user environmental variable LOGNAME. Duh.
Author:Yuri Volobuev <volobuev@T1.CHEM.UMN.EDU>
Compromise:Group mail, the uses of this are obvious
Vulnerable Systems:IRIX, 5.3, 6.2, possibly 6.3
Date:7 May 1997
Notes:Too bad Yuri Volobuev is retiring. There wouldn't be a IRIX section without him. Good job Yuri!
Exploit & full info:Available here


IRIX inpview hole
Description:inpview is part of a video conferencing package. Wow, in 1997 we've got a system() without absolute path vulnerability. Haven't seen something that pathetic in a while, except for the M$ OOB problem.
Author:Yuri Volobuev <volobuev@T1.CHEM.UMN.EDU>
Compromise: root (local)
Vulnerable Systems:IRIX, presumably 5.3, 6.2, and 6.3
Date:7 May 1997
Exploit & full info:Available here


IRIX webdist CGI vulnerability
Description:Stupid cgi
Author:Grant Kaufmann <grant@CAPE.INTEKOM.COM>
Compromise:remotely execute arbitrary commands as httpd process owner (usually nobody or daemon)
Vulnerable Systems:IRIX 6.2, 6.3
Date:7 May 1997
Exploit & full info:Available here


IRIX xfsdump hole
Description:standard symlink problem.
Author:Yuri Volobuev <volobuev@T1.CHEM.UMN.EDU>
Compromise: root (local)
Vulnerable Systems:IRIX, presumably 5.3, 6.2, 6.3
Date:7 May 1997
Exploit & full info:Available here


IRIX crontab problems
Description:IRIX's default crontab contains some bad stuff. Like find that execs rm. Check the bugtrac archives for ways to leverage this to delete anything from the filesystem.
Author:Yuri Volobuev <volobuev@T1.CHEM.UMN.EDU>
Compromise:Delete any files on the (probably root) filesystem. You should be able to leverage root access from this.
Vulnerable Systems:IRIX, probably 5.3, 6.2, and 6.3
Date:7 May 1997
Exploit & full info:Available here


A bunch of IRIX holes found by Yuri Volubuev
Description:I have made a lot of these into their own pages, but I didn't include the more obscure ones, and I didn't have a good place to include his IRIX bashing. So I'm putting the whole post here.
Author:Yuri Volobuev <volobuev@T1.CHEM.UMN.EDU>
Compromise: root (local)
Vulnerable Systems:IRIX 5.3, 6.2, 6.3
Date:7 May 1997
Exploit & full info:Available here


Irix netprint vulnerability
Description:standard system() call/path hole
Author:Yuri Volobuev <volobuev@t1.chem.umn.edu&rt;
Compromise: root (local)
Vulnerable Systems:IRIX with vulnerable Netprint
Date:4 January 1997
Exploit & full info:Available here


IRIX suid_exec hole
Description:suid_exec, a program apparently distributed with ksh, has a number of security holes, including trusting the user's $SHELL variable.
Author:Yuri Volobuev (volobuev@t1.chem.umn.edu)
Compromise: root (local)
Vulnerable Systems:Irix 5.3 and 6.2, possibly AIX and others.
Date:2 December 1996
Exploit & full info:Available here


IRIX fsdump hole
Description:/var/rfindd/fsdump handles lock files poorly, which can lead to root access.
Author:Yuri Volobuev (volobuev@t1.chem.umn.edu)
Compromise: root (local)
Vulnerable Systems:Irix 5.3 and some 6.2 systems (its apparently optional in 6.2)
Date:28 November 1996
Notes:There is a better exploit at the addendum
Exploit & full info:Available here


IRIX /usr/etc/LicenseManager hole
Description:/usr/etc/LicenseManager handles log files poorly, which can lead to root access.
Author:Yuri Volobuev (volobuev@t1.chem.umn.edu)
Compromise: root (local)
Vulnerable Systems:Irix 5.3 and 6.2 systems (possibly other Irix systems)
Date:22 November 1996
Exploit & full info:Available here


IRIX /usr/bin/X11/cdplayer hole
Description:/usr/bin/X11/cdplayer is setuid on IRIX and is very insecure in file/directory creation, which can lead to root access.
Author:Yuri Volobuev (volobuev@t1.chem.umn.edu)
Compromise: root
Vulnerable Systems:at least Irix 5.3 and 6.2
Date:21 November 1996
Exploit & full info:Available here


IRIX systour package security holes
Description:The "systour" packaged shipped with IRIX contains numerous security holes.
Author:Tung-Hui Hu (hhui@STARDOT.NET)
Compromise: root (local)
Vulnerable Systems:At least Irix 5.3 and 6.2 with systour installed
Date:30 October 1996
Exploit & full info:Available here


IRIX day5notifier hole
Description:Hehe, the good folks at SGI apparently tried to avoid the system() call security problems, by an execve("/sbin/sh", "sh", "-c", "command..."). Ha!
Author:Mike Neuman <mcn@RIPOSTE.ENGARDE.COM>
Compromise: root (local)
Vulnerable Systems:IRIX 6.2
Date:Mike reported it on 6 August 1996, but they apparently didn't get around to fixing it.
Exploit & full info:Available here


IRIX 5.3 chost vulnerability
Description:IRIX 5.3 chost apparently fails to drip privileges sufficiently when an invalid root password is entered
Author:Grant Kaufmann (gkaufman@cs.uct.ac.za)
Compromise: root (local)
Vulnerable Systems:IRIX 5.3 with vulnerable chost.
Date:6 August 1996
Notes:The SGI patch may not always plug the hole!
Exploit & full info:Available here


IRIX/usr/Cadmin/bin/csetup vulnerability
Description:standard dumb tmpfile creation vulnerability in csetup
Author:Discovered by Jay (srinivas@t2.chem.umn.edu)
Compromise: root (local)
Vulnerable Systems:IRIX with vulnerable suid csetup
Date:6 January 1996
Exploit & full info:Available here



This page Copyright © Fyodor 1996, 1997, 1998
[Back] to Fyodor's Exploit World main index

[ Nmap | Sec Tools | Mailing Lists | Site News | About/Contact | Advertising | Privacy ]