IRIX inpview hole

Description:inpview is part of a video conferencing package. Wow, in 1997 we've got a system() without absolute path vulnerability. Haven't seen something that pathetic in a while, except for the M$ OOB problem.
Author:Yuri Volobuev <volobuev@T1.CHEM.UMN.EDU>
Compromise: root (local)
Vulnerable Systems:IRIX, presumably 5.3, 6.2, and 6.3
Date:7 May 1997

te: Wed, 7 May 1997 05:48:00 -0500
From: Yuri Volobuev <volobuev@T1.CHEM.UMN.EDU>
Subject: Irix: misc

1. /usr/lib/InPerson/inpview

inpview is part of InPerson desktop video conferencing package.  It's
root-owned/suid and is written in a classic SGI suid-programming style, 
in the course of execution inpview, without dropping euid=0, starts 
ttsession, using system() and without bothering to use absolute path.  So
it's pretty much like suid shell sitting around, in case you forget root
password.  It does all kinds of other dangerous stuff as well, e.g.
predictable tmp files.

Obvious fix is to strip suid bit, which is most likely to break it.  I 
know why it's necessary to be root to establish non-authentificated
connection between two machines, but I guess SGI guys know better.  If you
do need InPerson badly, consider restricting execution privileges to the
trusted group of users, or putting a standard wrapper around it, kind of 
AUSCERT usually supplies with their advisories.  Such a wrapper should 
critical environment variables (PATH, HOME, LOGNAME, etc.), check command
line for unwanted characters (shell metacharacters, see sh(1) manpage),
checks command line and may be few environment variables for length.  It
doesn't protect you from all evils, notably nothing can be done about
tmp files, but it's better than nothing.

More Exploits!

The master index of all exploits is available here (Very large file)
Or you can pick your favorite operating system:
All OS's Linux Solaris/SunOS Micro$oft
*BSD Macintosh AIX IRIX
ULTRIX/Digital UNIX HP/UX SCO Remote exploits

This page is part of Fyodor's exploit world. For a free program to automate scanning your network for vulnerable hosts and services, check out my network mapping tool, nmap. Or try these Insecure.Org resources: