Seyon calls system(xterm), Krad!
| Description: | seyon, which is setgid uucp on RedHat 4 at least, calls system(xterm) if it can't find seyon-emu. The exploit is obvious, 'nuff said |
| Author: | Shawn Hillis <shillis@CLCSMAIL.KSC.NASA.GOV> |
| Compromise: | root on some systems, like IRIX. Otherwise join the UUCP group, or whatever seyon is setgid to. |
| Vulnerable Systems: | Redhat Linux 4.0, Irix 6.3, anything else with vulnerable version of seyon installed |
| Date: | 17 June 1997 |
| Notes: | system(xterm) from a setuid root prog? Is this really 1997??? |
Date: Tue, 17 Jun 1997 11:16:54 -0400
From: Shawn Hillis <shillis@CLCSMAIL.KSC.NASA.GOV>
To: BUGTRAQ@NETSPACE.ORG
Subject: Seyon vulnerability - IRIX
I am kinda surprised that I haved seen anything come across about this
on bugtraq. I searched the archives and only found one reference for
seyon and that was on linux. So, even tho' I looked, I apologize if
this is old news.
Anyway, seyon is a telecommunications package for the X Window System
and I believe that it is freeware. It seems that when seyon starts, it
tries to execute 'seyon-emu'. When it fails to find that, it opens an
xterm instead. Unfortunately, it opens xterm and not
/usr/bin/X11/xterm. That's right, another relative path call.
I'm not sure if seyon actually needs to be setuid to root to work or
not, but it seems to be commonly installed that way. I tested it on
Irix 6.3 and it will give you euid=0 easily enough.
--
--------------------------------------------------------------
Shawn Hillis Network Engineer
Lockheed-Martin shillis@clcsmail.ksc.nasa.gov
KSC Phone: (407) 861-2229
The master index of all exploits is available
here (Very large file)
Or you can pick your favorite operating system:
This page is part of Fyodor's exploit
world.
For a free program to automate scanning your network for vulnerable
hosts and services, check out my network mapping tool, nmap. Or try these Insecure.Org resources:
