Seyon calls system(xterm), Krad!

Summary
Description:seyon, which is setgid uucp on RedHat 4 at least, calls system(xterm) if it can't find seyon-emu. The exploit is obvious, 'nuff said
Author:Shawn Hillis <shillis@CLCSMAIL.KSC.NASA.GOV>
Compromise:root on some systems, like IRIX. Otherwise join the UUCP group, or whatever seyon is setgid to.
Vulnerable Systems:Redhat Linux 4.0, Irix 6.3, anything else with vulnerable version of seyon installed
Date:17 June 1997
Notes:system(xterm) from a setuid root prog? Is this really 1997???
Details


Date: Tue, 17 Jun 1997 11:16:54 -0400
From: Shawn Hillis <shillis@CLCSMAIL.KSC.NASA.GOV>
To: BUGTRAQ@NETSPACE.ORG
Subject: Seyon vulnerability - IRIX

I am kinda surprised that I haved seen anything come across about this
on bugtraq.  I searched the archives and only found one reference for
seyon and that was on linux.  So, even tho' I looked, I apologize if
this is old news.

        Anyway,  seyon is a telecommunications package for the X Window System
and I believe that it is freeware.  It seems that when seyon starts, it
tries to execute 'seyon-emu'.  When it fails to find that, it opens an
xterm instead.  Unfortunately, it opens xterm and not
/usr/bin/X11/xterm.  That's right, another relative path call.

        I'm not sure if seyon actually needs to be setuid to root to work or
not, but it seems to be commonly installed that way.  I tested it on
Irix 6.3 and it will give you euid=0 easily enough.
--
--------------------------------------------------------------
Shawn Hillis                    Network Engineer
Lockheed-Martin                 shillis@clcsmail.ksc.nasa.gov
KSC                             Phone: (407) 861-2229

More Exploits!

The master index of all exploits is available here (Very large file)
Or you can pick your favorite operating system:
All OS's Linux Solaris/SunOS Micro$oft
*BSD Macintosh AIX IRIX
ULTRIX/Digital UNIX HP/UX SCO Remote exploits

This page is part of Fyodor's exploit world. For a free program to automate scanning your network for vulnerable hosts and services, check out my network mapping tool, nmap. Or try these Insecure.Org resources: