Exploit world!
Irix Section
Xaw and Xterm vulnerabilities | |
---|---|
Description: | There are a number of vulnerabilities in the X11R6 xterm(1) program and Xaw(3c) libraries. Most of them are buffer overflows. |
Author: | Pavel Kankovsky <peak@kerberos.troja.mff.cuni.cz> and the exploit was written by alcuin |
Compromise: | root (local) |
Vulnerable Systems: | Those running Xterm or X apps linked to vulnerable Xaw. Virtually all versions of X are vulnerable to the *Keymap hole and the others are mostly X11R6 specific (which virtually everyone uses anyway). Thus it is likely that many Solaris, Linux, HP/UX, and perhaps IRIX and AIX boxes are vulnerable. |
Date: | 4 May 1998 |
Notes: | I have also included an exploit sent to me by "M.C.Mar" <emsi@it.com.pl>. This exploit works against Xaw and neXtaw even WITH Solar Designer's non-executable stack patch applied. Check it out! |
Exploit & full info: | Available here |
Overflow in kppp -c option | |
---|---|
Description: | Standard overflow |
Author: | "|[TDP]|" <tdp@psynet.net> |
Compromise: | root (local) |
Vulnerable Systems: | Those running kppp version < 1.1.3 suid root. This comes with the KDE system (which is pretty neat -- www.kde.org) and runs on Solaris, Linux, IRIX, and HP/UX |
Date: | 29 April 1998 |
Notes: | The hole was fixed a while prior to this posting so the (then) current version was not vulnerable. |
Exploit & full info: | Available here |
Major holes in IRIX IPX tools | |
---|---|
Description: | Sigh, IRIX was trivial to root before, but now thanks to their IPX tools it is even easier. We are talking blatant system() calls here! The story in this message is rather pathetic. |
Author: | Fabrice Planchon <fabrice@MATH.PRINCETON.EDU> |
Compromise: | root (local) |
Vulnerable Systems: | IRIX 6.3, perhaps earlier versions. |
Date: | 8 April 1998 |
Exploit & full info: | Available here |
Yet another SGI pfdispaly CGI hole | |
---|---|
Description: | As has been demonstrated many times, SGI CANNOT write secure CGI scripts. Nor can they write secure setuid programs. They fixed the last pfdispaly.cgi hole, but the new version is still quite buggy -- as this post demonstrates. |
Author: | "J.A. Gutierrez" <spd@GTC1.CPS.UNIZAR.ES> |
Compromise: | run arbitrary commands remotely as the UID running the webserver |
Vulnerable Systems: | SGI IRIX 6.2 using the performer_tools CGIs. |
Date: | 7 April 1998 |
Notes: | I honestly believe default SGI security is as bad as default Windows NT security. That is sad. |
Exploit & full info: | Available here |
Majordomo tmpfile bug | |
---|---|
Description: | Standard tmpfile problem |
Author: | Karl G - NOC Admin <ovrneith@tqgnet.com> |
Compromise: | Any user on a system running majordomo can append arbitrary data to any file owned by the majordomo account. |
Vulnerable Systems: | Those running majordomo. This runs on a ton of systems (Solaris, Linux, IRIX, etc.). |
Date: | 26 March 1998 |
Exploit & full info: | Available here |
Irix pfdispaly CGI hole | |
---|---|
Description: | Standard ".." directory traversal read-any-file CGI exploit. |
Author: | "J.A. Gutierrez" <spd@GTC1.CPS.UNIZAR.ES> |
Compromise: | Read any file (remotely) that user nobody (or whatever web server runs as) can read. |
Vulnerable Systems: | IRIX 6.2 with performer_tools.sw.webtools (Performer API Search Tool 2.2) installed, check for /var/www/cgi-bin/pfdispaly.cgi. |
Date: | 17 March 1998 |
Exploit & full info: | Available here |
routed trace file exploit | |
---|---|
Description: | routed has the ability to have trace mode turned on remotely using any arbitrary filename. Thus you can append stuff to arbitrary files remotely. |
Author: | Rootshell |
Compromise: | You should be able to leverage this to root remote access. |
Vulnerable Systems: | Red Hat Linux; IRIX 5.2, 5.3 and 6.2; NetBSD 1.2. |
Date: | 8 January 1998 |
Exploit & full info: | Available here |
ARP and ICMP redirection games | |
---|---|
Description: | This excellent article/code from Yuri points out a number of (mostly known) problems with the ARP and ICMP protocols and their implementations. |
Author: | Yuri Volobuev <volobuev@T1.CHEM.UMN.EDU> |
Compromise: | Spoof as a trusted host, redirect traffic through your host, DoS |
Vulnerable Systems: | Many versions of Linux, numerous hubs/routers. AFAIK, IRIX, HP-UX, *BSD, and probably Windoze can be spoofed with gratuitous ARP |
Date: | 19 September 1997 |
Exploit & full info: | Available here |
Asynchronous I/O signal handling | |
---|---|
Description: | Two problems in the asynchronous I/O handling of many *NIX boxes. The more important one allows SIGIO, SIGURG, and possibly other signals to be sent to arbitrary processes on the system from unprivileged code. |
Author: | "Thomas H. Ptacek" <tqbf@RDIST.ORG> wrote the advisory, Alan Peakall found the original problem |
Compromise: | In some cases you can kill or disrupt many system processes |
Vulnerable Systems: | *BSD, IRIX, probably others |
Date: | 15 September 1997 |
Exploit & full info: | Available here |
root bug in IRIX game spaceware | |
---|---|
Description: | Root hole in SpaceWare trackball software |
Author: | "J.A. Gutierrez" <spd@GTC1.CPS.UNIZAR.ES> |
Compromise: | root (local) |
Vulnerable Systems: | Presumably any system running spaceware 7.3 v1.0 (probably earlier). I don't know if it is IRIX specific. From the message it sounds like there are likely other holes in the program. |
Date: | 20 August 1997 |
Exploit & full info: | Available here |
SGI NIS Domain Name disclosure | |
---|---|
Description: | In what seems to be YET ANOTHER stupid SGI bug, the system is apparently "nice" enough to create a "home page" for new users in public_html/index.html (or public_html/index.html.N if they already have an index.html). The problem is that this file often discloses the NIS domain name of the host, which obviously has serious repercussions. |
Author: | Joerg Kuemmerlen <joku@BTGIX8.BGI.UNI-BAYREUTH.DE> |
Compromise: | Leak of the NIS domain name. |
Vulnerable Systems: | SGI O2 machines, presumably IRIX 6.3, 6.4 |
Date: | 5 August 1997 |
Exploit & full info: | Available here |
Another stupid SGI hole | |
---|---|
Description: | By default SGIs (IRIX 6.3, probably 6.4) will take files of type application/x-sgi-exec or application/x-sgi-task and allow them to run /usr/sysadm commands. Thus you can put a malicious file on your web page and hack root on SGI boxes that connect to it. |
Author: | Arthur Hagen <art@kether.global-one.no> |
Compromise: | Trojan a webpage to gain access to the accounts of SGI users who visit it. |
Vulnerable Systems: | SGI IRIX 6.3, probably 6.4 |
Date: | 1 August 1997 |
Exploit & full info: | Available here |
IRIX fails to correctly patch /cgi-bin/handler exploit | |
---|---|
Description: | In an apparent attempt to prevent breakins through the common handler cgi technique, IRIX changed the code. They now check the end of a string for a pipe (trying to make sure perl opens the file as a plain file), but you can still get away with putting tabs after the pipe, to hide it. |
Author: | Razvan Dragomirescu <drazvan@kappa.ro> |
Compromise: | remotely run commands through this pathetic CGI |
Vulnerable Systems: | IRIX 6.3 and 6.4, the older versions are vulnerable to an even easier version of the same problem. |
Date: | 19 June 1997 |
Exploit & full info: | Available here |
Seyon calls system(xterm), Krad! | |
---|---|
Description: | seyon, which is setgid uucp on RedHat 4 at least, calls system(xterm) if it can't find seyon-emu. The exploit is obvious, 'nuff said |
Author: | Shawn Hillis <shillis@CLCSMAIL.KSC.NASA.GOV> |
Compromise: | root on some systems, like IRIX. Otherwise join the UUCP group, or whatever seyon is setgid to. |
Vulnerable Systems: | Redhat Linux 4.0, Irix 6.3, anything else with vulnerable version of seyon installed |
Date: | 17 June 1997 |
Notes: | system(xterm) from a setuid root prog? Is this really 1997??? |
Exploit & full info: | Available here |
IRIX handler cgi hole | |
---|---|
Description: | Another program that uses a perl open() with untrusted filenames, allowing the pipe symbol to be used to open a pipe to a command instead of a file. I think this is a serious problem with perl which should be fixed (perl is supposed to make programming securely EASIER than C does). |
Author: | Razvan Dragomirescu <drazvan@kappa.ro> |
Compromise: | Run arbitrary commands as the owner of the httpd process |
Vulnerable Systems: | IRIX 6.2, the later versions try to fix this, but without success (see the other handler entry). It also works on 5.3 |
Date: | 15 June 1997 |
Exploit & full info: | Available here |
IRIX /usr/sbin/printers and /usr/bin/X11/xterm overflows | |
---|---|
Description: | Two more buffer overflows for IRIX, this time in xterm and printers. |
Author: | David Hedley <hedley@CS.BRIS.AC.UK> |
Compromise: | root (local) |
Vulnerable Systems: | IRIX 5.x, 6.x |
Date: | 27 May 1997 |
Notes: | Note that David Hedley thinks the xterm problem is more general. He was able to overflow xlockmore on a FreeBSD machine. The xterm exploit post is right after the printers post below. |
Exploit & full info: | Available here |
Buffer overflow in /usr/sbin/iwsh for Irix 5.3 | |
---|---|
Description: | This overflow of /usr/sbin/iwsh is specifically tailored for IRIX 5.3. It is also possible to write a similar overflow for 6.x. |
Author: | David Hedley <hedley@CS.BRIS.AC.UK> |
Compromise: | root (local) |
Vulnerable Systems: | IRIX 5.3 (6.x would work with another exploit) |
Date: | 27 May 1997 |
Exploit & full info: | Available here |
Overflows in IRIX /usr/sbin/X11/xconsole, /usr/sbin/X11/cdplayer, /usr/sbin/xwsh, and /usr/sbin/monpanel. | |
---|---|
Description: | As he mentions, there must be some bad IRIX library which is causing all of these IRIX progs to overflow. Anyway, this is a standard overflow which works on all of the above. |
Author: | "Patrick J. Paulus" <pjp@STEPAHEAD.NET> posted the exploit, which was a _very_ slightly modified version of David Hedley's code posted earlier. |
Compromise: | root (local) |
Vulnerable Systems: | IRIX 5.3, probably 6.x |
Date: | 27 May 1997 |
Notes: | Someone reported to me that he couldn't get these to work. Has anyone used them successfully? |
Exploit & full info: | Available here |
IRIX /bin/login overflow | |
---|---|
Description: | Overflow in /bin/login on IRIX 5.3-6.4 |
Author: | David Hedley <hedley@CS.BRIS.AC.UK> |
Compromise: | root (local) |
Vulnerable Systems: | IRIX 5.3 through 6.4 |
Date: | 26 May 1997 |
Exploit & full info: | Available here |
Overflow in IRIX /usr/lib/desktop/permissions | |
---|---|
Description: | Standard IRIX overflow, in /usr/lib/desktop/permissions |
Author: | David Hedley <hedley@CS.BRIS.AC.UK> |
Compromise: | Gain egid sys |
Vulnerable Systems: | IRIX 6.2, 5.x is probably vulnerable, but needs a rewritten exploit due to stack position. |
Date: | 26 May 1997 |
Exploit & full info: | Available here |
3 More IRIX buffer overflows, courtesy of LsD | |
---|---|
Description: | Apparently, the "anonymous friend" who sent exploit code to Yuri may have swiped it from the Polish group LsD. Anyway, they sent in 3 more exploits which are very similar (actually almost exactly the same) to those Yuri's Polish friend sent. |
Author: | Sent from a hacked account by LsD, Last Stage of Delirium |
Compromise: | root (local) |
Vulnerable Systems: | IRIX, presumably up to 6.3 |
Date: | 25 May 1997 |
Exploit & full info: | Available here |
IRIX stupid xhost + default | |
---|---|
Description: | For X sessions, IRIX (I think up to 6.3) by default gives global access (ie xhost +). Duh. Of course this fits in very well with their default non-passworded guest account and their security-filled default crontab (see those other exploit entries for more information). |
Author: | Well known, but Matt Harrigan <matth@CONNECTNET.COM> posted interesting comments on exploiting the hole to someone who mentioned the problem. |
Compromise: | Take over an X session |
Vulnerable Systems: | IRIX, up to 6.3 I believe, using the default IRIX X access permissions. |
Date: | 19 May 1997 |
Exploit & full info: | Available here |
Assorted IRIX WWW vulnerabilities | |
---|---|
Description: | IRIX has serious problems with some of its CGIs and other WWW programs like handler. Yuri explores these and exposes a lot of problems. |
Author: | Yuri Volobuev <volobuev@T1.CHEM.UMN.EDU> |
Compromise: | Become owner of httpd process, read files that are "protected" by .htaccess. |
Vulnerable Systems: | Irix 6.2 |
Date: | 16 May 1997 |
Notes: | Woo! I'm glad to see Yuri isn't out of the scene like I was afraid he was. |
Exploit & full info: | Available here |
IRIX default guest account | |
---|---|
Description: | Apparently, all IRIX systems come by default with an unpassworded guest account. Almost as stupid as HP/UX's statically passworded uid 0 sam_exec accounts. |
Author: | well known, but Mike Neuman <mcn@RIPOSTE.ENGARDE.COM> mentioned it on bugtraq |
Compromise: | Remotely obtain local user privileges. |
Vulnerable Systems: | IRIX, apparently all versions up to 6.3 |
Date: | 15 May 1997 |
Exploit & full info: | Available here |
IRIX sadc symlink vulnerability | |
---|---|
Description: | The IRIX program /usr/lib/sa/sadc is sgid sys and writes to /tmp/sa.adrfl, even if that is a symlink. |
Author: | Well known, but Jaechul Choe <poison@COSMOS.KAIST.AC.KR> posted this warning that IRIX is still vulnerable. |
Compromise: | GID sys |
Vulnerable Systems: | IRIX 5.3, 6.2 |
Date: | 9 May 1997 |
Exploit & full info: | Available here |
IRIX addnetpr race condition | |
---|---|
Description: | IRIX's addnetpr program has a symlink race condition that allows the clobbering of arbitrary files. |
Author: | Jaechul Choe <poison@COSMOS.KAIST.AC.KR> |
Compromise: | Cause addnetpr to write to arbitrary files. It is unclear whether it appends to or overwrites already existing files. Could probably lead to root access. |
Vulnerable Systems: | IRIX 5.3, 6.2 |
Date: | 9 May 1997 |
Exploit & full info: | Available here |
IRIX rmail system() and LOGNAME hole | |
---|---|
Description: | rmail is setgid mail and apparently does a system() involving the contents of the untrusted user environment variable LOGNAME. Duh. |
Author: | Yuri Volobuev <volobuev@T1.CHEM.UMN.EDU> |
Compromise: | Group mail, the uses of this are obvious |
Vulnerable Systems: | IRIX, 5.3, 6.2, possibly 6.3 |
Date: | 7 May 1997 |
Notes: | Too bad Yuri Volobuev is retiring. There wouldn't be a IRIX section without him. Good job Yuri! |
Exploit & full info: | Available here |
IRIX inpview hole | |
---|---|
Description: | inpview is part of a video conferencing package. Wow, in 1997 we've got a system() without absolute path vulnerability. Haven't seen something that pathetic in a while, except for the M$ OOB problem. |
Author: | Yuri Volobuev <volobuev@T1.CHEM.UMN.EDU> |
Compromise: | root (local) |
Vulnerable Systems: | IRIX, presumably 5.3, 6.2, and 6.3 |
Date: | 7 May 1997 |
Exploit & full info: | Available here |
IRIX webdist CGI vulnerability | |
---|---|
Description: | Stupid CGI |
Author: | Grant Kaufmann <grant@CAPE.INTEKOM.COM> |
Compromise: | Remotely execute arbitrary commands as the httpd process owner (usually nobody or daemon) |
Vulnerable Systems: | IRIX 6.2, 6.3 |
Date: | 7 May 1997 |
Exploit & full info: | Available here |
IRIX xfsdump hole | |
---|---|
Description: | Standard symlink problem. |
Author: | Yuri Volobuev <volobuev@T1.CHEM.UMN.EDU> |
Compromise: | root (local) |
Vulnerable Systems: | IRIX, presumably 5.3, 6.2, 6.3 |
Date: | 7 May 1997 |
Exploit & full info: | Available here |
IRIX crontab problems | |
---|---|
Description: | IRIX's default crontab contains some bad stuff, like a find that execs rm. Check the Bugtraq archives for ways to leverage this to delete anything from the filesystem. |
Author: | Yuri Volobuev <volobuev@T1.CHEM.UMN.EDU> |
Compromise: | Delete any files on the (probably root) filesystem. You should be able to leverage root access from this. |
Vulnerable Systems: | IRIX, probably 5.3, 6.2, and 6.3 |
Date: | 7 May 1997 |
Exploit & full info: | Available here |
A bunch of IRIX holes found by Yuri Volobuev | |
---|---|
Description: | I have made a lot of these into their own pages, but I didn't include the more obscure ones, and I didn't have a good place to include his IRIX bashing. So I'm putting the whole post here. |
Author: | Yuri Volobuev <volobuev@T1.CHEM.UMN.EDU> |
Compromise: | root (local) |
Vulnerable Systems: | IRIX 5.3, 6.2, 6.3 |
Date: | 7 May 1997 |
Exploit & full info: | Available here |
Irix netprint vulnerability | |
---|---|
Description: | Standard system() call/path hole |
Author: | Yuri Volobuev <volobuev@t1.chem.umn.edu> |
Compromise: | root (local) |
Vulnerable Systems: | IRIX with vulnerable Netprint |
Date: | 4 January 1997 |
Exploit & full info: | Available here |
IRIX suid_exec hole | |
---|---|
Description: | suid_exec, a program apparently distributed with ksh, has a number of security holes, including trusting the user's $SHELL variable. |
Author: | Yuri Volobuev (volobuev@t1.chem.umn.edu) |
Compromise: | root (local) |
Vulnerable Systems: | Irix 5.3 and 6.2, possibly AIX and others. |
Date: | 2 December 1996 |
Exploit & full info: | Available here |
IRIX fsdump hole | |
---|---|
Description: | /var/rfindd/fsdump handles lock files poorly, which can lead to root access. |
Author: | Yuri Volobuev (volobuev@t1.chem.umn.edu) |
Compromise: | root (local) |
Vulnerable Systems: | Irix 5.3 and some 6.2 systems (it's apparently optional in 6.2) |
Date: | 28 November 1996 |
Notes: | There is a better exploit in the addendum |
Exploit & full info: | Available here |
IRIX /usr/etc/LicenseManager hole | |
---|---|
Description: | /usr/etc/LicenseManager handles log files poorly, which can lead to root access. |
Author: | Yuri Volobuev (volobuev@t1.chem.umn.edu) |
Compromise: | root (local) |
Vulnerable Systems: | Irix 5.3 and 6.2 systems (possibly other Irix systems) |
Date: | 22 November 1996 |
Exploit & full info: | Available here |
IRIX /usr/bin/X11/cdplayer hole | |
---|---|
Description: | /usr/bin/X11/cdplayer is setuid on IRIX and is very insecure in file/directory creation, which can lead to root access. |
Author: | Yuri Volobuev (volobuev@t1.chem.umn.edu) |
Compromise: | root |
Vulnerable Systems: | at least Irix 5.3 and 6.2 |
Date: | 21 November 1996 |
Exploit & full info: | Available here |
IRIX systour package security holes | |
---|---|
Description: | The "systour" package shipped with IRIX contains numerous security holes. |
Author: | Tung-Hui Hu (hhui@STARDOT.NET) |
Compromise: | root (local) |
Vulnerable Systems: | At least Irix 5.3 and 6.2 with systour installed |
Date: | 30 October 1996 |
Exploit & full info: | Available here |
IRIX day5notifier hole | |
---|---|
Description: | Hehe, the good folks at SGI apparently tried to avoid the system() call security problems, by an execve("/sbin/sh", "sh", "-c", "command..."). Ha! |
Author: | Mike Neuman <mcn@RIPOSTE.ENGARDE.COM> |
Compromise: | root (local) |
Vulnerable Systems: | IRIX 6.2 |
Date: | Mike reported it on 6 August 1996, but they apparently didn't get around to fixing it. |
Exploit & full info: | Available here |
IRIX 5.3 chost vulnerability | |
---|---|
Description: | IRIX 5.3 chost apparently fails to drop privileges sufficiently when an invalid root password is entered. |
Author: | Grant Kaufmann (gkaufman@cs.uct.ac.za) |
Compromise: | root (local) |
Vulnerable Systems: | IRIX 5.3 with vulnerable chost. |
Date: | 6 August 1996 |
Notes: | The SGI patch may not always plug the hole! |
Exploit & full info: | Available here |
IRIX /usr/Cadmin/bin/csetup vulnerability | |
---|---|
Description: | Standard dumb tmpfile creation vulnerability in csetup |
Author: | Discovered by Jay (srinivas@t2.chem.umn.edu) |
Compromise: | root (local) |
Vulnerable Systems: | IRIX with vulnerable suid csetup |
Date: | 6 January 1996 |
Exploit & full info: | Available here |
This page Copyright © Fyodor 1996, 1997, 1998