Re: IRIX 5.3 /var/rfindd/fsdump - exploit
Larry Glaze (lglaze MC2-CSR.COM) Tue, 25 Feb 1997 11:30:31 -0500
- Next message: Cristian SCHIPOR: "BIG Security Hole in Solaris 2.X (X)passwd + exploit"
- Previous message: Mitja Kolsek: "Re: [NTSEC] ! [ADVISORY] Major Security Hole in MS ASP"
- Maybe in reply to: Chris Sheldon: "IRIX 5.3 /var/rfindd/fsdump - exploit"
- Next in thread: Yuri Volobuev: "Re: IRIX 5.3 /var/rfindd/fsdump - exploit"
At 06:33 AM 2/25/97 -0800, Chris Sheldon wrote:
>Ok. Well, yet another IRIX 5.3 root exploit.
>Of course, the major problem here is that IRIX allows users to
>give away ownership of files. Without that, this could only
>be used for changing the permissions on a file so that you could read
>and modify.
exploit stuff deleted....
>This can be used to access pretty much any file on the system
>which is currently group owned...
>
>fun, fun, fun until SGI takes the bugs away... ;-) (right)
Ummm, why don't you just remove the file giveaway privilege?
pandora 2# systune -i
Updates will be made to running system and /unix.install
systune-> restricted_chown 1
restricted_chown = 1 (0x1)
Do you really want to change restricted_chown to 1 (0x1)? (y/n) y
In order for the change in parameter restricted_chown to become effective,
reboot the system
systune->q
pandora 3# /etc/reboot
Takes less than 5 minutes of time and gets rid of file giveaways and the
above security hole. BTW, this is especially important if you are running
quotas since people can 'give' their files away to root (who usually doesn't
have a quota) to bypass the quota limit, yet retain ownership of the directory
the files reside in, thus giving them the ability to still modify the files.
Larry
System/Network Administrator
MC2 Cyberspace
--
---------------------------------------------------------------------------
| Larry Glaze                      | "...Life's a bummer..."
| System/Network Administrator     |        --Smashing Pumpkins
| MC2 Cyberspace, Ltd              |
| http://www.mc2-csr.com/~lglaze   | lglaze mc2-csr.com
---------------------------------------------------------------------------
| All opinions are my own, as they should be!
---------------------------------------------------------------------------
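The message above describes files given away to another owner while still sitting in a directory the original user controls. The following audit sketch is an added example, not part of the original post or any SGI tooling: it reports whether the filesystem enforces restricted chown (via POSIX `pathconf`) and lists regular files whose owner differs from the owner of their containing directory. The function names and the sample records are constructed for illustration.

```python
import os
import stat

# Constructed sample records: (path, file owner uid, directory owner uid).
SAMPLE = [
    ("/home/alice/data.tar", 0, 1001),      # root-owned file in alice's directory
    ("/home/alice/notes.txt", 1001, 1001),
    ("/home/bob/core", 1002, 1002),
]

def chown_restricted(path="/"):
    """True if chown giveaway is restricted for the filesystem holding path,
    False if users may give files away, None if it cannot be determined."""
    try:
        # POSIX: any value other than -1 means _POSIX_CHOWN_RESTRICTED is in effect.
        return os.pathconf(path, "PC_CHOWN_RESTRICTED") != -1
    except (OSError, ValueError, AttributeError):
        return None

def flag_giveaways(entries):
    """Return the records whose file owner differs from the directory owner."""
    return [(p, fu, du) for p, fu, du in entries if fu != du]

def scan(root):
    """Walk root and flag regular files not owned by their directory's owner."""
    entries = []
    for dirpath, _dirs, files in os.walk(root):
        try:
            dir_uid = os.lstat(dirpath).st_uid
        except OSError:
            continue  # directory vanished or is unreadable
        for name in files:
            path = os.path.join(dirpath, name)
            try:
                st = os.lstat(path)  # lstat: do not follow symlinks
            except OSError:
                continue
            if stat.S_ISREG(st.st_mode):
                entries.append((path, st.st_uid, dir_uid))
    return flag_giveaways(entries)

if __name__ == "__main__":
    print("chown restricted on /:", chown_restricted("/"))
    for path, file_uid, dir_uid in flag_giveaways(SAMPLE):
        print(f"{path}: owner uid {file_uid}, directory uid {dir_uid}")
```

An owner mismatch is only a lead for review, since an administrator may legitimately have created files in a user's directory.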