IRIX inpview Environment Variable Local Privilege Escalation

2005-01-13T00:00:00
ID OSVDB:12915
Type osvdb
Reporter iDEFENSE(idlabs-advisories@idefense.com)
Modified 2005-01-13T00:00:00

Description

Vulnerability Description

IRIX contains a flaw that may allow a malicious user to gain access to unauthorized privileges. The issue is triggered when inpview trusts the user environment and does not drop privileges. A malicious user can set the environment variable SUN_TTSESSION_CMD to "cp /bin/jsh /tmp/jsh;chmod 6755 /tmp/jsh;killall -9 inpview," which will execute with root permissions, thus allowing a regular user to drop a setuid and setgid shell to /tmp. This flaw leads to a loss of integrity.

Solution Description

The vendor has discontinued this product and therefore has no patch or upgrade that mitigates this problem. However, it is possible to fix this vulnerability by implementing the following workaround: remove the setuid bit from inpview.

chmod u-s /usr/lib/InPerson/inpview

Short Description

IRIX contains a flaw that may allow a malicious user to gain access to unauthorized privileges. The issue is triggered when inpview trusts the user environment and does not drop privileges. A malicious user can set the environment variable SUN_TTSESSION_CMD to "cp /bin/jsh /tmp/jsh;chmod 6755 /tmp/jsh;killall -9 inpview," which will execute with root permissions, thus allowing a regular user to drop a setuid and setgid shell to /tmp. This flaw leads to a loss of integrity.

References:

Vendor URL: http://www.sgi.com/ Security Tracker: 1012894 Secunia Advisory ID:13858 Other Advisory URL: http://www.idefense.com/application/poi/display?id=182&type=vulnerabilities Mail List Post: http://archives.neohapsis.com/archives/fulldisclosure/2005-01/0470.html ISS X-Force ID: 18894 CVE-2005-0113 Bugtraq ID: 12259