IRIX cdplayer Arbitrary Directory Creation Privilege Escalation

1996-11-21T00:00:00
ID OSVDB:8448
Type osvdb
Reporter Yuri Volobuev(volobuev@t1.chem.umn.edu)
Modified 1996-11-21T00:00:00

Description

Vulnerability Description

IRIX contains a flaw that may allow a malicious user to gain access to unauthorized privileges. The issue is triggered when a malicious user can create arbitrary directories using a command line option for the cdplayer program, which is setuid root. This flaw may lead to a loss of integrity.

Technical Description

This vulnerability can be exploited even when the target does not have a CD-ROM drive.

Solution Description

Silicon Graphics, Inc. has released a patch to address this vulnerability. It is also possible to correct the flaw by implementing the following workaround: Remove the setuid bit from cdplayer.

Short Description

IRIX contains a flaw that may allow a malicious user to gain access to unauthorized privileges. The issue is triggered when a malicious user can create arbitrary directories using a command line option for the cdplayer program, which is setuid root. This flaw may lead to a loss of integrity.

Manual Testing Notes

umask 000 cdplayer -dbcdir /usr/admin/ echo "+ +" > /usr/admin/.rhosts chown root.sys /usr/admin/.rhosts rsh localhost -l sysadm

References:

Vendor URL: http://www.sgi.com Vendor Specific Solution URL: ftp://ftp.sgi.com/patches/ Vendor Specific Advisory URL Other Advisory URL: http://www.auscert.org.au/render.html?it=1864&cid=16 ISS X-Force ID: 1632 CVE-1999-0960 Bugtraq ID: 333