The runpriv program is a setuid root application that checks to see if a regular user has been granted privileges to execute a certain predefined command, and if so it runs the command found in the directory /usr/sysadm/privbin with root privileges. It is installed by default under multiple versions of IRIX 6.
Local exploitation of a design error vulnerability in the runpriv command included in multiple versions of Silicon Graphics Inc.'s IRIX could allow for arbitrary code execution as the root user.
The vulnerability exists because runpriv executes the requested command unsafely after it has verified the user's privileges: the user-supplied command line is not restricted to the authorized binary and its arguments, so additional commands appended to it are also run as root. An attacker who has been granted privileged access to a single binary in /usr/sysadm/privbin can therefore execute arbitrary commands as root. Exploitation requires nothing more than appending a string of the form "command to execute" to the end of an otherwise authorized and legitimate command. For example, a user who has been authorized to run the mountfs utility can exploit the vulnerability in the following way:
This has the effect of adding an administrative (UID 0) user "r00t" with no password to the system, which allows trivial privilege escalation by simply switching to that account.
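The design error described above is the classic setuid-wrapper mistake: the wrapper authorizes a command name, then hands a command line built from user input to a shell, so anything the shell interprets in that input also runs as root. The following is an added example, not SGI's runpriv source, showing that unsafe pattern next to a hardened wrapper that never involves a shell. The PRIVBIN path comes from the advisory; the authorization table, user names and the allow-list rules are assumptions for illustration.

```c
/* Added example (not SGI's runpriv code): an unsafe command wrapper
 * beside a hardened one. PRIVBIN is taken from the advisory; the ACL,
 * user names and allow-list rules are hypothetical. */
#include <ctype.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <unistd.h>

#define PRIVBIN "/usr/sysadm/privbin"   /* directory named in the advisory */

/* Hypothetical authorization table: which user may run which privbin tool. */
static const struct { const char *user; const char *cmd; } acl[] = {
    { "alice", "mountfs" },
};

/* Returns 1 if user has been granted cmd, 0 otherwise. */
int authorized(const char *user, const char *cmd) {
    for (size_t i = 0; i < sizeof acl / sizeof acl[0]; i++)
        if (strcmp(acl[i].user, user) == 0 && strcmp(acl[i].cmd, cmd) == 0)
            return 1;
    return 0;
}

/* UNSAFE: the user's argument is spliced into a command line that a shell
 * will parse, so a metacharacter sequence such as "; cmd" in arg makes the
 * shell run cmd with the wrapper's root privileges. Returns 1 on success. */
int build_shell_command(char *out, size_t outlen, const char *cmd, const char *arg) {
    int n = snprintf(out, outlen, "%s/%s %s", PRIVBIN, cmd, arg);
    return n >= 0 && (size_t)n < outlen;
}

void run_unsafe(const char *cmd, const char *arg) {
    char line[1024];
    if (build_shell_command(line, sizeof line, cmd, arg))
        system(line);   /* /bin/sh -c "<line>", as root: command injection */
}

/* Hardened check 1: the command name must be a plain basename so it can
 * only resolve inside PRIVBIN (no '/', no '.', so no "../"). */
int safe_command_name(const char *cmd) {
    if (*cmd == '\0') return 0;
    for (const char *p = cmd; *p; p++)
        if (!isalnum((unsigned char)*p) && *p != '_' && *p != '-') return 0;
    return 1;
}

/* Hardened check 2: allow-list the argument bytes. This blocks shell
 * metacharacters and control bytes; the tool itself must still validate
 * what the argument means (e.g. which device mountfs may touch). */
int safe_argument(const char *arg) {
    for (const char *p = arg; *p; p++) {
        unsigned char c = (unsigned char)*p;
        if (!(isalnum(c) || c == '/' || c == '.' || c == '_' || c == '-')) return 0;
    }
    return 1;
}

/* Hardened execution: no shell at all. argv goes straight to execv(), so
 * the user's string can only ever be a single argument to the privbin tool. */
void run_hardened(const char *user, const char *cmd, const char *arg) {
    char path[512];
    if (!authorized(user, cmd) || !safe_command_name(cmd) || !safe_argument(arg)) {
        fprintf(stderr, "runpriv: permission denied\n");
        exit(1);
    }
    snprintf(path, sizeof path, "%s/%s", PRIVBIN, cmd);
    char *argv[] = { (char *)cmd, (char *)arg, NULL };
    execv(path, argv);
    perror("execv");            /* only reached if the exec itself fails */
    exit(1);
}

int main(int argc, char **argv) {
    if (argc != 3) {
        fprintf(stderr, "usage: %s <cmd> <arg>\n", argv[0]);
        return 2;
    }
    char line[1024];
    build_shell_command(line, sizeof line, argv[1], argv[2]);
    printf("unsafe wrapper would run: sh -c '%s'\n", line);
    printf("hardened wrapper accepts: %s\n",
           safe_command_name(argv[1]) && safe_argument(argv[2]) ? "yes" : "no");
    return 0;
}
```

Run it as `./wrapper mountfs '/dev/x; id'` to see the unsafe command line the shell would parse and the hardened checks rejecting the same input. The essential fix is the execv() call: once the argument reaches the privileged tool as a single argv element rather than as shell text, appended commands are inert whatever the allow-list says; the byte allow-list is defense in depth, not the primary control.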
Analysis:
Exploitation requires access to an account that has been granted use of at least one binary in the /usr/sysadm/privbin directory. Because root must explicitly grant such privileges, the impact of this vulnerability is significantly reduced. Exploitation requires no knowledge of application internals, making it trivial even for unskilled attackers.
Workaround:
Only grant runpriv privileges to trusted users with secure accounts.
Alternatively, remove the setuid and setgid bits from runpriv: chmod ug-s /usr/sysadm/bin/runpriv. Note that this disables runpriv's delegated-command functionality for all users, since without the setuid bit it can no longer run the privbin commands as root.