List:       bugtraq
Subject:    Re: IRIX midikeys Vulnerability
From:       "Pawel K. Peczak" <pkpecza () ERENJ ! COM>
Date:       1999-05-27 18:20:50

As a comment on Aleph's recent summary of the responses to the IRIX
midikeys vulnerability (http://www.geek-girl.com/bugtraq/1999_2/0518.html)
let me add my own observation.

It turns out that one does not need any particular text editor
to exploit the vulnerability.  That's because of a nice "feature" of
the desktop environment variable WINEDITOR that can be set to any system
command, e.g., "/bin/chmod 4755 /tmp/bsh" (where /tmp/bsh is just
a root-owned copy of Bourne shell).

This can be done on both IRIX 6.2 (e.g., using toolchest -> Desktop
-> Customize -> Desktop -> Default Editor: Other...) and on
IRIX 6.5 (toolchest -> Desktop -> Customize -> Utilities -> Text Editor:
Other...).  After setting WINEDITOR (which can be verified by inspecting
~/.desktop-hostname/desktopenv) the exploit follows the well-known path
by running midikeys, opening a file manager, etc.

Using this method I was able to gain root access (via a local account)
on two systems running IRIX 6.2 and 6.5.3m.  I suspect that any system
running IRIX 6.2 or higher with the suid midikeys program may be vulnerable.

To remove the vulnerability one should immediately remove suid from
the IRIX midikeys program, as suggested in the recent SGI Security
Advisory 19990501-01-A.


Pawel Peczak                                     pkpecza@erenj.com
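An audit script added here (it is not part of the post above, nor of SGI's advisory) that checks the two things the post turns on: whether midikeys still carries the setuid bit, and whether a user's desktopenv points WINEDITOR at something that is not an editor. It assumes midikeys is installed as /usr/sbin/midikeys and that desktopenv holds one NAME=value per line; both are assumptions, not facts from the post.

```shell
#!/bin/sh
# is_setuid FILE: succeed when FILE carries the setuid bit.
is_setuid() {
    [ -u "$1" ]
}

# audit_midikeys [PATH]: report whether the midikeys binary is setuid.
# Returns 1 when it is, so the check can run from cron or a login script.
audit_midikeys() {
    bin="${1:-/usr/sbin/midikeys}"   # install path is an assumption
    [ -e "$bin" ] || { echo "not installed: $bin"; return 0; }
    if is_setuid "$bin"; then
        echo "VULNERABLE: $bin is setuid; fix with: chmod u-s $bin"
        return 1
    fi
    echo "ok: $bin is not setuid"
}

# desktopenv_wineditor FILE: print the WINEDITOR value from a desktopenv file.
# Assumes the file holds one NAME=value per line.
desktopenv_wineditor() {
    sed -n 's/^WINEDITOR=//p' "$1" | head -n 1
}

# wineditor_is_suspicious VALUE: succeed unless the command's basename is a
# known editor or terminal wrapper; chmod, cp, a shell, etc. are flagged.
wineditor_is_suspicious() {
    set -- $1                    # split into words; $1 is now the command
    [ -n "$1" ] || return 1      # unset/empty WINEDITOR is not suspicious
    case "${1##*/}" in
        vi|vim|jot|nedit|xedit|emacs|xemacs|xwsh|winterm) return 1 ;;
    esac
    return 0
}

# audit_desktopenv FILE: flag a desktopenv whose WINEDITOR is not an editor.
audit_desktopenv() {
    val=$(desktopenv_wineditor "$1")
    if wineditor_is_suspicious "$val"; then
        echo "SUSPICIOUS: $1 sets WINEDITOR=$val"
        return 1
    fi
    echo "ok: $1"
}
```

Run `audit_midikeys` once per host and `audit_desktopenv` over every user's ~/.desktop-hostname/desktopenv; a non-zero exit from either is the signal to act.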
