> IP Forwarding is a kernel tunable which, once changed, requires building
> a new kernel, then booting it. Did you do this?
Yes, the system was rebooted, and it still forwarded packets.
> You should also be very aware that there are at least several
> "versions" of 5.3 that will run on any Indy.
In particular, I meant *6.3* doesn't run on an Indy, and the bug
(day5notifier) doesn't appear to be in it.
> BTW, since SUID shell scripts are disabled by default on every SGI, you must
> have enabled them for your exploit to work.
>
> 1# systune | grep uid
> nosuidshells = 1 (0x1)
Wow, here's another bug. Apparently that flag does nothing at all:
.remise.mcn,~ {1} # uname -a
IRIX remise 6.2 03131015 IP22
.remise.mcn,~ {2} # systune | grep uid
nosuidshells = 1 (0x1)
.remite.mcn,~ {3} # exit
.remise.mcn,~ {9} > reg4root
# id
uid=100(mcn) gid=20(user) euid=0(root)
....
reg4root is the exact exploit I posted late last week. It creates a setuid
shell, and executes it. I guess the nosuidshells flag doesn't do anything?
-Mike
mcn@EnGarde.com