[1189] in bugtraq
Re: Exploit for SGI permissions tool
daemon@ATHENA.MIT.EDU (Tony Hoffmann)
Mon Mar 6 19:34:48 1995
From: Tony Hoffmann <hoffmann@drao.nrc.ca>
To: glaze@rclsgi.eng.ohio-state.edu (Larry Glaze)
Date: Mon, 6 Mar 1995 15:34:47 -0800 (PST)
Cc: bugtraq@fc.net
In-Reply-To: <9503061303.AA05568@rclsgi.eng.ohio-state.edu> from "Larry Glaze" at Mar 6, 95 08:03:42 am

> This is a pretty simple hole to exploit. Below are the steps involved:
> 1. run /usr/lib/desktop/permissions on your favorite file (/etc/passwd is a
> good one)
> 2. modify the permissions to suit your needs
> 3. click on the 'Apply' button *twice* before the window pops up to ask for
> root password if you don't own the file
> 4. click 'Cancel' button in the window asking for root password
> 5. you are done, the permissions changes should have gone through
>
> Once again, this only works for SGI IRIX 5.2 and only if the tool has had the
> suid and sgid bits set. Removing the suid and sgid bits solves this problem.
>
This also worked just fine on our Power Indigo2 running IRIX 6.0.1. Needless
to say, I've removed suid sgid permission on the utility.
--
Tony Hoffmann
Internet : hoffmann@drao.nrc.ca
Snailnet : Dominion Radio Astrophysical Observatory
P.O. Box 248, Penticton, BC, Canada V2A 6K3
BC Tel net: (604) 493-2277 Faxnet : (604) 493-7767
voicemailnet: (604) 490-4344 Localnet : ext 344
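
The mitigation both messages settle on, removing the suid and sgid bits from the tool, written as an added example that is not part of either message: a small POSIX shell audit that reports whether a binary carries those bits, strips them, and verifies the result. The function names are hypothetical, and the path from the thread is passed as an argument rather than hard-coded.

```shell
#!/bin/sh
# Added example: audit one or more binaries for setuid/setgid bits and
# strip them, as the thread's mitigation does by hand.
# Function names are hypothetical; pass the path(s) as arguments, e.g.
#   sh strip_privbits.sh /usr/lib/desktop/permissions

# has_privbits FILE: succeeds if the setuid or setgid bit is set.
has_privbits() {
    [ -u "$1" ] || [ -g "$1" ]
}

# strip_privbits FILE: returns 0 if the file ends up without either bit,
# 1 if the bits could not be removed, 2 if the file is missing.
strip_privbits() {
    target=$1
    if [ ! -f "$target" ]; then
        echo "skip:  $target (not a regular file)"
        return 2
    fi
    if ! has_privbits "$target"; then
        echo "clean: $target"
        return 0
    fi
    ls -l "$target"                 # record the old mode for the change log
    chmod u-s,g-s "$target" 2>/dev/null || :
    if has_privbits "$target"; then
        echo "FAIL:  $target still setuid/setgid (run as the owner or root)"
        return 1
    fi
    echo "fixed: $target"
    return 0
}

# Run only when paths are given, so the functions can also be sourced.
rc_all=0
for arg in "$@"; do
    strip_privbits "$arg" || rc_all=1
done
```

Only the two special bits are cleared; the ordinary read, write and execute permissions are left as they were, so the tool still runs for changes to files the user owns.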