[1197] in bugtraq
Re: Large security hole in SGI IRIX 5.2
daemon@ATHENA.MIT.EDU (Software Test Account)
Tue Mar 7 13:24:24 1995
Date: Tue, 07 Mar 1995 09:42:08 -0600 (CST)
From: Software Test Account <softtest@wu1.wl.aecl.ca>
In-Reply-To: <9503031317.AA03349@indikos>
To: "Christian A. Ratliff" <ratlifc@ctron.com>
Cc: Larry Glaze <glaze@rclsgi.eng.ohio-state.edu>, bugtraq@fc.net
On Fri, 3 Mar 1995, Christian A. Ratliff wrote:
> On Thu, 2 Mar 1995 14:03:03 -0500 (EST) Larry Glaze wrote:
> > I want to give admins some time to change the privileges on the permissions
> > tool so I am waiting until Monday morning (when I get to work) to post the
> > exploit of this hole.
> >
> bugtraq is a FULL disclosure list.
>
> The hole comes from the authentication being at the _dirview_ (an SGI
> directory browser) level. You can only pull up 'permissions' when the menu
> item is not grayed out. If you run 'permissions' by hand, you eliminate
> that check and have root access to the permissions on an file.
> Turning the setuid/setgid bit off is a perfectly sensible solution to
> this problem, and it is beyond me why that wasn't the default permissions.
>
I attempted to verify this problem on one of our SGI IRIX 5.2 boxes and
found that with or without the sgid/suid bits set and from dirview or
from the command line -- the permissions routine prompts you for a name
and password of a privileged user.
I didn't check to see if password attempts were logged, but
permissions seems pretty secure to me.
Erik
____ _____ _______ __ Erik Lindquist
/ _ | / ___/ / _____/ / / Systems Administrator
/ /_| | / /__ / / / / AECL Whiteshell Laboratories
/ __ | / ___/ / / / / VOICE: (204) 753-2311x3145
/ / | | / /____ / /_____ / /_____ FAX: (204) 753-2455
/_/ |_| /______/ /_______/ /________/ E-mail: lindquie@wu1.wl.aecl.ca