[10658] in bugtraq
Re: IRIX midikeys Vulnerability
daemon@ATHENA.MIT.EDU (Pawel K. Peczak)
Thu May 27 15:07:50 1999
Mime-Version: 1.0
Content-Type: text/plain; charset=us-ascii
Message-Id: <9905271420.ZM2683@trurl.erenj.com>
Date: Thu, 27 May 1999 14:20:50 -0400
Reply-To: "Pawel K. Peczak" <pkpecza@ERENJ.COM>
From: "Pawel K. Peczak" <pkpecza@ERENJ.COM>
To: BUGTRAQ@NETSPACE.ORG
As a comment on Aleph's recent summary of the responses to the IRIX
midikeys vulnerability (http://www.geek-girl.com/bugtraq/1999_2/0518.html)
let me add my own observation.
It turns out that one does not need any particular text editor
to exploit the vulnerability. That's because of a nice "feature" of
the desktop environment variable WINEDITOR that can be set to any system
command, e.g., "/bin/chmod 4755 /tmp/bsh" (where /tmp/bsh is just
a root-owned copy of Bourne shell).
This can be done on both IRIX 6.2 (e.g., using toolchest -> Desktop
-> Customize -> Desktop -> Default Editor: Other...) and on
IRIX 6.5 (toolchest -> Desktop -> Customize -> Utilities -> Text Editor:
Other...). After setting WINEDITOR (which can be verified by inspecting
~/.desktop-hostname/desktopenv) the exploit follows the well-known path
by running midikeys, opening a file manager, etc.
Using this method I was able to gain root access (via a local account)
on two systems running IRIX 6.2 and 6.5.3m. I suspect that any system
running IRIX 6.2 or higher with a suid midikeys program may be vulnerable.
To remove the vulnerability one should immediately remove suid from
the IRIX midikeys program, as suggested in the recent SGI Security
Advisory 19990501-01-A.
Pawel Peczak pkpecza@erenj.com
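The pattern behind this exploit, a privileged program that launches whatever command a user-controlled editor variable names, written out as an added C example. This is not midikeys' code and not from the post above; the function names, the default of vi, and the whitespace tokenizer are assumptions. It puts the unsafe launch (hand "$WINEDITOR file" to /bin/sh with the program's effective credentials) beside a launch that permanently drops to the real uid/gid, verifies the drop, and execs the tokenized argv without a shell, so a WINEDITOR of "/bin/chmod 4755 /tmp/bsh" runs only with the invoking user's rights.

```c
/* Added example: launching a user-chosen editor from a setuid program.
 * Not midikeys' code; names and defaults are assumptions for illustration. */
#define _POSIX_C_SOURCE 200809L
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <unistd.h>
#include <sys/types.h>
#include <sys/wait.h>

/* Build the editor's argv from the WINEDITOR string plus the target file,
 * splitting on whitespace ourselves so no shell ever interprets the string.
 * Returns argc (argv[argc] is NULL), or -1 if the string does not fit. */
static int build_editor_argv(const char *cmd, const char *file,
                             char *buf, size_t buflen, char **argv, int maxargs) {
    int argc = 0;
    if (!cmd || !*cmd) cmd = "vi";                 /* assumed default editor */
    if (strlen(cmd) >= buflen) return -1;
    strcpy(buf, cmd);
    for (char *t = strtok(buf, " \t"); t && argc < maxargs - 2; t = strtok(NULL, " \t"))
        argv[argc++] = t;
    argv[argc++] = (char *)file;
    argv[argc] = NULL;
    return argc;
}

/* UNSAFE pattern: the whole string goes to /bin/sh with whatever credentials
 * we hold right now. In a setuid-root program "$WINEDITOR" runs as root, so
 * WINEDITOR="/bin/chmod 4755 /tmp/bsh" does exactly what the post describes. */
int launch_editor_unsafe(const char *file) {
    const char *ed = getenv("WINEDITOR");
    char cmd[4096];
    snprintf(cmd, sizeof cmd, "%s %s", ed ? ed : "vi", file);
    return system(cmd);
}

/* SAFE pattern: in the child, drop to the real gid/uid for good, confirm the
 * drop took, then execvp the tokenized argv (no shell). Returns the child's
 * exit status, 127 if the editor could not be exec'd, -1 on other failure.
 * A production setuid program would also clear supplementary groups
 * (setgroups) before setgid/setuid; omitted here to keep the example portable. */
int launch_editor_safe(const char *file) {
    char buf[4096];
    char *argv[64];
    if (build_editor_argv(getenv("WINEDITOR"), file, buf, sizeof buf, argv, 64) < 0)
        return -1;
    pid_t pid = fork();
    if (pid < 0) return -1;
    if (pid == 0) {
        /* gid first, then uid; check every return value, never assume. */
        if (setgid(getgid()) != 0 || setuid(getuid()) != 0) _exit(126);
        /* Verify: effective ids must now equal the real (caller's) ids. */
        if (geteuid() != getuid() || getegid() != getgid()) _exit(126);
        execvp(argv[0], argv);
        _exit(127);                                /* exec failed */
    }
    int status;
    if (waitpid(pid, &status, 0) < 0) return -1;
    return WIFEXITED(status) ? WEXITSTATUS(status) : -1;
}

/* Helpers so the behaviour can be exercised without a real editor. */
int editor_argc(const char *cmd, const char *file) {
    char buf[4096];
    char *argv[64];
    return build_editor_argv(cmd, file, buf, sizeof buf, argv, 64);
}

int run_as_editor(const char *cmd, const char *file) {
    if (setenv("WINEDITOR", cmd, 1) != 0) return -1;
    return launch_editor_safe(file);
}

int main(void) {
    /* Constructed value mirroring the post's payload; "song.mid" is a dummy file name. */
    const char *payload = "/bin/chmod 4755 /tmp/bsh";
    printf("tokenized argc for payload: %d\n", editor_argc(payload, "song.mid"));
    printf("safe launch of payload exited with: %d\n", run_as_editor(payload, "song.mid"));
    return 0;
}
```

Run as an unprivileged user, the safe launch of the payload fails because chmod runs with that user's rights and cannot touch a root-owned /tmp/bsh; the same string fed to launch_editor_unsafe inside a setuid-root binary would succeed. On an affected IRIX host the check remains the one the post gives: confirm the file mode of midikeys and clear the setuid bit.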