Re: IRIX: Bug in startmidi
daemon@ATHENA.MIT.EDU (Yuri Volobuev)
Sun Feb 9 23:30:35 1997
Date: Sun, 9 Feb 1997 21:20:36 -0600
Reply-To: Yuri Volobuev <volobuev@T1.CHEM.UMN.EDU>
From: Yuri Volobuev <volobuev@T1.CHEM.UMN.EDU>
X-To: David Hedley <hedley@CS.BRIS.AC.UK>
To: BUGTRAQ@netspace.org
In-Reply-To: <16207.855511905@maxx>
> Whilst browsing around the filesystem on my SGI (running IRIX 5.3), I
> noticed a little suid-root program called 'startmidi' which hides in
> /usr/sbin. When run, this program creates various files in /tmp. You
> guessed it, it respects umask and follows symlinks. Comme ca:
>
> % umask 0
> % ln -s /blardyblar /tmp/.midipid
> % startmidi -d /dev/ttyd1
> % ls -l /blardyblar
> -rw-rw-rw- 1 root pgrad 0 Feb 9 17:46 /blardyblar
> % stopmidi -d /dev/ttyd1
eh... that's strange. I was looking at startmidi a while back, but didn't
find any root holes. Now I look again, still nothing. Indeed, on my 5.3
box it creates a couple of files in /tmp with known names, but it calls
setreuid(-1,userid) right after the startup, so the files are owned by the
caller. Of course, it's still bad, because the caller's files can be
overwritten, and if you can trick root into calling it... But if you go
there, there are already too few programs running as root (not suid, I mean
cronjobs and such) that do this already. I was going to make a summary of
dangerous cronjobs, but then got busy with something else. Run crontab -l
as root to get an impression :).
You must have some special configuration, I reckon. On the box I was testing
on:

showfiles | grep startmidi
f 64563 18688 dmedia_eoe.sw.midi usr/sbin/startmidi

It's IRIX 5.3 with all security patches applied, plus DSE 1.1.
Still, chmod -s'ing startmidi is a good idea. Why should users be able
to screw around with MIDI, anyway?
cheers,
yuri
Always speaking for myself and only for myself.
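Added example (not code from either poster, and not the IRIX startmidi source, which is not on this page): the two defences the thread points at, replayed in a private scratch directory so no real /tmp name is touched. The unsafe open is the pattern David's report describes (O_CREAT without O_EXCL, mode left to the caller's umask, symlink followed); the hardened open uses O_EXCL|O_NOFOLLOW with an explicit mode, and drop_effective_privilege() does what Yuri says his startmidi does, setreuid(-1, uid), so that even a bad open only hurts the caller. The directory name prefix /tmp/midi-demo- and the file names .midipid and victim are constructed for the demo.

```c
/* Added example, not from the original Bugtraq posts. Replays the
 * startmidi symlink scenario in a scratch directory (constructed names)
 * and contrasts an unsafe open with a hardened one. */
#define _GNU_SOURCE
#include <errno.h>
#include <fcntl.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <sys/stat.h>
#include <unistd.h>

/* The pattern the report describes: O_CREAT without O_EXCL/O_NOFOLLOW.
 * If `path` is a symlink planted by an attacker, the kernel follows it
 * and creates (or truncates) the target with the caller's privileges,
 * and the permission bits are whatever the caller's umask allows.
 * Returns 0 on success, -1 on failure. */
int unsafe_create(const char *path)
{
    int fd = open(path, O_WRONLY | O_CREAT | O_TRUNC, 0666); /* umask applies */
    if (fd < 0)
        return -1;
    close(fd);
    return 0;
}

/* Hardened creation: O_EXCL refuses anything that already exists at
 * `path` (a dangling symlink included, reported as EEXIST), O_NOFOLLOW
 * refuses a symlink as the last component, and fchmod forces 0600 so the
 * caller's umask cannot widen the mode. Returns 0 if a fresh file was
 * created, -1 (errno set) otherwise. */
int safe_create(const char *path)
{
    int fd = open(path, O_WRONLY | O_CREAT | O_EXCL | O_NOFOLLOW, 0600);
    if (fd < 0)
        return -1;
    if (fchmod(fd, 0600) < 0) {   /* belt and braces against umask */
        close(fd);
        unlink(path);
        return -1;
    }
    close(fd);
    return 0;
}

/* Give up the effective uid before touching /tmp, as the startmidi on
 * Yuri's box does. A no-op when not running set-uid. Returns 0 on success. */
int drop_effective_privilege(void)
{
    return setreuid((uid_t)-1, getuid());
}

/* Attacker plants SCRATCH/.midipid -> SCRATCH/victim, then the "daemon"
 * creates its pid file. Returns a bitmask:
 *   bit 0: unsafe_create followed the link and created `victim`
 *   bit 1: safe_create refused the planted symlink
 * -1 if the scratch directory could not be created. */
int replay_symlink_attack(void)
{
    char dir[] = "/tmp/midi-demo-XXXXXX";     /* constructed scratch dir */
    if (mkdtemp(dir) == NULL)
        return -1;
    char linkpath[256], victim[256];
    snprintf(linkpath, sizeof linkpath, "%s/.midipid", dir);
    snprintf(victim, sizeof victim, "%s/victim", dir);

    int result = 0;
    if (symlink(victim, linkpath) == 0) {
        if (unsafe_create(linkpath) == 0 && access(victim, F_OK) == 0)
            result |= 1;          /* target now exists: this is the hole */
        unlink(victim);           /* make the link dangling again */
        if (safe_create(linkpath) < 0 && (errno == EEXIST || errno == ELOOP))
            result |= 2;          /* hardened open refuses the symlink */
    }
    unlink(victim);
    unlink(linkpath);
    rmdir(dir);
    return result;
}

int main(void)
{
    drop_effective_privilege();
    int r = replay_symlink_attack();
    printf("unsafe open followed the symlink: %s\n", (r & 1) ? "yes" : "no");
    printf("O_EXCL|O_NOFOLLOW refused it:     %s\n", (r & 2) ? "yes" : "no");
    return (r == 3) ? 0 : 1;
}
```

Run as an ordinary user it prints yes/yes; the first line is exactly what happens to /blardyblar in the report when the opener is root. The privilege drop is the fix that makes a remaining open() bug a self-inflicted one, and O_EXCL|O_NOFOLLOW is the fix that makes the open itself refuse a planted name; a set-uid program that writes to a shared directory wants both.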