[4510] in bugtraq


Re: Reminder for ppl (ANOTHER SGI BUG!)

daemon@ATHENA.MIT.EDU (Mike Neuman)
Mon May 19 18:30:43 1997

Date: 	Mon, 19 May 1997 11:56:00 -0600
Reply-To: mcn@EnGarde.com
From: Mike Neuman <mcn@RIPOSTE.ENGARDE.COM>
X-To:         Eric Kimminau <root@DOSGOD.MI.ORG>
To: BUGTRAQ@NETSPACE.ORG
In-Reply-To:  root's message of Sat, 17 May 1997 02:36:29 -0400. 
              <Pine.LNX.3.91.970517022817.17566A-100000@dosgod.mi.org>

  Eric's blind defense of IRIX (without even trying my exploit) has led
to the discovery of yet another major IRIX bug. Read on...

> IP Forwarding is a kernel tunable which, once changed, requires building
> a new kernel, then booting it. Did you do this?

  Yes, the system was rebooted, and it still forwarded packets.

> You should also be very aware that there are at least several
> "versions" of 5.3 that will run on any Indy.

  In particular, I meant *6.3* doesn't run on an Indy, and the bug
(day5notifier) doesn't appear to be in it.

> BTW, since SUID shell scripts are disabled by default on every SGI, you must
> have enabled them for your exploit to work.
>
> 1# systune | grep uid
>         nosuidshells = 1 (0x1)

  Wow, here's another bug. Apparently that flag does nothing at all:

.remise.mcn,~ {1} # uname -a
IRIX remise 6.2 03131015 IP22
.remise.mcn,~ {2} # systune | grep uid
        nosuidshells = 1 (0x1)
.remite.mcn,~ {3} # exit
.remise.mcn,~ {9} > reg4root
# id
uid=100(mcn) gid=20(user) euid=0(root)

....

reg4root is the exact exploit I posted late last week. It creates a setuid
shell, and executes it. I guess the nosuidshells flag doesn't do anything?

-Mike
mcn@EnGarde.com
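The quoted text describes nosuidshells as a switch over SUID shell *scripts*, while the transcript shows a setuid shell being executed, so the question an administrator has is which class a given setuid file actually falls into. The following audit is an added example, not code from either post or from SGI: it walks a directory tree with `find`, lists every file carrying the setuid or setgid bit, and labels each as an interpreter script (a `#!` header) or a native binary. It assumes a generic POSIX userland (`find -perm`, `head -c`, `ls -l`, `mktemp -d`), not IRIX specifically; the sample tree it builds is constructed for demonstration.

```shell
#!/bin/sh
# Added example (not from the original post): audit setuid/setgid files under a
# directory tree and label each one as an interpreter script ("#!" header) or a
# native binary, so an administrator can see which class a setuid file is in.
# Assumes a generic POSIX userland; nothing here is IRIX-specific.

# Print "script" if the file begins with a "#!" interpreter line, else "binary".
classify_suid_file() {
    if [ "$(head -c 2 "$1" 2>/dev/null)" = "#!" ]; then
        printf 'script\n'
    else
        printf 'binary\n'
    fi
}

# List every regular file under $1 with the setuid (4000) or setgid (2000)
# bit set, one per line: <script|binary> <mode string> <path>.
audit_suid() {
    find "$1" -type f \( -perm -4000 -o -perm -2000 \) 2>/dev/null | sort |
    while IFS= read -r f; do
        printf '%s %s %s\n' "$(classify_suid_file "$f")" "$(ls -l "$f" | cut -c1-10)" "$f"
    done
}

# Number of setuid/setgid files under $1 that are interpreter scripts.
# grep -c exits 1 when the count is 0; "|| true" keeps that from aborting a
# caller running under "set -e".
count_suid_scripts() {
    audit_suid "$1" | grep -c '^script ' || true
}

# Build a constructed sample tree (not a real system) for demonstration:
# one setuid script, one setuid non-script, one script without setuid.
make_sample_tree() {
    d=$(mktemp -d)
    printf '#!/bin/sh\necho hello\n' > "$d/suid_script.sh"
    printf 'not a script\n' > "$d/suid_binary"
    printf '#!/bin/sh\necho plain\n' > "$d/plain_script.sh"
    # Set the mode after writing: writing to a setuid file may clear the bit.
    chmod 4755 "$d/suid_script.sh" "$d/suid_binary"
    chmod 0755 "$d/plain_script.sh"
    printf '%s\n' "$d"
}

# Usage: sh audit_suid.sh /path/to/tree
if [ "$#" -gt 0 ]; then
    audit_suid "$1"
fi
```

Running it over `/` on a real host gives an inventory to compare against a known baseline; a setuid file that classifies as `script` is the case a nosuidshells-style tunable is described as covering, whereas a setuid copy of a shell binary classifies as `binary` and would need to be caught by the baseline comparison instead.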
