[4518] in bugtraq


Re: Reminder for ppl (ANOTHER SGI BUG!)

daemon@ATHENA.MIT.EDU (Henri Karrenbeld)
Tue May 20 04:40:51 1997

Date: 	Tue, 20 May 1997 03:15:40 +0200
Reply-To: Henri Karrenbeld <ishtar@CAL022011.STUDENT.UTWENTE.NL>
From: Henri Karrenbeld <ishtar@CAL022011.STUDENT.UTWENTE.NL>
To: BUGTRAQ@NETSPACE.ORG

At 11:56 19/5/97 -0600, you wrote:
>  Eric's blind defense of IRIX (without even trying my exploit) has led
>to the discovery of yet another major IRIX bug. Read on...

[snip]

>> BTW, since SUID shell scripts are disabled by default on every SGI, you must
>> have enabled them for your exploit to work.
>>
>> 1# systune | grep uid
>>         nosuidshells = 1 (0x1)
>
>  Wow, here's another bug. Apparently that flag does nothing at all:
>
>.remise.mcn,~ {1} # uname -a
>IRIX remise 6.2 03131015 IP22
>.remise.mcn,~ {2} # systune | grep uid
>        nosuidshells = 1 (0x1)
>.remite.mcn,~ {3} # exit
>.remise.mcn,~ {9} > reg4root
># id
>uid=100(mcn) gid=20(user) euid=0(root)
>
>....
>
>reg4root is the exact exploit I posted late last week. It creates a setuid
>shell, and executes it. I guess the nosuidshells flag doesn't do anything?
>

Oh yes, it sure should be doing something... however, not the thing you
think it should be doing: it does NOT disable suid shells.

So what does it do? There is probably some info in the manpage of systune,
but as far as I can remember it should disable setuid _shellscripts_ and
_not_ setuid shells. For IRIX a shell is just a binary like any other
binary, so the setuid bit works like with any other program. As far as the
name is concerned...
I guess 'nosuidshells' means 'NOSetUIDSHELLScripts'

$) Henri
Hardware, n.:
The parts of a computer system that can be kicked. - nn.

If God used E-mail, he'd use PGP. - myself
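
Added example, not part of the original message or of IRIX: a shell audit that lists setuid files and marks each as an interpreter script or a native binary, which is the distinction the reply above draws for nosuidshells. The function names are this example's own, and it assumes `find`, `head`, `od` and `tr` are available.

```shell
#!/bin/sh
# Added example: inventory setuid files and separate interpreter scripts
# from native binaries. A control that only blocks setuid *scripts* covers
# the "script" lines; "binary" lines (a copy of a shell included) are
# handled like any other setuid program.

# is_script PATH: succeed when the file starts with the "#!" magic
# (hex 23 21), which is how the kernel recognises an interpreter script.
is_script() {
    magic=$(head -c 2 "$1" 2>/dev/null | od -An -tx1 | tr -d ' \n')
    [ "$magic" = "2321" ]
}

# classify_file PATH: print "script" or "binary".
classify_file() {
    if is_script "$1"; then echo script; else echo binary; fi
}

# audit_setuid DIR: print "<kind> <path>" for every regular file under DIR
# that has the setuid bit set.
audit_setuid() {
    find "$1" -type f -perm -4000 -print 2>/dev/null |
    while IFS= read -r f; do
        printf '%s %s\n' "$(classify_file "$f")" "$f"
    done
}

# When run with a directory argument, audit that directory.
if [ "$#" -gt 0 ]; then
    audit_setuid "$1"
fi
```

Any "binary" line whose path is not a known system program deserves a look regardless of how the script-only tunable is set.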
