Re: Exploit for SGI permissions tool

Tony Hoffmann (hoffmann@drao.nrc.ca)
Mon, 6 Mar 1995 15:34:47 -0800 (PST)

Messages sorted by: [ date ][ thread ][ subject ][ author ]
Next message: Dr. Frederick B. Cohen: "no subject (file transmission)"
Previous message: Ed Arnold: "Re: Re: COPS reporting unrestricted NFS exports under Linux"
In reply to: Larry Glaze: "Exploit for SGI permissions tool"

> This is a pretty simple hole to exploit.  Below are the steps involved:
> 1. run /usr/lib/desktop/permissions on your favorite file (/etc/passwd is a 
> 	good one)
> 2. modify the permissions to suit your needs
> 3. click on the 'Apply' button *twice* before the window pops up to ask for
> 	root password if you don't own the file
> 4. click 'Cancel' button in the window asking for root password
> 5. you are done, the permissions changes should have gone through
> 
> Once again, this only works for SGI IRIX 5.2 and only if the tool has had the
> suid and sgid bits set.  Removing the suid and sgid bits solves this problem.
> 

This also worked just fine on our Power Indigo2 running IRIX 6.0.1.  Needless
to say, I've removed suid sgid permission on the utility.

-- 
Tony Hoffmann

Internet  :   hoffmann@drao.nrc.ca
Snailnet  :   Dominion Radio Astrophysical Observatory
              P.O. Box 248, Penticton, BC, Canada V2A 6K3
BC Tel net:   (604) 493-2277    Faxnet    :   (604) 493-7767
voicemailnet: (604) 490-4344    Localnet  :   ext 344

Next message: Dr. Frederick B. Cohen: "no subject (file transmission)"
Previous message: Ed Arnold: "Re: Re: COPS reporting unrestricted NFS exports under Linux"
In reply to: Larry Glaze: "Exploit for SGI permissions tool"