IRIX: midikeys root exploit.
Solution: turn off the setuid bit on midikeys for IRIX.
"Larry W. Cashdollar" wrote:
>
> Aleph1,
> Please forgive me if this has already been on this list. I searched
> geek-girl with no luck. I have been auditing our IRIX boxes and found what I
> believe to be a new vulnerability.
>
> On IRIX 6.5 systems (IRIX Release 6.5 IP28 )
> # uname -a
> IRIX64 devel 6.5 05190004
>
> The setuid root binary midikeys can be used to read any file on the
> system using its GUI interface. It can also be used to edit any file on the
> system. I was able to get from guest account access to root access using the
> following procedure.
>
>
> 1) Choose an unpassworded account and telnet in. I like guest or lp.
>
> devel 25% id
> uid=998 gid=998(guest)
>
> 2) Execute the midikeys application with display set to your host.
>
> devel 26% ./midikeys
> devel 27% Xlib: extension "GLX" missing on display "grinch:0.0".
> Xlib: extension "GLX" missing on display "grinch:0.0".
>
> 3) under the midikeys window click sounds and then midi songs. This will
> open a file manager type interface.
>
> 4) You can enter the path and filename of files you wish to read,
> including root-owned files with group/world read/write permissions unset.
>
> 5) If you select a file like "/usr/share/data/music/README" it will
> appear in a text editor. Use the text editor to open /etc/passwd and
> make modifications at will. Save and enjoy.
>
> So I removed the '*' from sysadm...
>
> $ su sysadm
> # id
> uid=0(root) gid=0(sys)
>
> devel 28% ls -l /usr/sbin/midikeys
> -rwsr-xr-x 1 root root 218712 Jan 10 17:19 /usr/sbin/midikeys
>
>
> I have tested this on 2 IRIX 6.5 hosts with success. A patch exists for
> startmidi and stopmidi buffer overflows.
>
> More info on previous patch:
> ftp://sgigate.sgi.com/security/19980301-01-PX
>
> However, I didn't find any for midikeys.
>
>
> -- Larry W. Cashdollar
> UNIX/Security Operations.
> Computer Sciences Corporation.
>
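The stated fix is to clear the setuid bit on midikeys. The script below is an added example (not part of the original post or of anything SGI shipped) that audits a given path for the setuid bit, strips it, and can enumerate other setuid-root files under a directory so an administrator can review them the same way; it assumes a POSIX sh with find(1) and chmod(1) and takes the binaries to fix as command-line arguments (e.g. /usr/sbin/midikeys).

```shell
#!/bin/sh
# Added example: audit and remediation for setuid-root binaries such as
# midikeys. Assumes POSIX sh, find(1) and chmod(1); not from the original post.

# list_setuid_root DIR: print every regular file under DIR that is owned by
# root and has the setuid bit set (candidates for the same kind of review).
list_setuid_root() {
    find "$1" -type f -user root -perm -4000 2>/dev/null
}

# is_setuid FILE: exit 0 if FILE is a regular file with the setuid bit set.
# -prune keeps find from descending if FILE happens to be a directory.
is_setuid() {
    [ -n "$(find "$1" -prune -type f -perm -4000 2>/dev/null)" ]
}

# strip_setuid FILE: remove the setuid bit, which is the mitigation for
# midikeys; reports what it did so the run can be logged.
strip_setuid() {
    if is_setuid "$1"; then
        chmod u-s "$1" && echo "stripped setuid: $1"
    else
        echo "not setuid: $1"
    fi
}

# Usage: ./setuid_audit.sh /usr/sbin/midikeys [more paths...]
# Each argument is checked and, if setuid, has the bit removed.
if [ $# -gt 0 ]; then
    for f in "$@"; do
        strip_setuid "$f"
    done
fi
```

Run it as root against the paths you want to fix; `list_setuid_root /usr/sbin` (or `/usr/bin`, `/usr/lib`) gives the remaining root-owned setuid programs to examine for the same open/save-dialog exposure. Note that `chmod u-s` is lost if the binary is reinstalled from a patch or overlay, so re-run the audit after system updates.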