Bugtraq mailing list archives

Re: Exploit for SGI permissions tool

From: hoffmann () drao nrc ca (Tony Hoffmann)
Date: Mon, 6 Mar 1995 15:34:47 -0800 (PST)

This is a pretty simple hole to exploit.  Below are the steps involved:
1. run /usr/lib/desktop/permissions on your favorite file (/etc/passwd is a 
      good one)
2. modify the permissions to suit your needs
3. click on the 'Apply' button *twice* before the window pops up to ask for
      root password if you don't own the file
4. click 'Cancel' button in the window asking for root password
5. you are done, the permissions changes should have gone through

Once again, this only works for SGI IRIX 5.2 and only if the tool has had the
suid and sgid bits set.  Removing the suid and sgid bits solves this problem.


This also worked just fine on our Power Indigo2 running IRIX 6.0.1.  Needless
to say, I've removed suid sgid permission on the utility.

-- 
Tony Hoffmann

Internet:   hoffmann () drao nrc ca
Snailnet:   Dominion Radio Astrophysical Observatory
              P.O. Box 248, Penticton, BC, Canada V2A 6K3
BC Tel net:   (604) 493-2277    Faxnet    :   (604) 493-7767
voicemailnet: (604) 490-4344    Localnet  :   ext 344

Current thread:

Re: Sendmail fixkit John F. Haugh II (Mar 04)
- Re: Sendmail fixkit Dave Horsfall (Mar 05)
  - Re: Sendmail fixkit System Administrator (Mar 06)
- Exploit for SGI permissions tool Larry Glaze (Mar 06)
  - Re: Exploit for SGI permissions tool Tony Hoffmann (Mar 06)
  - no subject (file transmission) Dr. Frederick B. Cohen (Mar 06)
- <Possible follow-ups>
- Re: Sendmail fixkit der Mouse (Mar 07)