Bugtraq mailing list archives

Re: Large security hole in SGI IRIX 5.2


From: softtest () wu1 wl aecl ca (Software Test Account)
Date: Tue, 07 Mar 1995 09:42:08 -0600 (CST)


On Fri, 3 Mar 1995, Christian A. Ratliff wrote:

On Thu, 2 Mar 1995 14:03:03 -0500 (EST)  Larry Glaze wrote:
I want to give admins some time to change the privileges on the permissions
tool so I am waiting until Monday morning (when I get to work) to post the
exploit of this hole.

  bugtraq is a FULL disclosure list.

  The hole comes from the authentication being at the _dirview_ (an SGI 
directory browser) level. You can only pull up 'permissions' when the menu 
item is not grayed out. If you run 'permissions' by hand, you eliminate 
that check and have root access to the permissions on a file.
  Turning the setuid/setgid bit off is a perfectly sensible solution to 
this problem, and it is beyond me why that wasn't the default permissions.


I attempted to verify this problem on one of our SGI IRIX 5.2 boxes and 
found that with or without the sgid/suid bits set and from dirview or 
from the command line -- the permissions routine prompts you for a name 
and password of a privileged user. 

I didn't check to see if password attempts were logged, but 
permissions seems pretty secure to me.


Erik
     ____       _____    _______   __     Erik Lindquist  
    / _  |     / ___/   / _____/  /  /    Systems Administrator 
   / /_| |    / /__    / /       /  /     AECL Whiteshell Laboratories
  /  __  |   / ___/   / /       /  /      VOICE: (204) 753-2311x3145  
 / /   | |  / /____  / /_____  /  /_____  FAX:   (204) 753-2455 
/_/    |_| /______/ /_______/ /________/  E-mail: lindquie () wu1 wl aecl ca 


