Bugtraq mailing list archives
Re: IRIX 5.3 chost
From: nickless () MCS ANL GOV (Bill Nickless)
Date: Wed, 14 Aug 1996 13:08:14 -0500
I did a little experimentation and found that there's another precondition for this cadmin exploit to work. You cannot have a desktopManager process already running as you when you start the process.

First, verification that we're running the right patch levels and such:

    flying% uname -a
    IRIX flying 5.3 11091811 IP19 mips
    flying% versions -b | cut -c35-199 | grep Patch
    Patch SG0000172
    Patch SG0000197
    Patch SG0000426
    Patch SG0000813: Provide icrash on 5.3
    Patch SG0000852: SCSI roll up for 5.3 without XFS
    Patch SG0000870: 5.3 EFS rollup patch for all 5.3 non-XFS releases
    Patch SG0000900: rev 3.17 io4prom patch
    Patch SG0000918: RE OpenGL Extensions, Aux Buffers, and Bug Fix Rollup
    Patch SG0001020: Security fix for login and telnetd
    Patch SG0001092: networking rollup, fixes for hangs on socket data, new mrouted
    Patch SG0001096: Objectsystem & Removable Media Software roll up
    Patch SG0001102: NFS roll-up
    Patch SG0001116: 5.3/5.3XFS combined kernel roll up patch
    Patch SG0001128: CERT VU 15781
    Patch SG0001146: sendmail security bug in queue management
    Patch SG0001157: Change hinv to recognize all IMPACT gfx
    Patch SG0001324: Fix for security loophole in the desktop permissions panel
    flying% cd /usr/Cadmin/bin
    flying% ls -l cimport
    -rwsr-xr-x    1 root     sys       161896 Apr  9 00:29 cimport
    flying% sum cimport
    62654   317 cimport
    flying% df | grep nfs
    cavesound:/usr/tmp    nfs   3052196  2725027   327169  89%  /mnt

Now for the exploit, run as a regular non-root user:

1. From any shell prompt: killall -9 desktopManager
2. From /usr/Cadmin/bin, run ./cadmin.
3. Click on "New" as if you were going to create a new NFS mount point.
4. A dialog window will appear asking for the root password. Enter something other than the root password into the password field. Click on "OK".
5. An error dialog window will appear warning that you have entered an incorrect password. Click on "OK".
6. You are then returned to the root password-requesting dialog window. Click on "Cancel."
7. Double-click on the folder icon of the previously-mounted NFS filesystem. This will start a desktopManager process, ostensibly running as you the user, but actually running with some root privileges.
8. In the top of the desktopManager window, replace the pathname of the previously-mounted NFS filesystem with /etc
9. Scroll down to passwd, double-click, and edit to your heart's content in the jot window that gets created.

Once again, the workaround shell script fragment that eliminates this exposure:

    #!/bin/sh
    # Exploit from http://www.eecs.nwu.edu/~jmeyers/bugtraq/1099.html
    # will work even with the patches installed as of 13 August 1996.
    # Accordingly, turning off the suid bits on the Cadmin programs.
    for p in cexport cformat chaltsys chost chostInfo cimport clogin \
             cmidi configClogin cpeople cports cpuView csetup cswap \
             diskView tapeView videoView
    do
        /bin/chmod u-s /usr/Cadmin/bin/$p
    done

--
Bill Nickless  nickless () mcs anl gov  +1 630 252 7390
PGP 2.6.2 Key fingerprint = 0E 0F 16 80 C5 B1 69 52 E1 44 1A A5 0E 1B 74 F7
http://www.mcs.anl.gov/people/nickless
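The chmod workaround above is only effective while it holds, and patch or software installs commonly restore the shipped file modes. As an added example (not from the original post), the following audit function re-checks the same list of Cadmin binaries for a lingering setuid bit; the CADMIN_DIR override and the check_suid name are assumptions for this example.

```shell
#!/bin/sh
# Added example: audit the Cadmin binaries named in the workaround and report
# any that still carry the setuid bit. Intended to be run from cron or after a
# patch install to confirm the chmod u-s workaround is still in effect.

# Program names taken from the workaround script in the post.
CADMIN_PROGS="cexport cformat chaltsys chost chostInfo cimport clogin \
cmidi configClogin cpeople cports cpuView csetup cswap \
diskView tapeView videoView"

# CADMIN_DIR may be overridden in the environment (e.g. for testing).
CADMIN_DIR="${CADMIN_DIR:-/usr/Cadmin/bin}"

# check_suid DIR PROG...
#   Prints "setuid still set: PATH" for each listed program under DIR whose
#   setuid bit is on. Programs that are not present are skipped.
#   Returns 0 when no listed program is setuid, 1 otherwise.
check_suid() {
    dir=$1
    shift
    rc=0
    for p in "$@"; do
        f="$dir/$p"
        [ -f "$f" ] || continue          # not installed: nothing to check
        if [ -u "$f" ]; then             # POSIX test: setuid bit is set
            echo "setuid still set: $f"
            rc=1
        fi
    done
    return $rc
}

# Run the audit against the real directory when it exists; the exit status
# makes this usable as a cron job or a post-patch check.
if [ -d "$CADMIN_DIR" ]; then
    check_suid "$CADMIN_DIR" $CADMIN_PROGS && echo "ok: no setuid Cadmin binaries in $CADMIN_DIR"
fi
```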