Bugtraq mailing list archives
Irix: scanners hole
From: volobuev () t1 chem umn edu (Yuri Volobuev)
Date: Mon, 16 Dec 1996 13:38:55 -0600
Howdy, In an attempt to bring some fresh air into pretty monotonic line of Irix suid-related bugs, I decided to look at something unusual. I didn't know what "unusual" is, actually, but brief look at the list of suid binaries on my box somehow made me pick /usr/sbin/scanners. It's not part of Irix, it comes with Impressario package. Thus, there's a different development team and possibly new kinds of bugs. Unfortunately, latter is not true. The only news about the hole I found is that this bug is the lamest bug I found so far. It's the easiest to exploit. That is, if I had to hack a typical Irix box and was facing a difficult problem of making a choice, I'd choose this one. ABSTRACT /usr/sbin/scanners, GUI tool for scanners setup, root-suid, contains an ugly and easily exploitable bug that allows any local user to gain root priviledges. It's part of Impressario package. I'm not sure about the scope of the problem. The one that comes with Irix 5.3 is vulnerable, the one in 6.2 seems to be fixed. However, it seems like SGI is aware of this kind of vulnerability, so there may be a patch available. Quick check strings /usr/sbin/scanners | grep SGIHELPROOT if string is found, your system is probably vulnerable. FIX chmod u-s /usr/sbin/scanners If you are a busy person, move on to your next message now. Full story. It looks like this is just a leftover from an old SGI help flaw, the one they released patch for. I've never seen an exploit, though, and feel real lazy right now, so I didn't do any net search. Problem may not be new. If you know something about it, drop me a line please. All Irix GUI programs deal with help subsystem in a unified way, from what I can tell from looking at the file contents. /usr/sbin/scanners is an exception, perhaps it was linked to some older library, and because security is by far not the top SGI's concern it was left like this. Bug itself is pretty lame. scanners runs with uid=0 and euid=luserid, and doesn't change uid before calling sgihelp. And it's even more gullible than LicenceManager v1.0 -- it takes path for help program from SGIHELPROOT environment variable. So setting SGIHELPROOT to /tmp and putting something called sgihelp in /tmp, then running scanners and selecting any line in Help menu will execute this something as root. Pretty neat. Obviously, SGI is aware of the problem, because none of the other similar GUI tools interface with help subsystem this way. But somehow scanners was forgotten, or something. I've never seen a patch for it (which doesn't mean it doesn't exists, of course). cheers, yuri Always speaking for myself and only for myself P.S. Few people asked me to put all that Irix mess somewhere in one place on a web page. There are quite a few bugs, so it makes sense. However, since I'm so lazy I will probably never get to setting up one. So if you feel like doing it, go ahead. I'll be supplying comments and suggestions :)
Current thread:
- [nph]test-cgi *Hobbit* (Dec 12)
- Re: [nph]test-cgi Laurent FACQ (Dec 16)
- Irix: scanners hole Yuri Volobuev (Dec 16)
- scanf overflow David Sacerdote (Dec 16)