Bugtraq mailing list archives

Irix: scanners hole


From: volobuev () t1 chem umn edu (Yuri Volobuev)
Date: Mon, 16 Dec 1996 13:38:55 -0600


Howdy,

In an attempt to bring some fresh air into the pretty monotonous line of Irix
suid-related bugs, I decided to look at something unusual.  I didn't know
what "unusual" is, actually, but a brief look at the list of suid binaries on
my box somehow made me pick /usr/sbin/scanners.  It's not part of Irix, it
comes with the Impressario package.  Thus, there's a different development team
and possibly new kinds of bugs.  Unfortunately, the latter is not true.  The
only news about the hole I found is that this bug is the lamest bug I've found
so far.  It's the easiest to exploit.  That is, if I had to hack a typical
Irix box and was facing the difficult problem of making a choice, I'd choose
this one.

ABSTRACT

/usr/sbin/scanners, a GUI tool for scanner setup, root-suid, contains an ugly
and easily exploitable bug that allows any local user to gain root
privileges.  It's part of the Impressario package.  I'm not sure about the
scope of the problem.  The one that comes with Irix 5.3 is vulnerable, the
one in 6.2 seems to be fixed.  However, it seems like SGI is aware of this
kind of vulnerability, so there may be a patch available.  Quick check:

strings /usr/sbin/scanners | grep SGIHELPROOT

If the string is found, your system is probably vulnerable.

FIX

chmod u-s /usr/sbin/scanners

If you are a busy person, move on to your next message now.

Full story.

It looks like this is just a leftover from an old SGI help flaw, the one
they released a patch for.  I've never seen an exploit, though, and feel really
lazy right now, so I didn't do any net search.  The problem may not be new.  If
you know something about it, drop me a line please.

All Irix GUI programs deal with the help subsystem in a unified way, from what I
can tell from looking at the file contents.  /usr/sbin/scanners is an
exception; perhaps it was linked to some older library, and because security
is by far not SGI's top concern, it was left like this.

The bug itself is pretty lame.  scanners runs with uid=0 and euid=luserid, and
doesn't change uid before calling sgihelp.  And it's even more gullible than
LicenceManager v1.0 -- it takes the path for the help program from the SGIHELPROOT
environment variable.  So setting SGIHELPROOT to /tmp and putting something
called sgihelp in /tmp, then running scanners and selecting any line in the Help
menu, will execute this something as root.  Pretty neat.

Obviously, SGI is aware of the problem, because none of the other similar
GUI tools interface with the help subsystem this way.  But somehow scanners was
forgotten, or something.  I've never seen a patch for it (which doesn't mean
it doesn't exist, of course).

cheers,

yuri
Always speaking for myself and only for myself

P.S.  A few people asked me to put all that Irix mess somewhere in one place
on a web page.  There are quite a few bugs, so it makes sense.  However,
since I'm so lazy I will probably never get to setting one up.  So if you
feel like doing it, go ahead.  I'll be supplying comments and suggestions :)
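Added illustration of the pattern the post describes, written for this page and not code from the original message or from SGI.  The helper name sgihelp and the SGIHELPROOT variable come from the post; the trusted directory /usr/sbin, the function names and the hardening approach are assumptions made for the example.  The vulnerable function builds the help-viewer path straight from the environment; the hardened one ignores the environment whenever real and effective uids differ (the state a setuid-root program is in until it drops root), rejects non-absolute values, and the tool drops privileges and verifies the drop before any exec.

```c
/* Added example, not code from SGI or from the original post.
 * Models the bug described above: a setuid-root GUI tool builds the
 * path of its help viewer from the attacker-controlled SGIHELPROOT
 * environment variable and execs it without dropping root.
 * Assumed: helper name "sgihelp" (from the post); the trusted
 * directory /usr/sbin is a placeholder, not the real Irix location. */
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <unistd.h>
#include <sys/types.h>

#define HELPER_NAME       "sgihelp"
#define TRUSTED_HELP_ROOT "/usr/sbin"   /* assumption for the example */

/* Vulnerable pattern: whatever SGIHELPROOT says, that directory wins.
 * SGIHELPROOT=/tmp yields /tmp/sgihelp, which the suid tool then runs
 * as root.  Returns 0 on success, -1 if the path does not fit. */
int vulnerable_helper_path(const char *sgihelproot, char *out, size_t outlen)
{
    const char *root = sgihelproot ? sgihelproot : TRUSTED_HELP_ROOT;
    int n = snprintf(out, outlen, "%s/%s", root, HELPER_NAME);
    return (n > 0 && (size_t)n < outlen) ? 0 : -1;
}

/* Hardened pattern: if real and effective uid differ we are still
 * holding setuid privilege, so the environment is not trusted at all.
 * Even unprivileged, only an absolute path without ".." is honoured. */
int hardened_helper_path(uid_t ruid, uid_t euid, const char *sgihelproot,
                         char *out, size_t outlen)
{
    const char *root = TRUSTED_HELP_ROOT;
    if (ruid == euid && sgihelproot && sgihelproot[0] == '/'
        && strstr(sgihelproot, "..") == NULL)
        root = sgihelproot;   /* not setuid: the user only endangers himself */
    int n = snprintf(out, outlen, "%s/%s", root, HELPER_NAME);
    return (n > 0 && (size_t)n < outlen) ? 0 : -1;
}

/* Give up root permanently and verify it stuck: setuid() can fail, and
 * an unchecked failure leaves the exec below running as root. */
int drop_privileges(void)
{
    uid_t ruid = getuid();
    if (setgid(getgid()) != 0) return -1;
    if (setuid(ruid) != 0) return -1;
    if (geteuid() != ruid) return -1;
    return 0;
}

/* What the fixed tool should do when a Help menu entry is selected:
 * pick the path with privilege in mind, drop root, then exec. */
int run_help(void)
{
    char path[256];
    if (hardened_helper_path(getuid(), geteuid(), getenv("SGIHELPROOT"),
                             path, sizeof path) != 0)
        return -1;
    if (drop_privileges() != 0)
        return -1;
    execl(path, HELPER_NAME, (char *)NULL);
    perror("execl");      /* only reached if exec failed */
    return -1;
}

int main(void)
{
    char vuln[256], safe[256];
    /* Simulate the attack setting from the post: SGIHELPROOT=/tmp while
     * the process is setuid root (ruid 1000, euid 0). */
    vulnerable_helper_path("/tmp", vuln, sizeof vuln);
    hardened_helper_path(1000, 0, "/tmp", safe, sizeof safe);
    printf("vulnerable tool would exec: %s\n", vuln);
    printf("hardened tool would exec:   %s\n", safe);
    return 0;
}
```

The `strings | grep SGIHELPROOT` check in the post works because the vulnerable binary has to carry the variable name as a literal for its getenv() call; a build that never consults the environment has no reason to contain it, which is what makes that quick check a reasonable first-pass indicator rather than proof either way.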


