Bugtraq mailing list archives

Re: Reminder for ppl (ANOTHER SGI BUG!)


From: mcn () RIPOSTE ENGARDE COM (Mike Neuman)
Date: Mon, 19 May 1997 11:56:00 -0600


  Eric's blind defense of IRIX (without even trying my exploit) has led
to the discovery of yet another major IRIX bug. Read on...

IP Forwarding is a kernel tunable which, once changed, requires building
a new kernel, then booting it. Did you do this?

  Yes, the system was rebooted, and it still forwarded packets.

You should also be very aware that there are at least several
"versions" of 5.3 that will run on any Indy.

  In particular, I meant *6.3* doesn't run on an Indy, and the bug
(day5notifier) doesn't appear to be in it.

BTW, since SUID shell scripts are disabled by default on every SGI, you must
have enabled them for your exploit to work.

1# systune | grep uid
        nosuidshells = 1 (0x1)

  Wow, here's another bug. Apparently that flag does nothing at all:

.remise.mcn,~ {1} # uname -a
IRIX remise 6.2 03131015 IP22
.remise.mcn,~ {2} # systune | grep uid
        nosuidshells = 1 (0x1)
.remite.mcn,~ {3} # exit
.remise.mcn,~ {9} > reg4root
# id
uid=100(mcn) gid=20(user) euid=0(root)

....

reg4root is the exact exploit I posted late last week. It creates a setuid
shell, and executes it. I guess the nosuidshells flag doesn't do anything?

-Mike
mcn () EnGarde com
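
An added audit helper, not from Mike's post and not an SGI tool: a POSIX shell function that walks a directory tree and reports setuid files that are shells or shell scripts, the class of file the nosuidshells systune was meant to neutralise. The list of shell names and the interpretation of the `#!` line are assumptions made here.

```shell
#!/bin/sh
# Audit helper (added example): report setuid files that are shells or
# shell scripts. Run it against / on a host you administer and review
# every line it prints; a setuid shell owned by root is a standing root
# shell for every local user, whatever a kernel tunable claims.

# Interpreters treated as shells; extend this list for the site (assumption).
SHELL_NAMES='sh bash csh tcsh ksh zsh'

# is_shell_file FILE
# Returns 0 if FILE's basename is a known shell, or if its first line is a
# "#!" line whose interpreter (after an optional /usr/bin/env) is a shell.
is_shell_file() {
    f=$1
    base=$(basename "$f")
    for s in $SHELL_NAMES; do
        [ "$base" = "$s" ] && return 0
    done
    # Only the first line matters for a script; binaries simply fail the match.
    first=$(head -n 1 "$f" 2>/dev/null)
    case "$first" in
        '#!'*)
            interp=${first#\#!}
            # Split "#!/usr/bin/env bash -x" into words: interpreter, args.
            set -- $interp
            [ $# -gt 0 ] || return 1
            [ "$(basename "$1")" = env ] && shift
            [ $# -gt 0 ] || return 1
            for s in $SHELL_NAMES; do
                [ "$(basename "$1")" = "$s" ] && return 0
            done
            ;;
    esac
    return 1
}

# find_suid_shells DIR
# Prints one path per line for each setuid (mode 4xxx) regular file under
# DIR, staying on one filesystem, whose interpreter or name is a shell.
find_suid_shells() {
    find "$1" -xdev -type f -perm -4000 2>/dev/null | while IFS= read -r f; do
        if is_shell_file "$f"; then
            printf '%s\n' "$f"
        fi
    done
}
```

Any path it prints deserves the same scrutiny as the reg4root result above: check who owns it, who can execute it, and whether it was placed there deliberately.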
