Bugtraq mailing list archives
Re: Reminder for ppl (ANOTHER SGI BUG!)
From: ishtar () CAL022011 STUDENT UTWENTE NL (Henri Karrenbeld)
Date: Tue, 20 May 1997 03:15:40 +0200
At 11:56 19/5/97 -0600, you wrote:
> Eric's blind defense of IRIX (without even trying my exploit) has led to the discovery of yet another major IRIX bug. Read on...
>
> [snip]
>
> BTW, since SUID shell scripts are disabled by default on every SGI, you must have enabled them for your exploit to work.
>
> 1# systune | grep uid
> nosuidshells = 1 (0x1)
>
> Wow, here's another bug. Apparently that flag does nothing at all:
>
> .remise.mcn,~ {1} # uname -a
> IRIX remise 6.2 03131015 IP22
> .remise.mcn,~ {2} # systune | grep uid
> nosuidshells = 1 (0x1)
> .remite.mcn,~ {3} # exit
> .remise.mcn,~ {9} > reg4root
> # id
> uid=100(mcn) gid=20(user) euid=0(root)
> ....
>
> reg4root is the exact exploit I posted late last week. It creates a setuid shell, and executes it. I guess the nosuidshells flag doesn't do anything?
Oh yes, it sure should be doing something... however, not the thing you think it should be doing: it does NOT disable suid shells.

So what does it do? There is probably some info in the manpage of systune, but as far as I can remember it should disable setuid _shellscripts_ and _not_ setuid shells. For IRIX a shell is just a binary like any other binary, so the setuid bit works like with any other program.

As far as the name is concerned... I guess 'nosuidshells' means 'NOSetUIDSHELLScripts' $)

Henri

Hardware, n.: The parts of a computer system that can be kicked. - nn.
If God used E-mail, he'd use PGP. - myself
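The distinction Henri draws (a knob that refuses setuid *scripts* does nothing about a setuid *binary*, shell or otherwise) is exactly what an administrator auditing a box wants to see on disk. The following is an added example, not code from the thread or from SGI: a POSIX sh audit that finds every setuid/setgid file under a directory and classifies it as a script (starts with `#!`, the class nosuidshells is about) or a binary (the class it cannot reach). The function names, the constructed sample tree and the fake ELF file standing in for a copied shell are assumptions made for this example; it needs no IRIX or `systune` and runs on any POSIX system.

```shell
#!/bin/sh
# Added example (not from the original thread): audit a tree for setuid/setgid
# files and split them into scripts vs binaries. A "no setuid shell scripts"
# setting only affects the script class; a setuid copy of a shell binary is
# untouched, so the binary list is what needs review.
# classify_suid, count_suid_binaries and build_sample are hypothetical helpers.

# classify_suid DIR: print "script <path>" or "binary <path>" for every
# setuid or setgid regular file under DIR, one per line, sorted.
classify_suid() {
    dir=$1
    find "$dir" -type f \( -perm -4000 -o -perm -2000 \) -print | sort |
    while IFS= read -r f; do
        # First two bytes decide: "#!" marks an interpreter script.
        magic=$(dd if="$f" bs=2 count=1 2>/dev/null)
        if [ "$magic" = "#!" ]; then
            printf 'script %s\n' "$f"
        else
            printf 'binary %s\n' "$f"
        fi
    done
}

# count_suid_binaries DIR: number of setuid/setgid files that are not scripts,
# i.e. the ones a nosuidshells-style knob would leave fully functional.
count_suid_binaries() {
    classify_suid "$1" | grep -c '^binary '
}

# build_sample DIR: constructed sample tree with one setuid script, one setuid
# "binary" (fake ELF header standing in for a copied shell) and one ordinary
# non-setuid script that must not be reported.
build_sample() {
    dir=$1
    mkdir -p "$dir"
    printf '#!/bin/sh\nid\n' > "$dir/suidscript"
    chmod 4755 "$dir/suidscript"
    printf '\177ELF fake binary\n' > "$dir/suidshell"
    chmod 4755 "$dir/suidshell"
    printf '#!/bin/sh\necho harmless\n' > "$dir/plainscript"
    chmod 755 "$dir/plainscript"
}

# Stand-alone run: ./audit.sh --demo builds the sample tree and reports on it.
if [ "${1:-}" = "--demo" ]; then
    tmp=$(mktemp -d)
    build_sample "$tmp"
    classify_suid "$tmp"
    echo "setuid files a no-setuid-scripts knob would not affect: $(count_suid_binaries "$tmp")"
    rm -rf "$tmp"
fi
```

Point `classify_suid` at `/` (as root, so `find` can read every directory) and review the `binary` lines against the vendor's expected set; a shell binary or a copy of one showing up there is the condition the quoted session demonstrates, regardless of how `nosuidshells` is set.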