Bugtraq mailing list archives

Re: IRIX midikeys vulnerability list.


From: aleph1 () UNDERGROUND ORG (Aleph One)
Date: Fri, 21 May 1999 16:39:18 -0700


This is a summary of some of the responses to this thread. It seems
that whether or not you use vi or some other editor makes a difference.
Would the people that reported it as not working please repeat their
test using a different editor? Thank you.


From Jean-Francois Malouin <Jean-Francois.Malouin () bic mni mcgill ca>:

  dmedia_eoe.sw.synth (at least on IRIX 6.5.3m).

  Following the aforementioned recipe, I tried to modify some system files
  on an Octane IP30 running 6.5.3m but to no avail. hmmmm, I see that same
  system as being reported vulnerable...

  # uname -Ra
  # IRIX64 6.5 6.5.3m 01221553 IP30

From Jeremy Hinegardner <jeremy () meru cecs missouri edu>:

  I have tested the exploit on a couple of Octanes, and
  it seems to be fixed in the IRIX 6.5.3 feature stream.

  Our machines using 6.5.3f were not vulnerable.
  Both the filemanager and the editor ran as the user,
  not root.

  Verified to work on Octane running IRIX 6.4
  uname -aR
  IRIX64 octane 6.4 S2MP+OCTANE 02121744 IP30

  Verified to NOT work on Octane running IRIX 6.5.3f
  uname -aR
  IRIX64 octane 6.5 6.5.3f 01221643 IP30

  The IRIX 6.5.4 streams are available for download;
  anyone try them?

From J.A. Gutierrez <spd () gtc1 cps unizar es>:

    * verified:

    IRIX64 IRIX 6.5.3f
    (editor (jot) runs as root)
     |-+------- 1147467 root     midikeys
     | \-+----- 1150492 root     dirview /usr/share/data/music
     |   \----- 1152654 root     fmserv sgonyx.ita.es:1.0


    * Didn't work at first

    IRIX 6.2 where midikeys is from dmedia_eoe.sw.synth
    (editor (vi) runs as user)

    But if you open an X11 editor (gvim), it will run as root,
    and you will be able to edit anything, again...

From eLement <eLement () nirvanet net>:

  The vulnerability is verified to work on

  uname -aR
  IRIX eLement 6.3 O2 R10000 12161207 IP32

From Klaus <klaus () imprint uwaterloo ca>:

  The machine on my desk:

  IRIX grimlock 6.5 6.5.2m 11051733 IP32

  didn't seem to be vulnerable, but I don't have nedit installed; vi didn't
  preserve my setuid from midikeys.

  However, on a machine -with- nedit,

  IRIX jazz 6.5 6.5.2m 11051733 IP32

  I was able to replicate it. I was also able to replicate the exploit using
  jot (another window based text editor).

  So the exploit seems to revolve around the use of an editor that doesn't
  require a terminal device; opening a tty to run the editor (although I'm
  not 100% on how gvim works in that respect) seems to reset the effective
  UID.


--
Aleph One / aleph1 () underground org
http://underground.org/
KeyID 1024/948FD6B5
Fingerprint EE C9 E8 AA CB AF 09 61  8C 39 EA 47 A8 6A B8 01
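The fix that Klaus's observation points at, as an added C example that is not from this thread and not SGI's code: a setuid helper like midikeys should permanently drop to the invoking user's real uid/gid before exec'ing any editor, so that it no longer matters whether the editor needs a tty (vi) or not (nedit, jot, gvim). The editor name and file path are placeholders chosen here.

```c
#define _GNU_SOURCE
#include <errno.h>
#include <grp.h>
#include <sys/types.h>
#include <sys/wait.h>
#include <unistd.h>

/* Permanently drop to the real uid/gid of the invoking user. Order matters:
 * supplementary groups first (only root may reset them), then gid, then uid,
 * because once the uid is gone the gid can no longer be changed.
 * Returns 0 on success, -1 on failure (errno set by the failing call). */
int drop_privileges(void)
{
    uid_t ruid = getuid();
    gid_t rgid = getgid();

    if (geteuid() == 0 && setgroups(0, NULL) != 0)
        return -1;
    if (setgid(rgid) != 0)
        return -1;
    if (setuid(ruid) != 0)
        return -1;
    return 0;
}

/* Check that the drop actually took: effective ids equal real ids, and a
 * non-root caller cannot regain root via setuid(0) (which would mean the
 * saved set-user-id was still 0, i.e. only a temporary drop happened). */
int privileges_dropped(void)
{
    if (geteuid() != getuid() || getegid() != getgid())
        return 0;
    if (getuid() != 0 && setuid(0) == 0)
        return 0;
    return 1;
}

/* Run the editor on the file with the user's own authority only. The child
 * refuses to exec unless the drop is verified. Returns the child's exit
 * status, 127 if the editor could not be started, -1 on fork/wait error. */
int spawn_editor_unprivileged(const char *editor, const char *file)
{
    int status;
    pid_t pid = fork();
    if (pid < 0)
        return -1;
    if (pid == 0) {
        if (drop_privileges() != 0 || !privileges_dropped())
            _exit(127);
        execlp(editor, editor, file, (char *)NULL);
        _exit(127);   /* exec failed: never fall back to running as root */
    }
    if (waitpid(pid, &status, 0) < 0)
        return -1;
    return WIFEXITED(status) ? WEXITSTATUS(status) : -1;
}
```

In the child, any editor (including one that reopens a tty or spawns a shell) now inherits only the user's real uid, so there is no effective uid left for it to "preserve".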
