Re: IRIX midikeys root exploit.

From: Erik Mouw (J.A.K.Mouwat_private)
Date: Thu May 20 1999 - 02:49:11 PDT

    Larry W. Cashdollar wrote:
    >      Please forgive me if this has already been on this list. I searched
    > geek-girl with no luck.  I have been auditing our IRIX boxes and found what I
    > believe to be a new vulnerability.
    >
    >      On IRIX 6.5 systems (IRIX Release 6.5 IP28 )
    >      # uname -a
    >      IRIX64 devel 6.5 05190004
    >
    >      The setuid root binary midikeys can be used to read any file on the
    > system using its gui interface.  It can also be used to edit any file on the
    > system.  I was able to get from guest account access to root access using the
    > following procedure.
    >
    >
    >      1) Choose an unpassworded account and telnet in. I like guest or lp.
    >
    >      devel 25% id
    >      uid=998 gid=998(guest)
    
    Unpassworded account? That's a known (and documented) feature on IRIX
    systems. First thing you do when you unpack an IRIX box: set a root
    password and disable the open accounts (EZsetup, OutOfBox, lp, guest,
    4Dgifts, sgiweb). There's even an entry in the "System manager" to do it.
    
    You just need an account to gain root privileges; it's not limited to the
    unpassworded accounts; any normal user could use this exploit.
    
    >      2) Execute the midikeys application with display set to your host.
    >
    >      devel 26% ./midikeys
    >      devel 27% Xlib:  extension "GLX" missing on display "grinch:0.0".
    >      Xlib:  extension "GLX" missing on display "grinch:0.0".
    >
    >
    >      3) under the midikeys window click sounds and then midi songs. This will
    >      open a file manager type interface.
    >
    >      4) You can enter the path and filename of files you wish to read,
    >          including root owned with group/world read/write permissions unset.
    >
    >      5) If you select a file like "/usr/share/data/music/README" it will
    >      appear in a text editor.  Use the text editor to open /etc/passwd and
    >      make modifications at will. Save and enjoy.
    >
    > So I removed the '*' from sysadm...
    >
    > $ su sysadm
    > # id
    > uid=0(root) gid=0(sys)
    >
    > devel 28%  ls -l /usr/sbin/midikeys
    > -rwsr-xr-x    1 root     root      218712 Jan 10 17:19 /usr/sbin/midikeys
    >
    >
    >      I have tested this on 2 IRIX 6.5 hosts with success. A patch exists for
    >      startmidi and stopmidi buffer overflows.
    
    Verified to work on an O2 running IRIX 6.3:
      uname -aR
      IRIX o2 6.3 O2 R10000 12161207 IP32
    
    And on an Octane running IRIX 6.5.3:
      uname -aR
      IRIX64 octane 6.5 6.5.3m 01221553 IP30
    
    Editor was XEmacs, but that doesn't really matter.
    
    
    Erik
    (strictly speaking for myself)
    
    --
    J.A.K. (Erik) Mouw, Information and Communication Theory Group, Department
    of Electrical Engineering, Faculty of Information Technology and Systems,
    Delft University of Technology, PO BOX 5031,  2600 GA Delft, The Netherlands
    Phone: +31-15-2785859  Fax: +31-15-2781843  Email J.A.K.Mouwat_private
    WWW: http://www-ict.its.tudelft.nl/~erik/
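An added defensive check, not part of Erik's reply or of Larry's report: a POSIX shell snippet (hypothetical helper names, constructed sample passwd data that is not from any real host) that lists every entry in a passwd-format file whose password field is empty, which is the state Erik describes for the stock IRIX accounts, and separately flags uid-0 entries with no password, which is the state Larry produced by removing the '*' from sysadm. It assumes hashes live in /etc/passwd rather than a shadow file; on a shadowed system the same awk test has to be run against the shadow file, since the passwd field there only holds a placeholder.

```shell
#!/bin/sh
# Audit helper for the "open account" problem discussed above.
# Constructed sample data only; the hashes are made-up strings.

TMP=${TMPDIR:-/tmp}
SAMPLE_PASSWD="$TMP/sample_passwd.$$"          # stock-looking passwd file
SAMPLE_PASSWD_EDITED="$TMP/sample_passwd_edited.$$"  # after sysadm's '*' was removed
trap 'rm -f "$SAMPLE_PASSWD" "$SAMPLE_PASSWD_EDITED"' EXIT

# Entries with an empty second field have no password at all.
cat > "$SAMPLE_PASSWD" <<'EOF'
root:Ab1cXYZq2E3kf:0:0:Super-User:/:/bin/csh
sysadm:*:0:0:System V Administration:/usr/admin:/bin/sh
lp::9:9:Print Spooler Owner:/var/spool/lp:/bin/sh
guest::998:998:Guest Account:/usr/people/guest:/bin/csh
EZsetup::992:998:System Setup:/var/sysadmdesktop/EZsetup:/bin/csh
OutOfBox::993:998:Out of Box Experience:/usr/people/OutOfBox:/bin/csh
erik:Xk9pQ2rT7sLmn:1001:20:Erik:/usr/people/erik:/bin/tcsh
EOF

# Same file with the '*' lock on the uid-0 sysadm entry edited away.
sed 's/^sysadm:\*:/sysadm::/' "$SAMPLE_PASSWD" > "$SAMPLE_PASSWD_EDITED"

# Print one login name per line for every entry whose password field is empty.
# Usage: unpassworded_accounts /etc/passwd
unpassworded_accounts() {
    [ -r "$1" ] || { echo "cannot read $1" >&2; return 1; }
    awk -F: '$2 == "" { print $1 }' "$1"
}

# Print the subset of those entries that also carry uid 0; any hit here means
# "su <name>" hands out a root shell with no password prompt.
# Usage: unpassworded_uid0 /etc/passwd
unpassworded_uid0() {
    [ -r "$1" ] || { echo "cannot read $1" >&2; return 1; }
    awk -F: '$2 == "" && $3 == "0" { print $1 }' "$1"
}

# Stand-alone run: report on both constructed files.
echo "open accounts (stock file):"
unpassworded_accounts "$SAMPLE_PASSWD"
echo "open uid-0 accounts (stock file):"
unpassworded_uid0 "$SAMPLE_PASSWD"
echo "open uid-0 accounts (after editing sysadm):"
unpassworded_uid0 "$SAMPLE_PASSWD_EDITED"
```

The stock file yields the four open accounts Erik names and no uid-0 hit; the edited file yields sysadm as an open uid-0 account, which is exactly the change a midikeys-style write to /etc/passwd would leave behind and what a periodic run of the second check is meant to catch.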
    



    This archive was generated by hypermail 2b30 : Fri Apr 13 2001 - 14:46:13 PDT