This is a summary of some of the responses to this thread. It seems that whether or not you use vi or some other editor makes a difference. Would the people that reported it as not working please repeat their test using a different editor? Thank you.

From Jean-Francois Malouin <Jean-Francois.Malouinat_private>:

dmedia_eoe.sw.synth (at least on IRIX 6.5.3m). Following the aforementioned recipe, I tried to modify some system files on an Octane IP30 running 6.5.3m but to no avail. hmmmm, I see that same system as being reported vulnerable...

  # uname -Ra
  # IRIX64 6.5 6.5.3m 01221553 IP30

From Jeremy Hinegardner <jeremyat_private>:

I have tested the exploit on a couple of Octanes, and it seems to be fixed in the IRIX 6.5.3 feature stream. Our machines using 6.5.3f were not vulnerable. Both the filemanager and the editor ran as the user, not root.

Verified to work on Octane running IRIX 6.4
  uname -aR
  IRIX64 octane 6.4 S2MP+OCTANE 02121744 IP30

Verified to NOT work on Octane running IRIX 6.5.3f
  uname -aR
  IRIX64 octane 6.5 6.5.3f 01221643 IP30

The IRIX 6.5.4 streams are available for download, anyone try them?

From J.A. Gutierrez <spdat_private>:

* verified: IRIX64 IRIX 6.5.3f (editor (jot) runs as root)

  |-+------- 1147467 root midikeys
  | \-+----- 1150492 root dirview /usr/share/data/music
  |   \----- 1152654 root fmserv sgonyx.ita.es:1.0

* Didn't work at first on IRIX 6.2 where midikeys is from dmedia_eoe.sw.synth (editor (vi) runs as user). But if you open an X11 editor (gvim), it will run as root, and you will be able to edit anything, again...

From eLement <eLementat_private>:

The vulnerability is verified to work on
  uname -aR
  IRIX eLement 6.3 O2 R10000 12161207 IP32

From Klaus <klausat_private>:

The machine on my desk:
  IRIX grimlock 6.5 6.5.2m 11051733 IP32
didn't seem to be vulnerable, but I don't have nedit installed; vi didn't preserve my setuid from midikeys. However, on a machine -with- nedit,
  IRIX jazz 6.5 6.5.2m 11051733 IP32
I was able to replicate it.
I was also able to replicate the exploit using jot (another window based text editor). So the exploit seems to revolve around the use of an editor that doesn't require a terminal device; opening a tty to run the editor (although I'm not 100% on how gvim works in that respect) seems to reset the effective UID.

-- 
Aleph One / aleph1at_private
http://underground.org/
KeyID 1024/948FD6B5
Fingerprint EE C9 E8 AA CB AF 09 61 8C 39 EA 47 A8 6A B8 01
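As an added illustration of the mechanism the summary hypothesises (a privileged front end such as midikeys handing the user an editor without first shedding its privilege, so that a GUI editor like jot, nedit or gvim ends up running as root), the C program below shows the standard fix for that class of bug. It is not midikeys, not SGI's code and not a reproduction of the IRIX behaviour: a setuid helper permanently drops to the invoking user's real IDs, verifies the drop actually happened and cannot be undone, and only then execs the editor, so the outcome no longer depends on whether the editor needs a tty. The function names (privileges_match, drop_privileges, run_argv, run_shell_command), the use of sh -c and the $EDITOR fallback to vi are assumptions made for this example.

```c
#include <stdio.h>
#include <stdlib.h>
#include <unistd.h>
#include <sys/types.h>
#include <sys/wait.h>

/* True only when real and effective IDs agree, i.e. the process no longer
 * carries any privilege beyond what the invoking user already has. */
int privileges_match(void)
{
    return getuid() == geteuid() && getgid() == getegid();
}

/* Permanently drop the privilege a setuid/setgid helper was started with.
 * Returns 0 on success, -1 on failure; a caller must treat failure as fatal,
 * because carrying on with euid 0 is exactly the bug being avoided. */
int drop_privileges(void)
{
    uid_t ruid = getuid();
    gid_t rgid = getgid();

    /* Group first: once the effective uid is no longer 0, setgid() would fail. */
    if (setgid(rgid) != 0)
        return -1;
    if (setuid(ruid) != 0)
        return -1;

    /* Verify the drop happened... */
    if (!privileges_match())
        return -1;

    /* ...and that it is permanent: a non-root user must not be able to
     * regain root (a saved set-user-ID of 0 would let setuid(0) succeed). */
    if (ruid != 0 && setuid(0) == 0)
        return -1;

    return 0;
}

/* Fork and exec argv in a child. With drop != 0 the child sheds privilege
 * before exec, so even an X11 editor that never opens a tty runs as the
 * user. Returns the child's exit status, or -1 if it did not exit normally. */
int run_argv(char *const argv[], int drop)
{
    int status;
    pid_t pid = fork();

    if (pid < 0)
        return -1;
    if (pid == 0) {
        if (drop && drop_privileges() != 0)
            _exit(127);          /* refuse to run the editor privileged */
        execvp(argv[0], argv);
        _exit(127);              /* exec failed */
    }
    if (waitpid(pid, &status, 0) < 0)
        return -1;
    return WIFEXITED(status) ? WEXITSTATUS(status) : -1;
}

/* Convenience wrapper: run `sh -c cmd` through run_argv(). */
int run_shell_command(const char *cmd, int drop)
{
    char *const argv[] = { "sh", "-c", (char *)cmd, NULL };
    return run_argv(argv, drop);
}

/* Stand-alone demo: print the IDs before and after the drop, then open the
 * file named on the command line with $EDITOR (assumed default: vi). */
int main(int argc, char **argv)
{
    printf("before: uid=%d euid=%d\n", (int)getuid(), (int)geteuid());
    if (drop_privileges() != 0) {
        fprintf(stderr, "privilege drop failed, refusing to continue\n");
        return 1;
    }
    printf("after:  uid=%d euid=%d\n", (int)getuid(), (int)geteuid());

    if (argc > 1) {
        const char *editor = getenv("EDITOR");
        if (editor == NULL)
            editor = "vi";
        char *const ed[] = { (char *)editor, argv[1], NULL };
        return run_argv(ed, 1);
    }
    return 0;
}
```

Run unprivileged the program is a no-op drop; installed setuid root it demonstrates that the editor child, whether vi or a window-based editor, ends up with the invoking user's uid, which is the property the reports above show midikeys lacked on the affected IRIX releases.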
This archive was generated by hypermail 2b30 : Fri Apr 13 2001 - 14:46:32 PDT