As a comment on Aleph's recent summary of the responses to the IRIX midikeys vulnerability (http://www.geek-girl.com/bugtraq/1999_2/0518.html) let me add my own observation.

It turns out that one does not need any particular text editor to exploit the vulnerability. That's because of a nice "feature" of the desktop environment variable WINEDITOR that can be set to any system command, e.g., "/bin/chmod 4755 /tmp/bsh" (where /tmp/bsh is just a root-owned copy of Bourne shell). This can be done on both irix 6.2 (e.g., using toolchest -> Desktop -> Customize -> Desktop -> Default Editor: Other...) and on irix 6.5 (toolchest -> Desktop -> Customize -> Utilities -> Text Editor: Other...).

After setting WINEDITOR (which can be verified by inspecting ~/.desktop-hostname/desktopenv) the exploit follows the well-known path by running midikeys, opening a file manager, etc. Using this method I was able to gain root access (via a local account) on two systems running irix 6.2 and 6.5.3m. I suspect that any system running irix 6.2 or higher with a suid midikeys program may be vulnerable.

To remove the vulnerability one should immediately remove suid from the IRIX midikeys program, as suggested in the recent SGI Security Advisory 19990501-01-A.

Pawel Peczak
pkpeczaat_private
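An audit helper for the two conditions described in the post above, added here as an example and not part of the original message or of SGI's advisory: it reports whether a given binary still carries the setuid bit (and strips it, the fix the advisory recommends) and flags a WINEDITOR value in a desktopenv file that is a command line rather than a plain editor path. Assumptions: the midikeys install path is supplied by the caller, and desktopenv is assumed to hold NAME=value lines (the post does not give its format).

```shell
#!/bin/sh
# Added audit helper (not from the original post or SGI's advisory).
# Assumptions: caller passes the path of midikeys; desktopenv is assumed
# to use NAME=value lines, adjust the sed pattern if the real format differs.

# check_setuid FILE: print a verdict; return 1 if the setuid bit is set,
# 2 if the file is missing, 0 if it is clean.
check_setuid() {
    f=$1
    [ -e "$f" ] || { echo "MISSING $f"; return 2; }
    if [ -u "$f" ]; then
        # owner shown so a setuid-root binary stands out from a user-owned one
        echo "SETUID owner=$(ls -ld "$f" | awk '{print $3}') $f"
        return 1
    fi
    echo "OK $f"
    return 0
}

# strip_setuid FILE: the remediation from SGI advisory 19990501-01-A
# (drop the setuid bit), then re-check so the caller sees the new state.
strip_setuid() {
    chmod u-s "$1" && check_setuid "$1"
}

# check_wineditor DESKTOPENV: return 1 if WINEDITOR holds anything other
# than a single executable path (whitespace or shell metacharacters mean
# it is being used as an arbitrary command, as the post describes).
check_wineditor() {
    val=$(sed -n 's/^WINEDITOR=//p' "$1" | tail -n 1)
    [ -n "$val" ] || { echo "WINEDITOR unset"; return 0; }
    if printf '%s' "$val" | grep -q '[ ;|&$()`]'; then
        echo "SUSPECT WINEDITOR=$val"
        return 1
    fi
    echo "WINEDITOR=$val"
    return 0
}
```

Run it against a constructed setup with `check_setuid /path/to/midikeys` and `check_wineditor ~/.desktop-$(hostname)/desktopenv`; a non-zero return from either is a finding.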
This archive was generated by hypermail 2b30 : Fri Apr 13 2001 - 14:47:23 PDT