Home page logo
/

bugtraq logo Bugtraq mailing list archives

Re: IRIX 5.3 /var/rfindd/fsdump - exploit
From: lglaze () MC2-CSR COM (Larry Glaze)
Date: Tue, 25 Feb 1997 11:30:31 -0500


At 06:33 AM 2/25/97 -0800, Chris Sheldon wrote:

Ok. Well, yet another IRIX 5.3 root exploit.

Of course, the major problem here is that IRIX allow users to

give away ownership of files. Without that, this could only

be used for changing the permissions on file so that you could read

and modify.


exploit stuff deleted....


This can be used to access pretty much any file on the system

which is currently group owned...



fun, fun, fun until SGI takes the bugs away... ;-) (right)


Ummm, why don't you just remove the file giveaway priviledge?


pandora 2# systune -i

Updates will be made to running system and /unix.install


systune-> restricted_chown 1

        restricted_chown = 1 (0x1)

        Do you really want to change restricted_chown to 1 (0x1)? (y/n) y


In order for the change in parameter restricted_chown to become effective,

reboot the system


systune->q

pandora 3# /etc/reboot


Takes less than 5 minutes of time and gets rid of file giveaways and the

above security hole. BTW, this is especially important if you are running

quotas since people can 'give' their files away to root (who usually doesn't

have a quota) to bypass the quota limit, yet retain ownership of the directory

the files reside in, thus giving them the ability to still modify the files.


Larry

System/Network Administrator

MC2 Cyberspace



--

---------------------------------------------------------------------------

|<color><param>0000,0000,8080</param>Larry Glaze
</color>|<color><param>0000,0000,8080</param>    "...Life's a bummer..."
         </color>|

|<color><param>0000,0000,8080</param>System/Network Administrator
</color>|<color><param>0000,0000,8080</param>            --Smashing
Pumpkins       </color>|

|<color><param>0000,0000,8080</param>MC<smaller>2</smaller> Cyberspace,
Ltd               </color>|<color><param>0000,0000,8080</param>
                           </color>|

|<color><param>0000,0000,8080</param>http://www.mc2-csr.com/~lglaze
</color>|<color><param>0000,0000,8080</param>
lglaze () mc2-csr com        </color>|

---------------------------------------------------------------------------

|               <color><param>ffff,0000,0000</param>All opinions are my
own, as they should be!               </color>|

---------------------------------------------------------------------------



  By Date           By Thread  

Current thread:
  • Re: IRIX 5.3 /var/rfindd/fsdump - exploit Larry Glaze (Feb 25)
[ Nmap | Sec Tools | Mailing Lists | Site News | About/Contact | Advertising | Privacy ]